firewall/iptables on asterisk server

PostPosted: Thu Jul 24, 2008 11:48 am
by CHP
Hello asterisk experts,

On the www I found a ppt presentation (astricon_performance.ppt from securax.be), sorry I don't know the exact link any more, where the guys said that to improve performance you should not run a firewall (iptables) or a traffic shaper on the asterisk machine.

That's why my question is: if you have a multi server asterisk/vicidial system, e.g. 1 asterisk/vicidial + 1 web/mysql server, and the clients are shared in the WAN, is it better to use a hardware firewall (e.g. cisco asa) or run iptables on each ethernet interface of the asterisk and webserver which are connected to the WAN?

Thanks for your answers!

PostPosted: Thu Jul 24, 2008 1:44 pm
by mflorell
It is always much better to keep the firewall as far as possible away from the VICIDIAL servers. It should be a dedicated machine that only does firewall duties.

PostPosted: Thu Jul 24, 2008 4:32 pm
by eijal
What could be the impact of using iptables in every asterisk/vicidial, web, database servers?

PostPosted: Fri Jul 25, 2008 8:12 am
by mflorell
If your server is on the open internet with only iptables firewall to protect it and someone decides to DDOS or brute-force attack your server then it will be slowed down to the point of being not usable. This happened to a client of ours and moving to a dedicated firewall machine fixed the issue.

PostPosted: Fri Aug 22, 2008 6:06 pm
by js19
considering you can buy a pix for a couple hundred bucks, it seems insane not to. Even so, I have a firewall running on asterisk, but I doubt it will ever get much of a workout since the pix will always do the bulk of the work.

PostPosted: Tue Aug 26, 2008 8:02 am
by Mika1974
I think it's not very wise to recommend people *not* to run a firewall.

Proper configuration of iptables can avoid it being a bottleneck in a DDOS attack - and yes, hardware firewalls rule, but not everyone has the budget.

PostPosted: Tue Aug 26, 2008 3:18 pm
by Op3r
Can you show us some iptables rules that can filter DDOS attacks? I am thinking about the security of vicidial servers now.

PostPosted: Tue Aug 26, 2008 4:21 pm
by mflorell
I am not a firewall expert, but the sheer amount of traffic is the whole problem with DDOS attacks, not really how they are filtered. An external firewall is always the best solution, but even one of those will not help your bandwidth usage if you get DDOS attacked.
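As an added example (not posted by anyone in this thread and not VICIdial's own configuration), here is the kind of host-based iptables ruleset Mika1974 is referring to and Op3r asked for: per-source rate limits on SIP (5060/udp) and SSH using the hashlimit and recent modules, a default-deny INPUT policy, and unrestricted access for trusted networks. The trusted network 192.0.2.0/24, the web/MySQL server address 198.51.100.10 and the function name vicidial_firewall_rules are constructed placeholders; the 10000-20000/udp RTP range is Asterisk's default from rtp.conf. In line with mflorell's point, these rules only shed the CPU cost of a flood on the box itself; they cannot recover bandwidth that is already saturated upstream, which is what a dedicated firewall in front of the servers (and ultimately the ISP) is for.

```shell
#!/bin/sh
# Host-based iptables rules for an Asterisk/VICIdial server with a WAN-facing
# interface. Limits SIP and SSH attempts per source and drops everything else.
# Without an argument the script prints the rules (dry run); "apply" executes
# them and must be run as root.
#
# Assumed/constructed values (adjust to your site):
#   TRUSTED_NETS - agent/office networks that always get full access
#   WEB_SERVER   - the peer web/MySQL server of the multi-server layout
#   10000:20000/udp - Asterisk's default RTP range from rtp.conf

TRUSTED_NETS="${TRUSTED_NETS:-192.0.2.0/24}"
WEB_SERVER="${WEB_SERVER:-198.51.100.10}"
IPT="${IPT:-echo iptables}"   # dry run by default; set IPT=iptables to apply

vicidial_firewall_rules() {
    # Clean slate, then default-deny inbound traffic.
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Trusted agent networks and the peer web/db server are never rate limited.
    for net in $TRUSTED_NETS; do
        $IPT -A INPUT -s "$net" -j ACCEPT
    done
    $IPT -A INPUT -s "$WEB_SERVER" -j ACCEPT

    # SSH: a source that opens more than 4 new connections in 60 s is dropped
    # (the "recent" module tracks the last hit times per address).
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name ssh --set
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT

    # SIP signalling: per-source token bucket so one flooding host cannot
    # starve everyone else; the excess is logged (itself rate limited so the
    # log cannot become the bottleneck) and dropped.
    $IPT -A INPUT -p udp --dport 5060 -m hashlimit --hashlimit-name sip \
        --hashlimit-mode srcip --hashlimit-upto 20/sec --hashlimit-burst 40 \
        -j ACCEPT
    $IPT -A INPUT -p udp --dport 5060 -m limit --limit 5/min \
        -j LOG --log-prefix "SIP-FLOOD: "
    $IPT -A INPUT -p udp --dport 5060 -j DROP

    # RTP media for calls that signalling already admitted.
    $IPT -A INPUT -p udp --dport 10000:20000 -j ACCEPT
}

case "${1:-}" in
    apply) IPT=iptables; vicidial_firewall_rules ;;
    *)     vicidial_firewall_rules ;;
esac
```

Run it once without arguments and read the printed rules before running `sh script.sh apply` on the server; the hashlimit thresholds (20 packets/s sustained, burst 40 per source address) are a starting point for a dialer box and should be raised if a legitimate trunk or SIP proxy sends more signalling than that from a single address, or that peer should be added to TRUSTED_NETS.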