> All of that is true, but none of it appears to be a security concern,
> specifically.

For you, maybe, but from where I am sitting, I don't want to rely
solely on netfilter/iptables to protect me when I could physically
restrict Asterisk from binding to that interface (and answering such
requests) - that will serve me well in the event netfilter/iptables is
somehow compromised (see my previous post).

> It's possible for an application to bind a socket to a specific
> interface, but very few do. Generally speaking, server applications
> bind a socket to an address. The kernel decides which interface
> packets are sent on. Normally that will be the interface that has the
> lowest cost default route, not necessarily the one on which a
> connection was initiated. That is why I noted previously that you
> have to use connection tracking, packet mangling, and ip rules for
> multi-homed hosts. If you've never verified that your packets are
> being routed out the interface you expect (probably with tcpdump),
> perhaps you should.

Yeah, that was already clarified by another poster - I assumed (wrongly,
as it turned out) that Asterisk, somehow, could "automagically" take
care of directing sip/voip packets between interfaces and also take care
of all the other related issues. As I understand it now, I will have to
reconfigure this myself by using the standard Linux/Unix tools (ip &
iptables mostly). Thanks for the clarification yet again!
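The distinction discussed in this thread (a listener bound to one address versus the wildcard, and the kernel's own choice of egress address) can be checked with a short script. This is an added example, not code from the thread or from Asterisk. It assumes a Linux host where all of 127.0.0.0/8 is local, so 127.0.0.1 and 127.0.0.2 stand in for the addresses of two interfaces; the function names are hypothetical and 5060 is only the conventional SIP port.

```python
import socket

def answers_on(bind_addr, dest_addr, timeout=0.5):
    """True if a UDP listener bound to bind_addr receives a datagram sent to dest_addr."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
        srv.bind((bind_addr, 0))      # port 0: the kernel picks a free port
        srv.settimeout(timeout)
        port = srv.getsockname()[1]
        try:
            cli.sendto(b"probe", (dest_addr, port))
            data, _ = srv.recvfrom(64)
            return data == b"probe"
        except OSError:               # timeout, or dest_addr is not local/routable
            return False

def kernel_source_for(dest_addr, port=5060):
    """Local address the routing table selects for traffic to dest_addr.

    connect() on a UDP socket sends nothing; it only performs the route
    lookup, so this shows the kernel's egress choice without any traffic.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dest_addr, port))
        return s.getsockname()[0]

if __name__ == "__main__":
    # Constructed cases: (address the listener binds to, address the probe targets)
    cases = [("127.0.0.1", "127.0.0.1"),   # bound address, same address probed
             ("127.0.0.1", "127.0.0.2"),   # bound address, other address probed
             ("0.0.0.0",   "127.0.0.2")]   # wildcard listener, other address probed
    for bind_addr, dest in cases:
        print(f"bind={bind_addr:<10} probe={dest:<10} answered={answers_on(bind_addr, dest)}")
    print("source chosen for 127.0.0.1:", kernel_source_for("127.0.0.1"))
```

Replacing the loopback addresses with the host's real interface addresses, and comparing `kernel_source_for()` with what tcpdump shows on each interface, gives the verification the quoted poster recommends.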