atsak
I would tend to agree. I have to dig into this further, but have trouble seeing how this would impact my setups. I think you can probably clamp down your firewall as much as you want, because symmetric RTP should allow media to get through by way of establishing an outbound stream (inbound stream comes back on the same path).
# Comment out the wide-open UDP 10000:20000 ACCEPT rule in each firewall script / rules file, in place
sed -i 's|/usr/sbin/iptables -A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT|\#/usr/sbin/iptables -A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT|' /usr/local/sbin/iptables-custom
sed -i 's|-A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT|\#-A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT|' /etc/iptables/rules.v4
sed -i 's|-A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT|\#-A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT|' /etc/iptables/rules.v4.ubuntu14
sed -i 's|-A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT|\#-A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT|' /etc/sysconfig/iptables
sed -i 's|-A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT|\#-A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT|' /etc/sysconfig/rules.v4.ubuntu14
# Same again for the "-m udp --dport" spelling of the rule
sed -i 's|-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT|\#-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT|' /etc/iptables/rules.v4
sed -i 's|-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT|\#-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT|' /etc/iptables/rules.v4.ubuntu14
Note that as of the time of writing, the official Asterisk fix is vulnerable to a race condition. An attacker may continuously spray an Asterisk server with RTP packets. This allows the attacker to send RTP within those first few packets and still exploit this vulnerability.
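The sed one-liners above comment out the wide-open RTP ACCEPT rules, and atsak's reasoning is that the reply leg of symmetric RTP still gets in through the connection-tracking state the server's own outbound packets create. As an added example, not code from the thread or from Travelin' Man, here is a small POSIX shell audit that finds such rules in an iptables-save style file, comments them out in a way that is safe to re-run (the unanchored sed lines above prefix a second "#" on a second run), and leaves both the ESTABLISHED,RELATED rule and any source-restricted RTP rule in place. The rules file contents, the 203.0.113.10 trunk address and all function names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from Travelin' Man): audit an
# iptables-save style rules file for INPUT rules that accept the whole RTP
# UDP range from any source, and comment those rules out idempotently.
# All file paths and rule lines below are constructed for this demo.

RTP_RANGE="10000:20000"

# An INPUT rule that accepts UDP on the full RTP range with no source
# restriction, in either spelling iptables-save emits. iptables-save writes
# "-s <addr>" before "-p udp", so a source-restricted rule does not match
# the "^-A INPUT -p udp" prefix and is deliberately left alone.
RTP_RULE_RE="^-A INPUT -p udp -m (multiport --dports|udp --dport) ${RTP_RANGE} -j ACCEPT\$"

# Print the offending rules in the file given as $1 (nothing if none).
list_open_rtp_rules() {
    grep -E "$RTP_RULE_RE" "$1" || true
}

# Print how many offending rules the file given as $1 still contains.
count_open_rtp_rules() {
    grep -E -c "$RTP_RULE_RE" "$1" || true
}

# Comment out the offending rules in place. Because the pattern is anchored
# on "^-A", a line that already starts with "#" is not touched, so running
# this twice does not produce "##..." the way an unanchored sed does.
# Avoids "sed -i" so the same command works with GNU and BSD sed.
disable_open_rtp_rules() {
    file="$1"
    sed -E "s,${RTP_RULE_RE},#&," "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Write a constructed rules.v4 file to $1. The ESTABLISHED,RELATED rule is
# what lets the reply leg of a symmetric RTP stream back in once the server
# has sent the first packet; the 203.0.113.10 rule (documentation address)
# stands in for a trunk whose source address is known and trusted.
make_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p udp -m multiport --dports 10000:20000 -j ACCEPT
COMMIT
EOF
}

# Stand-alone demo on a throwaway file: sh this_file.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    demo_file="$demo_dir/rules.v4"
    make_sample_rules "$demo_file"
    echo "Before: $(count_open_rtp_rules "$demo_file") wide-open RTP rule(s)"
    list_open_rtp_rules "$demo_file"
    disable_open_rtp_rules "$demo_file"
    disable_open_rtp_rules "$demo_file"   # second run is a no-op
    echo "After:  $(count_open_rtp_rules "$demo_file") wide-open RTP rule(s)"
    grep -n '^#' "$demo_file"
    rm -r "$demo_dir"
fi
```

To check a live box, point the functions at the file your distribution restores from (the thread's list covers /etc/iptables/rules.v4 and /etc/sysconfig/iptables) and reload it afterwards. Keep the ESTABLISHED,RELATED rule: with the inbound range closed, the far end's RTP reaches Asterisk only as the reply to packets Asterisk sends first, which is exactly the symmetric-RTP behaviour atsak's post relies on.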
@wardmundy
I tried doing that on iptables on CentOS running Travelin' Man. I get one-way audio. Others can hear me, I cannot hear outsiders. I have selected NAT=no and gsm and ulaw codecs. The server is on cloud with public IP.
What am I doing wrong?
3CX is not Asterisk based so it's not affected.
Should I worry about this on the 3CX system?
@wardmundy
Do you plan on including the change in your snapshots for new installs, or will we need to remember to change Travelin' Man on clean installs?