[Asterisk-Dev] How IAX works behind the firewall

Rich Adamson radamson at routers.com
Mon Jul 12 06:28:18 MST 2004

> > > That's H.323 I believe, SIP just uses one RTP port as stated in SDP payloads
> > 
> > Sip 'will' require three ports for most calls...
> >  - udp5060 for the sip protocol (eg, handshaking)
> >  - udpXXXX for outbound rtp audio (specific port selected by *)
> >  - udpYYYY for inbound rtp audio (specific port selected by the remote device)
> > 
> ..deleted
> > The values of XXXX and YYYY are not specified in any RFC, and therefore
> > are left up to the implementor to select a specific range of ports.
> > Cisco uses a different range than does Xten, than does Grandstream, etc.
> Actually, there are RFC-specified limitations on XXXX and YYYY. RFC 1889
> (RTP) contains the following in chapter 10:
> "For UDP and similar protocols, RTP uses an even port number and the
> corresponding RTCP stream uses the next higher (odd) port number. If an
> application is supplied with an odd number for use as the RTP port, it
> should replace this number with the next lower (even) number."
> And RFC 1890 says the following in chapter 7:
> "Applications need not have a default [port pair] and may require that
> the port pair be explicitly specified. The particular port numbers were
> chosen to lie in the range above 5000 to accommodate port number
> allocation practice within the Unix operating system, where port numbers
> below 1024 can only be used by privileged processes and port numbers
> between 1024 and 5000 are automatically assigned by the operating system."
> But these limits only apply to the advertised ports on which RTP is to
> be received - there are actually no limitations on the ports that can be
> used to *send* RTP data. So in fact, RTP can use up to 4 ports - two
> sockets for receiving, and two separate sockets for sending.

So, to answer the original poster's question, configuring a firewall
for sip is much more difficult than iax mostly due to the need for
multiple udp ports required for a sip session (that are selected based on
specific vendor implementations), versus a single udp port required
for iax.
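
The port rules discussed in this thread can be turned into a firewall-planning check. The following is an added example, not part of the original post: it reads the `m=` lines of an SDP body, applies the RFC 1889 even/odd rule quoted above, and lists the UDP ports that must be admitted inbound for one SIP call. The sample SDP, the function names and the `port/count` handling (from the SDP specification) are assumptions of this example; as the quoted reply notes, the sender's source ports are not constrained and cannot be derived this way.

```python
import re

# Constructed SDP body for illustration (not taken from the thread).
SAMPLE_SDP = """\
v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49171 RTP/AVP 0 8
m=video 51372/2 RTP/AVP 31
m=audio 0 RTP/AVP 0
"""

# m=<media> <port>[/<number of ports>] <proto> <formats...>
M_LINE = re.compile(r"^m=(\w+) (\d+)(?:/(\d+))? (\S+)")


def rtp_rtcp_pair(port):
    """RFC 1889 rule: RTP on an even port, RTCP on the next higher (odd) port."""
    rtp = port - (port % 2)  # an odd port is replaced by the next lower even one
    return rtp, rtp + 1


def inbound_ports(sdp):
    """Return [(media, rtp_port, rtcp_port), ...] advertised for receiving."""
    pairs = []
    for line in sdp.splitlines():
        m = M_LINE.match(line.strip())
        if not m:
            continue
        media, port, count, proto = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        if port == 0 or not proto.startswith("RTP/"):
            continue  # port 0 marks a disabled stream; non-RTP media has no RTCP pair
        for i in range(int(count) if count else 1):
            rtp, rtcp = rtp_rtcp_pair(port + 2 * i)  # consecutive pairs step by 2
            pairs.append((media, rtp, rtcp))
    return pairs


def firewall_ports(sdp, signalling=5060):
    """UDP ports to admit inbound for one call: signalling plus each RTP/RTCP pair."""
    ports = {signalling}
    for _, rtp, rtcp in inbound_ports(sdp):
        ports.update((rtp, rtcp))
    return sorted(ports)


if __name__ == "__main__":
    print(firewall_ports(SAMPLE_SDP))
```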
