"J. Oquendo" <[EMAIL PROTECTED]> Wrote: 4/5/2007 6:47 AM: > Joe Acquisto wrote: >> >> >> Thanks. And this might go where, in rc.d/rc.firewall.local ? >> >> But I don't get it. Isn't this redundant? Since I have port forwarding >> already. . .? >> >> joe a. >> >> _______________________________________________ >> --Bandwidth and Colocation provided by Easynews.com -- >> >> asterisk-users mailing list >> To UNSUBSCRIBE or update options visit: >> http://lists.digium.com/mailman/listinfo/asterisk-users >> > > What this is doing is allowing unfettered access between your PBX and > phones. Too many people forget that a VoIP transaction consists of more > than just opening up ports 5060 and 5061. This are used for > registration/administration, etc., in the case of one way audio, or > audio for any matter, this is carried out by RTP on separate ports > which > will never be the same port unless you have it specified. > > Summarized: NAT + VoIP = nightmare > > If at all doable, segment your phones out to a DMZ with VLANs, > constructive routing, and ACL's to avoid leveraged security incidents > via those phones being opened. >

Thanks. Do you have recommended switches, capable of supporting VLANs in an appropriate manner? The cheaper the better, at this point.

I have attempted VLANs several times, for this purpose specifically, using Nortel Baystack 450-24's. Not working as one would expect. Some say these simply do not do VLANs "properly".

This can go off list, if it is OT.

joe a.
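
The point made in the quoted reply (SIP signalling on 5060/5061, audio on separately negotiated RTP ports, and NAT getting in the way), as an added example that is not part of the original thread: a small audit that reads the SDP body of a SIP INVITE and reports why forwarding only the signalling ports leaves audio unreachable. The INVITE, the host names, the function names and the forwarded ranges are all constructed for illustration.

```python
import ipaddress
import re

# Constructed SIP INVITE (not captured traffic) from a phone behind NAT.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:100@pbx.example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK-constructed",
    "Contact: <sip:200@192.168.1.50:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 192.168.1.50",
    "s=-",
    "c=IN IP4 192.168.1.50",   # where the phone asks for audio to be sent
    "t=0 0",
    "m=audio 16384 RTP/AVP 0 8",  # RTP port chosen per call, not 5060/5061
])

def parse_media(message):
    """Return (connection_address, [audio ports]) from the SDP body."""
    _, _, body = message.partition("\r\n\r\n")
    conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    ports = [int(p) for p in re.findall(r"^m=audio (\d+) ", body, re.M)]
    return (conn.group(1) if conn else None), ports

def audit(message, forwarded_udp=((5060, 5061),)):
    """List reasons this call's audio may fail across a NAT boundary.

    forwarded_udp: inclusive UDP port ranges the firewall forwards
    (assumed default: signalling ports only).
    """
    addr, ports = parse_media(message)
    findings = []
    if addr and ipaddress.ip_address(addr).is_private:
        findings.append(f"SDP advertises private address {addr}; "
                        "the far side cannot route RTP to it")
    for port in ports:
        if not any(lo <= port <= hi for lo, hi in forwarded_udp):
            findings.append(f"RTP port {port}/udp is not covered by a "
                            "forwarding rule")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVITE):
        print(finding)
```

Forwarding the RTP range as well clears the second finding but not the first, which is why the reply recommends segmenting the phones rather than relying on port forwarding alone.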
