On Wed May 16 2007 15:11:56 Andrew Kohlsmith wrote:
> On Wednesday 16 May 2007 2:28 pm, Mark Borg wrote:
> > Thanks for the quick suggestion....
> > BUT, the SIP phones are on hand already & are aastra 9133i.
> > Not too sure if I would be able to put client PBX on the public IP, that would be a tough sell.
>
> While I understand the layered security model, I have found that in practice it's not nearly as effective as you'd think.
>
> My Asterisk box sits on its own DSL connection through a Sangoma S518. It's also got a TE407P for the actual PSTN interface.
>
> Looking at netstat output, I have the following ports open:
> tcp/5432 (PostgreSQL)
> udp/5060 (Asterisk SIP)
> tcp/5038 (Asterisk Manager)
> tcp/22 (SSH)
> tcp/20&21 (FTP)
>
> Now, every single one of these ports is needed "worldwide" -- I have remote extensions which use FTP for provisioning, I have a number of external PBXes which communicate over SSL to the Postgres server, and some web/gui stuff that uses the manager. What advantage does having a separate firewall in front of this box provide me? It's not going to block any more ports... If someone manages to root the box through an exploit in Asterisk... Well they'll do the same thing if there's a firewall in front. Rate-limiting? ACLs? I can do that with iptables and iproute2 (and in fact I do).
>
> In my experience, it's far more of a pain in the ass to have Asterisk behind a firewall, especially if NAT is involved. The increase in security is marginal at best. Linux has great firewalling capabilities, so why not make use of them *and* make your life easier?
>
> I'm genuinely curious -- every time I tell people my Asterisk box is hanging on the 'net directly, they go pale and start whispering about me behind my back. :-)
>
> -A.
Yes, I kind of figured that is an appropriate solution, but this client also has a Server 2003 on the other side of the router/firewall. As the DSL modem only gives one IP address, would it be appropriate to just DMZ the * box, assuming it will ignore ports it doesn't use?
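A host-based iptables policy of the kind Andrew describes (ACLs and rate limits on the box itself), exposing only the ports from his netstat list, as an added example that is not from either poster. The interface name and the two peer networks are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example: host-based iptables policy for an Asterisk box on a public IP.
# Only the ports from the netstat list are opened; the peer networks and the
# interface name are constructed placeholders, not values from the thread.
IPT="${IPT:-echo iptables}"               # default prints rules; IPT=iptables applies them
WAN_IF="${WAN_IF:-eth0}"                  # assumed DSL-facing interface
PBX_PEERS="${PBX_PEERS:-192.0.2.0/24}"    # placeholder: external PBXes (PostgreSQL over SSL)
ADMIN_NET="${ADMIN_NET:-198.51.100.0/24}" # placeholder: web/GUI and admin hosts

asterisk_fw() {
    # Default-deny inbound; replies to connections the box opened are allowed.
    # Load nf_conntrack_ftp so passive FTP data connections count as RELATED.
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # SIP must stay world-reachable for the remote 9133i handsets, so cap the
    # packet rate per source address instead of blocking anyone outright.
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport 5060 \
        -m hashlimit --hashlimit-name sip --hashlimit-mode srcip \
        --hashlimit-above 20/sec --hashlimit-burst 40 -j DROP
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport 5060 -j ACCEPT

    # PostgreSQL, the manager interface and SSH are used by a known set of
    # peers: this is where a source ACL buys more than a second firewall would.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 5432 -s "$PBX_PEERS" -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 5038 -s "$ADMIN_NET" -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -s "$ADMIN_NET" -j ACCEPT

    # FTP provisioning has to accept any handset on the Internet; throttle new
    # control connections per source to slow down password guessing.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 21 -m state --state NEW \
        -m recent --name ftp --update --seconds 60 --hitcount 10 -j DROP
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 21 -m state --state NEW \
        -m recent --name ftp --set -j ACCEPT

    # Log (rate-limited) whatever is about to hit the DROP policy.
    $IPT -A INPUT -i "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "asterisk-fw: "
}

asterisk_fw
```

Run as-is to preview the rule set; run as root with `IPT=iptables` to apply it.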
