[asterisk-dev] Asterisk Network Security Idea ( using tcp_wrappers )

Andrew Kohlsmith (lists) aklists at mixdown.ca
Sun Mar 29 17:49:07 CDT 2009


On March 29, 2009 06:38:07 pm Venefax wrote:
> I don't think it is a good idea to use a firewall in an Asterisk box, it
> has got to slow things down. I have found that this way of catching the IP
> addresses of the wholesale clients in RAM is nearly instantaneous.

"got to" slow things down?  If you're running things that tight, your PBX will 
not be stable, period.  The kernel networking code makes hundreds of 
decisions about the packets coming in already; adding a half dozen more for 
blacklist or whitelist checks isn't going to slow things down any measurable 
amount on any "normal" installation.

> I want to share the way I handle security with the community. I load in
> memory global variables like this: CIP.ADD.RE.SS=X, where X is a client
> number. If the client is sending a prefix, then the global variable takes
> this form
> CIP.ADD.RE.SSPNNN=X, where the 4 digits after the "P" are the prefix. I
> generate this file directly from SQL server and it gets reloaded with every
> "dialplan reload". Then, when the call arrives, it goes through this simple
> filter, where ${SIPIP} is the incoming IP address:
>
> [gateway]
> exten=>_X.,1,GotoIf($[${EXISTS(${${SIPIP}P${destino:0:4}})}]?gateway,hasprefix,1)
> exten=>_X.,n,GotoIf($[${EXISTS(${${SIPIP}})}]?gateway,hasnoprefix,1)
> exten=>_X.,n,Verbose(0,"${destino} CLIENT UNKNOWN FROM IP ${SIPIP}")
> exten=>_X.,n,Hangup(34)
> exten=>hasprefix,1,Set(X=${${SIPIP}P${destino:0:4}})
> exten=>hasprefix,n,Goto(defaultproc,${destino:4},1)
> exten=>hasnoprefix,1,Set(X=${${SIPIP}})
> exten=>hasnoprefix,n,Goto(defaultproc,${destino},1)
>
> At this point the client is accepted, we know his client ID and the call is a
> candidate for routing. That does not mean it will route, it still has to go
> through a very complex least cost routing algorithm that amongst other
> things checks instantly if the number has been ported, going through a
> database of 220 million US numbers. All this in max 1/4 of a second, simply
> by NOT using mysql anywhere in the system.

... and you are worried about iptables-type firewalling slowing down your PBX?

It looks nifty, but it also looks waaaaaaaaaay over-the-top for any kind of 
sane security.  I am positive that it works for you though, and give you the 
kudos for developing such a complex system.

-A.
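As an added illustration (not code from either poster), the following Python models the two-step lookup the quoted [gateway] context performs: globals of the form IP=client and IPPNNNN=client are generated from a client table, and an incoming (SIPIP, destino) pair is resolved prefix-first, then bare IP, otherwise rejected. The CLIENTS rows are constructed sample data standing in for the SQL Server export.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample client table (ip, prefix or None, client id);
# in the post this comes out of SQL Server.
CLIENTS: List[Tuple[str, Optional[str], int]] = [
    ("203.0.113.10", None, 17),     # client 17 sends no prefix
    ("203.0.113.20", "1234", 42),   # client 42 prefixes every number with 1234
    ("203.0.113.20", "5678", 43),   # same IP, a second prefix maps to client 43
]


def build_globals(clients) -> Dict[str, int]:
    """Build the name->client map the poster's generator emits as globals."""
    table: Dict[str, int] = {}
    for ip, prefix, client_id in clients:
        name = ip if prefix is None else f"{ip}P{prefix}"
        table[name] = client_id
    return table


def render_globals(table: Dict[str, int]) -> str:
    """Render the map as the [globals] lines that 'dialplan reload' picks up."""
    lines = [f"{name}={client}" for name, client in sorted(table.items())]
    return "[globals]\n" + "\n".join(lines) + "\n"


def resolve(table: Dict[str, int], sipip: str, destino: str) -> Optional[Tuple[int, str]]:
    """Mirror the [gateway] context: return (client_id, number_to_route) or None."""
    # Priority 1: IP plus the first four dialled digits, i.e. the prefix entry.
    key = f"{sipip}P{destino[:4]}"
    if key in table:
        return table[key], destino[4:]       # hasprefix: strip the prefix
    # Priority 2: bare IP entry, number passed through unchanged.
    if sipip in table:
        return table[sipip], destino         # hasnoprefix
    # Neither matched: the dialplan logs CLIENT UNKNOWN and hangs up (cause 34).
    return None
```

Note that the bare-IP step only runs when no prefix entry matched, so an IP that has only prefixed entries rejects any call whose first four digits are not a configured prefix.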


