[asterisk-users] Is this doable?
Josh
mojo1736 at privatedemail.net
Tue Feb 7 11:43:54 CST 2012
>> It is indeed. This is already implemented in Asterisk I take it then? If
>> so, brilliant news!
> More or less. I don't know if it's easy to trigger for specific
> caller ID values, or for none. You might need to do a little
> customization, but something mostly like what you describe is present.
I am glad to see this! Which modules/functions present this
functionality - do you know? I am almost certainly going to customise
this as the screening of calls will be done using my own custom-defined
criteria and the response options will also have to be
customised/enhanced as well (how much really depends on what is
currently implemented in Asterisk).
> Is there some kind of attack that you believe is possible on one
> interface that isn't on the other? I can't conceive of any way that
> making your service available on additional addresses increases your
> vulnerability.
Of course it does - by making the Asterisk service available on, say, eth2
(by binding to 0.0.0.0 that is automatically enabled, i.e. Asterisk can
receive packets coming from that interface). This is not what I want.
If I could restrict Asterisk to bind only on the eth0 and eth1 for
example, packets coming from that interface (eth2) won't affect Asterisk
at all and they will either be dropped or rejected as nothing would
listen on that address/port.
I know that you may say "netfilter/iptables is there to protect you",
but the system will be more secure if Asterisk doesn't have the (physical)
ability to answer requests coming from "undesired" interfaces -
regardless of whether I have a fully-functional netfilter/iptables in
place (even if it is compromised), rather than having Asterisk
potentially answering such requests (by binding to 0.0.0.0) even if
netfilter/iptables are functioning.
In other words, having physically restricted Asterisk from answering
requests coming from undesired interfaces (short of directly
forwarding/routing packets from/to that interface) is better than
allowing it to do so and relying solely on netfilter/iptables for protection.
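As an added example (not part of the thread), here is a small audit that a defender can run to confirm the point above: it scans a socket listing in the format of `ss -H -lnptu` for sockets bound to the wildcard address, optionally restricted to one process, so a 0.0.0.0 bind shows up before netfilter is relied on to hide it. The sample listing is constructed for illustration; the `bindaddr` setting named in the comments is the chan_sip/chan_iax2 option that controls which address Asterisk binds.

```shell
#!/bin/sh
# Audit a socket listing for wildcard binds (0.0.0.0, [::], or the older '*').
# Real usage:  ss -H -lnptu | find_wildcard_binds [process-name]
# Each reported line is a service reachable on every interface, including
# ones you never intended to serve (the eth2 case from the discussion).
find_wildcard_binds() {
    awk -v proc="${1:-}" '
        {
            # optional filter: ss prints the owner as users:(("name",pid=..,fd=..))
            if (proc != "" && index($0, "\"" proc "\"") == 0) next
            # a local address field looks like 0.0.0.0:5060 or [::]:5060;
            # the peer column (0.0.0.0:*) never matches because its port is "*"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(0\.0\.0\.0|\[::\]|\*):[0-9]+$/) { print; next }
        }'
}

# Number of wildcard-bound sockets, same optional process filter.
count_wildcard_binds() { find_wildcard_binds "$@" | awk 'END { print NR }'; }

# Constructed sample in `ss -H -lnptu` layout (not captured from a real host).
# 192.0.2.10 and 127.0.0.1 are the binds a hardened config would show; the
# 0.0.0.0 / [::] lines are what bindaddr=0.0.0.0 in sip.conf produces.
SAMPLE_SS='udp UNCONN 0 0   0.0.0.0:5060    0.0.0.0:* users:(("asterisk",pid=1234,fd=10))
udp UNCONN 0 0   192.0.2.10:4569 0.0.0.0:* users:(("asterisk",pid=1234,fd=11))
udp UNCONN 0 0   [::]:5060       [::]:*    users:(("asterisk",pid=1234,fd=12))
tcp LISTEN 0 128 127.0.0.1:5038  0.0.0.0:* users:(("asterisk",pid=1234,fd=13))
udp UNCONN 0 0   0.0.0.0:68      0.0.0.0:* users:(("dhclient",pid=500,fd=6))'

# Show only the Asterisk sockets that would answer on any interface.
printf '%s\n' "$SAMPLE_SS" | find_wildcard_binds asterisk
```

On the sample this reports the two 5060 sockets and not the 4569 one bound to a specific address; the fix on the Asterisk side is to set `bindaddr` to the address of the interface you intend to serve rather than 0.0.0.0.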