[asterisk-users] Binding to 0.0.0.0 a security risk?

Josh mojo1736 at privatedemail.net
Tue Feb 7 11:45:49 CST 2012


> All of that is true, but none of it appears to be a security concern, 
> specifically.
For you, maybe, but from where I am sitting, I don't want to rely 
solely on netfilter/iptables to protect me when I could physically 
restrict Asterisk from binding to that interface (and answering such 
requests) - that will serve me well in the event netfilter/iptables is 
somehow compromised (see my previous post).

> It's possible for an application to bind a socket to a specific 
> interface, but very few do.  Generally speaking, server applications 
> bind a socket to an address.  The kernel decides what interface 
> packets are sent on.  Normally that will be the interface that has the 
> lowest cost default route, not necessarily the one on which a 
> connection was initiated.  That is why I noted previously that you 
> have to use connection tracking, packet mangling, and ip rules for 
> multi-homed hosts.  If you've never verified that your packets are 
> being routed out the interface you expect (probably with tcpdump), 
> perhaps you should.
Yeah, that was already clarified by another poster - I assumed (wrongly, 
as it turned out) that Asterisk, somehow, could "automagically" take 
care of directing sip/voip packets between interfaces and also take care 
of all the other related issues. As I understand it now, I will have to 
reconfigure this myself by using the standard Linux/Unix tools (ip & 
iptables mostly). Thanks for the clarification yet again!
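
Added example (not part of the original post, and not Asterisk code): a check for which UDP listeners are bound to the wildcard address 0.0.0.0 rather than to one address, read from the Linux /proc/net/udp table. The sample rows, the ports 5060 and 4569, and the little-endian host byte order are assumptions made for illustration.

```python
import socket
import struct

# Constructed sample in /proc/net/udp format (little-endian host assumed).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:13C4 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 20001 2 0000000000000000 0
  102: 0A01A8C0:11D9 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 20002 2 0000000000000000 0
  103: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 20003 2 0000000000000000 0
"""


def parse_udp_table(text):
    """Return (ip, port) for the local end of every socket in the table."""
    socks = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The kernel prints the address as a host-order 32-bit hex value.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        socks.append((ip, int(hex_port, 16)))
    return socks


def audit(text, ports=(5060,)):
    """Split the watched ports into wildcard binds and address-specific binds."""
    watched = set(ports)
    socks = [(ip, p) for ip, p in parse_udp_table(text) if p in watched]
    return {
        "wildcard": sorted(p for ip, p in socks if ip == "0.0.0.0"),
        "specific": sorted((ip, p) for ip, p in socks if ip != "0.0.0.0"),
    }


if __name__ == "__main__":
    try:
        with open("/proc/net/udp") as fh:       # live table on a Linux host
            table = fh.read()
    except OSError:
        table = SAMPLE                          # fall back to the constructed rows
    print(audit(table, ports=(5060, 4569)))
```

A port listed under "wildcard" answers on every address the host has, so only the packet filter keeps it off an interface; a port under "specific" is restricted by the bind itself.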



