On Wednesday 16 May 2007 2:28 pm, Mark Borg wrote:
> Thanks for the quick suggestion....
> BUT, the SIP phones are on hand already & are Aastra 9133i.
> Not too sure if I would be able to put client PBX on the public IP, that
> would be a tough sell.

While I understand the layered security model, I have found that in practice it's not nearly as effective as you'd think.

My Asterisk box sits on its own DSL connection through a Sangoma S518. It's also got a TE407P for the actual PSTN interface. Looking at netstat output, I have the following ports open:

  tcp/5432    (PostgreSQL)
  udp/5060    (Asterisk SIP)
  tcp/5038    (Asterisk Manager)
  tcp/22      (SSH)
  tcp/20 & 21 (FTP)

Now, every single one of these ports is needed "worldwide" -- I have remote extensions which use FTP for provisioning, I have a number of external PBXes which communicate over SSL to the Postgres server, and some web/GUI stuff that uses the manager.

What advantage does having a separate firewall in front of this box provide me? It's not going to block any more ports... If someone manages to root the box through an exploit in Asterisk... well, they'll do the same thing if there's a firewall in front. Rate-limiting? ACLs? I can do that with iptables and iproute2 (and in fact I do).

In my experience, it's far more of a pain in the ass to have Asterisk behind a firewall, especially if NAT is involved. The increase in security is marginal at best. Linux has great firewalling capabilities, so why not make use of them *and* make your life easier?

I'm genuinely curious -- every time I tell people my Asterisk box is hanging on the 'net directly, they go pale and start whispering about me behind my back. :-)

-A.
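As an added illustration (not from anyone in this thread) of the host-level iptables approach the reply describes, here is an iptables-restore ruleset that leaves exactly the listed ports reachable, confines PostgreSQL, SSH and the manager port to assumed peer addresses, and rate-limits SIP per source. The addresses, the admin net and the RTP range are placeholders/assumptions, not values from the message.

```shell
#!/bin/sh
# Host firewall for an Asterisk box sitting directly on a public IP.
# Constructed example: all addresses below are placeholders (RFC 5737 test nets),
# and the RTP range assumes Asterisk's default rtp.conf (10000-20000).
MGMT_NET=${MGMT_NET:-203.0.113.0/24}                   # admin net: SSH + manager
PBX_PEERS=${PBX_PEERS:-"198.51.100.10 198.51.100.11"}  # remote PBXes: PostgreSQL
RTP_RANGE=${RTP_RANGE:-10000:20000}

# Print a complete ruleset in iptables-restore format (default policy: DROP).
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SIP_LIMIT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
  # ACL: the database is reachable only from the listed peer PBXes
  for p in $PBX_PEERS; do
    echo "-A INPUT -p tcp -s $p --dport 5432 -j ACCEPT"
  done
  # ACL + rate limit: SSH and the manager port only from the admin net
  echo "-A INPUT -p tcp -s $MGMT_NET --dport 5038 -j ACCEPT"
  echo "-A INPUT -p tcp -s $MGMT_NET --dport 22 -m conntrack --ctstate NEW" \
       "-m limit --limit 6/min --limit-burst 6 -j ACCEPT"
  # FTP provisioning stays world-reachable but new connections are capped per source;
  # SIP goes through SIP_LIMIT, which drops any source exceeding the per-IP rate.
  cat <<EOF
-A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ftp --hashlimit-mode srcip --hashlimit-upto 10/min --hashlimit-burst 10 -j ACCEPT
-A INPUT -p udp --dport 5060 -j SIP_LIMIT
-A INPUT -p udp --dport $RTP_RANGE -j ACCEPT
-A SIP_LIMIT -m hashlimit --hashlimit-name sip --hashlimit-mode srcip --hashlimit-upto 20/sec --hashlimit-burst 40 -j ACCEPT
-A SIP_LIMIT -j DROP
COMMIT
EOF
}

# Load atomically; needs root, and the nf_conntrack_ftp module for passive FTP data.
apply_rules() { gen_rules | iptables-restore; }

if [ "${1:-}" = apply ]; then apply_rules; fi
```

Run with `sh firewall.sh` to print the ruleset for review, or `sh firewall.sh apply` as root to load it.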
