What Are You Doing Right Now
-
@eddiejennings said in What Are You Doing Right Now:
Looking up what I open on my firewall for FreePBX.
Umm nothing?
-
@jaredbusch said in What Are You Doing Right Now:
@eddiejennings said in What Are You Doing Right Now:
Looking up what I open on my firewall for FreePBX.
Umm nothing?
Methinks VyOS is going to have fun dropping traffic unless I allow some inbound connections to my PBX
-
I suppose I could attach the NIC of FreePBX to the NIC on my host using macvtap, and bypass my firewall VM.
-
@eddiejennings said in What Are You Doing Right Now:
I suppose I could attach the NIC of FreePBX to the NIC on my host using macvtap, and bypass my firewall VM.
My point was why are you needing to open something INBOUND
-
@jaredbusch said in What Are You Doing Right Now:
@eddiejennings said in What Are You Doing Right Now:
I suppose I could attach the NIC of FreePBX to the NIC on my host using macvtap, and bypass my firewall VM.
My point was why are you needing to open something INBOUND
The IP phone at my home will need to grab a configuration over the Internet. Also, it will send traffic outbound (inbound to the PBX) to register the extension, will it not?
-
@eddiejennings said in What Are You Doing Right Now:
@jaredbusch said in What Are You Doing Right Now:
@eddiejennings said in What Are You Doing Right Now:
I suppose I could attach the NIC of FreePBX to the NIC on my host using macvtap, and bypass my firewall VM.
My point was why are you needing to open something INBOUND
The IP phone at my home will need to grab a configuration over the Internet. Also, it will send traffic outbound (inbound to the PBX) to register the extension, will it not?
Then you need 443, 5061, and some range of ports for RTP.
Obviously 443 should hit your reverse proxy. The rest are straight to your PBX.
For the RTP ports, I suggest setting a small range in your phone's config to force it to use a known set of port and then only forward those to reduce the exposure.
-
The PBX itself does not needs SSL installed (self signed is already there).
-
@jaredbusch said in What Are You Doing Right Now:
@eddiejennings said in What Are You Doing Right Now:
@jaredbusch said in What Are You Doing Right Now:
@eddiejennings said in What Are You Doing Right Now:
I suppose I could attach the NIC of FreePBX to the NIC on my host using macvtap, and bypass my firewall VM.
My point was why are you needing to open something INBOUND
The IP phone at my home will need to grab a configuration over the Internet. Also, it will send traffic outbound (inbound to the PBX) to register the extension, will it not?
Then you need 443, 5061, and some range of ports for RTP.
Obviously 443 should hit your reverse proxy. The rest are straight to your PBX.
For the RTP ports, I suggest setting a small range in your phone's config to force it to use a known set of port and then only forward those to reduce the exposure.
That was the plan. I like the idea of reducing the range of ports for RTP.
-
@eddiejennings said in What Are You Doing Right Now:
@jaredbusch said in What Are You Doing Right Now:
@eddiejennings said in What Are You Doing Right Now:
@jaredbusch said in What Are You Doing Right Now:
@eddiejennings said in What Are You Doing Right Now:
I suppose I could attach the NIC of FreePBX to the NIC on my host using macvtap, and bypass my firewall VM.
My point was why are you needing to open something INBOUND
The IP phone at my home will need to grab a configuration over the Internet. Also, it will send traffic outbound (inbound to the PBX) to register the extension, will it not?
Then you need 443, 5061, and some range of ports for RTP.
Obviously 443 should hit your reverse proxy. The rest are straight to your PBX.
For the RTP ports, I suggest setting a small range in your phone's config to force it to use a known set of port and then only forward those to reduce the exposure.
That was the plan. I like the idea of reducing the range of ports for RTP.
Note, I said 5061 and not 5060. That is the TLS port for PJSIP.
You don't' want your phone sending its login over clear text do you?
-
@jaredbusch said in What Are You Doing Right Now:
@eddiejennings said in What Are You Doing Right Now:
@jaredbusch said in What Are You Doing Right Now:
@eddiejennings said in What Are You Doing Right Now:
@jaredbusch said in What Are You Doing Right Now:
@eddiejennings said in What Are You Doing Right Now:
I suppose I could attach the NIC of FreePBX to the NIC on my host using macvtap, and bypass my firewall VM.
My point was why are you needing to open something INBOUND
The IP phone at my home will need to grab a configuration over the Internet. Also, it will send traffic outbound (inbound to the PBX) to register the extension, will it not?
Then you need 443, 5061, and some range of ports for RTP.
Obviously 443 should hit your reverse proxy. The rest are straight to your PBX.
For the RTP ports, I suggest setting a small range in your phone's config to force it to use a known set of port and then only forward those to reduce the exposure.
That was the plan. I like the idea of reducing the range of ports for RTP.
Note, I said 5061 and not 5060. That is the TLS port for PJSIP.
You don't' want your phone sending it's login over clear text do you?
I do not, another good idea. On that note, will Yealink phones gripe about the fact that the PBX is presenting a self-signed cert?
-
@eddiejennings said in What Are You Doing Right Now:
@jaredbusch said in What Are You Doing Right Now:
@eddiejennings said in What Are You Doing Right Now:
@jaredbusch said in What Are You Doing Right Now:
@eddiejennings said in What Are You Doing Right Now:
@jaredbusch said in What Are You Doing Right Now:
@eddiejennings said in What Are You Doing Right Now:
I suppose I could attach the NIC of FreePBX to the NIC on my host using macvtap, and bypass my firewall VM.
My point was why are you needing to open something INBOUND
The IP phone at my home will need to grab a configuration over the Internet. Also, it will send traffic outbound (inbound to the PBX) to register the extension, will it not?
Then you need 443, 5061, and some range of ports for RTP.
Obviously 443 should hit your reverse proxy. The rest are straight to your PBX.
For the RTP ports, I suggest setting a small range in your phone's config to force it to use a known set of port and then only forward those to reduce the exposure.
That was the plan. I like the idea of reducing the range of ports for RTP.
Note, I said 5061 and not 5060. That is the TLS port for PJSIP.
You don't' want your phone sending it's login over clear text do you?
I do not, another good idea. On that note, will Yealink phones gripe about the fact that the PBX is presenting a self-signed cert?
No.
-
Signing up as a new user & typing this!
-
Headed to Syracuse office today to install network gear
-
Good morning!
-
An observation: I don't know how folks effectively tested stuff before there were VMs. It's so nice to make a change, and if something breaks, apply a snapshot.
-
@eddiejennings said in What Are You Doing Right Now:
An observation: I don't know how folks effectively tested stuff before there were VMs. It's so nice to make a change, and if something breaks, apply a snapshot.
We had second hardware.
-
@eddiejennings said in What Are You Doing Right Now:
VMs. It's so nice to make a change, and if something breaks, apply a snapshot.
That's a storage thing, not a VM thing. VMs didn't give us snapshots. We used snapshots the same before VMs.
-
@eddiejennings said in What Are You Doing Right Now:
An observation: I don't know how folks effectively tested stuff before there were VMs. It's so nice to make a change, and if something breaks, apply a snapshot.
We use to setup a small recovery partition in case we needed to do a restore.
We also used software like deep freeze too.
Having a second computer help with testing as well.
-
So yeah... we got power back about an hour ago finally. And now I have a dev server's RAID card acting up. Hopefully the rebuild will go well.
Also, eat a dick Georgia Power. Clumsy bastards.
-
Just got a wazuh server up and verified that a client actually connected to it. Tomorrow I get to do the rest of the clients on the managed network.
