[asterisk-users] Binding to 0.0.0.0 a security risk?

Tony Mountifield tony at softins.co.uk
Wed Feb 8 04:29:31 CST 2012


In article <4F324279.70909 at Message-ID.plonk.de>,
Jakob Hirsch <jh at plonk.de> wrote:
> Raj Mathur (राज माथुर), 2012-02-08 03:27:
> > Packets not going out on the same interface as the one they were 
> > received on is a general IP issue, not just for connectionless 
> 
> Right, this was an inaccuracy. It should say "Asterisk does not reply
> with the IP address with which packets were received". Asterisk (as most
> applications) does not care about network interfaces, it just handles IP
> addresses.
> 
> > protocols.  The same behaviour can be seen with TCP too.  Unless you 
> > mangle with iptables or something, all information about the received 
> 
> A tcp connection is defined by the tuple (source host&port, destination
> host&port), so if you write to a tcp socket, the kernel knows which
> source address it has to use (and also which destination address, so the
> application doesn't need to know that at all).
> As there's no such relation in udp, the application has to provide the
> destination address. The kernel then decides which source address to
> use, as long as the application did not bind() to a specific address.

This is why some UDP servers such as for DNS and NTP create a separate
socket bound specifically to each local IP address. Then by sending a
response via the same socket as the request was received on, it can be
reasonably sure that the response will go out on the right interface.

Maybe Asterisk does or could do the same. I haven't checked.

Cheers
Tony
-- 
Tony Mountifield
Work: tony at softins.co.uk - http://www.softins.co.uk
Play: tony at mountifield.org - http://tony.mountifield.org
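The per-address socket pattern described above (one UDP socket bound to each local IP, reply sent through the socket the request arrived on) as an added example; this is not code from Asterisk or from any poster in the thread, only standard-library Python. The function names, the loopback addresses used for the demo and the `probe`/`reply:` payloads are my own choices.

```python
"""Per-address UDP sockets: reply through the socket a request arrived on."""
import select
import socket


def bind_per_address(addresses, port=0):
    """Bind one UDP socket to each local address (port 0 = ephemeral).

    Returns a dict {(ip, port): socket}. Addresses that cannot be bound on this
    host are skipped, so the demo also runs where only 127.0.0.1 is configured.
    """
    socks = {}
    for addr in addresses:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            s.bind((addr, port))
        except OSError:
            s.close()
            continue
        socks[s.getsockname()] = s
    return socks


def serve_one(socks, timeout=2.0):
    """Answer one datagram from whichever bound socket is readable.

    Because the reply leaves through the same socket that received the
    request, its source address is the address that socket is bound to,
    not whatever the kernel's routing table would otherwise choose for a
    wildcard-bound socket. Returns (local ip, peer, payload) or None on timeout.
    """
    readable, _, _ = select.select(list(socks.values()), [], [], timeout)
    for s in readable:
        data, peer = s.recvfrom(65535)
        s.sendto(b"reply:" + data, peer)
        return s.getsockname()[0], peer, data
    return None


def round_trip(server_socks):
    """Send one probe to every bound server address and record which source
    address each reply came back from. Returns {server_ip: reply_source_ip}.
    Single-threaded: UDP queues the request in the kernel until serve_one runs.
    """
    seen = {}
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2.0)
    try:
        for ip, port in server_socks:
            client.sendto(b"probe", (ip, port))  # constructed sample request
            serve_one(server_socks)              # one request, one reply
            _, (src_ip, _) = client.recvfrom(65535)
            seen[ip] = src_ip
    finally:
        client.close()
        for s in server_socks.values():
            s.close()
    return seen


if __name__ == "__main__":
    # 127.0.0.2 is part of the loopback /8 on Linux; elsewhere it is skipped.
    result = round_trip(bind_per_address(["127.0.0.1", "127.0.0.2"]))
    for server_ip, reply_ip in result.items():
        print(f"request to {server_ip} -> reply from {reply_ip}")
```

The check a practitioner wants is the one `round_trip` performs: for every address the server is bound to, the reply's source address equals the address the request was sent to. A single socket bound to 0.0.0.0 gives no such guarantee, which is exactly the mismatch the thread is about.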
