[asterisk-dev] Security Request for discussion: Should sip.conf allowguest=yes be the default

Olle E. Johansson oej at edvina.net
Wed Nov 18 11:46:26 CST 2009


On 18 Nov 2009, at 12:09, Kai Hoerner wrote:

> Olle E. Johansson wrote:
>>>> The idea is to default 'allowguest' to 'local' using the following.
>>>> 
>>>> 'allowguest=local'
>>>> 	only computers on the same subnet as asterisk, 'That magic moment is
>>>> still preserved when first connecting to asterisk.
>>>> 
>> This is becoming too complicated to be a simple security protection.
>> 
>> I still think we should separate incoming context for guests and the one we use as a default for devices, then let the dialplan control what services we provide to anyone. That the default context configuration in sip.conf is used in two ways is confusing and may lead to problems.
> 
> Additionally, if we change the default from "yes" to "local", we may
> break existing setups that do not have the setting explicitly set. (we
> already had this in the beginning of the discussion)
I don't agree with "local" since it assumes a lot of other configurations and doesn't really help. We already have settings for handling ACLs that users are free to use.

I am beginning to think that we should probably divide the "sample" configurations and the "reference". The "sample" could be much more simple and just have some basic settings to get things going and security information.

/O

