[asterisk-biz] 87.230.80.186

Calleasy BsAS sisint2005 at hotmail.com
Sun Jun 27 20:54:58 CDT 2010


Dear friends, as someone said before me on the list: neither of the two extremes is very good!

One is dangerous; the other means heavy-duty maintenance requirements whenever users change...

That is, either leaving the system open without a firewall + IDS, which is dangerous, or closing the firewall entirely. If you need to deal with users who are travelling or changing IP address, and who need to use the same account from any IP, from anywhere, then those users will be angry every time they can't make a call.

 

 

So I think we must work around the needs and search for the mix that best serves our purposes. Many times the solution may seem something "outside the rules of good practice", but if it works efficiently and is inexpensive... then it "IS WELCOME".

 

VPNs routed end to end with VPN routers require some hardware that limits mobile use and requires more expensive hardware, i.e. if I have my SIP account configured on my handheld, using it over Wi-Fi behind a VPN router, I can't use it to make calls in a hotel or airport or any Wi-Fi zone or hotspot, unless the unit can run a VPN client too.

 

On the other hand, if I have a notebook, laptop or netbook, using a softphone with TLS may be useful, but a bunch of IP telephones, softphones and gateways do not support TLS, or many protocols, so it will depend on the user...

 

In my mind I ask myself, "some advice to follow?", and the answer could be:

Try using services that let me locate users by domain and at the same time define your accounts using them... it may require additional effort to use them, but setting up the peers using host with DNS resolution, avoiding the use of register by users, may help:

 

host= my.domain

 

What will happen if the IP changes or the user doesn't have their own domain? I ask myself again, and answer myself:

Try a DDNS service, like this:

 

  host=my.domain.in.prefer.ddns.service.

 

This may be helpful, with any of the popular servers (dyndns, no-ip, ...).

It requires that the user can run a DDNS client (many routers/ATAs/gateways have one embedded) and a softphone/SIP client at the same time from the same IP address,

and at the other end, on the PBX, you also need to reload the SIP module each time the IP changes, to load the new IP for those domains; this must happen as often as the client's IP changes...

WHAT A CHEAP SOLUTION!!!

 

 

This reload task could be done at a fixed period of time, i.e. the same value that you usually specify in the expire options for registering; thus the "gap" between the old IP and the new one behaves the same as when your customer changes IP address without re-registering, i.e. a user using DHCP on their internet connection whose IP address changes and who does not restart their softphone or gateway. I mean: the incoming calls go to the old IP until the client re-registers or places an outgoing call.

 

 

In the same way, for the inbound connections to the servers (a PBX or any other server too), something similar can be done with iptables; it's quite simple: first set the policy to DENY all connections and then enable just the DDNS domains that you will accept:

iptables -P INPUT DROP
iptables -I INPUT -s my.first.client.inddns.service -j ACCEPT
iptables -I INPUT -s my.second.client.in-other-ddns.service -j ACCEPT

(Some specification of ports and protocols may be added; I don't include it in the example to keep it simple.)

 

After doing this, only the IPs matching those domains can connect to the server, but any time the IPs change you need to restart the iptables service, and the input filter will be refilled with the IPs for the domains defined on the DDNS service...

To restart this at regular intervals in "automatic mode", you just need to enable this task in the cron service; it can also be combined with the SIP module reload to update the host definition in the peer/user/friend in the PBX. For that you need a script that has these two lines for system execution:

# restart iptables, Fedora/CentOS style; others use init.rc services
service iptables restart
# reload the SIP module, renewing the domain definitions for peers;
# be careful: your PBX system must resolve using the DNS service
asterisk -rx "sip reload"

 

And... that's all.

Now you can renew the IPs that can connect to the server and also the host defined to make calls.

Easy, effective and cheap; there may be other, better solutions, yep... and so more expensive too.

Feel free to contact me off the list.

I hope this is helpful.

 

Marcos

info at calleasy.com.ar
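
An added sketch of the cron task described in the message above; it is not part of the original post. It goes a little further than the post: it rebuilds one dedicated chain instead of restarting iptables, and it acts only when a resolved address has changed. The chain name SIP_DDNS, UDP port 5060, the state-file path and the hostnames are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: chain SIP_DDNS,
# SIP on UDP/5060, the state-file path and the placeholder hostnames.
# One-time setup:  iptables -N SIP_DDNS; iptables -A INPUT -j SIP_DDNS
CHAIN="SIP_DDNS"
STATE="${STATE:-/var/run/sip_ddns.state}"
HOSTS="${HOSTS:-my.first.client.ddns.example my.second.client.ddns.example}"

resolve() { getent ahostsv4 "$1" | awk '{print $1}' | sort -u; }  # IPv4, one per line
apply_rules() { iptables-restore --noflush; }   # replaces only the chains named in its input
reload_sip() { asterisk -rx "sip reload"; }

# Succeed only for a well-formed dotted quad (resolver output is untrusted).
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Sorted, de-duplicated list of valid addresses for every allowed hostname.
current_ips() {
    for h in $HOSTS; do
        for ip in $(resolve "$h"); do
            if valid_ipv4 "$ip"; then echo "$ip"; fi
        done
    done | sort -u
}

# Turn addresses on stdin into iptables-restore input for our chain.
build_rules() {
    printf '*filter\n:%s - [0:0]\n' "$CHAIN"
    while read -r ip; do
        echo "-A $CHAIN -s $ip/32 -p udp --dport 5060 -j ACCEPT"
    done
    echo "COMMIT"
}

# Apply and reload SIP only when the address set changed. An empty result
# (DNS failure) returns 2 and leaves the previous rules in place.
refresh() {
    new=$(current_ips)
    if [ -z "$new" ]; then return 2; fi
    old=$(cat "$STATE" 2>/dev/null || true)
    if [ "$new" = "$old" ]; then return 0; fi
    printf '%s\n' "$new" | build_rules | apply_rules || return 1
    printf '%s\n' "$new" > "$STATE"
    reload_sip
}
if [ "${1:-}" = "run" ]; then refresh; fi
```

Run it from cron with the argument `run`, at the interval you would otherwise use for the registration expiry.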

 
 		 	   		  