Installing PIAF2 + CentOS 6.2

[Hyksos]

Preaching to the already converted...

It's actually more interesting for people reading it thinking about what to do with their pbx and how to see it.

I'm there saying it's dangerous and you answer you've being hacked...
We'll get the message out!

Thanks for posting your experience and sorry if I sounded autoritarian, was not my intentions.

You should investigate VPN which answer those needs with even higher security and less management. My two cents. But you take it seriously and my hat to you for it.

Do you have off site backups? Just kidding! I'm having flashback of my dentist who stored his backup floppy on top of his speakers for 5 years until his HD crashed with his entire business on it. He learned what a magnet means to a floppy. hehe

 

[Ramblin]

No Ports exposed to the Internet?

First off: THANK YOU!

I have just installed PBXiaf2 on my 32-bit back-up system and it went very cleanly. When I went in to configure it to the way I have configured previous versions, the settings were all there, done by the installer. Very nice, very clean, very comprehensive.

My question is about port forwarding.

I have seen in the description for PBXiaf2 the phrase "A Word About Security. PBX in a Flash has been engineered to run on a server sitting safely behind a hardware-based firewall with NO port exposure from the Internet".

I have several satellite phones which get moved around and as such can come into the asterisk server from different IP addresses at different times. And of course any soft-phones on a laptop come in at unpredictable times from unpredictable locations.

How, in these situations, can I have the server not exposed to ports? I have always port forwarded 5060 (SIP registration) and 10002-10203 (RTP Audio) to the server behind the firewall. Do I no longer need to do this? If I no longer need to do this, how does a satellite phone or soft-phone get through?

 

[darmock]

TravelMan2

does what you are asking. Still being tested however and only works if incredible is installed thus you are restricted to freepbx 2.9.x as 2.10 is not supported yet.


TravelMan2 is an auto port poker 8^)

you log in from the remote address with a browser using super secret passwords et al Then it senses your IP address from the remote site and then pokes a hole in iptables (without persistence) which allows your softphones to work. As for satellite phones they would need a browser on the phone to work.


Tom

 

[wardmundy]

Or you can use FQDN's for your remote sites and do this.

 

[Ramblin]

Shorewall - version 4.4 vs 3.2 ?

I am looking to set up a software firewall on the system.

I have historically used apf/bfd and it works fine, but it has no stated plans for ipv6 compatibility, so I am looking at an alternative. I figure the systems I install today will be around for a while so I may as well install the products that will be able to sustain for a while.

I see that Shorewall is installed on the PBXiaf2 system so am looking at using it - it does have ipv6 products available. The ipv6 version only comes in v4.2.4. or higher, and I'd like to learn about that version so I do not have to re-learn a new system when ipv6 is required.

I tried to get the instructions for using Shorewall, but all the instructions available on their site are for v4.x (4.4.27.3 being the currently supported, major-release, stable version) but the version installed with PBX2 is 3.2.

Is there a concern with Shorewall 4.4.x ?

If not, I'd like to upgrade Shorewall to 4.4.27.3

Any thoughts?

Do you know if the upgrade to v4.4.23.7.3 is clean if we start with v3.2 of Shorewall?

 

[rossiv]

What's wrong with IPTables? I'm pretty sure a version of it is included that supports IPv6.