Chapter 2: System Settings
The purpose of the access list is to provide firewall-like functionality inside the
system application and so reduce the chance of unauthorized access to the system.
The access control is not limited to SIP; it applies to every other protocol the system
serves as well, including HTTP, TFTP, and SNMP. It does not apply when the system acts
as a client (for example, when it sends DNS requests). Entering 0.0.0.0 in the IP field
makes the entry match every address, so an Allow entry for 0.0.0.0 accepts everything.
In addition, if a particular source sends a large number of requests, the system
automatically adds that source to the access control list and blocks it.
How the Access List Functions
When a packet reaches the system, the system checks the list of enabled and disabled
addresses for a match. A packet from an ignored address is discarded without any
answer. A match occurs when the packet's source address matches an entry's check
address under that entry's mask. More specific entries (those with longer masks) are
checked first, which makes it possible to define exceptions to a general rule. IPv4 and
IPv6 addresses are checked separately, so an IPv4 entry never matches an IPv6 source
and vice versa. If there is a match, the system looks at the entry's type: if the type is
Allow, the packet is accepted; if the type is Block, the request is blocked. If nothing in
the list matches, the request is accepted. If the list is empty, access control is disabled;
this is the default behavior after installation of the product.
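The matching procedure just described, as an added example in Python written for this page (it is not snom ONE code). The names Rule, make_rule, decide and record_request are chosen here; the sample entries and the request threshold used by record_request are constructed for the demonstration, and treating 0.0.0.0 (or ::) in the address field as a zero-length prefix is an assumption about the wildcard behaviour mentioned above.

```python
import ipaddress
from typing import Union

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One access-list entry: a check address with its mask, and a type."""
    network: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    action: str  # "allow" or "block"


def make_rule(address: str, mask: str, action: str) -> Rule:
    """Build an entry from the three fields of the access-list form.

    `mask` is a prefix length ("24") or, for IPv4, a dotted mask
    ("255.255.255.0"). An all-zero address (0.0.0.0 or ::) is taken to mean
    "every address" and forced to a zero-length prefix (example assumption).
    """
    action = action.lower()
    if action not in ("allow", "block"):
        raise ValueError(f"type must be Allow or Block, not {action!r}")
    addr = ipaddress.ip_address(address)
    if int(addr) == 0:
        mask = "0"
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return Rule(net, action)


def decide(rules: list, source: str) -> str:
    """Return "allow" or "block" for a packet whose source address is `source`."""
    if not rules:
        return "allow"  # empty list: access control disabled (the default)
    src = ipaddress.ip_address(source)
    # IPv4 and IPv6 are checked separately: an entry only matches its own family.
    hits = [r for r in rules if r.network.version == src.version and src in r.network]
    if not hits:
        return "allow"  # no match: the request is accepted
    # Most specific entry first: the longest mask wins, so a narrow Block inside
    # a wide Allow (or the reverse) acts as an exception to the general rule.
    return max(hits, key=lambda r: r.network.prefixlen).action


def record_request(counter: dict, rules: list, source: str, limit: int) -> bool:
    """Count requests per source and, once `limit` is reached, append a Block
    entry for that single host, mirroring the automatic blocking described
    above. Returns True when a new entry was added. The threshold is a
    parameter of this example; the text does not give one."""
    counter[source] = counter.get(source, 0) + 1
    if counter[source] >= limit and decide(rules, source) != "block":
        host_mask = "32" if ipaddress.ip_address(source).version == 4 else "128"
        rules.append(make_rule(source, host_mask, "block"))
        return True
    return False


# Constructed sample list (not from a real installation).
ACCESS_LIST = [
    make_rule("192.168.1.0", "255.255.255.0", "allow"),  # office LAN
    make_rule("192.168.1.200", "32", "block"),           # one rogue host inside it
    make_rule("203.0.113.0", "24", "block"),             # a noisy network
    make_rule("203.0.113.7", "32", "allow"),             # one trusted host inside it
    make_rule("2001:db8::", "32", "block"),              # IPv6 entries form their own family
]

if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.1.200", "203.0.113.9",
               "203.0.113.7", "198.51.100.1", "2001:db8::1", "2001:db9::1"):
        print(f"{ip:>16} -> {decide(ACCESS_LIST, ip)}")
```

Note the IPv6 caveat the example makes visible: a Block entry for 0.0.0.0 covers every IPv4 source but no IPv6 source, so a dual-stack deployment needs a matching :: entry as well.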
For UDP-based requests this is relatively easy: the request is simply not answered.
Because the UDP port is open, however, no ICMP port unreachable message goes back to
the origin, as it would for a closed port. Someone probing the system can therefore
work out that there is an open port behind the silence. But since the system just
discards these messages, the damage is limited.
For TCP ports the situation is more complicated. With the standard socket API on
Linux, an application cannot find out where a TCP connection is coming from until it
has accepted the connection. This is why the system first accepts the connection and
then examines whether it is allowed. If it is not allowed, the connection is turned down
immediately. On Windows there is a special system call (Winsock's WSAAccept, whose
condition function can reject a pending connection) that checks where the connection is
coming from before it is accepted; if the source is not enabled, the system does not
accept the connection. Either way, the operating system has already answered the TCP
connection request with an acknowledgement, so it is obvious to the other side that an
application is listening on the port.
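The UDP and TCP behaviour described in the two paragraphs above, as an added loopback demonstration in Python written for this page (not snom ONE code). The block list BLOCKED and the function names are constructed here; the server treats its own loopback address as a blocked source so that a local client plays the rejected peer. The closed-port result depends on the kernel delivering ICMP port unreachable on loopback, which is why that probe reports what it saw rather than assuming one outcome.

```python
import socket
import threading

# Constructed for the demo: the only client is on loopback, so listing
# 127.0.0.1 makes every connection a "blocked" one.
BLOCKED = {"127.0.0.1"}


def accept_then_check(listener: socket.socket, blocked: set) -> str:
    """Server side. The peer address is only known once accept() returns, and
    by then the kernel has already completed the three-way handshake. So:
    accept first, look at the peer, and drop the connection at once if blocked."""
    conn, (peer_ip, _peer_port) = listener.accept()
    with conn:
        if peer_ip in blocked:
            return "rejected"          # closed without sending a byte
        conn.sendall(b"hello\n")
        return "served"


def tcp_probe(blocked: set) -> dict:
    """What a client sees when it connects to the server above."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)             # never leave the worker stuck in accept()
    seen = {}
    worker = threading.Thread(
        target=lambda: seen.update(server=accept_then_check(listener, blocked)))
    worker.start()
    try:
        with socket.create_connection(listener.getsockname(), timeout=2) as client:
            seen["connected"] = True   # handshake done: the port looks open
            client.settimeout(2)
            seen["client_got"] = client.recv(64)  # b"" means the server hung up
    finally:
        worker.join()
        listener.close()
    return seen


def udp_probe(target, timeout: float = 0.5) -> str:
    """Send one datagram and classify what comes back."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect(target)           # connected socket: ICMP errors surface as OSError
        sock.send(b"probe")
        sock.recv(64)
        return "answered"
    except socket.timeout:
        return "silence"               # open but discarding, as the access list does
    except OSError as exc:
        return type(exc).__name__      # ConnectionRefusedError after ICMP port unreachable
    finally:
        sock.close()


def udp_silent_port_demo() -> str:
    """Bind a UDP port that never answers and probe it: the client only sees a
    timeout and cannot distinguish "blocked" from "open and slow"."""
    victim = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    victim.bind(("127.0.0.1", 0))
    try:
        return udp_probe(victim.getsockname())
    finally:
        victim.close()


def udp_closed_port_demo() -> str:
    """Probe a port nobody listens on. With ICMP port unreachable delivered the
    client gets ConnectionRefusedError; a silent drop would look like an open port."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    target = tmp.getsockname()
    tmp.close()
    return udp_probe(target)


if __name__ == "__main__":
    print("TCP, blocked peer :", tcp_probe(BLOCKED))
    print("TCP, allowed peer :", tcp_probe(set()))
    print("UDP, silent port  :", udp_silent_port_demo())
    print("UDP, closed port  :", udp_closed_port_demo())
```

In the blocked TCP case the client's connect() succeeds before the application has had any say, which is exactly why a port scanner still reports the port as open; only the immediate close that follows tells the peer it was refused.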
From: Deploying the snom ONE IP Telephone System