[asterisk-dev] Asterisk Network Security Idea ( using tcp_wrappers )

Gregory Boehnlein damin at nacs.net
Sun Mar 29 19:29:28 CDT 2009


> > I don't think it is a good idea to use a firewall in an Asterisk box, it
> > has got to slow things down. I have found that this way of catching the IP
> > addresses of the wholesale clients in RAM is nearly instantaneous.
> 
> "got to" slow things down?  If you're running things that tight, your
> PBX will not be stable, period.  The kernel networking code makes hundreds of
> decisions about the packets coming in already; adding a half dozen more
> for blacklist or whitelist checks isn't going to slow things down any
> measurable amount on any "normal" installation.

I'll second this. Dealing with IP address blocking at the lowest level is
always the most efficient. It's far more efficient to put in an iptables
rule that blocks packets at the kernel level, rather than bringing all of
that information into the Asterisk core and doing a bunch of extra
processing. I can't see how anyone could believe that it would be more
efficient. The Linux iptables and routing stacks can handle line-rate on a
100 meg connection w/out breaking a sweat on a Pentium 3 even with thousands
of iptables rules. I've done it.
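The kernel-level whitelist argued for above, as an added example that is not part of the original post: a POSIX sh helper that emits the ipset/iptables commands for a fixed list of wholesale-client addresses so that SIP signalling from anyone else is dropped before Asterisk ever sees the packet. The set name, chain name and peer addresses are constructed placeholders; RTP media ports are not covered.

```shell
#!/bin/sh
# Added example: build a kernel-level SIP whitelist with ipset + iptables.
# Nothing is executed by the helper itself; it prints the commands so the
# rule set can be reviewed (or piped to sh on the PBX as root).

SIP_SET="sip_clients"   # assumed ipset name holding the allowed peers
SIP_CHAIN="SIP_IN"      # assumed dedicated chain for inbound SIP

# Print the commands that (re)build the whitelist for the given peers.
# $1: whitespace-separated list of IPv4 addresses or CIDR prefixes.
sip_whitelist_rules() {
    peers="$1"
    # Set of allowed peers; rebuilt from scratch on every run
    printf 'ipset create %s hash:net -exist\n' "$SIP_SET"
    printf 'ipset flush %s\n' "$SIP_SET"
    for p in $peers; do
        printf 'ipset add %s %s\n' "$SIP_SET" "$p"
    done
    # Dedicated chain: create it, or flush it if it already exists
    printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$SIP_CHAIN" "$SIP_CHAIN"
    # Accept only peers in the set; rate-limited log line for everything
    # else so scans and misconfigured peers are visible in syslog, then drop
    printf 'iptables -A %s -m set --match-set %s src -j ACCEPT\n' "$SIP_CHAIN" "$SIP_SET"
    printf 'iptables -A %s -m limit --limit 10/min -j LOG --log-prefix "SIP-DROP: "\n' "$SIP_CHAIN"
    printf 'iptables -A %s -j DROP\n' "$SIP_CHAIN"
    # Hook SIP on UDP and TCP 5060 into the chain; -C first keeps it idempotent
    for proto in udp tcp; do
        printf 'iptables -C INPUT -p %s --dport 5060 -j %s 2>/dev/null || iptables -I INPUT -p %s --dport 5060 -j %s\n' \
            "$proto" "$SIP_CHAIN" "$proto" "$SIP_CHAIN"
    done
}

# Number of commands a peer list would produce; a quick sanity check
# before the output is applied.
sip_whitelist_rule_count() {
    sip_whitelist_rules "$1" | wc -l | tr -d ' '
}

# Usage on the PBX (constructed peer list):
#   sip_whitelist_rules "192.0.2.10 198.51.100.0/24" | sh
```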
