On 02/08/2012 09:28 AM, Josh wrote:
> If one has internal networks, accessible via, say eth1 and tun0, and implements Asterisk to act as the internal/private PBX (without exposing it to the outside world), then having been forced to use 0.0.0.0 will, of course, expose Asterisk to any other - undesirable - interfaces, including those pointing to the outside world.
OK. We can agree on that, but you haven't been clear that you're trying to keep Asterisk in a private network, and not make it publicly available. Had you simply said that you didn't want to bind to any interfaces that had routable addresses, you'd have made a lot more sense. Instead, you've objected to binding to a "third" or "subsequent" interface.
I still think the idea that binding to 0.0.0.0 is a security risk is silly. Making an application available to the public when it doesn't need to be is, certainly. Making a service publicly available or not is a policy decision; binding to specific interfaces is a mechanism that can be used to implement that policy. Policy is where you manage security risks. Mechanisms aren't to blame for good or bad policy.
-- asterisk-users mailing list
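As an added example (not from this thread or from the Asterisk project), the reply's point that binding is a mechanism and exposure is a policy can be turned into an audit check: read the chan_sip `bindaddr` from a sip.conf fragment, work out which interface addresses that bind will listen on, and report any that fall outside the networks the administrator declares internal. The interface names, addresses and config fragments are constructed for the example.

```python
import ipaddress
import re

# Constructed sample: interfaces on the PBX host (names and addresses are made up;
# 203.0.113.10 stands in for the one address that points to the outside world).
INTERFACES = {
    "eth0": "203.0.113.10",   # outside-facing
    "eth1": "10.0.1.5",       # internal LAN
    "tun0": "192.168.100.1",  # VPN tunnel
}

# Policy: only these networks are considered internal; anything else is exposure.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sip.conf fragments; 'bindaddr' is the chan_sip [general] key.
SIP_CONF_ALL = "[general]\ncontext=internal\nbindaddr=0.0.0.0\nport=5060\n"
SIP_CONF_LAN = "[general]\ncontext=internal\nbindaddr=10.0.1.5\nport=5060\n"


def parse_bindaddr(conf):
    """Return the bindaddr value from a sip.conf [general] section, or None."""
    m = re.search(r"^\s*bindaddr\s*=\s*(\S+)", conf, re.MULTILINE)
    return m.group(1) if m else None


def listening_on(bindaddr, interfaces):
    """Interface addresses that will accept SIP traffic for this bind address."""
    if bindaddr == "0.0.0.0":   # wildcard: every interface, present and future
        return dict(interfaces)
    return {name: addr for name, addr in interfaces.items() if addr == bindaddr}


def exposed(bindaddr, interfaces, internal_nets):
    """Addresses the service listens on that lie outside the internal networks."""
    return {name: addr for name, addr in listening_on(bindaddr, interfaces).items()
            if not any(ipaddress.ip_address(addr) in net for net in internal_nets)}


if __name__ == "__main__":
    for conf in (SIP_CONF_ALL, SIP_CONF_LAN):
        b = parse_bindaddr(conf)
        print(b, "->", exposed(b, INTERVAL := INTERFACES, INTERNAL_NETS) or "no exposure outside internal nets")
```

With the wildcard bind the check flags eth0 only; with the LAN address it reports nothing, which is the policy the original poster wanted expressed through the mechanism.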
