[asterisk-dev] Asterisk Network Security Idea (using tcp_wrappers)

Venefax venefax at gmail.com
Sun Mar 29 17:38:07 CDT 2009


I don't think it is a good idea to use a firewall in an Asterisk box, it has
got to slow things down. I have found that this way of catching the IP
addresses of the wholesale clients in RAM is nearly instantaneous.

I want to share the way I handle security with the community. I load in
memory global variables like this: CIP.ADD.RE.SS=X, where X is a client
number. If the client is sending a prefix, then the global variable takes
this form
CIP.ADD.RE.SSPNNN=X, where the 4 digits after the "P" are the prefix. I
generate this file directly from SQL server and it gets reloaded with every
"dialplan reload". Then, when the call arrives, it goes through this simple
filter, where ${SIPIP} is the incoming IP address:

[gateway]
exten=>_X.,1,GotoIf($[${EXISTS(${${SIPIP}P${destino:0:4}})}]?gateway,hasprefix,1)
exten=>_X.,n,GotoIf($[${EXISTS(${${SIPIP}})}]?gateway,hasnoprefix,1)
exten=>_X.,n,Verbose(0,"${destino} CLIENT UNKNOWN FROM IP ${SIPIP}")
exten=>_X.,n,Hangup(34)
exten=>hasprefix,1,Set(X=${${SIPIP}P${destino:0:4}})
exten=>hasprefix,n,Goto(defaultproc,${destino:4},1)
exten=>hasnoprefix,1,Set(X=${${SIPIP}})
exten=>hasnoprefix,n,Goto(defaultproc,${destino},1)

At this point the client is accepted, we know his client ID and the call is a
candidate for routing. That does not mean it will route, it still has to go
through a very complex least cost routing algorithm that amongst other
things checks instantly if the number has been ported, going through a
database of 220 million US numbers. All this in max 1/4 of a second, simply
by NOT using mysql anywhere in the system.
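The following is an added example, not code from the post or from the Asterisk project. It simulates the scheme described above in Python: rendering a `[globals]` block from a client table (the step the author does from SQL Server), loading it back into an in-memory map, and applying the same two-stage lookup as the `[gateway]` context (IP plus 4-digit prefix first, then bare IP, otherwise reject). The client table, IP addresses and prefixes are constructed sample data; the function names are this example's own.

```python
"""Simulation of the global-variable allowlist from the post (added example)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample client table: (client_id, source_ip, optional 4-digit prefix).
# Two clients share one IP and are told apart only by the prefix they send.
CLIENTS: List[Tuple[int, str, Optional[str]]] = [
    (7, "192.0.2.10", None),      # client 7 sends no prefix
    (8, "192.0.2.20", "1234"),    # client 8 sends prefix 1234
    (9, "192.0.2.20", "9999"),    # client 9 shares the IP, sends prefix 9999
]


def globals_block(clients: List[Tuple[int, str, Optional[str]]]) -> str:
    """Render the [globals] section that Asterisk loads on 'dialplan reload'.

    Variable names follow the post's scheme: the bare IP when the client sends
    no prefix, IP + 'P' + prefix otherwise; the value is the client number.
    """
    lines = ["[globals]"]
    for client_id, ip, prefix in clients:
        name = ip if prefix is None else f"{ip}P{prefix}"
        lines.append(f"{name}={client_id}")
    return "\n".join(lines)


def load_globals(text: str) -> Dict[str, str]:
    """Parse the rendered block back into the name->value map held in RAM."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line.startswith("["):
            continue  # skip the section header and blank lines
        name, _, value = line.partition("=")
        table[name] = value
    return table


def gateway_filter(table: Dict[str, str], sip_ip: str,
                   destino: str) -> Optional[Tuple[int, str]]:
    """Mirror the [gateway] context.

    Step 1: EXISTS(${IP}P${destino:0:4}) -> strip the 4-digit prefix and route.
    Step 2: EXISTS(${IP})                -> route the number unchanged.
    Otherwise the post logs 'CLIENT UNKNOWN' and hangs up with cause 34;
    here that is a None return.
    """
    with_prefix = f"{sip_ip}P{destino[:4]}"
    if with_prefix in table:
        return int(table[with_prefix]), destino[4:]
    if sip_ip in table:
        return int(table[sip_ip]), destino
    return None


if __name__ == "__main__":
    rendered = globals_block(CLIENTS)
    print(rendered)
    lookup = load_globals(rendered)
    for ip, number in [("192.0.2.10", "15551234567"),
                       ("192.0.2.20", "123415551234567"),
                       ("192.0.2.20", "15551234567")]:
        print(ip, number, "->", gateway_filter(lookup, ip, number))
```

The dictionary lookup is constant time regardless of how many clients are loaded, which is the property the post relies on; the prefix check is tried before the bare-IP check so that a client defined only with a prefix is rejected when it omits it, exactly as the dialplan order implies.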
