All of that is true, but none of it appears to be a security concern, specifically.
For you, maybe, but from where I am sitting, I don't want to rely solely on netfilter/iptables to protect me when I could physically restrict Asterisk from binding to that interface (and answering such requests) - that will serve me well in the event netfilter/iptables is somehow compromised (see my previous post).

It's possible for an application to bind a socket to a specific interface, but very few do. Generally speaking, server applications bind a socket to an address. The kernel decides what interface packets are sent on. Normally that will be the interface that has the lowest cost default route, not necessarily the one on which a connection was initiated. That is why I noted previously that you have to use connection tracking, packet mangling, and ip rules for multi-homed hosts. If you've never verified that your packets are being routed out the interface you expect (probably with tcpdump), perhaps you should.
Yeah, that was already clarified by another poster - I assumed (wrongly, as it turned out) that Asterisk, somehow, could "automagically" take care of directing sip/voip packets between interfaces and also take care of all the other related issues. As I understand it now, I will have to reconfigure this myself by using the standard Linux/Unix tools (ip & iptables mostly). Thanks for the clarification yet again!
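
The address-versus-wildcard binding discussed in this exchange, as an added example that is not part of the original thread and is not Asterisk code. It assumes a Linux host, where all of 127.0.0.0/8 is local, and uses 127.0.0.1 and 127.0.0.2 as constructed stand-ins for the addresses of two interfaces.

```python
import socket

def bound_udp(addr, port=0):
    """UDP listener bound to addr (0.0.0.0 = every local address)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((addr, port))          # binds to an ADDRESS, not to an interface
    s.settimeout(0.5)
    return s

def receives(listener, dest_ip):
    """Send one datagram to dest_ip on the listener's port.

    Returns True only if the listener's socket is handed the datagram.
    """
    port = listener.getsockname()[1]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        tx.sendto(b"probe", (dest_ip, port))
    try:
        data, _ = listener.recvfrom(64)
        return data == b"probe"
    except socket.timeout:
        return False

def demo():
    """Compare a listener bound to one address with a wildcard listener."""
    results = {}
    # Bound to a single address: traffic addressed to any other local
    # address never reaches the application, with or without a firewall.
    with bound_udp("127.0.0.1") as specific:
        results["specific/127.0.0.1"] = receives(specific, "127.0.0.1")
        results["specific/127.0.0.2"] = receives(specific, "127.0.0.2")
    # Bound to the wildcard: the application answers on every local
    # address, so only packet filtering stands between it and the network.
    with bound_udp("0.0.0.0") as wildcard:
        results["wildcard/127.0.0.1"] = receives(wildcard, "127.0.0.1")
        results["wildcard/127.0.0.2"] = receives(wildcard, "127.0.0.2")
    return results

if __name__ == "__main__":
    for case, got in demo().items():
        print(f"{case}: {'received' if got else 'not delivered'}")
```

Binding to an address limits what the socket accepts; it does not decide which interface replies leave on, which is still a routing decision.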

