Neither SAIL nor Asterisk is firewall aware.
No, i know Asterisk isn't, but doesn't SAIL open the SIP, RTP and IAX2 ports? Although maybe that's at installation time...
However, your point about allowing/denying access at the carrier level is interesting. Our question is... How do you achieve this with your existing asterisk system? What firewall rules did you implement ...and where is/was your firewall? ...onboard with the asterisk instance or elsewhere?
I've got a script (called rc.iptables) which runs at boot time. I do stuff like:
# sipgate.co.uk - 217.10.79.219
iptables -A INPUT -i $IEXT -s 217.10.79.219 -p udp --dport 5060 -m state --state NEW,INVALID -j LOG --log-level debug --log-prefix "FW ASTERISK "
iptables -A INPUT -i $IEXT -s 217.10.79.219 -p udp --dport 5060 -m state --state NEW,INVALID -j ACCEPT
2) Trunklines: It seems to be a mistake to have the identifier for a service set automatically from its username. For a start, this makes the incorrect assumption that these are always going to be unique. Secondly, it makes it very hard to identify which service you're working with.
We really aren't sure we've understood this so if we're answering the wrong question, please bear with us. There are two "user" names to deal with. The SIP/IAX user name (which is almost always a DID number in the case of a Trunk - only siblings use name strings)
Almost always, yes - but not always always! My Voipgate (IAX) account username is a name string.
and the account user name which is used for account validation.
I'm talking about the label which begins the sip.conf/iax.conf config stanza - e.g.,
[1432324]Peer name or line: 1432324
However, while i was having a look a few seconds ago to try and work out exactly which field of the config page that comes from, i realised that these labels come from "DID/SIP User Name:" and "SIP/IAX Peer Name:" in the "New Trunk" page. I didn't really know what the significance of those fields in that page was, so i'd set them all to the username - obviously not necessarily the right thing to do...
Maybe i should have read the SARK/SAIL Documentation Pages before i did the configuration - or at least before i posted a message complaining about what appears to be a non-existent problem!