[Asterisk-Dev] RTP and firewalls -- a suggestion
Brian Cuthie
brian at systemix.com
Sun May 9 11:26:18 MST 2004
Hi all,
Ran into an interesting problem (probably old hat for some of you) this
week with two SIP phones trying to talk to each other through an
Asterisk box sitting behind a firewall.
Basically, the call setup worked fine but once the call was established
no audio was passing between the two phones. After looking at the packet
trace it became obvious that the RTP packets going to Asterisk from each
of the SIP devices were being blocked by the firewall. Now normally,
Asterisk would send packets from the same ports thus creating a
temporary hole in the firewall that allows incoming packets through. But
since both SIP devices were remote, and Asterisk had no reason to
generate any RTP traffic on its own (in this type of call setup it's
just passing RTP traffic through to the SIP devices) no hole was ever
established in the firewall.
Now this presents a real problem. As far as I can tell, iptables doesn't
accommodate rules for large ranges of ports. So it's difficult to
establish a set of firewall rules that would pass packets to Asterisk in
the range of UDP ports configured for RTP.
So I have a suggestion, and am wondering what people think about this
idea: Could we send a single dummy RTP packet upon the establishment of
a call to establish a hole through the firewall?
Cheers,
Brian
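
Added example (not from the original post or from Asterisk's source): the single dummy RTP packet suggested above, sent from the local RTP port so that a stateful firewall records the flow and admits return traffic from that one peer address and port only. The function names, the header-only packet and the sample addresses in main() are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <sys/socket.h>
#include <unistd.h>

#define RTP_HDR_LEN 12

/* Write a minimal RTP header (RFC 3550): version 2, no padding, no
 * extension, no CSRC entries, marker bit clear. Returns its length. */
size_t rtp_build_header(uint8_t *buf, uint8_t pt, uint16_t seq,
                        uint32_t ts, uint32_t ssrc)
{
    buf[0] = 0x80;                      /* V=2, P=0, X=0, CC=0 */
    buf[1] = (uint8_t)(pt & 0x7f);      /* M=0, 7-bit payload type */
    buf[2] = (uint8_t)(seq >> 8);
    buf[3] = (uint8_t)(seq & 0xff);
    for (int i = 0; i < 4; i++) {       /* network byte order */
        buf[4 + i] = (uint8_t)(ts >> (24 - 8 * i));
        buf[8 + i] = (uint8_t)(ssrc >> (24 - 8 * i));
    }
    return RTP_HDR_LEN;
}

/* Send one header-only RTP packet from local_port to peer_ip:peer_port.
 * The source port must be the RTP port the peer was told to send to,
 * otherwise the firewall state will not match the inbound stream.
 * Returns 0 on success, -1 on any error. */
int rtp_punch_hole(uint16_t local_port, const char *peer_ip,
                   uint16_t peer_port, uint8_t pt, uint32_t ssrc)
{
    struct sockaddr_in local = {0}, peer = {0};
    uint8_t pkt[RTP_HDR_LEN];
    int rc = -1;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    local.sin_family = AF_INET;
    local.sin_addr.s_addr = htonl(INADDR_ANY);
    local.sin_port = htons(local_port);
    peer.sin_family = AF_INET;
    peer.sin_port = htons(peer_port);
    if (inet_pton(AF_INET, peer_ip, &peer.sin_addr) == 1 &&
        bind(fd, (struct sockaddr *)&local, sizeof local) == 0) {
        size_t n = rtp_build_header(pkt, pt, 1, 0, ssrc);
        if (sendto(fd, pkt, n, 0, (struct sockaddr *)&peer, sizeof peer) == (ssize_t)n)
            rc = 0;
    }
    close(fd);
    return rc;
}

/* Constructed sample values: local RTP port 10000, peer 192.0.2.10:5004. */
int main(void) { return rtp_punch_hole(10000, "192.0.2.10", 5004, 0, 0x12345678u) ? 1 : 0; }
```

The state entry this creates matches only if the peer's RTP arrives from the same address and port the dummy packet was sent to, so a peer behind its own NAT may still be blocked.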