[asterisk-users] Should you "ever" use nat=no?

Brian ipt voiplists at iptel.co
Sun Feb 12 15:58:00 CST 2012


On Sun, Feb 12, 2012 at 12:59 AM, Bruce B <bruceb444 at gmail.com> wrote:

> If your server is open to the internet and in the SIP general section you have
> nat=no and in peers you have nat=yes or vice versa then it's possible to
> enumerate your extension. Because Asterisk responds with different messages
> if the extension exists or not based on that difference in the nat setting
> then it's possible to tell if an extension 100 exists or not. Over the past
> few years, Digium has come to the realization to respond to all unauthenticated
> calls the same way in order to thwart any attack attempts or guesses on the
> extension but it's still not perfect yet as these improvements are done at
> a really slow pace. Regardless, they are being made and there truly is a
> security risk.
>
> I always use nat=yes. I don't even know why nat=no exists as there is
> nothing that can't be done with nat=yes. Plus nat=yes will take care of
> some of the surprise one-way audio scenarios as well so why use nat=no at
> all?! I vote to totally get rid of the nat setting altogether and hard
> code it and set it to yes but again there are others who may not agree.
>
I'm stunned.
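
A configuration check for the mismatch described in the quoted message, added here as an example (not code from this thread or from Asterisk): it parses sip.conf text and lists peers whose effective nat value differs from the one in [general]. The sample config, the function names, and the rule that the last listed template wins are assumptions.

```python
import re

# Constructed sample sip.conf (not from the thread).
SAMPLE = """\
[general]
nat=no          ; global default
[natted](!)     ; template
nat=yes
[100]
nat=yes
[101]
type=friend
[102](natted)
[103]
nat = no
"""

SECTION = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?")

def parse_nat_settings(text):
    """Return (general_nat, {peer: effective_nat}) for sip.conf text."""
    explicit, parents, order, current = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        m = SECTION.match(line)
        if m:
            current = m.group(1).strip()
            parents[current] = [o.strip() for o in (m.group(2) or "").split(",")]
            order.append(current)
        elif current and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "nat":
                explicit[current] = value.lstrip(">").strip().lower()

    def inherited(name, depth=0):
        if name in explicit or depth > 8:            # depth cap guards template loops
            return explicit.get(name)
        # Assumption: with several templates, the last one listed wins.
        values = [inherited(p, depth + 1) for p in parents.get(name, [])]
        return next((v for v in reversed(values) if v), None)

    general_nat = explicit.get("general")
    peers = {n: inherited(n) or general_nat for n in order
             if n != "general" and "!" not in parents[n]}
    return general_nat, peers

def mismatched_peers(text):
    # Peers whose nat differs from [general]: the case the quoted message describes.
    general_nat, peers = parse_nat_settings(text)
    return sorted(p for p, nat in peers.items() if nat != general_nat)
```

Every other section in the file is treated as a peer, so sections such as [authentication] should be filtered out before acting on the result.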

