[Asterisk-Users] Shorewall firewall rules

Rich Adamson radamson at routers.com
Sat Apr 2 06:47:29 MST 2005


> I'm trying to get firewalling working but I am clueless as to which ports 
> I need to open, I keep opening more ports and it's not working :(
> 
> Basically I want SIP and IAX2 to work. IAX2 works fine, but SIP is giving 
> me a headache. It seems that the stateless firewall is not able to handle 
> SIP. I'm using shorewall as my firewall with these rules:
> 
> ACCEPT  net    fw    udp     4569
> ACCEPT  fw     net   udp     4569,5060,10000:20000
> 
> My rtp.conf says this:
> rtpstart=10000
> rtpend=20000
 
Others have already commented on the above. Here's a couple more items
to think about.

The udp ports required for rtp "vary" by sip phone vendor. In other
words, the exact ports required are not necessarily those shown above.
It also makes a difference as to which device initiates the first rtp
transmission. As noted, the rtpstart and rtpend are for asterisk only,
and are used as its source port when communicating with an external
sip device (phone or another asterisk).

If you look at the Xten documentation, you'll find that softphone
uses rtp udp ports in the low 8000 range.

If you look at the Cisco 7960s, you'll find they use 16384 to 32768,
and those particular values can be seen/changed in the SIPDefault.cnf file.

The exact rtp port to be used by each sip device never became a
standard in the rfc, so each vendor is allowed to choose whatever
udp port range they felt like using as their default.

Opening udp ports from 1024 to 64000 will likely help, but you might
as well dump the firewall if you're going to open everything like
that.

Also note that each line/conversation will use another udp port.
So, in the case of the Xten product, the first line/conversation
may use port 8000. If you put that line on hold and start another
(second) rtp session, that line/conversation will use something
like 8002 (or whatever).

Use something like Ethereal to sniff the packets on the outside of
your firewall, and you'll see the exact udp ports used for whatever
device you're trying to communicate with.

If you don't feel like implementing Ethereal, then open all the ports
as someone suggested, then do a "netstat -an" during a real sip call,
and you'll see the exact udp ports in use. Once you're comfortable
with your understanding of what ports are actually used, then
adjust your firewall to support those ports.
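As an added example (not from this thread or from Shorewall), here is a small Python audit of the kind of "netstat -an" listing Rich suggests taking during a live call: it separates the signalling ports from RTP ports inside and outside the rtp.conf range, records which remote port each peer actually used, and turns that into Shorewall ACCEPT lines that are narrower than opening 1024:64000. The netstat lines, addresses and ports are constructed for illustration, and the rule column layout follows the poster's own rules.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -an` output mid-call (illustrative, not a real capture).
# An unconnected UDP socket shows "0.0.0.0:*" as the foreign address; for those only the
# local port is learned and the peer's RTP port still needs a sniffer, as the post says.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:5060            0.0.0.0:*
udp        0      0 0.0.0.0:4569            0.0.0.0:*
udp        0      0 0.0.0.0:10002           0.0.0.0:*
udp        0      0 192.0.2.10:10004        198.51.100.7:8000       ESTABLISHED
udp        0      0 192.0.2.10:10006        198.51.100.7:8002       ESTABLISHED
udp        0      0 192.0.2.10:10008        203.0.113.5:16384       ESTABLISHED
udp        0      0 192.0.2.10:7078         203.0.113.9:7078        ESTABLISHED
"""

SIGNALLING = {5060, 4569}            # SIP and IAX2, from the poster's rules
RTP_START, RTP_END = 10000, 20000    # rtpstart/rtpend from the poster's rtp.conf
UDP_LINE = re.compile(r"^udp\s+\d+\s+\d+\s+\S+:(\d+)\s+(\S+):(\S+)", re.M)

def parse_udp(text):
    """Return (local_port, peer_ip, peer_port) per udp line; peer fields are None if unconnected."""
    socks = []
    for lport, pip, pport in UDP_LINE.findall(text):
        connected = pport != "*"
        socks.append((int(lport), pip if connected else None, int(pport) if connected else None))
    return socks

def audit(sockets):
    """Classify observed ports: signalling, RTP inside/outside the rtp.conf range, peer ports."""
    rep = {"signalling": set(), "rtp_ok": set(), "rtp_outside": set(), "peers": defaultdict(set)}
    for lport, pip, pport in sockets:
        if lport in SIGNALLING:
            rep["signalling"].add(lport)
            continue
        # Anything outside rtpstart:rtpend is not Asterisk's media socket and deserves a look.
        rep["rtp_ok" if RTP_START <= lport <= RTP_END else "rtp_outside"].add(lport)
        if pip:
            rep["peers"][pip].add(pport)
    return rep

def shorewall_rules(rep):
    """ACCEPT lines covering only what was observed, instead of opening 1024:64000."""
    rules = [f"ACCEPT  net  fw  udp  {p}" for p in sorted(rep["signalling"])]
    rules.append(f"ACCEPT  net  fw  udp  {RTP_START}:{RTP_END}")
    for pip, ports in sorted(rep["peers"].items()):
        lo, hi = min(ports), max(ports)
        span = str(lo) if lo == hi else f"{lo}:{hi}"
        rules.append(f"ACCEPT  fw  net:{pip}  udp  {span}")   # per-peer destination ports
    return rules
```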
