On 02/06/2012 03:27 PM, Josh wrote:
>> Why do you see binding to 0.0.0.0 to be a security risk?
> Purely because a response from Asterisk can be received as a result of a
> connection on *any* interface on the system/machine. If I have Asterisk
> confined to, say, 2 interfaces - eth0 (10.1.1.1) and eth1 (10.2.1.1)
> then a request over a third/subsequent interface cannot be served - it
> is not normally possible.
>
> When Asterisk binds to 0.0.0.0 that is not the case and a request over a
> third/subsequent interface *can* be served by Asterisk (provided the
> routing is set up properly, that is).

All of that is true, but none of it appears to be a security concern, specifically.

>> If you have 3 or more interfaces (or you need to just bind to some
>> subset), you should have the skills to configure 'iptables.'
> I do, but that is not the point - do you rely on Microsoft for the
> security of your own desktop system (if you have one running Windows
> that is) or do you take it into your own hands and make sure it is
> properly implemented? I don't know about you, but I am firmly in the
> latter category.

As am I, but that has nothing to do with socket binding. The simile doesn't even make sense.

>> Unfortunately, (IIRC) Asterisk does not reply to the same interface
>> packets are received from, which limits the usefulness of multiple
>> interfaces.
> What do you mean by that? If a request is received over eth1 are you
> saying that Asterisk does not respond over the same interface?!

It's possible for an application to bind a socket to a specific interface, but very few do. Generally speaking, server applications bind a socket to an address. The kernel decides which interface packets are sent on. Normally that will be the interface that has the lowest cost default route, not necessarily the one on which a connection was initiated. That is why I noted previously that you have to use connection tracking, packet mangling, and ip rules for multi-homed hosts. If you've never verified that your packets are being routed out the interface you expect (probably with tcpdump), perhaps you should.

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
              http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users

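The source-address behaviour described in the last reply, as an added example that is not part of the thread or of Asterisk: a UDP echo server bound to 0.0.0.0 answers from whatever address the kernel's route to the client selects, not from the address the request was sent to, while a server bound to one address answers from that address and cannot be reached through another. It assumes a Linux host, where 127.0.0.2 is a usable second loopback address standing in for a second interface.

```python
import socket
import threading
# Constructed setup (not from the thread): two loopback addresses stand in
# for two interfaces. Assumes Linux, where all of 127.0.0.0/8 is local, so
# 127.0.0.2 is reachable without configuring anything.
ADDR_A = "127.0.0.1"
ADDR_B = "127.0.0.2"

def serve_one(bind_addr):
    """One-shot UDP echo server bound to bind_addr; returns (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((bind_addr, 0))  # raises OSError if the address is not local
    port = srv.getsockname()[1]
    def run():
        srv.settimeout(2)
        try:
            data, peer = srv.recvfrom(1024)
            # Reply from the same socket, as most daemons do. With a 0.0.0.0
            # bind the kernel picks the source address from the route to
            # peer, not from the address the request arrived on.
            srv.sendto(data, peer)
        except socket.timeout:
            pass
        finally:
            srv.close()
    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, t

def reply_source(bind_addr, request_to):
    """Send one request to request_to and return the address the reply came
    from, or None if the server could not be bound or did not answer."""
    try:
        port, t = serve_one(bind_addr)
    except OSError:
        return None
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(1)
    try:
        cli.sendto(b"ping", (request_to, port))
        _, (src, _) = cli.recvfrom(1024)
        return src
    except OSError:  # socket.timeout is a subclass of OSError
        return None
    finally:
        cli.close()
        t.join()

if __name__ == "__main__":
    for bind, to in (("0.0.0.0", ADDR_B), (ADDR_B, ADDR_B), (ADDR_A, ADDR_B)):
        print(f"bind {bind}, request to {to}: reply from {reply_source(bind, to)}")
```

On a Linux host the first line shows the 0.0.0.0-bound server answering a request sent to 127.0.0.2 from 127.0.0.1, the address-pair mismatch that connection tracking on a firewall in the path would not match to the outgoing request; tcpdump on each interface shows the same thing for real multi-homed hosts.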