[asterisk-users] open up firewall ports for Asterisk - safe?
Ryan Stille
ryan at cfwebtools.com
Mon Jul 23 08:22:34 CDT 2007
I would like to allow hardware devices to connect as well, so that
pretty much puts a VPN out of the question.
I tried to figure out what ports need to be opened myself (see orig
email below) but I'd really like to hear some input from veteran
asterisk users before I start opening up ports.
Thanks,
-Ryan
David Gomillion wrote:
> On 7/19/07, Ryan Stille <ryan at cfwebtools.com> wrote:
>
> Right now I've been working on setting up a Trixbox server on our
> internal network. It's behind the firewall, but I'd like to open up
> the firewall to it because we sometimes have developers working off
> site and I'd like them to be able to connect.
>
>
> How many developers? And what kind of developers? If they're
> developing things for your phone system, then you may want them on
> their own development boxes instead. If you're a software shop and
> they're just users, then that's different.
>
> Is this safe to do? I've got the "Allow Anonymous Inbound SIP Calls"
> box unchecked in freePBX. Is there anything else I need to do? Isn't
> there an issue with the extension/secret being passed in clear text?
>
>
> I'm not the most knowledgeable on what freePBX does, as far as the
> check box. My guess is that it's just tweaking the SIP users/peers in
> the sip.conf file. This gives only a minimal level of security, in my
> opinion.
>
> It looks like I need to open port 5060, and whatever ports are in
> between the rtpstart/rtpend values in /etc/asterisk/rtp.conf. Is that
> right? Right now that's 9999 ports, I've read that you can chop that
> down to 20 ports for just a few calls. We want to have 5-6
> simultaneous calls, so if I set rtpstart to 10001 and rtpend to 10100,
> then open up those ports, is that adequate?
>
>
> If it were me, and I had 20 remote users or less, I would create a VPN
> and have them join my network that way. Then, no SIP ports would be
> open to the world. And the NAT problems would pretty much disappear.
> You may have a slight reduction in sound quality, depending on how you
> set up the VPN. I really haven't had major problems with it, but
> again, it depends on your type of VPN. We're using a site-to-site
> hardware-accelerated IPSec VPN for each of our remote sites (including
> my house), and I have not had any problems. Except when the underlying
> medium (the Intarweb) has latency/jitter problems. But then, straight
> SIP would have issues too...
>
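
Added example, not part of the original thread: a Python sketch that reads the rtpstart/rtpend values discussed above, estimates how many calls the range can carry, and prints iptables rules that open UDP 5060 and the RTP range only to named source networks. The function names, the port-pair-per-stream and two-legs-per-call figures, the use of iptables on the Asterisk host, and the 203.0.113.0/24 source are assumptions.

```python
import configparser

# Constructed sample mirroring the values proposed in the thread.
SAMPLE_RTP_CONF = """\
[general]
rtpstart=10001   ; first UDP port Asterisk may use for media
rtpend=10100     ; last UDP port Asterisk may use for media
"""

def rtp_range(conf_text):
    """Return (rtpstart, rtpend) from rtp.conf text, validating the values."""
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",))
    cp.read_string(conf_text)
    start = cp.getint("general", "rtpstart")
    end = cp.getint("general", "rtpend")
    if not (1024 <= start < end <= 65535):
        raise ValueError(f"implausible RTP range {start}-{end}")
    return start, end

def call_capacity(start, end, legs_per_call=2):
    """Assumption: each media stream uses a port pair (RTP + RTCP), and a call
    bridged through the server between two remote phones has two legs."""
    pairs = (end - start + 1) // 2
    return pairs // legs_per_call

def firewall_rules(start, end, sources, sip_port=5060):
    """Emit iptables rules that open SIP and RTP only to listed source networks."""
    rules = []
    for src in sources:
        rules.append(f"iptables -A INPUT -p udp -s {src} --dport {sip_port} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p udp -s {src} --dport {start}:{end} -j ACCEPT")
    return rules

if __name__ == "__main__":
    start, end = rtp_range(SAMPLE_RTP_CONF)
    print(f"RTP range {start}-{end}: about {call_capacity(start, end)} bridged calls")
    # 203.0.113.0/24 is a documentation network standing in for a remote site.
    for rule in firewall_rules(start, end, ["203.0.113.0/24"]):
        print(rule)
```

A separate perimeter firewall in front of the server needs the equivalent forwarding rules for the same UDP ports.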