Re: Restricting ports?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Nov 2, 2011 at 11:47 AM, Jan Willamowius <jan@xxxxxxxxxxxxxx> wrote:
> Hi,
>
> Robert Kulagowski wrote:
>> From a security perspective, has anyone found reason to restrict the
>> ports that GnuGk uses?  I'm assuming that opening UDP 1025-65535,
>> TCP/1719 and TCP/1720 to the internet is all that's required for full
>> functionality?
>
> Opening UDP 1025-65535 basically means to turn off the firewall for
> UDP, a lot of people won't feel comfortable with that.

Perhaps I'm being naive, but what's the practical difference?
Wouldn't one port or 10 be just as big a compromise potential as 64000
ports?

> But you will also need open TCP ports for H.245 if thats not tunneled.
> 1719 is also UDP, not TCP.
>
>> Also, it appears that the status port (7000) binds to all interfaces.
>> Is there a configuration switch to only allow it to bind to a
>> particular interface or IP address?  In a dual-nic proxy situation, it
>> would be better to not even listen to the external port, even with
>> appropriate firewall rules in place.  I use multiple secondary
>> addresses on my external NIC and each of them are listening to 1720
>> and 7000.
>
> Thats what Home= is for.

In the documentation, it says:
Home=192.168.1.1
Default: listen to all IPs
The gatekeeper will listen for requests on this IP address. If not
set, the gatekeeper will listen on all IPs of your host. Multiple Home
addresses can be used and must be separated with a semicolon (;) or
comma (,).

does this mean "listen for status port requests", or all requests?  If
I have a dual-nic proxy, then I would still want it to listen for
incoming call requests to port 1720 on the outside interface, but not
port 7000?

------------------------------------------------------------------------------
RSA&#174; Conference 2012
Save $700 by Nov 18
Register now&#33;
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________________

Posting: mailto:Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=openh323gk-users
Unsubscribe: http://lists.sourceforge.net/lists/listinfo/openh323gk-users
Homepage: http://www.gnugk.org/



[Index of Archives]     [SIP]     [Open H.323]     [Gnu Gatekeeper]     [Asterisk PBX]     [ISDN Cause Codes]     [Yosemite News]

  Powered by Linux