[asterisk-users] Is this doable?
Josh
mojo1736 at privatedemail.net
Wed Feb 8 11:28:41 CST 2012
> http://www.asterisk.org/astdocs/node66.html
Thanks, never knew that!
> Yes, I understand that it's not what you want, but that doesn't make
> it a security concern. If Asterisk is publicly available on one
> interface, making it available on another interface doesn't make you
> less secure.
You lost me. What I want/don't want is largely irrelevant. The issue is,
as you rightly pointed out, whether it is considered more secure or less
secure when Asterisk binds to 0.0.0.0 as opposed to using a specific set
of interfaces, selected at startup.
If one has internal networks, accessible via, say eth1 and tun0, and
implements Asterisk to act as the internal/private PBX (without exposing
it to the outside world), then having been forced to use 0.0.0.0 will,
of course, expose Asterisk to any other - undesirable - interfaces,
including those pointing to the outside world.
By having the option to specify which interfaces Asterisk should use to
bind to (via multiple {udp,tcp}bind statements or by any other means)
Asterisk is *not* exposed to any undesirable interfaces and thus, the
risk is not there. I thought I had made that clear by now; obviously I
haven't, it seems.
> It's fine if you want to take that step, but please drop the "everyone
> knows this is a security risk" thing. You appear to be alone in that
> opinion, and unable to explain why you think it's a security risk.
> Moreover, you're speaking for others without warrant or welcome.
If you can't see why binding to 0.0.0.0 carries greater risk than
restricting which interfaces Asterisk uses, then you are truly blind
and beyond help, I am afraid.
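
An added example, not part of the original message: a check of the exposure discussed above, which parses `ss -H -tuln` output and flags SIP listeners bound to a wildcard address or to an address outside the internal interfaces. The eth1/tun0 addresses, the SIP port set, and the sample output are constructed assumptions.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output (not taken from a real host).
SAMPLE_SS = """\
udp   UNCONN 0      0            0.0.0.0:5060       0.0.0.0:*
udp   UNCONN 0      0           10.8.0.1:5060       0.0.0.0:*
tcp   LISTEN 0      128      192.168.1.1:5060       0.0.0.0:*
tcp   LISTEN 0      128             [::]:5061          [::]:*
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*
tcp   LISTEN 0      128                *:22               *:*
"""

# Assumed addresses of the internal interfaces (eth1, tun0) and SIP ports.
ALLOWED_ADDRS = {"192.168.1.1", "10.8.0.1"}
SIP_PORTS = {5060, 5061}

def parse_listener(line):
    """Return (proto, address, port) for one `ss -H -tuln` line, or None."""
    fields = line.split()
    if len(fields) < 5:
        return None
    host, _, port = fields[4].rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %ifname scope
    if not port.isdigit():
        return None
    return fields[0], host, int(port)

def is_wildcard(host):
    """True for 0.0.0.0, :: and the dual-stack '*' that ss prints."""
    return host == "*" or ipaddress.ip_address(host).is_unspecified

def audit(ss_output, ports=SIP_PORTS, allowed=ALLOWED_ADDRS):
    """List SIP listeners that are reachable on interfaces outside `allowed`."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed is None or parsed[2] not in ports:
            continue
        proto, host, port = parsed
        if is_wildcard(host):
            findings.append((proto, host, port, "wildcard bind: every interface"))
        elif host not in allowed:
            findings.append((proto, host, port, "address not in allow-list"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SS):
        print(*finding)
```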