[asterisk-dev] SIP, NAT, security concerns, oh my!

Terry Wilson twilson at digium.com
Sat Oct 22 13:23:28 CDT 2011


> Therefore, I propose Option 4:
> 
> Remove or strongly discourage the use of the per-peer setting. This
> would ensure consistent behaviour for every extension, and leave the
> behaviour configurable globally. I can live with that personally.
> Strongly discouraging could be accomplished by linking to this thread
> from the default config file comments.

I would not recommend removal since we generally try not to make policy decisions for the users. There are tons of ways Asterisk gives users enough rope to hang themselves. Discouraging per-peer nat setting would be fine. I would also change the default to nat=yes since it seems to be the more common setting and not likely to break any devices. Of course, that is pretty much option 3 with a warning discouraging per-peer setting of nat=. Perhaps we could display a warning on initial config parsing for peers set opposite of the general setting. I would also recommend to people to use TCP. For the purposes of SIP signaling I don't see any NAT advantages for UDP over TCP like there are for RTP since Asterisk is always in the signaling path.
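
The config-parse warning suggested in the message above can be approximated offline. This is an added example, not part of the original post and not Asterisk's own code: it parses a sip.conf and reports peers whose effective nat= differs from [general]. The sample config, the function names, the template precedence rule and the `builtin_default="no"` fallback are assumptions.

```python
import re

HEADER = re.compile(r"^\[([^\]]+)\]\s*(?:\(([^)]*)\))?")  # [name] or [name](flags)
# Constructed sample sip.conf for this example (not taken from the thread).
SAMPLE = """\
[general]
nat=yes            ; global setting
[office](!)        ; template, not a peer
nat=no
[alice](office)
[bob]
nat = yes
[dave]
nat=no
"""

def parse_sections(text):
    """Map section name -> {"opts": {...}, "parents": [...], "template": bool}."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        m = HEADER.match(line)
        if m:
            flags = [f.strip() for f in (m.group(2) or "").split(",") if f.strip()]
            cur = sections.setdefault(m.group(1), {"opts": {}})
            cur.update(template="!" in flags, parents=[f for f in flags if f not in ("!", "+")])
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur["opts"][key.strip().lower()] = val.lstrip(">").strip()
    return sections

def effective_nat(sections, name, seen=()):
    """Own nat= wins; otherwise assume the last-listed template that sets it wins."""
    sec = sections[name]
    if "nat" in sec["opts"]:
        return sec["opts"]["nat"].lower()
    for parent in reversed(sec["parents"]):
        if parent in sections and parent not in seen:
            nat = effective_nat(sections, parent, seen + (name,))
            if nat is not None:
                return nat
    return None

def audit_nat(text, builtin_default="no"):
    """Peers whose nat= differs from [general]; builtin_default is an assumption."""
    sections = parse_sections(text)
    general = sections.get("general", {"opts": {}})["opts"].get("nat", builtin_default).lower()
    peers = [n for n, s in sections.items() if n != "general" and not s["template"]]
    hits = [(n, effective_nat(sections, n), general) for n in peers]
    return [h for h in hits if h[1] not in (None, general)]
```

`audit_nat(SAMPLE)` flags `alice`, which picks up `nat=no` from the template, and `dave`, which sets it directly; `bob` matches the global value and is not reported.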


