Re: [Asterisk-Users] Asterisk firewall config
The latest cisco ios which has ip sip inspect seems to work well. Of course with cisco you swap one set of bugs for another set when you upgrade. I have yet to get a version of the ios that has all the features I want working at the same time :-(

Chris

----- Original Message -----
From: "Karl Dyson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 24, 2004 9:23 AM
Subject: RE: [Asterisk-Users] Asterisk firewall config

> Ah yes. I too would like to see ip_conntrack_sip :)
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Stenton
> Sent: 24 May 2004 08:57
> To: [EMAIL PROTECTED]
> Subject: Re: [Asterisk-Users] Asterisk firewall config
>
> If your firewall has some form of sip inspect then you will not need to leave open the rtp ports.
>
> Chris
>
> ----- Original Message -----
> From: "Tony Hoyle" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, May 22, 2004 11:11 PM
> Subject: [Asterisk-Users] Asterisk firewall config
>
> > The asterisk wiki states that it needs SIP, IAX2, IAX and RTP open to the world to work. Is this necessarily true, or does it only need some of these outgoing?
> >
> > I'm concerned as anyone that could guess an extension number&password could use my server to make outgoing calls. It would help if the extensions had a netmask/allowable IP setting like the iax.conf file uses, but there isn't one documented...
> >
> > Tony
> >
> > --
> > Te audire no possum. Musa sapientum fixa est in aure.
> >
> > Tony Hoyle <[EMAIL PROTECTED]> Key ID: 104D/4F4B6917 2003-09-13
> > Fingerprint: 063C AFB4 3026 F724 0AA2 02B8 E547 470E 4F4B 6917
>
> This e-mail has been scanned for all viruses by Star Internet. The service is powered by MessageLabs. For more information on a proactive anti-virus service working around the clock, around the globe, visit: http://www.star.net.uk

___
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
RE: [Asterisk-Users] Asterisk firewall config
Ah yes. I too would like to see ip_conntrack_sip :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Stenton
Sent: 24 May 2004 08:57
To: [EMAIL PROTECTED]
Subject: Re: [Asterisk-Users] Asterisk firewall config

If your firewall has some form of sip inspect then you will not need to leave open the rtp ports.

Chris

----- Original Message -----
From: "Tony Hoyle" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, May 22, 2004 11:11 PM
Subject: [Asterisk-Users] Asterisk firewall config

> The asterisk wiki states that it needs SIP, IAX2, IAX and RTP open to the world to work. Is this necessarily true, or does it only need some of these outgoing?
>
> I'm concerned as anyone that could guess an extension number&password could use my server to make outgoing calls. It would help if the extensions had a netmask/allowable IP setting like the iax.conf file uses, but there isn't one documented...
>
> Tony
>
> --
> Te audire no possum. Musa sapientum fixa est in aure.
>
> Tony Hoyle <[EMAIL PROTECTED]> Key ID: 104D/4F4B6917 2003-09-13
> Fingerprint: 063C AFB4 3026 F724 0AA2 02B8 E547 470E 4F4B 6917
Re: [Asterisk-Users] Asterisk firewall config
If your firewall has some form of sip inspect then you will not need to leave open the rtp ports.

Chris

----- Original Message -----
From: "Tony Hoyle" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, May 22, 2004 11:11 PM
Subject: [Asterisk-Users] Asterisk firewall config

> The asterisk wiki states that it needs SIP, IAX2, IAX and RTP open to the world to work. Is this necessarily true, or does it only need some of these outgoing?
>
> I'm concerned as anyone that could guess an extension number&password could use my server to make outgoing calls. It would help if the extensions had a netmask/allowable IP setting like the iax.conf file uses, but there isn't one documented...
>
> Tony
>
> --
> Te audire no possum. Musa sapientum fixa est in aure.
>
> Tony Hoyle <[EMAIL PROTECTED]> Key ID: 104D/4F4B6917 2003-09-13
> Fingerprint: 063C AFB4 3026 F724 0AA2 02B8 E547 470E 4F4B 6917
Re: [Asterisk-Users] Asterisk firewall config
Hi.

On Sun, 2004-05-23 at 01:52, Tony Hoyle wrote:
> Surely it depends on who's calling me - if they're using a SIP phone it'll come in over the SIP port, and if they're using an IAX phone it'll come in over the IAX port - ie there's this context in the default iax.conf:
>
> [guest]
> type=user
> context=default
> callerid="Guest IAX User"

for letting unauthorized user to call you over IAX(2).
Like a pstn call... everyone can call you if they have your number (or IP in Voip calls)
If you don't want that, just delete that entry :)

> btw. how many rtp streams do I need? I only have 1 phone at the moment (max. will be about 4 I think).

mmh... I dunno the values of that association, but bear in mind that:

* are only UDP ports
* are opened only during a RTP session, in a dynamic way

so leaving open ports 1 to 2 UDP as in default rtp.conf isn't a problem, since there's not any port open... (unless you run any udp service on that interval :) ) and a portscan will detect these ports as closed.

only during a call, * and the phone will handshake an RTP port and use that. otherwise will be closed.

Matteo.

--
Brancaleoni Matteo <[EMAIL PROTECTED]>
Espia - Emmegi Srl
Re: [Asterisk-Users] Asterisk firewall config
Brancaleoni Matteo wrote:
> if you plan to do only IAX, only port 4569 UDP needs to be opened.
> but if you plan to do only sip you need only port 5060 UDP and 1 to 2 UDP for sip rtp stream (configurable into rtp.conf)
>
> so... all depends :)

Surely it depends on who's calling me - if they're using a SIP phone it'll come in over the SIP port, and if they're using an IAX phone it'll come in over the IAX port - ie there's this context in the default iax.conf:

[guest]
type=user
context=default
callerid="Guest IAX User"

Which I assume is there for a reason... otherwise why have it?

btw. how many rtp streams do I need? I only have 1 phone at the moment (max. will be about 4 I think).

> otherwise... use very strange passwords along with superstrange usernames
> I bet someone to get a login data like
> username : 2h729872pcnt with pw : inr2.f2f2232DDFW3r

I already use pretty strange/long passwords... the recommendation always seems to be make username==extension number, though.

Tony

--
Te audire no possum. Musa sapientum fixa est in aure.

Tony Hoyle <[EMAIL PROTECTED]> Key ID: 104D/4F4B6917 2003-09-13
Fingerprint: 063C AFB4 3026 F724 0AA2 02B8 E547 470E 4F4B 6917
Re: [Asterisk-Users] Asterisk firewall config
Hi

On Sun, 2004-05-23 at 00:11, Tony Hoyle wrote:
> The asterisk wiki states that it needs SIP, IAX2, IAX and RTP open to the world to work. Is this necessarily true, or does it only need some of these outgoing?

all depends on what you need to do.
if you use only zap channels and no Voip, perhaps the only port you need to open is ssh (if using it, of course)

if you plan to do only IAX, only port 4569 UDP needs to be opened.
but if you plan to do only sip you need only port 5060 UDP and 1 to 2 UDP for sip rtp stream (configurable into rtp.conf)

so... all depends :)

> I'm concerned as anyone that could guess an extension number&password could use my server to make outgoing calls. It would help if the extensions had a netmask/allowable IP setting like the iax.conf file uses, but there isn't one documented...

mmmh... setting into the extension seems to me the same as setting into iax.conf (or sip.conf), or not?

otherwise... use very strange passwords along with superstrange usernames
I bet someone to get a login data like
username : 2h729872pcnt with pw : inr2.f2f2232DDFW3r

or not :) ?

--
Brancaleoni Matteo <[EMAIL PROTECTED]>
Espia - Emmegi Srl
Re: [Asterisk-Users] Asterisk firewall config
> The asterisk wiki states that it needs SIP, IAX2, IAX and RTP open to the world to work. Is this necessarily true, or does it only need some of these outgoing?
>
> I'm concerned as anyone that could guess an extension number&password could use my server to make outgoing calls. It would help if the extensions had a netmask/allowable IP setting like the iax.conf file uses, but there isn't one documented...

Tony,

What you open up (and how you restrict access) is really a function of the resources you have available. Example, on some firewalls you can open a ton of ports, but then limit which IP's can actually use them.

I think there is a "permit=" statement for sip def's that limit which IP's can use that sip definition. If that's not enough, implement IP tables as another mechanism to restrict access.

All depends on what you've got available.

Rich
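Added example, not part of any message in this thread: a small audit over sip.conf / iax.conf style text that flags the two things raised above, entries with no secret (like the default [guest] user) and entries with no effective source-IP ACL. The sample config, its secrets and its addresses are constructed; deny= and permit= are Asterisk's ACL options, which default to allow, so a permit= only restricts anything when paired with a deny=.

```python
SAMPLE_CONF = """\
; constructed sample, not taken from the thread
[guest]
type=user
context=default
callerid="Guest IAX User"
[2001]
type=friend
secret=constructed-secret-1
permit=192.0.2.0/255.255.255.0
[2002]
type=friend
secret=constructed-secret-2
deny=0.0.0.0/0.0.0.0
permit=192.0.2.0/255.255.255.0
"""

def parse_sections(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def audit(text):
    """Return sorted (section, finding) pairs for entries that define type=."""
    findings = []
    for name, opts in parse_sections(text).items():
        keys = [k for k, _ in opts]
        if "type" not in keys:
            continue  # [general] and similar hold settings, not accounts
        context = dict(opts).get("context", "(none)")
        if "secret" not in keys:
            findings.append((name, f"no secret: open to any caller, lands in context '{context}'"))
        if "permit" not in keys:
            findings.append((name, "no permit= ACL: accepted from any source IP"))
        elif "deny" not in keys:
            findings.append((name, "permit= without deny=: default is allow, nothing is restricted"))
    return sorted(findings)

if __name__ == "__main__":
    for section, finding in audit(SAMPLE_CONF):
        print(f"[{section}] {finding}")
```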
RE: [Asterisk-Users] Asterisk firewall config
I personally only allow IAX2 in and out from my asterisk box, due to the simplicity of one (udp) port. I do not relish the thought of trying to open the port ranges for SIP securely!

As long as your inbound stuff in iax.conf lands in a sensible context, inbound connections would only be able to call your internal extensions, and not make "cost" calls.

Hope that helps

Karl

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:asterisk-users-[EMAIL PROTECTED] On Behalf Of Tony Hoyle
> Sent: 22 May 2004 23:11
> To: [EMAIL PROTECTED]
> Subject: [Asterisk-Users] Asterisk firewall config
>
> The asterisk wiki states that it needs SIP, IAX2, IAX and RTP open to the world to work. Is this necessarily true, or does it only need some of these outgoing?
>
> I'm concerned as anyone that could guess an extension number&password could use my server to make outgoing calls. It would help if the extensions had a netmask/allowable IP setting like the iax.conf file uses, but there isn't one documented...
>
> Tony
>
> --
> Te audire no possum. Musa sapientum fixa est in aure.
>
> Tony Hoyle <[EMAIL PROTECTED]> Key ID: 104D/4F4B6917 2003-09-13
> Fingerprint: 063C AFB4 3026 F724 0AA2 02B8 E547 470E 4F4B 6917