[asterisk-users] Asterisk, SIP & Firewalls

Ryan Wagoner rswagoner at gmail.com
Wed Apr 27 12:56:10 CDT 2011


On Wed, Apr 27, 2011 at 1:16 PM, Myles Wakeham <myles at techsol.org> wrote:
> It kinda scares me though.  I know that SIP is an attractive attack-vector,
> and that there are scripts out there that target SIP devices.  I know I
> could run Fail2Ban on the server, which is fine (we're doing that anyway
> now), but before I go down this path, I wanted to get general feedback if we
> are using our Asterisk system using 'best practices' or whether it should
> never be sitting behind a Firewall, despite the fact that it is working
> pretty close to perfect as it is right now.  I just want to find a way to
> reduce the latency.

I have placed Asterisk outside the firewall / NAT router to avoid the
translation. I usually will set up the server with dual NICs. One has
the public IP and another has the internal private IP. Set the default
gateway to the public IP gateway. Then just configure iptables to
firewall the server interfaces accordingly. This configuration allows
Asterisk to sit directly on the Internet while keeping your internal
phones from going out your NAT router and back to Asterisk. Basically
the best of both worlds.

Ryan
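
The dual-NIC iptables setup described in the reply above, sketched as an added example that is not part of the original message. The interface names, the internal subnet, SIP on UDP 5060 and RTP on UDP 10000-20000 (the range in Asterisk's stock rtp.conf) are assumptions; the script only prints a ruleset and changes nothing on the host.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for an Asterisk host with two NICs:
# one on the public Internet, one on the private LAN with the phones.
# Assumed, not from the post: SIP = UDP 5060, RTP = UDP 10000-20000.
gen_rules() {
    [ "$#" -eq 3 ] || { echo "usage: gen_rules PUB_IF INT_IF INT_NET" >&2; return 2; }
    pub_if=$1    # NIC holding the public IP (default gateway lives here)
    int_if=$2    # NIC holding the private IP
    int_net=$3   # subnet of the internal phones, in CIDR form

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: private source addresses must never arrive on the public NIC
-A INPUT -i $pub_if -s $int_net -j DROP
# Internal side: phones reach Asterisk directly, no trip through the NAT router
-A INPUT -i $int_if -s $int_net -p udp --dport 5060 -j ACCEPT
-A INPUT -i $int_if -s $int_net -p udp --dport 10000:20000 -j ACCEPT
# Management (SSH) is offered on the internal NIC only
-A INPUT -i $int_if -s $int_net -p tcp --dport 22 -j ACCEPT
# Public side: SIP signalling and RTP media only, everything else hits DROP
-A INPUT -i $pub_if -p udp --dport 5060 -j ACCEPT
-A INPUT -i $pub_if -p udp --dport 10000:20000 -j ACCEPT
COMMIT
EOF
}

# FORWARD stays at DROP so the dual-homed box never routes between the
# Internet and the LAN; it terminates calls on each side instead.
# Example: sh asterisk-fw.sh eth0 eth1 192.168.1.0/24 | iptables-restore --test
if [ "$#" -eq 3 ]; then
    gen_rules "$@"
fi
```

Piping the output through `iptables-restore --test` parses the ruleset without applying it. Fail2Ban, mentioned in the quoted question, adds its own chains on top of a base policy like this one.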


