[Asterisk-Users] Open Ports

Rich Adamson radamson at routers.com
Sat Dec 18 04:22:00 MST 2004


> >>May I ask what ports are necessary for SIP communication through a
> >>firewall? I read somewhere that UDP/5060 alone is enough. Some
> >>recommend more ports to be opened for RTP.
> > 
> > Both the above statements are correct.
> > 
> > SIP uses port 5060
> > 
> > RTP uses multiple ports, typically in the range 10000-20000
> > 
> > Remember that SIP and RTP are different - SIP is used to set up the call; RTP 
> > is used to carry the audio once the call has been set up.
> 
> Thanks. May I ask what security control can be applied to RTP besides 
> reducing the opened range? Is there stateful inspection that can be done on 
> this?

Not really.  If you are heavy into firewall configurations, you might roughly
equate sip-rtp to ftp sessions, where the port numbers are negotiated up
front.

The sip standards never defined specific port numbers for rtp, therefore
each phone manufacturer picked a range of ports they use. Asterisk
happens to use 10000-20000 while Cisco phones use a different range.
The specific rtp ports to be used for a specific voip call are negotiated
using the sip protocol when _each_ call is set up.

Some firewall vendors have included code to watch the sip negotiation
and open the udp ports necessary for each rtp session. Look at the doc
for Cisco's PIX as an example (e.g., sip fixup). Some firewalls do a pretty
good job while others are less than reliable.

As far as 'stateful packet inspection', rtp uses the udp protocol which
is basically stateless (for the most part).
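
The per-call port negotiation described in this message, as an added example (not part of the original post, and not code from Asterisk or any firewall vendor): it reads the SDP bodies of a constructed INVITE and 200 OK and derives the UDP openings a SIP-aware firewall would need for that one call. The helper names, addresses and ports are assumptions made for the illustration; RTCP on the next port up is the usual RTP convention.

```python
import re

# Constructed SIP messages (not captured traffic); RFC 5737 documentation addresses.
def _msg(start_line, ip, port):
    sdp = ["v=0", f"o=- 1 1 IN IP4 {ip}", "s=-", f"c=IN IP4 {ip}", "t=0 0",
           f"m=audio {port} RTP/AVP 0"]
    head = [start_line, "Call-ID: constructed-1@192.0.2.20", "Content-Type: application/sdp"]
    return "\r\n".join(head) + "\r\n\r\n" + "\r\n".join(sdp) + "\r\n"

INVITE = _msg("INVITE sip:200@198.51.100.10 SIP/2.0", "192.0.2.20", 16384)
OK_200 = _msg("SIP/2.0 200 OK", "198.51.100.10", 10500)

def audio_endpoint(sip_message):
    """Return (ip, rtp_port) advertised in the SDP body, or None if no usable audio stream."""
    _, _, body = sip_message.partition("\r\n\r\n")
    session_ip = media_ip = port = None
    section = "session"                      # which part of the SDP we are in
    for line in body.splitlines():
        if line.startswith("m="):
            m = re.match(r"m=audio (\d+)", line)
            section = "audio" if m and port is None else "other"
            if section == "audio":
                port = int(m.group(1))
        elif line.startswith("c=IN IP4 "):
            ip = line.split()[2].split("/")[0]   # drop any multicast /ttl suffix
            if section == "session":
                session_ip = ip
            elif section == "audio":
                media_ip = ip                # media-level c= overrides session-level
    ip = media_ip or session_ip
    if not port or ip is None:               # port 0 means the stream was declined
        return None
    return ip, port

def pinholes(offer, answer):
    """Per-call rules (proto, src_ip, dst_ip, dst_port) for RTP and RTCP, both directions."""
    ends = [audio_endpoint(offer), audio_endpoint(answer)]
    if None in ends:
        return []                            # no agreed audio stream: open nothing
    (a_ip, a_port), (b_ip, b_port) = ends
    return [("udp", src, dst, port + k)
            for src, dst, port in ((b_ip, a_ip, a_port), (a_ip, b_ip, b_port))
            for k in (0, 1)]                 # k=1 is RTCP on the next port up

if __name__ == "__main__":
    for rule in pinholes(INVITE, OK_200):
        print(rule)
```

The rules are scoped to the two negotiated endpoints for the life of the call, in contrast to a static allow for the whole 10000-20000 range.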





