On a fresh install the default SIP configuration is to disallow anonymous, allow guests:
This default doesn’t make sense to me, so I am looking to the community for reasons why this might be useful. If there are none, I will submit a ticket to request it be changed to No/No (which I think makes the most sense).
It seems reasonable to me, at least for an initial install. Calls that don’t match a trunk get an audible error announcement, making for easier debugging. However, there is no access to the ‘regular’ dial plan, which might have errors allowing fraudulent calls.
If your firewall is whitelist-based, it’s probably OK to leave it this way indefinitely. If other constraints force a blacklist-based firewall, Allow SIP Guests can be a problem, because attempted attacks will use a lot of resources.
I’ve wondered this as well. It’s a really old setting, and looking at the context from-sip-external, I think it might have been set up this way in order to create a log line with the source IP of the invite in order for fail2ban to act on the INVITE attempt. Without this, you’re relying on Asterisk to block the INVITE which would be more resource intensive.
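The log-then-ban idea from the last reply, as an added example that is not part of the thread and is not FreePBX or fail2ban code: a fail2ban-style sliding-window count over rejection log lines. The log line shape, the function name `find_offenders` and the thresholds are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape, modelled on an Asterisk Log(WARNING, ...) entry; not taken from the thread.
REJECT_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] WARNING\[\d+\](?:\[C-[0-9a-f]+\])?:? '
    r'.*Rejecting unknown SIP connection from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"?\s*$'
)

def find_offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: time of the hit that crossed the threshold}.

    An IP is flagged once it logs `maxretry` rejections within `findtime`.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    banned = {}
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue  # unrelated log line
        ip = m["ip"]
        if ip in banned:
            continue  # already flagged, nothing more to count
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[ip]
        window.append(ts)
        # Drop hits that have aged out of the sliding window.
        while window and ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned

# Constructed sample log (documentation-range addresses, invented timestamps and IDs).
SAMPLE_LOG = """\
[2024-01-10 03:00:01] WARNING[2101][C-0000000a]: Ext. s: "Rejecting unknown SIP connection from 203.0.113.7"
[2024-01-10 03:00:04] WARNING[2102][C-0000000b]: Ext. s: "Rejecting unknown SIP connection from 203.0.113.7"
[2024-01-10 03:00:05] NOTICE[2103]: chan_sip.c: Peer 'trunk1' is now Reachable
[2024-01-10 03:00:09] WARNING[2104][C-0000000c]: Ext. s: "Rejecting unknown SIP connection from 203.0.113.7"
[2024-01-10 03:05:00] WARNING[2105][C-0000000d]: Ext. s: "Rejecting unknown SIP connection from 198.51.100.20"
[2024-01-10 03:30:00] WARNING[2106][C-0000000e]: Ext. s: "Rejecting unknown SIP connection from 198.51.100.20"
[2024-01-10 03:55:00] WARNING[2107][C-0000000f]: Ext. s: "Rejecting unknown SIP connection from 198.51.100.20"
""".splitlines()

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold crossed at {when})")
```

With the default window the burst from 203.0.113.7 is flagged, while the slow source at 198.51.100.20 stays under the threshold until `findtime` is widened.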