[Shorewall-newbies] Newbie - How to open range of RTP ports
ratcheson at earthlink.net
Sat Jan 10 21:45:42 PST 2004
On Saturday 10 January 2004 09:02 pm, Tom Eastep wrote:
> > Don't think it would help for me to warn about whats the point of a FW if
> > you open up big ranges of IP's .. This really needs another scheme and
> > this stuff to be allowed and run in the DMZ .. but ..
> The safety of opening a port range rests solely with how the host to which
> they are forwarded treats those ports. If the only thing that binds to
> those local port numbers is the asterisk server then the safety is totally
> dependent on how well that server is written. This is the same as any
> internet server in my view...
> Feel free to jump in if you want to comment....
I just want to ask a little question or perhaps just get some clarification
on this port range thing. I am using the Vonage VOIP which requires the same
10k to 20k port range and in my system I DNAT them to 192.168.1.152 which is
the CISCO ATA 186 adapter. From what I read in this thread, that is safe
cause the only place those ports go is to the ATA. Assuming the ATA will
only respond to data it is looking for i.e., the phone stuff, any attempt by
someone to hack into my system would be fruitless??? So I and anyone else
with a similar setup should not have to worry about intruders.
Is that a fair statement? I suspect a lot of people are a bit paranoid about
opening ports thinking that an open port is tantamount to letting the wolf
through the door. From what you have written it seems like an open port is
kind of a bit bucket if it is properly monitored by some program/device such
as the ATA and we only need to worry if that open port is not monitored
properly. Is my understanding accurate or am I FOS?
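An added illustration of the setup described in this message (not part of the original thread, and not Shorewall's own sample files): the /etc/shorewall/rules entries that forward the 10000-20000 range to the ATA at 192.168.1.152, first in the broad form and then narrowed to what RTP actually needs. It assumes the two-interface zone names net and loc; the 203.0.113.0/24 source is a placeholder for the provider's media-server addresses, which the page does not give.

```conf
#ACTION   SOURCE               DEST                 PROTO   DEST PORT(S)
# Broad form: forwards the whole range, TCP and UDP, from any internet host.
DNAT      net                  loc:192.168.1.152    tcp     10000:20000
DNAT      net                  loc:192.168.1.152    udp     10000:20000

# Narrower form: RTP media is UDP only, so the tcp line is unnecessary.
# Limiting SOURCE to the provider's media servers (placeholder range below,
# replace with the real addresses) means only those hosts reach the ATA.
DNAT      net:203.0.113.0/24   loc:192.168.1.152    udp     10000:20000
```

The rule only decides which packets reach the ATA; once they arrive, the exposure is exactly what the adapter's own software does with them, as Tom describes above. Keep the net-to-loc policy at DROP in /etc/shorewall/policy so nothing outside the forwarded range gets through, and run `shorewall check` before `shorewall restart` to catch a column or range typo.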