[asterisk-users] Is this doable?

Josh mojo1736 at privatedemail.net
Tue Feb 7 11:43:54 CST 2012


>> It is indeed. This is already implemented in Asterisk I take it then? If
>> so, brilliant news!
> More or less.  I don't know if it's easy to trigger for specific 
> caller ID values, or for none.  You might need to do a little 
> customization, but something mostly like what you describe is present.
I am glad to see this! Which modules/functions present this 
functionality - do you know? I am almost certainly going to customise 
this as the screening of calls will be done using my own custom-defined 
criteria and the response options will also have to be 
customised/enhanced as well (how much really depends on what is 
currently implemented in Asterisk).

> Is there some kind of attack that you believe is possible on one 
> interface that isn't on the other?  I can't conceive of any way that 
> making your service available on additional addresses increases your 
> vulnerability.
Of course it does - by making the Asterisk service available on, say, eth2 
(by binding on 0.0.0.0 that is automatically enabled, i.e. Asterisk can 
receive packets coming from that interface). This is not what I want.

If I could restrict Asterisk to bind only on the eth0 and eth1 for 
example, packets coming from that interface (eth2) won't affect Asterisk 
at all and they will either be dropped or rejected as nothing would 
listen on that address/port.

I know that you may say "netfilter/iptables is there to protect you", 
but the system will be more secure if Asterisk doesn't have the (physical) 
ability to answer requests coming from "undesired" interfaces - 
regardless of whether I have a fully-functional netfilter/iptables in 
place (even if it is compromised), rather than having Asterisk 
potentially answering such requests (by binding to 0.0.0.0) even if 
netfilter/iptables are functioning.

In other words, having physically restricted Asterisk from answering 
requests coming from undesired interfaces (short of directly 
forwarding/routing packets from/to that interface) is better than 
allowing it to do so and relying solely on netfilter/iptables for protection.
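The bind-address point above, as an added audit example that is not from this thread or from the Asterisk project: one helper reads a sip.conf for the wildcard bind, the other scans ss/netstat-style listener lines for VoIP ports bound to all addresses. The port list (5060 SIP, 4569 IAX2, 5038 AMI) and the chan_sip key names and their 0.0.0.0 default (bindaddr, udpbindaddr, tcpbindaddr) are assumptions to confirm against your Asterisk version.

```shell
#!/bin/sh
# Added audit helpers (not from the thread): is Asterisk bound to the wildcard
# address? First check the config, then the live socket table.
# VOIP_PORTS is an assumption: 5060 SIP, 4569 IAX2, 5038 AMI.
VOIP_PORTS="5060 4569 5038"

# Read a sip.conf-style file and report whether the bind address in effect is
# the wildcard. chan_sip's bindaddr/udpbindaddr/tcpbindaddr default to 0.0.0.0
# (assumed), so an unset key counts as wildcard too. Exit 1 if wildcard, else 0.
bindaddr_is_wildcard() {
    awk -F= '
        /^[ \t]*(udp|tcp)?bindaddr[ \t]*=/ {
            v = $2; sub(/;.*/, "", v); gsub(/[ \t]/, "", v)   # strip ; comments
            sub(/:[0-9]+$/, "", v)                            # strip :port suffix
            addr = v
        }
        END {
            if (addr == "" || addr == "0.0.0.0" || addr == "[::]" || addr == "::") exit 1
            exit 0
        }
    ' "$1"
}

# Read ss/netstat-style listener lines on stdin (one socket per line, with a
# "Local Address:Port" column) and print every wildcard-bound socket on a
# VoIP port. Exit 1 if any were found, 0 if every listener has a specific address.
wildcard_binds() {
    found=0
    set -f                          # no pathname globbing on the '*' in ss output
    while read -r line; do
        for field in $line; do
            case "$field" in
                0.0.0.0:*|'*':*|'[::]':*|:::*) port=${field##*:} ;;
                *) continue ;;
            esac
            for p in $VOIP_PORTS; do
                [ "$port" = "$p" ] && { echo "$field"; found=1; }
            done
        done
    done
    set +f
    return $found
}

# Usage on a live box:  ss -lnup | wildcard_binds   and   bindaddr_is_wildcard /etc/asterisk/sip.conf
```

A listener bound to a specific address is what makes packets arriving on an unwanted interface fail with "port unreachable" before Asterisk ever sees them; this script only tells you which state you are in.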


