[Asterisk-Users] Newbie-Firewalls?

Michael Graves mgraves at mstvp.com
Tue Dec 14 07:55:55 MST 2004


On Mon, 13 Dec 2004 22:29:16 -0800 (PST), Gianni Veloce wrote:

>Hi all,
>I plan to install Asterisk at home and would like to
>ask some questions re firewalls (perhaps it sounds
>stupid for experts, sorry.)
>
>I plan to connect Asterisk box to an ADSL line.
>What Router/Firewall system to buy?
>I think I need a "VoIP capable" device for this. Any
>advice?

You'll need something that accommodates port forwarding and some form of
QoS or traffic shaping.

Don't need to buy anything if you prefer. Use something like m0n0wall
running on an old PC with two network cards as a router/firewall. 

>But, really should Asterisk be placed behind the
>Firewall? What ports to open? Need port forwarding?
>Or perhaps place it in the DMZ?  
>Does * need a REAL Internet IP address? Do I need to
>ask more IP subnets from the provider?

No, * does not need a real IP. You can port forward to its internal IP
without any issues. Placing it in the DMZ might have advantages but in
my mind it only exposes the server to a greater extent.

For IAX2 you open only port 4569. For SIP there are a number of ports
that you have to open, including 5060, 5061 and a large series of ports
designated for RTP streams, usually 10000-20000. This is one reason why
I use termination providers that offer IAX based services. I use four
separate providers who all squeeze through one open port. 

See www.voip-info.org for greater detail. 

I only have one fixed IP. All traffic to port 4569 on my fixed ip is
forwarded to my * server. I also forward an arbitrary port through my
m0n0wall to the * box, port translating to reach the SSH port on *. In
this way I can remote manage the server.

Michael
--
Michael Graves                           mgraves at pixelpower.com
Sr. Product Specialist                          www.pixelpower.com
Pixel Power Inc.                                 mgraves at mstvp.com

o713-861-4005
o800-905-6412
c713-201-1262
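
The port forwards described in the reply above, written out for a Linux iptables router as an added example (not part of the original message, which used m0n0wall). It prints the rules for the IAX2 or SIP profile plus the translated SSH forward, and counts how many ports each profile opens. Assumptions not in the post: the interface name, the PBX LAN address, the external SSH port, and the UDP/TCP transport chosen for each port.

```shell
#!/bin/sh
# Added example, not from the original post. It only PRINTS iptables commands;
# review them, then pipe the output to "sh" as root on a Linux router to apply.
# Assumed values (not from the post): interface, LAN address, external SSH port.
WAN_IF="${WAN_IF:-eth0}"
PBX_IP="${PBX_IP:-192.168.1.10}"
SSH_EXT_PORT="${SSH_EXT_PORT:-52222}"

# forward PROTO EXT_PORT[:EXT_END] [INT_PORT]
# Emits a DNAT rule plus the matching FORWARD accept. After DNAT the FORWARD
# chain sees the internal port, so that is what the accept rule matches.
forward() {
    proto=$1 ext=$2 int=${3:-$2}
    case $ext in
        *:*) dest=$PBX_IP ;;          # port range: keep port numbers unchanged
        *)   dest=$PBX_IP:$int ;;     # single port: translate to INT_PORT
    esac
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $ext -j DNAT --to-destination $dest"
    echo "iptables -A FORWARD -i $WAN_IF -d $PBX_IP -p $proto --dport $int -j ACCEPT"
}

# Remote management as in the post: arbitrary outside port -> SSH (22) on the PBX.
ssh_rules() { forward tcp "$SSH_EXT_PORT" 22; }

# IAX2 profile: signalling and media share one UDP port.
iax2_rules() { forward udp 4569; }

# SIP profile: 5060 (UDP and TCP), 5061 (SIP over TLS, TCP), RTP media range (UDP).
sip_rules() {
    forward udp 5060
    forward tcp 5060
    forward tcp 5061
    forward udp 10000:20000
}

# Number of protocol/port pairs a profile opens to the Internet.
exposed_ports() {
    "${1}_rules" | awk '/PREROUTING/ {
        for (i = 1; i < NF; i++) if ($i == "--dport") {
            n = split($(i + 1), r, ":"); total += (n == 2 ? r[2] - r[1] + 1 : 1)
        }
    } END { print total + 0 }'
}

PROFILE="${PROFILE:-iax2}"    # set PROFILE=sip to print the SIP rule set instead
echo "# $PROFILE opens $(exposed_ports "$PROFILE") port(s) to the PBX"
"${PROFILE}_rules"
ssh_rules
```

Run with `PROFILE=sip` to see the SIP rule set; the printed count makes the difference in exposed ports between the two profiles concrete.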





