[asterisk-users] Is this doable?

Gordon Messmer yinyang at eburg.com
Mon Feb 13 14:49:59 CST 2012


On 02/08/2012 09:28 AM, Josh wrote:
> If one has internal networks, accessible via, say eth1 and tun0, and
> implements Asterisk to act as the internal/private PBX (without exposing
> it to the outside world), then having been forced to use 0.0.0.0 will,
> of course, expose Asterisk to any other - undesirable - interfaces,
> including those pointing to the outside world.

OK.  We can agree on that, but you haven't been clear that you're trying 
to keep Asterisk in a private network, and not make it publicly 
available.  Had you simply said that you didn't want to bind to any 
interfaces that had routable addresses, you'd have made a lot more 
sense.  Instead, you've objected to binding to a "third" or "subsequent" 
interface.

I still think the idea that binding to 0.0.0.0 is a security risk is 
silly.  Making an application available to the public when it doesn't 
need to be is, certainly.  Making a service publicly available or not is 
a policy decision; binding to specific interfaces is a mechanism that 
can be used to implement that policy.  Policy is where you manage 
security risks.  Mechanisms aren't to blame for good or bad policy.
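
Added example, not part of the original message: a small audit that expands each listener's bind address into the interfaces it is reachable on (before any packet filtering) and reports those outside the intended policy. The interface names and addresses, the service labels and the allowed set are constructed assumptions; 203.0.113.10 is a documentation address standing in for a public one.

```python
import ipaddress

# Ranges treated as internal here (RFC 1918, loopback, link-local).
# Anything else is counted as routable for the purpose of this check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def reachable_on(bind_addr, interfaces):
    """Interfaces on which a socket bound to bind_addr accepts traffic."""
    if ipaddress.ip_address(bind_addr).is_unspecified:
        return dict(interfaces)  # 0.0.0.0 means every local address
    return {name: ip for name, ip in interfaces.items() if ip == bind_addr}


def audit(listeners, interfaces, allowed):
    """Return (service, interface, address, routable) for every listener
    reachable on an interface that the policy does not allow."""
    findings = []
    for service, bind_addr in listeners:
        for name, ip in sorted(reachable_on(bind_addr, interfaces).items()):
            if name not in allowed:
                findings.append((service, name, ip, not is_internal(ip)))
    return findings


# Constructed host layout: eth1 and tun0 are the internal networks.
INTERFACES = {"lo": "127.0.0.1", "eth0": "203.0.113.10",
              "eth1": "192.168.10.1", "tun0": "10.8.0.1"}
ALLOWED = {"lo", "eth1", "tun0"}  # the policy: internal PBX only

if __name__ == "__main__":
    for listeners in ([("sip-udp-5060", "0.0.0.0")],
                      [("sip-udp-5060", "192.168.10.1")]):
        print(listeners, "->", audit(listeners, INTERFACES, ALLOWED))
```

An empty result means the bind mechanism alone already matches the policy; a finding means the policy has to be enforced somewhere else or the bind changed.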


