[Asterisk-Users] Incoming SIP Address?
Rich Adamson
radamson at routers.com
Sat Dec 4 05:48:51 MST 2004
> > >I assume ports 5060 and 10000-20000 need to be opened
> > >in the firewall too.
>
> > I don't know much about SIP and firewalls, but opening ten thousand
> > ports doesn't sound good, you've just knocked 1/6 of your firewall down
>
> That's what I thought but I was told it was the only way to get incoming
> SIP working when Asterisk was behind a firewall/NAT. I was told it was
> not a security risk to do this.
>
> Any thoughts anyone?
"If" your configuration and firewall actually require you to open a
group of ports to *, then take a look at limiting the rtp ports that
are actually used.
Examples:
- in /etc/asterisk/rtp.conf, look at changing rtpstart and rtpend
- for cisco 7960's, look in SIPDefault.cnf for start_media_port and
end_media_port
- other sip phones often use other rtp ports, some of which
are configurable (and some phones not). Each sip phone vendor uses
a different range of rtp ports.
To reduce the security exposures, one can also use firewall filters
to allow only certain external IP addresses (if your firewall supports
that function), and/or sip.conf definitions that include something
like:
deny=0.0.0.0/0.0.0.0
permit=47.136.1.129/255.255.255.0
If you really need to do this, you will almost always need a packet
sniffer to "see" what is actually happening on the inside edge of
your firewall and on the outside edge. Without such packet traces
changing parameters is nothing more than a guessing game.
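To make the two mitigations in the reply concrete (a narrower rtpstart/rtpend range, and deny/permit lines that restrict which source addresses a peer may use), here is an added example that is not part of the original post and not Asterisk code. It parses constructed rtp.conf and sip.conf fragments, counts how many UDP ports the RTP range exposes, and evaluates the deny/permit rules. The rule semantics (rules checked in order, last matching rule wins, no match means allow, and a dotted mask such as 255.255.255.0 drops the host bits of the address) are modelled on how Asterisk host-access lists behave and should be treated as an assumption to verify against your own version.

```python
import ipaddress

# Constructed sample fragments (not copied from any real deployment).
RTP_CONF = """
[general]
rtpstart=10000
rtpend=20000
"""

SIP_CONF_PEER = """
[mypeer]
type=friend
deny=0.0.0.0/0.0.0.0
permit=47.136.1.129/255.255.255.0
"""


def parse_kv(text):
    """Return (key, value) pairs from an Asterisk-style ini fragment, in order.
    Order matters because deny/permit rules are evaluated sequentially."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "[")):
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs


def rtp_port_count(rtp_conf):
    """Number of UDP ports the rtpstart..rtpend range exposes (inclusive)."""
    kv = dict(parse_kv(rtp_conf))
    start, end = int(kv["rtpstart"]), int(kv["rtpend"])
    if start > end:
        raise ValueError("rtpstart must not exceed rtpend")
    return end - start + 1


def build_acl(sip_conf):
    """Turn deny=/permit= lines into ordered (network, allowed) rules.
    The mask is written in dotted form; host bits of the address are dropped,
    so 47.136.1.129/255.255.255.0 becomes the network 47.136.1.0/24."""
    rules = []
    for key, value in parse_kv(sip_conf):
        if key not in ("deny", "permit"):
            continue
        addr, _, mask = value.partition("/")
        net = ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False)
        rules.append((net, key == "permit"))
    return rules


def acl_allows(rules, source_ip):
    """Evaluate the rules in order; the last matching rule decides.
    Assumption: with no matching rule the source is allowed, which is why
    a leading deny=0.0.0.0/0.0.0.0 is the usual way to close the default."""
    allowed = True
    ip = ipaddress.ip_address(source_ip)
    for net, permit in rules:
        if ip in net:
            allowed = permit
    return allowed


if __name__ == "__main__":
    print("RTP ports exposed:", rtp_port_count(RTP_CONF))
    acl = build_acl(SIP_CONF_PEER)
    for src in ("47.136.1.7", "47.136.2.7", "203.0.113.5"):
        print(src, "->", "allowed" if acl_allows(acl, src) else "denied")
```

The order of the deny and permit lines is the easy thing to get wrong: writing the permit first and the deny second leaves the deny as the last match for every address, so the peer ends up accepting nothing.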