
firewall/iptables on asterisk server

Postby CHP » Thu Jul 24, 2008 11:48 am

Hello asterisk experts,

On the www I found a ppt presentation (astricon_performance.ppt from securax.be), sorry I don't know the exact link any more, where the guys said that to improve performance you should not run a firewall (iptables) or a traffic shaper on the asterisk machine.

That's why my question is: if you have a multi-server asterisk/vicidial system, e.g. 1 asterisk/vicidial + 1 web/mysql server, and the clients are shared in the WAN, is it better to use a hardware firewall (e.g. Cisco ASA) or to run iptables on each ethernet interface of the asterisk and web server which are connected to the WAN?

Thanks for your answers!
CHP
 
Posts: 33
Joined: Thu Jul 17, 2008 12:53 pm

Postby mflorell » Thu Jul 24, 2008 1:44 pm

It is always much better to keep the firewall as far as possible away from the VICIDIAL servers. It should be a dedicated machine that only does firewall duties.
mflorell
Site Admin
 
Posts: 18339
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Postby eijal » Thu Jul 24, 2008 4:32 pm

What could be the impact of using iptables in every asterisk/vicidial, web, database servers?
eijal
 
Posts: 186
Joined: Thu Feb 08, 2007 6:34 pm

Postby mflorell » Fri Jul 25, 2008 8:12 am

If your server is on the open internet with only iptables firewall to protect it and someone decides to DDOS or brute-force attack your server then it will be slowed down to the point of being not usable. This happened to a client of ours and moving to a dedicated firewall machine fixed the issue.
mflorell
Site Admin
 
Posts: 18339
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Postby js19 » Fri Aug 22, 2008 6:06 pm

Considering you can buy a PIX for a couple hundred bucks, it seems insane not to. Even so, I have a firewall running on asterisk, but I doubt it will ever get much of a workout since the PIX will always do the bulk of the work.
js19
 
Posts: 40
Joined: Wed May 28, 2008 11:03 am

Postby Mika1974 » Tue Aug 26, 2008 8:02 am

I think it's not very wise to recommend people *not* to run a firewall.

Proper configuration of iptables can avoid it being a bottleneck in a DDOS attack - and yes, hardware firewalls rule, but not everyone has the budget.
Mika1974
 
Posts: 22
Joined: Mon Jun 23, 2008 3:47 pm

Postby Op3r » Tue Aug 26, 2008 3:18 pm

Can you show us some iptables rules that can filter DDOS attacks? I am thinking about the security of vicidial servers now.
Get paid for US outbound Toll Free calls. PM me.
Op3r
 
Posts: 1424
Joined: Wed Jun 07, 2006 7:53 pm
Location: Manila

Postby mflorell » Tue Aug 26, 2008 4:21 pm

I am not a firewall expert, but the sheer amount of traffic is the whole problem with DDOS attacks, not really how they are filtered. An external firewall is always the best solution, but even one of those will not help your bandwidth usage if you get DDOS attacked.
mflorell
Site Admin
 
Posts: 18339
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida
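The thread leaves Op3r's request for concrete rules unanswered, and Mika1974's point (a sensibly configured iptables need not be a bottleneck) and mflorell's caveat (no host-side filter helps once the WAN link itself is saturated) are both right. The script below is an added example written for this page; it is not from any of the posters, nor from the Asterisk or VICIdial projects. It emits a minimal host-side ruleset for an Asterisk box: per-source rate limiting of SIP signalling with the `hashlimit` match, a `recent`-based brake on SSH brute forcing, and conntrack rules so RTP and established flows never hit the expensive matches. The interface name `eth0`, port 5060, the RTP range 10000:20000, the rate and hit-count values, and the chain name `SIP_GUARD` are assumptions to adjust for your deployment; the script also assumes an empty INPUT chain (it does not flush existing rules). Rules are emitted as text first so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the thread): host-side iptables limits for a SIP server.
# Everything below the comment lines is an assumption to tune, not a recommendation
# pulled from the original posts.
WAN_IF="${WAN_IF:-eth0}"                 # interface facing the WAN
SIP_PORT="${SIP_PORT:-5060}"             # SIP signalling port
RTP_RANGE="${RTP_RANGE:-10000:20000}"    # RTP media ports (rtp.conf range)
SIP_RATE="${SIP_RATE:-10/second}"        # sustained SIP packets per source IP
SIP_BURST="${SIP_BURST:-20}"             # burst allowance per source IP
SSH_HITS="${SSH_HITS:-4}"                # new SSH connections per source per 60 s before DROP
TRUSTED_PEERS="${TRUSTED_PEERS:-}"       # space-separated SIP trunk IPs exempt from the guard

# Emit the ruleset as iptables command lines. Ordering matters: cheap conntrack
# rules first, the trusted-peer bypass before the rate limiter, and the DROP
# policy last so the box is never left without ACCEPT rules while applying.
sip_rules() {
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -N SIP_GUARD
iptables -A SIP_GUARD -m hashlimit --hashlimit-name sipflood --hashlimit-mode srcip --hashlimit-upto ${SIP_RATE} --hashlimit-burst ${SIP_BURST} -j ACCEPT
iptables -A SIP_GUARD -j DROP
EOF
    # Known trunks (constructed list, assumption) skip the per-source limiter entirely.
    for peer in ${TRUSTED_PEERS}; do
        echo "iptables -A INPUT -i ${WAN_IF} -s ${peer} -p udp --dport ${SIP_PORT} -j ACCEPT"
    done
    cat <<EOF
iptables -A INPUT -i ${WAN_IF} -p udp --dport ${SIP_PORT} -j SIP_GUARD
iptables -A INPUT -i ${WAN_IF} -p udp --dport ${RTP_RANGE} -j ACCEPT
iptables -A INPUT -i ${WAN_IF} -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name sshbrute --set
iptables -A INPUT -i ${WAN_IF} -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name sshbrute --update --seconds 60 --hitcount ${SSH_HITS} -j DROP
iptables -A INPUT -i ${WAN_IF} -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
EOF
}

# Number of iptables commands the ruleset would issue (useful for a quick review).
count_rules() {
    sip_rules | grep -c '^iptables '
}

# Apply the emitted rules; refuses to run unless root, and stops on the first failure.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must be run as root" >&2
        return 1
    fi
    sip_rules | sh -e
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     sip_rules ;;     # default: print the rules for review
esac
```

Run it with no argument to print the rules and with `apply` as root to load them. What this buys you is bounded CPU spent in Asterisk's SIP stack on REGISTER/INVITE floods and registration guessing from a single source, which is the case where Mika1974's "configure it properly" holds. What it does not buy you is anything against a distributed flood that fills the upstream link: those packets are already on your wire before iptables sees them, which is mflorell's point, and only filtering upstream of the link (a dedicated firewall or the provider) changes that.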
