[asterisk-dev] Security Request for discussion: Should sip.conf allowguest=yes be the default

Kai Hoerner kai at ciphron.de
Wed Nov 18 05:09:58 CST 2009


Olle E. Johansson wrote:
>>> The idea is to default 'allowguest' to 'local' using the following.
>>>
>>> 'allowguest=local'
>>> 	only computers on the same subnet as asterisk, 'That magic moment is
>>> still preserved when first connecting to asterisk.
>>>       
> This is becoming too complicated to be a simple security protection.
>
> I still think we should separate incoming context for guests and the one we use as a default for devices, then let the dialplan control what services we provide to anyone. That the default context configuration in sip.conf is used in two ways is confusing and may lead to problems.

Additionally, if we change the default from "yes" to "local", we may
break existing setups that do not have the setting explicitly set. (We
already had this in the beginning of the discussion.)

Regards,
Kaii




