How to connect "two interface cards" in Elastix ?

Discussion in 'General' started by tolengo, Jan 30, 2009.

  1. tolengo

    Joined:
    Oct 31, 2008
    Messages:
    117
    Likes Received:
    0
    Hi all, I want to install two NIC interface cards in Elastix like this =>

    my ip addresses are ISP: 192.168.0.1 gw=192.168.0.1 subnet mask= 255.225.225.0
    my internal LAN has included(DHCP): 192.168.1.1 gw=192.168.1.1 subnet mask= 255.225.225.0


    INTERNET -------->(card eth0)--> ELASTIX -->(card eth1)-----------------> to my phones

    so my idea is to use Elastix also as a router or bridge with DHCP server in the eth1. I think it is a super idea to avoid problems with routers and port forwardings :ohmy: .

    Maybe some of you already did it.


    thanks.

    Johnny
     
  2. donhwyo

    Joined:
    Aug 8, 2008
    Messages:
    293
    Likes Received:
    0
    I think that would be very dangerous. You would at least have to implement an iptables firewall. The more other security the better.

    Don
     
  3. tolengo

    Joined:
    Oct 31, 2008
    Messages:
    117
    Likes Received:
    0
    I know it is so dangerous, but maybe somebody can use this configuration in an internal net, so it should be an interesting config.
     
  4. Bob

    Bob

    Joined:
    Nov 4, 2007
    Messages:
    2,400
    Likes Received:
    1
    Johnny,

    I realise that some of your interest is out of curiosity for such a setup, and in fact there are a couple of systems that implement this type of setup (e.g. Firewall/Router/PBX).

    However this goes against the grain of good design and practice. A firewall/router should always be separated (completely) from the device it is trying to protect. No matter how good the person is that designs it and maintains it, it is impossible to secure it 100%.

    In good network design, there should always be three layers of security (not always possible with budget constraints). Putting the PBX on the same box as the Firewall for the network, leaves you with only one layer. They hack that layer, find a vulnerability, your PBX system is hacked.

    The PBX system would be the last device that I would double up on a firewall due to the potential for major loss of money through phreaking. A website hacked, possible loss of face with your clients, a PBX hacked in a small to medium business, a possible loss of company.

    So I would expect that you may not get many responses as it is definitely not a good idea, even for home. Far better time spent learning the issues with Routing and NAT, learn them well, and in 99% cases you will not have issues.

    Regards

    Bob
     
  5. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Sorry, I couldn't resist . . .


    I disagree with the others, it is indeed "a super idea", and anyone can indeed " . . . use this configuration in a internal net . . ." and it eliminates any need for NATting or firewalls or anything


    quote:

    my ip addresses are ISP: 192.168.0.1 gw=192.168.0.1 subnet mask= 255.225.225.0
    my internal LAN has included(DHCP): 192.168.1.1 gw=192.168.1.1 subnet mask= 255.225.225.0

    The first line being eth0 and the second eth1, and I assume the box set up as router for hosts on eth1 to route to the other internal adapter at eth1.

    You have arranged to route all outbound traffic to yourself!
    you can chat away on your phones all day with each other!
    Your VOIP bill will be minimal!
    You don't have to worry about your machine being hijacked!

    Inbound traffic from your ISP provided router:-

    INTERNET -------->(card eth0)--> ELASTIX -->(card eth1)-----------------> to my phones

    and

    Outbound Traffic:-

    phones ---------->(card eth1)--> ELASTIX -->(card eth0)--->|
    phones <----------(card eth1)<-- ELASTIX <--(card eth0)<---|


    Brilliant!

    but expect the internet to be a little slower than usual for hosts on the eth1 network.

    (call us from your phone or post to this forum when you get it going ;-) )
     
  6. Bob

    Bob

    Joined:
    Nov 4, 2007
    Messages:
    2,400
    Likes Received:
    1
    Dicko,

    I will start this post off saying that I couldn't work out whether you were being serious or not.

    Having been in this business (comms / IT / Corporate Infrastructure), the statements I make are from over 25 years of experience, and believe me I have seen a lot (naturally not everything), right down to phone phreaking of a major vendor's phone system ($700,000 worth of calls made). The system itself was well protected by some great products, but where the error finally came from was human error or complacency.

    You mention about a router, but it sounds like he wishes to avoid a router (to remove the issues with NAT and routing).

    He only has to have a component unpatched in regards to a newly found vulnerability, and his system becomes a target.

    Regards

    Bob
     
  7. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Sorry Bob,

    I ask you to excuse my sometimes puckish nature, it was serious only in encouraging the poster to examine his own post.

    I have deployed in domestic situations (including but not limited to my own) very basic hardware. My favorite is a little fanless epia or such, two nics and you're at less than 400 bucks, 25 watts and about the size of a big paperback.
    Start with Elastix, add routing to the LAN, vlan, iptables, fail2ban, a little QOS if the in situ router doesn't speak 2009, avantfax, vncserver, the one I'm on right now has a gnome desktop from which I'm replying, observe password good practice, a couple or so spa942's or aastra57's, add a spa3102 if they have a landline/dsl for 911 and earthquakes.
    Disable root logins, move the needed services from the normal ports, don't start anything until you need it.
    Still at 400 bucks plus the 3102 and phones and you have all tolengo asked for, you saved money, space and energy and even replaced his windows desktop machine. (still gotta do that NAT/port forwarding somewhere though)

    In any real world situation I move the routing and vlan to hardware but pretty well keep everything else, (including the gnome bit, it's a pain to jiggle a polycom without its built-in gui and I'm too lazy/cautious to map tunnels to all the internal devices )

    I agree with you 100%, my experience is of the same order of magnitude as yours, I also have seen, and even been on the smelly end of, some pretty scary scenarios both in the TDM and VOIP world, once bitten twice shy. but . .

    I just couldn't get past the suggested configuration:-

    snip:-
    my ip addresses are ISP: 192.168.0.1 gw=192.168.0.1 subnet mask= 255.225.225.0

    where the gateway used is the local interface IP. So of course the network is a notwork and all other points are moot until noticed or corrected.

    I guess it was my attempt at paraphrasing "RTFM" in what I considered a humorous fashion.
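Dicko's point above is mechanical enough to check automatically. The following is an added example (not code from the thread or from Elastix): it takes the two interface lines as posted (copied in as constructed input) and flags a gateway that is the interface's own address, plus the netmask in those same lines, which is not a contiguous mask; a corrected plan is included to show what passes.

```python
"""Sanity check for a two-NIC addressing plan (added example, not part of the thread)."""
import ipaddress

# The two interface lines exactly as posted in the thread (constructed test input).
POSTED_CONFIG = {
    "eth0": {"ip": "192.168.0.1", "gw": "192.168.0.1", "mask": "255.225.225.0"},
    "eth1": {"ip": "192.168.1.1", "gw": "192.168.1.1", "mask": "255.225.225.0"},
}

# A plan that passes: eth0 gets its own address on the ISP-side subnet and points
# at the ISP router; the LAN side has no upstream gateway of its own (constructed).
CORRECTED_CONFIG = {
    "eth0": {"ip": "192.168.0.2", "gw": "192.168.0.1", "mask": "255.255.255.0"},
    "eth1": {"ip": "192.168.1.1", "gw": None, "mask": "255.255.255.0"},
}


def valid_netmask(mask):
    """True if mask is a run of 1 bits followed only by 0 bits (e.g. 255.255.255.0)."""
    try:
        bits = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return False
    if bits == 0:
        return False  # a /0 mask is not usable on an interface
    inverted = (~bits) & 0xFFFFFFFF
    # The host part of a contiguous mask is all ones, so inverted + 1 is a power of two.
    return (inverted + 1) & inverted == 0


def check_interface(name, cfg):
    """Return human-readable problems for one interface definition."""
    problems = []
    ip = ipaddress.IPv4Address(cfg["ip"])
    gw = ipaddress.IPv4Address(cfg["gw"]) if cfg["gw"] else None

    # Dicko's point: a gateway equal to the interface address routes traffic back to the box.
    if gw is not None and gw == ip:
        problems.append(
            f"{name}: gateway {gw} is the interface's own address; nothing will leave the box"
        )

    if not valid_netmask(cfg["mask"]):
        problems.append(f"{name}: netmask {cfg['mask']} is not a valid contiguous mask")
        return problems  # cannot reason about the subnet without a valid mask

    net = ipaddress.IPv4Network((cfg["ip"], cfg["mask"]), strict=False)
    if gw is not None and gw != ip and gw not in net:
        problems.append(f"{name}: gateway {gw} is not inside {net}")
    return problems


def check_plan(config):
    """Check every interface, then make sure the two sides are on distinct subnets."""
    problems = []
    nets = {}
    for name, cfg in config.items():
        problems.extend(check_interface(name, cfg))
        if valid_netmask(cfg["mask"]):
            nets[name] = ipaddress.IPv4Network((cfg["ip"], cfg["mask"]), strict=False)

    # Overlapping subnets on two NICs leave the kernel guessing which way to route.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


if __name__ == "__main__":
    for label, plan in (("posted", POSTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        found = check_plan(plan)
        print(f"{label}: {'OK' if not found else ''}")
        for line in found:
            print("  -", line)
```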
     
  8. Bob

    Bob

    Joined:
    Nov 4, 2007
    Messages:
    2,400
    Likes Received:
    1
    Point taken and understood :cheer: ... completely missed that in the O.P.

    I was more concerned re: security, and that one flew past. I had an assumption that you were being humorous, but could not clearly pick it.

    It will teach me to stop doing fly-by forum responses and sit down and read the posts in more detail.
    Part of the reason for not sitting down is that it is 39 deg Celsius (102F) outside, and a reasonable deal more in my home office at the moment. Like the main office, I have a rack cabinet with various systems and it heats this room up like crazy. Definitely not worth sitting in here during the main heat of the day.

    Anyhow, have a BBQ to fire up, visitors coming round... now where's the steaks and sausages???

    Regards

    Bob
     
  9. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Jeez, I'll have to wait till august for that,
    shouldn't that be "barbie" and "bangers"?
    pop a K.B. for me will ya sport.

    enjoy . . .
    Dick

    How's that Aastra patch stuff going? Personally I still haven't got it down quite right yet.


    (Maybe we need a few stickies in the Newbie's corner.)
     
  10. wiseoldowl

    Joined:
    Aug 19, 2008
    Messages:
    251
    Likes Received:
    0
    Re:How to connect

    Actually, you just reminded me of something I have been meaning to ask for a while now. Is there any chance that some sort of configuration utility for iptables and fail2ban could be included with Elastix?

    I mention this because over at "the competition" :lol: they've put up an article called Avoiding the $100,000 Phone Bill: A Primer on Asterisk Security wherein they talk about how their systems come with iptables preconfigured. That's fine in one respect but it's also limiting. I think a better approach would be to have some configuration utility that assumes you know absolutely nothing about configuring iptables (because unless you are a dyed-in-the-feathers Linux geek you probably won't) or fail2ban, but explains certain options and lets you pick. For example, it might ask whether you have any extensions that are not on your local network, whether you will ever need to ssh into your system from outside your local network and so on, and configure accordingly. For fail2ban it could ask how many attempts you wish to allow, how long the timeout should be, and so on.

    I actually found fail2ban easy enough to set up (using the page Fail2Ban (with iptables) And Asterisk at voip-info.org) but other than what was in that article, iptables configuration is a big mystery to me. I have seen a number of articles suggesting that everyone should configure iptables, but then in the next paragraph they as much as admit that most people aren't going to be able to figure out how. Some suggest using Webmin, and indeed, you can go to Webmin's "Linux Firewall" module, whereupon you get this message:

    Webmin has detected 1 IPtables firewall rules currently in use, which are not recorded in the save file /etc/sysconfig/iptables. These rules were probably setup from a script, which this module does not know how to read and edit.

    If you want to use this module to manage your IPtables firewall, click the button below to convert the existing rules to a save file, and then disable your existing firewall script.


    Whoa... does that mean that if I do that, fail2ban will no longer work? And how do I "disable [my] existing firewall script" anyway? This is why I think Elastix could benefit greatly from a module that would manage both iptables and fail2ban in a unified way. More to the point, it would already be aware of which ports need to be open for the software included with Elastix to be usable. Of course, with a good hardware router/firewall I suspect that iptables may be a bit redundant (since no outside traffic can get to your Elastix box other than on the ports you explicitly route to that box) but still it couldn't hurt, especially when there are probably people who find it easier to "just place the Elastix box in the DMZ" so everything works! :S
     
  11. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Re:How to connect

    Wiseoldowl, greetings

    We are here in the newbies corner and so for many reasons this thread should be moved to a more appropriate place before we terrify them all, however I will respond . . .

    Personally I don't consider them opposition, it is a rock solid distribution but with a slightly different agenda and perhaps presumes a little more user sophistication than does Elastix. I use it myself when the fit is right, and is in many ways way more flexible than Elastix. Further I believe the attacked system was a third distribution, which I don't use and never will (but have in the past).

    Fail2ban is certainly easy to implement in Elastix from the resources you quote, however the upgrade script is, as it self-references, an upgrade of an older version of fail2ban. Elastix chooses to limit the repos it uses for very good reasons, and fail2ban is not included within those limits.

    Personally I support the inclusion of fail2ban in this distribution, but as I see it, we are quite a way out from 1.4 final for many other reasons. So let's be patient and let the developers digest all the input they are getting from these fori. Further, and in the spirit of open source, post the actions you performed to realize fail2ban under Elastix, hopefully as a script, for your peers to review.

    As to the webmin "behavior" you notice, it is because fail2ban dynamically re-writes the iptables on-the-fly. This is not a problem, it is designed to do that to keep the load on the server low (no re-writes to the text based configs); the down side is that on a reboot you will lose all that protection, the up side is it will kick in immediately you restart the system. Anything you set up statically in iptables or the webmin interface to them will however be honored over the reboot.

    There is no real idiot's guide to iptables, (I wish there were 'cos I'm one!) it is designed to be able to examine every part of any network packet, reference it to existing connections and act on it accordingly. There's the rub, there are so many possibilities and so many solutions that things like "firestarter" and "fire wall builder", while good attempts to relieve the task, are likely to never achieve the depth of filtering necessary on a truly functional and secure firewall. Webmin's iptables module does at least expose almost all of those variables but that is, as you say, no advantage if you don't know what they mean. This is one reason why it costs so much to be Cisco certified, whereby you have to know it all before you even type it on the command line to successfully achieve the depths of routing/firewalling/qos et al that is possible.

    Putting anything in the DMZ(which in itself is a dangerous misnomer) puts it, like lambs to the slaughter, on the internet, the bad guys don't play the DMZ thing well so it is up to us implementors to cover our asses from all directions, it's up to Elastix et al to sternly warn people "not to do stupid things", and this they indeed do, all we have to do now is get newbies to "RTFM" (dream on dicko)

    Unfortunately I have found that there is no substitute for learning. So go with a serious router with an understandable gui or, if you have the time and inclination, go to google, your books and eventually iptables. Either route can provide what you need.

    (p.s. I'm not certified by Cisco or for that matter anyone, but I think I am probably certifiable)
     
  12. donhwyo

    Joined:
    Aug 8, 2008
    Messages:
    293
    Likes Received:
    0
    Re:How to connect

    I think the last 2 posts are worth their own thread. Maybe even a security section just for it.

    Don
     
  13. wiseoldowl

    Joined:
    Aug 19, 2008
    Messages:
    251
    Likes Received:
    0
    Re:How to connect

    Funny, my perception was that PiaF was aimed at LESS sophisticated users. The reason I say that is that they do all their upgrades with scripts and if you try to change anything (even to fix a bug) it will likely get overwritten by their script. We tried it and didn't care for it - the thing I recall was fixing some permissions problems, then running their upgrade script and finding that all the permissions I had fixed were changed back to what they had been, which in some cases were clearly wrong. Therefore my feeling was that you'd use that distribution if you wanted them to in effect take over the way your system operates, which might well be something a complete newbie would want but after about three months that sort of thing could get seriously irritating (in our case it took exactly one week). But that was just my perception. As for that third distribution, I think we used it in the past too, and wanted to get away and stay far away from it.

    Actually I think if you follow the instructions on the voip-info.org site you DO get the latest fail2ban. The confusion is that the current version of PiaF ships with an older version of fail2ban (or at least it did, don't know if that's changed) and apparently the configuration files for the two versions aren't compatible.

    I posted exactly what I did - followed the instructions on that voip-info.org page. What it says there is what I did. I am NOT a Linux geek by any stretch of the imagination, and what is more, I really have only minimal interest in Linux (or any other operating system, for that matter). If someone cares to write a script then more power to them (I don't know why you'd need one because the instructions on that page really aren't difficult to follow, and believe me, if I can do it the instructions must be pretty clear and simple).

    That sounds like a big problem to me!

    This is exactly the sort of thing that hinders the acceptance of Linux. I can see why this is a problem, because it's exactly my reaction to the way PiaF does things vs. the way Elastix does things. In the case of Asterisk and FreePBX, I want more control - if I fix permissions on a directory I don't want an upgrade script changing them back (by the way, before anyone says anything about how maybe they were doing it right and I wasn't, the issue was that Asterisk wouldn't play certain sound files that were included in the distribution because the permissions on the directory containing those files was wrong - it was an issue with one of the subdirectories in /var/lib/asterisk/sounds, if I recall correctly). But in the case of the operating system itself, or things like firewalls, I just want to keep it simple - I'd rather not touch it at all if I don't have to.

    The problem is that if you are deploying Elastix in a large corporation, you can hire an IT professional (sometimes known as the BOFH) and that person, in theory, should be able to set up firewalls in his sleep. And he very likely enjoys and appreciates the control of something like iptables. But in a small business or home setting you probably don't have such a person available, and I guarantee you that there is not one home or small business owner in 10,000 that is going to know how to configure iptables, nor are they going to take the time to learn. What they will do is maybe try to find a "cookbook" telling them how to set it up, or failing that, they just won't bother with it. In most cases they'll have an external router with firewall and if they don't open the wrong ports on that they will probably be okay (I'm just waiting to hear the "security professionals" scream about that statement, but really their exposure is fairly low).

    So to me the question is, what is really more irresponsible - for end users to not take a college-level course so they can learn to configure their firewall, or for Linux to use such a complicated firewall that nobody but a true Linux geek can figure out how to set it up? By giving a few "power users" all those configuration options they set up a situation where most users can't configure their firewalls at all. Since I suspect that the vast majority of Elastix users are NOT Linux power users (I KNOW beyond the shadow of a doubt that I am not one and never will be - nor, in fact, do I really want to be one), that's why I say it might be good to have a configuration utility that configures iptables in a sensible manner for use with Elastix. This would be better (IMHO) than the PiaF approach of simply giving it to you preconfigured, because at least you'd have some limited options.

    As a slight digression, it's interesting how this is handled under Mac OS X. They give you a basic firewall with three options: Allow all incoming connections (which, strangely, is the default!), Allow only essential services, or Set access for specific services and applications (the latter prompts you to allow or disallow new incoming connections). But if you want more control, there's a program called WaterRoof (from a third-party developer) which is described as "an IPFW firewall frontend for Mac OS X" - that's what I assume your network professionals would use. The same company also offers a free, "basic firewall configuration tool" called NoobProof (its icon is a baby pacifier). They say "NoobProof is the right solution for the average Mac user. WaterRoof is a tool for experienced network administrators." We need something like NoobProof for Linux, because, like it or not, not everyone who uses Linux is an "experienced network administrator", and that's especially true of people who have downloaded Asterisk/FreePBX based distributions such as Elastix.

    Agreed. But people do things like that because "it's the only way I could get my system to work" (as you note, it also means they will very likely be hacked in short order). So the more we can do to ease the pain of getting the system to work AND be reasonably secure from intrusions, the better. I know, everybody clamors for more features and nobody clamors for better security (until they get hacked) but I do think security should be a higher priority in these types of "install and play" distributions, which appeal to those who (like me) ordinarily wouldn't set up a Linux box if you paid me (well, in my case I might set up something like Ubuntu on an older box just to have a look, but I've never yet found a Linux desktop distribution I could actually use and feel comfortable with on a day-to-day basis... but I digress).

    I think the "serious router with an understandable gui" is the approach that 95%+ of Elastix users will wind up taking. The problem is that fail2ban won't work with your router's firewall. I guess that really isn't a big issue because if you configure fail2ban as in the voip-info article, it will catch the hacking attempts, and your router should do the rest... assuming, of course, that people have sense enough not to open up ports they shouldn't (for example, exposing the web browser or Webmin to the Internet is just asking for trouble).

    As for this being in the Newbie's Corner, I had not noticed that originally (probably because I get the RSS feed of new messages and clicked off of that) but I would hope that rather than being frightened by this discussion, the newbies could pick up some pointers on what not to do, in order to protect their systems. But ultimately, my reason for posting my original message was in the hope that someday a utility might be included (wouldn't even necessarily have to be one written by the Elastix developers, if there is already a good open source one out there) that would make it easier to configure some minimal additional security. That would make it even easier on the newbies, not to mention those of us who have been around a while but who have no intention of becoming Cisco certified just so we can run a home Asterisk box!
     
  14. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Re:How to connect

    Wiseoldowl,

    I sense I have raised your hackles. This was certainly not my intention. My response was, as I implicitly stated, my personal feelings on the subject and certainly implied no criticism of anyone. Please take what you want from it, and reject anything you feel remotely offended by or disagree with. So far this world still has room for more than one opinion.

    All the best

    Dicko
     
  15. Bob

    Bob

    Joined:
    Nov 4, 2007
    Messages:
    2,400
    Likes Received:
    1
    Re:How to connect

    donhwyo,

    I agree with your comments. Especially with some of the recent PBX intrusions (which are not necessarily due to PBX software vulnerabilities - most likely poor security), it is definitely worth a section on its own.

    Rafael, I know that we have quite a few sections, but your thoughts on a security section, that contains threads of all security related matters and improvements. Even from clients, I have had a run of questions about the security, so it is a hot topic at the moment...

    Regards

    Bob
     
  16. Bob

    Bob

    Joined:
    Nov 4, 2007
    Messages:
    2,400
    Likes Received:
    1
    Re:How to connect

    Bangers - more the English name - not much used in Australia.
    K.B. - I think it died out - at least haven't seen anyone with a can since 1983??

    Aastra stuff - definitely working. I am putting together some code for the Endpoint configuration changes needed. It is not a big deal, just January has been a huge month for us with work, and has limited spare time available. But we finally complete the last big job this weekend, and will be back on track with work and spare time..

    Regards

    Bob
     
  17. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Re:How to connect

    Well it HAS been a while since I was there, guess I really am an old fart.

    Thanks for the update. (I'll be patient)
     
  18. wiseoldowl

    Joined:
    Aug 19, 2008
    Messages:
    251
    Likes Received:
    0
    Re:How to connect

    dicko - not at all, and I apologize if my response came across that way. We may not agree on everything but then who does, and you haven't said anything I'd take strong issue with. The only people who really raise my hackles are the "trolls" that go around on various forums saying things like "If you're not willing to learn everything there is to know about firewalls/security/Linux/whatever you have NO BUSINESS running an Asterisk server." I don't know what rarefied air those people are breathing, but down here in the real world most people are NOT Linux geeks nor certified by anyone to configure a firewall. These are probably the same people who pop up from time to time saying that people should be licensed to operate a computer (assuming that most people aren't competent to do so because they aren't willing to write their own operating system as a hobby, or something like that). As far as I can recall nobody's advanced that position here yet, but I have seen it pop up from time to time on various forums.

    It's kind of like my theory about how people in various operating system related forums respond if you ask how to do something that's maybe a little bit unusual:

    Windows forums: "Sure, there's a program that will do that, it costs $x.xx, but there also about five free programs that will do it. And you can get more information over on these hundred or so web pages..."

    Mac OS X forums: "Sure, there's a wonderful program that will do that for you. It costs $xx.xx. Oh, you found a free program that will do that? It's rubbish, don't even consider using it, buy the commercial software - preferably something from the Apple Store."

    Linux forums: "You're using Linux and you're asking a basic question like that? Read the f***'g manual and the man pages, or just f***'g Google it. Oh, you don't know what to search for in Google? Not our problem, go back to Windows if you can't figure it out."

    (Okay, I may be being just a BIT hard on the folks in the Linux forums, but it's not THAT over the top. And don't even get me started on the #asterisk IRC channel! :angry: )

    Thing is that many Elastix users come from a Windows background, not a Linux background. We wouldn't be using Elastix if it weren't an "install and go" distribution. Heck, in my case I wouldn't be using Asterisk at all if it weren't for the original Asterisk@Home program (and you probably know how well THAT was received by the Asterisk "purists" ). So some of us need relatively simple ways to do these things, because we're not all folks who cut our teeth on Linux when we were ten years old. :)
     
  19. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Re:How to connect

    Wiseoldowl,
    Bob,
    Don
    Dicko,

    Can we agree that the answer to the poor original poster is :-

    "No, not a good idea at all, especially for a newbie."

    and

    "Please read the manual(s) as to why"


    and await hopefully the response from Rafael, our fearless leader, as to a new security related forum where I am sure we will "cross pointy-sticks" later.

    (perhaps we can call the forum "Opinionated Curmudgeons with a Concern for Security" )
     
  20. Bob

    Bob

    Joined:
    Nov 4, 2007
    Messages:
    2,400
    Likes Received:
    1
    Re:How to connect

    Dicko,

    Sounds like an answer to me!!

    Bob
     