What Are You Doing Right Now

EddieJennings

@jaredbusch said in What Are You Doing Right Now:

@eddiejennings said in What Are You Doing Right Now:

@jaredbusch said in What Are You Doing Right Now:

@eddiejennings said in What Are You Doing Right Now:

I suppose I could attach the NIC of FreePBX to the NIC on my host using macvtap, and bypass my firewall VM.

My point was why are you needing to open something INBOUND

The IP phone at my home will need to grab a configuration over the Internet. Also, it will send traffic outbound (inbound to the PBX) to register the extension, will it not?

Then you need 443, 5061, and some range of ports for RTP.

Obviously 443 should hit your reverse proxy. The rest are straight to your PBX.

For the RTP ports, I suggest setting a small range in your phone's config to force it to use a known set of port and then only forward those to reduce the exposure.

That was the plan. I like the idea of reducing the range of ports for RTP.

JaredBusch

@eddiejennings said in What Are You Doing Right Now:

@jaredbusch said in What Are You Doing Right Now:

@eddiejennings said in What Are You Doing Right Now:

@jaredbusch said in What Are You Doing Right Now:

@eddiejennings said in What Are You Doing Right Now:

I suppose I could attach the NIC of FreePBX to the NIC on my host using macvtap, and bypass my firewall VM.

My point was why are you needing to open something INBOUND

The IP phone at my home will need to grab a configuration over the Internet. Also, it will send traffic outbound (inbound to the PBX) to register the extension, will it not?

Then you need 443, 5061, and some range of ports for RTP.

Obviously 443 should hit your reverse proxy. The rest are straight to your PBX.

For the RTP ports, I suggest setting a small range in your phone's config to force it to use a known set of port and then only forward those to reduce the exposure.

That was the plan. I like the idea of reducing the range of ports for RTP.

Note, I said 5061 and not 5060. That is the TLS port for PJSIP.

You don't' want your phone sending its login over clear text do you?

EddieJennings

@jaredbusch said in What Are You Doing Right Now:

@eddiejennings said in What Are You Doing Right Now:

@jaredbusch said in What Are You Doing Right Now:

@eddiejennings said in What Are You Doing Right Now:

@jaredbusch said in What Are You Doing Right Now:

@eddiejennings said in What Are You Doing Right Now:

I suppose I could attach the NIC of FreePBX to the NIC on my host using macvtap, and bypass my firewall VM.

My point was why are you needing to open something INBOUND

The IP phone at my home will need to grab a configuration over the Internet. Also, it will send traffic outbound (inbound to the PBX) to register the extension, will it not?

Then you need 443, 5061, and some range of ports for RTP.

Obviously 443 should hit your reverse proxy. The rest are straight to your PBX.

For the RTP ports, I suggest setting a small range in your phone's config to force it to use a known set of port and then only forward those to reduce the exposure.

That was the plan. I like the idea of reducing the range of ports for RTP.

Note, I said 5061 and not 5060. That is the TLS port for PJSIP.

You don't' want your phone sending it's login over clear text do you?

I do not, another good idea. On that note, will Yealink phones gripe about the fact that the PBX is presenting a self-signed cert?

JaredBusch

@eddiejennings said in What Are You Doing Right Now:

@jaredbusch said in What Are You Doing Right Now:

@eddiejennings said in What Are You Doing Right Now:

@jaredbusch said in What Are You Doing Right Now:

@eddiejennings said in What Are You Doing Right Now:

@jaredbusch said in What Are You Doing Right Now:

@eddiejennings said in What Are You Doing Right Now:

I suppose I could attach the NIC of FreePBX to the NIC on my host using macvtap, and bypass my firewall VM.

My point was why are you needing to open something INBOUND

The IP phone at my home will need to grab a configuration over the Internet. Also, it will send traffic outbound (inbound to the PBX) to register the extension, will it not?

Then you need 443, 5061, and some range of ports for RTP.

Obviously 443 should hit your reverse proxy. The rest are straight to your PBX.

For the RTP ports, I suggest setting a small range in your phone's config to force it to use a known set of port and then only forward those to reduce the exposure.

That was the plan. I like the idea of reducing the range of ports for RTP.

Note, I said 5061 and not 5060. That is the TLS port for PJSIP.

You don't' want your phone sending it's login over clear text do you?

I do not, another good idea. On that note, will Yealink phones gripe about the fact that the PBX is presenting a self-signed cert?

No.

siringo

Signing up as a new user & typing this!

jt1001001

Headed to Syracuse office today to install network gear

scottalanmiller

Good morning!

EddieJennings

An observation: I don't know how folks effectively tested stuff before there were VMs. It's so nice to make a change, and if something breaks, apply a snapshot.

scottalanmiller

@eddiejennings said in What Are You Doing Right Now:

An observation: I don't know how folks effectively tested stuff before there were VMs. It's so nice to make a change, and if something breaks, apply a snapshot.

We had second hardware.

scottalanmiller

@eddiejennings said in What Are You Doing Right Now:

VMs. It's so nice to make a change, and if something breaks, apply a snapshot.

That's a storage thing, not a VM thing. VMs didn't give us snapshots. We used snapshots the same before VMs.

black3dynamite

@eddiejennings said in What Are You Doing Right Now:

An observation: I don't know how folks effectively tested stuff before there were VMs. It's so nice to make a change, and if something breaks, apply a snapshot.

We use to setup a small recovery partition in case we needed to do a restore.

We also used software like deep freeze too.

Having a second computer help with testing as well.

RojoLoco

So yeah... we got power back about an hour ago finally. And now I have a dev server's RAID card acting up. Hopefully the rebuild will go well.

Also, eat a dick Georgia Power. Clumsy bastards.

travisdh1

Just got a wazuh server up and verified that a client actually connected to it. Tomorrow I get to do the rest of the clients on the managed network.

scottalanmiller

Been a crazy busy day here, just poured some whiskey.

EddieJennings

Following https://mangolassi.it/topic/16651/install-nginx-as-a-reverse-proxy-on-fedora-27 and actually understanding why the steps are what they are

JaredBusch

@eddiejennings said in What Are You Doing Right Now:

Following https://mangolassi.it/topic/16651/install-nginx-as-a-reverse-proxy-on-fedora-27 and actually understanding why the steps are what they are

That is why I put in explanations.

EddieJennings

@jaredbusch said in What Are You Doing Right Now:

@eddiejennings said in What Are You Doing Right Now:

Following https://mangolassi.it/topic/16651/install-nginx-as-a-reverse-proxy-on-fedora-27 and actually understanding why the steps are what they are

That is why I put in explanations.

Yep. Helps affirm my understanding.

siringo

Scratching my head wondering what Mangolassi means?
Could it be a Scottish woman eating a mango?

JaredBusch

@siringo said in What Are You Doing Right Now:

Scratching my head wondering what Mangolassi means?
Could it be a Scottish woman eating a mango?

I honestly never thought of that one!

JaredBusch

@siringo said in What Are You Doing Right Now:

Scratching my head wondering what Mangolassi means?
Could it be a Scottish woman eating a mango?

To answer your question I tried to dig up a post with the answer but cannot find one.