[asterisk-users] Is this doable?
Gordon Messmer
yinyang at eburg.com
Mon Feb 13 14:49:59 CST 2012
On 02/08/2012 09:28 AM, Josh wrote:
> If one has internal networks, accessible via, say eth1 and tun0, and
> implements Asterisk to act as the internal/private PBX (without exposing
> it to the outside world), then having been forced to use 0.0.0.0 will,
> of course, expose Asterisk to any other - undesirable - interfaces,
> including those pointing to the outside world.

OK. We can agree on that, but you haven't been clear that you're trying
to keep Asterisk in a private network, and not make it publicly
available. Had you simply said that you didn't want to bind to any
interfaces that had routable addresses, you'd have made a lot more
sense. Instead, you've objected to binding to a "third" or "subsequent"
interface.

I still think the idea that binding to 0.0.0.0 is a security risk is
silly. Making an application available to the public when it doesn't
need to be is, certainly. Making a service publicly available or not is
a policy decision; binding to specific interfaces is a mechanism that
can be used to implement that policy. Policy is where you manage
security risks. Mechanisms aren't to blame for good or bad policy.
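
One way to check the bind mechanism discussed in this message against a stated policy, as an added example that is not part of the original post. The sample socket table, the allowed networks and the choice of UDP port 5060 (the standard SIP port) are assumptions made for illustration.

```python
import ipaddress
import socket
import struct

# Constructed sample in the layout of Linux /proc/net/udp:
# local_address is a little-endian hex IPv4 address, then a hex port.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  10: 00000000:13C4 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1001
  11: 0100080A:13C4 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1002
  12: 057100CB:13C4 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1003
  13: 0A01A8C0:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1004
"""

# Assumed policy: the service may only be bound inside these private networks
# (hypothetical addressing for the internal eth1 and tun0 interfaces).
ALLOWED = [ipaddress.ip_network("192.168.1.0/24"),
           ipaddress.ip_network("10.8.0.0/24")]


def parse_udp_table(text):
    """Return (ip_address, port) for each socket row in a /proc/net/udp style table."""
    sockets = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue
        hex_ip, hex_port = fields[1].split(":")
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        sockets.append((ipaddress.ip_address(ip), int(hex_port, 16)))
    return sockets


def audit(sockets, port, allowed_nets):
    """List bindings on `port` that the bind address alone does not keep private."""
    findings = []
    for ip, sock_port in sockets:
        if sock_port != port:
            continue
        if ip.is_unspecified:
            # 0.0.0.0: reachable on every interface, so a firewall must enforce the policy.
            findings.append((str(ip), "wildcard bind, exposure depends on firewall rules"))
        elif not any(ip in net for net in allowed_nets):
            findings.append((str(ip), "bound to an address outside the allowed networks"))
    return findings


if __name__ == "__main__":
    for address, reason in audit(parse_udp_table(SAMPLE), 5060, ALLOWED):
        print(f"{address}:5060  {reason}")
```

On a live Linux host the same functions can be fed the contents of /proc/net/udp instead of the constructed sample.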