Re: [Asterisk-Users] Asterisk firewall config

2004-05-24 Thread Chris Stenton
The latest Cisco IOS, which has ip sip inspect, seems to work well. Of course
with Cisco you swap one set of bugs for another set when you upgrade. I have
yet to get a version of the IOS that has all the features I want working at
the same time :-(

Chris

- Original Message - 
From: "Karl Dyson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 24, 2004 9:23 AM
Subject: RE: [Asterisk-Users] Asterisk firewall config


> Ah yes. I too would like to see ip_conntrack_sip :)

___
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


RE: [Asterisk-Users] Asterisk firewall config

2004-05-24 Thread Karl Dyson
Ah yes. I too would like to see ip_conntrack_sip :) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chris
Stenton
Sent: 24 May 2004 08:57
To: [EMAIL PROTECTED]
Subject: Re: [Asterisk-Users] Asterisk firewall config

If your firewall has some form of SIP inspect then you will not need to
leave the RTP ports open.

Chris




Re: [Asterisk-Users] Asterisk firewall config

2004-05-24 Thread Chris Stenton
If your firewall has some form of SIP inspect then you will not need to
leave the RTP ports open.

Chris

- Original Message - 
From: "Tony Hoyle" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, May 22, 2004 11:11 PM
Subject: [Asterisk-Users] Asterisk firewall config


> The asterisk wiki states that it needs SIP, IAX2, IAX and RTP open to the
> world to work.  Is this necessarily true, or does it only need some of these
> outgoing?
>
> I'm concerned as anyone that could guess an extension number&password could
> use my server to make outgoing calls.  It would help if the extensions had a
> netmask/allowable IP setting like the iax.conf file uses, but there isn't one
> documented...
>
> Tony
>
> -- 
> Te audire no possum. Musa sapientum fixa est in aure.
>
> Tony Hoyle <[EMAIL PROTECTED]>  Key ID: 104D/4F4B6917 2003-09-13
> Fingerprint: 063C AFB4 3026 F724 0AA2  02B8 E547 470E 4F4B 6917



Re: [Asterisk-Users] Asterisk firewall config

2004-05-23 Thread Brancaleoni Matteo
Hi.

On Sun, 2004-05-23 at 01:52, Tony Hoyle wrote:
> Surely it depends on who's calling me - if they're using a SIP phone it'll 
> come in over the SIP port, and if they're using an IAX phone it'll come in 
> over the IAX port - ie there's this context in the default iax.conf:
> 
> [guest]
> type=user
> context=default
> callerid="Guest IAX User"

It's for letting unauthorized users call you over IAX(2),
like a PSTN call... everyone can call you if they have your
number (or IP in VoIP calls).
If you don't want that, just delete that entry :)

> btw. how many rtp streams do I need?  I only have 1 phone at the moment (max. 
> will be about 4 I think).

mmh... I dunno the values of that association, but
bear in mind that:
* they are only UDP ports
* they are opened only during an RTP session, in a dynamic way

so leaving ports 1 to 2 UDP open as in the default rtp.conf
isn't a problem, since there isn't any port open...
(unless you run any UDP service on that interval :) )
and a portscan will detect these ports as closed.

only during a call will * and the phone handshake an RTP
port and use that. otherwise it will be closed.

Matteo.
-- 
Brancaleoni Matteo <[EMAIL PROTECTED]>
Espia - Emmegi Srl



Re: [Asterisk-Users] Asterisk firewall config

2004-05-22 Thread Tony Hoyle
Brancaleoni Matteo wrote:
> if you plan to do only IAX, only port 4569 UDP needs to be opened.
> but if you plan to do only sip you need only port 5060 UDP
> and 1 to 2 UDP for sip rtp stream (configurable
> into rtp.conf)
> so... all depends :)
Surely it depends on who's calling me - if they're using a SIP phone it'll 
come in over the SIP port, and if they're using an IAX phone it'll come in 
over the IAX port - ie there's this context in the default iax.conf:

[guest]
type=user
context=default
callerid="Guest IAX User"
Which I assume is there for a reason... otherwise why have it?
btw. how many rtp streams do I need?  I only have 1 phone at the moment (max. 
will be about 4 I think).

> otherwise... use very strange passwords along with superstrange
> usernames I bet someone to get a login data like
> username : 2h729872pcnt
> with pw  : inr2.f2f2232DDFW3r
I already use pretty strange/long passwords...  the recommendation always 
seems to be make username==extension number, though.

Tony
--
Te audire no possum. Musa sapientum fixa est in aure.
Tony Hoyle <[EMAIL PROTECTED]>  Key ID: 104D/4F4B6917 2003-09-13
Fingerprint: 063C AFB4 3026 F724 0AA2  02B8 E547 470E 4F4B 6917


Re: [Asterisk-Users] Asterisk firewall config

2004-05-22 Thread Brancaleoni Matteo
Hi

On Sun, 2004-05-23 at 00:11, Tony Hoyle wrote:
> The asterisk wiki states that it needs SIP, IAX2, IAX and RTP open to the 
> world to work.  Is this necessarily true, or does it only need some of these 
> outgoing?
all depends on what you need to do.
if you use only zap channels and no Voip, perhaps
the only port you need to open is ssh (if using it, of course)

if you plan to do only IAX, only port 4569 UDP needs to be opened.
but if you plan to do only sip you need only port 5060 UDP
and 1 to 2 UDP for sip rtp stream (configurable
into rtp.conf)

so... all depends :)

> I'm concerned as anyone that could guess an extension number&password could 
> use my server to make outgoing calls.  It would help if the extensions had a 
> netmask/allowable IP setting like the iax.conf file uses, but there isn't one 
> documented...
mmmh... setting into the extension seems to me the same as setting
into iax.conf (or sip.conf), or not?

otherwise... use very strange passwords along with superstrange
usernames I bet someone to get a login data like
username : 2h729872pcnt
with pw  : inr2.f2f2232DDFW3r

or not :) ?

-- 
Brancaleoni Matteo <[EMAIL PROTECTED]>
Espia - Emmegi Srl



Re: [Asterisk-Users] Asterisk firewall config

2004-05-22 Thread Rich Adamson
> The asterisk wiki states that it needs SIP, IAX2, IAX and RTP open to the 
> world to work.  Is this necessarily true, or does it only need some of these 
> outgoing?
> 
> I'm concerned as anyone that could guess an extension number&password could 
> use my server to make outgoing calls.  It would help if the extensions had a 
> netmask/allowable IP setting like the iax.conf file uses, but there isn't one 
> documented...

Tony,

What you open up (and how you restrict access) is really a function of the
resources you have available. For example, on some firewalls you can open a ton
of ports, but then limit which IPs can actually use them.

I think there is a "permit=" statement for SIP definitions that limits which IPs
can use that SIP definition.

If that's not enough, implement iptables as another mechanism to restrict
access.

All depends on what you've got available.

Rich


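Rich's "permit=" point, worked through as an added example (my code, not from the thread or from Asterisk): it parses a constructed sip.conf fragment, flags peers that carry no deny/permit lines at all, and evaluates a source address against a peer's ACL. The peer names, secrets and addresses are made up, and the evaluation order (rules applied top to bottom, last match wins, an empty ACL allows every source) is my assumption about Asterisk's ACL semantics.

```python
import ipaddress

# Constructed sip.conf fragment (not from the thread). Peer 2001 has no source
# restriction; peer 2002 is locked to the LAN with deny-all-then-permit.
SIP_CONF = """
[2001]
type=friend
secret=CONSTRUCTED_SECRET_1
context=internal

[2002]
type=friend
secret=CONSTRUCTED_SECRET_2
context=internal
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
"""

def parse_peers(text):
    """Return {section: [(key, value), ...]}, keeping line order (ACL order matters)."""
    peers, cur = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            peers[cur] = []
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)
            peers[cur].append((key.strip(), value.strip()))
    return peers

def source_allowed(acl, src_ip):
    """Apply deny=/permit= lines top to bottom; the last matching rule wins and
    an empty ACL allows every source (assumed Asterisk ACL semantics)."""
    addr = ipaddress.ip_address(src_ip)
    verdict = True
    for key, value in acl:
        if key in ("permit", "deny"):
            # Asterisk writes masks as address/netmask; ip_network accepts that form
            if addr in ipaddress.ip_network(value, strict=False):
                verdict = key == "permit"
    return verdict

def unrestricted_peers(peers):
    """Peers with no deny/permit line at all: anyone who guesses the secret can use them."""
    return sorted(name for name, acl in peers.items()
                  if not any(k in ("permit", "deny") for k, _ in acl))
```

Run `parse_peers(SIP_CONF)` and pass a peer's entry list to `source_allowed` with a candidate address; `unrestricted_peers` lists the definitions that still rely on the secret alone.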


RE: [Asterisk-Users] Asterisk firewall config

2004-05-22 Thread Karl Dyson
I personally only allow IAX2 in and out from my asterisk box, due to the
simplicity of one (udp) port. I do not relish the thought of trying to
open the port ranges for SIP securely!

As long as your inbound stuff in iax.conf lands in a sensible context,
inbound connections would only be able to call your internal extensions,
and not make "cost" calls.

Hope that helps

Karl

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:asterisk-users-
> [EMAIL PROTECTED] On Behalf Of Tony Hoyle
> Sent: 22 May 2004 23:11
> To: [EMAIL PROTECTED]
> Subject: [Asterisk-Users] Asterisk firewall config
> 
> The asterisk wiki states that it needs SIP, IAX2, IAX and RTP open to the
> world to work.  Is this necessarily true, or does it only need some of these
> outgoing?
>
> I'm concerned as anyone that could guess an extension number&password could
> use my server to make outgoing calls.  It would help if the extensions had a
> netmask/allowable IP setting like the iax.conf file uses, but there isn't one
> documented...
> 
> Tony
> 
> --
> Te audire no possum. Musa sapientum fixa est in aure.
> 
> Tony Hoyle <[EMAIL PROTECTED]>  Key ID: 104D/4F4B6917 2003-09-13
> Fingerprint: 063C AFB4 3026 F724 0AA2  02B8 E547 470E 4F4B 6917