On Tue, May 20, 2008 at 7:11 AM, Tzafrir Cohen <[EMAIL PROTECTED]> wrote:
>
> On Tue, May 20, 2008 at 06:46:49AM -0400, Raj Jain wrote:
> > One way to make the system more secure would be by not opening these ports
> > statically in Linux iptables. I have not tested this, but Linux iptables
> > have shipped with ip_nat_sip and ip_conntrack_sip modules since kernel
> > version 2.6.18. With these modules, Linux iptables will act as a SIP-aware
> > NAT that opens the ports dynamically depending on what's exchanged in the
> > signaling.
>
> Err... and if you want to allow someone to connect to UDP port 5060 of
> your box, what iptables trick should you use?
My comment was about RTP/RTCP ports (I should have been clearer). SIP signaling ports will have to be opened statically. Although, for added security you could open the port as symmetric if you know the ip/port of "someone" that wants to connect to you as opposed to opening it in a full-cone way.

Also, I'm curious as to what experience others have had with ip_nat_sip and ip_conntrack_sip modules. Do they really work?

-- 
Raj Jain
_______________________________________________
asterisk-users mailing list
http://lists.digium.com/mailman/listinfo/asterisk-users
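An added worked example of the rule set the two mails are circling around; it is not code from either poster. It opens UDP 5060 statically but only to one known peer (the "symmetric" rather than full-cone hole Raj describes), and admits RTP/RTCP only as conntrack-RELATED flows that the kernel SIP helper sets up from the SDP in the signaling, so no static RTP range is opened. Assumptions: the peer address 203.0.113.10 is a constructed placeholder; the helper modules are referred to by their current names nf_conntrack_sip / nf_nat_sip (the thread's ip_conntrack_sip / ip_nat_sip are the 2.6.18-era names); and the helper is bound explicitly with the CT target, since newer kernels no longer auto-assign helpers. DRY_RUN=1 prints the commands instead of touching the kernel.

```shell
#!/bin/sh
# Added example (not from the thread): SIP signaling opened statically to a
# single known peer, media admitted only as conntrack-RELATED flows created by
# the kernel SIP helper. 203.0.113.10 is a constructed placeholder address.

PEER_IP="${PEER_IP:-203.0.113.10}"   # assumed: the one remote SIP endpoint we trust
SIP_PORT="${SIP_PORT:-5060}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or just print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

sip_firewall_rules() {
    # The SIP helper parses INVITE/200 OK bodies and registers "expectations"
    # for the RTP/RTCP addresses and ports found in the SDP. The NAT helper is
    # only needed if this box also rewrites addresses for a LAN behind it.
    run modprobe nf_conntrack_sip
    run modprobe nf_nat_sip

    # Helpers are not auto-assigned on current kernels: bind the sip helper to
    # the signaling flow explicitly, in the raw table, before conntrack sees it.
    run iptables -t raw -A PREROUTING -p udp -s "$PEER_IP" --dport "$SIP_PORT" -j CT --helper sip

    # 1. Signaling: a static hole, but restricted to the known peer instead of
    #    open to the world.
    run iptables -A INPUT -p udp -s "$PEER_IP" --dport "$SIP_PORT" -j ACCEPT

    # 2. Media: no static RTP range. The first RTP/RTCP packet matching an
    #    expectation from the helper is classified RELATED and admitted here;
    #    any other packet aimed at the RTP range falls through to the policy.
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. Everything else inbound is dropped.
    run iptables -P INPUT DROP
}

# Emit the rule set without touching the kernel (used for review and testing).
dry_run_rules() {
    ( DRY_RUN=1; sip_firewall_rules )
}
```

Run `DRY_RUN=1 sh sip-rules.sh` first and read the output; the point to check is that nothing in the generated set opens the RTP port range statically, because the only path into it is the RELATED rule fed by the helper. If calls set up fine but media never arrives, the usual cause is the helper not being bound to the signaling flow (the raw-table CT rule) or the SDP advertising a media address the helper does not track.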
