[Shorewall-newbies] Newbie - How to open range of RTP ports

Richard Atcheson ratcheson at earthlink.net
Sat Jan 10 21:45:42 PST 2004


On Saturday 10 January 2004 09:02 pm, Tom Eastep wrote:
> > Don't think it would help for me to warn about what's the point of a FW if
> > you open up big ranges of IPs .. This really needs another scheme and
> > this stuff to be allowed and run in the DMZ .. but ..
>
> The safety of opening a port range rests solely with how the host to which
> they are forwarded treats those ports. If the only thing that binds to
> those local port numbers is the asterisk server then the safety is totally
> dependent on how well that server is written. This is the same as any
> internet server in my view...
>
> Feel free to jump in if you want to comment....
>
Tom:

	I just want to ask a little question or perhaps just get some clarification 
on this port range thing.  I am using the Vonage VOIP which requires the same 
10k to 20k port range and in my system I DNAT them to 192.168.1.152 which is 
the CISCO ATA 186 adapter.  From what I read in this thread, that is safe 
because the only place those ports go is to the ATA.  Assuming the ATA will 
only respond to data it is looking for i.e., the phone stuff, any attempt by 
someone to hack into my system would be fruitless???  So I and anyone else 
with a similar setup should not have to worry about intruders.

	Is that a fair statement?  I suspect a lot of people are a bit paranoid about 
opening ports thinking that an open port is tantamount to letting the wolf 
through the door.  From what you have written it seems like an open port is 
kind of a bit bucket if it is properly monitored by some program/device such 
as the ATA and we only need to worry if that open port is not monitored 
properly.  Is my understanding accurate or am I FOS?

	Richard
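
The setup Richard describes (a 10000-20000 RTP range DNATed to the ATA at 192.168.1.152), written out as a Shorewall rules-file entry. This is an added example, not taken from the original post or from the Shorewall distribution; the zone names net and loc follow Shorewall's sample configurations, the exact range 10000:20000 is assumed from "10k to 20k", and the rule is restricted to UDP because RTP is carried over UDP, which the post does not state explicitly:

```text
#ACTION  SOURCE  DEST               PROTO  DEST PORT(S)
#
# Forward the RTP media range to the ATA only (added example; zone names
# net/loc and the 10000:20000 range are assumptions, see the lead-in).
# UDP only: RTP does not use TCP, so forwarding TCP on these ports would
# only widen the exposure without making the phone work any better.
DNAT     net     loc:192.168.1.152  udp    10000:20000
```

Shorewall's DNAT action generates both the nat-table redirect and the matching filter ACCEPT, so nothing on the firewall itself starts listening on these ports; only the ATA does, which is the point Tom makes above about safety resting with the forwarded-to host. If the VoIP provider publishes the addresses of its media gateways, replacing the bare net SOURCE with net:<those addresses> narrows who can reach the ATA at all. Run shorewall check before shorewall restart to catch syntax mistakes in the rules file.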
