<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title></title>
</head>
<body>
So if I have 2 networkcards,on for the inernal lan and one for the publick
ip,I only need to open IAX2's ports on publick interface not ony RTP ports.This
will happen between the internal interface and the phones?<br>
<br>
<br>
Matthew Boehm wrote:<br>
<blockquote type="cite"
cite="mid004701c4a62c$5c059ca0$1b00000a@cytelcom.com">
<pre wrap="">The SIP signaling and RTP transmission only occur between the phone and *
right?
So as long as all ports to/from the phones (ie: firewall) and the * box are
open, there shouldn't be any problems right?
Matthew
----- Original Message -----
From: "Benjamin on Asterisk Mailing Lists" <a class="moz-txt-link-rfc2396E" href="mailto:benjk.on.asterisk.ml@gmail.com"><benjk.on.asterisk.ml@gmail.com></a>
To: "Asterisk Users Mailing List - Non-Commercial Discussion"
<a class="moz-txt-link-rfc2396E" href="mailto:asterisk-users@lists.digium.com"><asterisk-users@lists.digium.com></a>
Sent: Wednesday, September 29, 2004 8:29 AM
Subject: Re: [Asterisk-Users] secure
</pre>
<blockquote type="cite">
<pre wrap="">On Wed, 29 Sep 2004 14:17:10 +0200, Altus Syman <a class="moz-txt-link-rfc2396E" href="mailto:altus@stormcorp.co.za"><altus@stormcorp.co.za></a>
</pre>
</blockquote>
<pre wrap=""><!---->wrote:
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">My question is how do I secure asterisk/sip.
I got a firewall only allowing tcp/udp 5060?
</pre>
</blockquote>
<pre wrap="">In that case you are blocking the voice traffic.
Although SIP is advertised as a VoIP protocol, it doesn't handle any
voice at all. It only handles signalling. Voice is handled by another
protocol, RTP, and by default the ports RTP uses for the voice traffic
are determined at random.
Therefore, you will need to either customise your setup and fix the
RTP ports at both ends or you will have to open up all ports that RTP
could possibly be using (typically 10000-20000, sometimes 5000-8000).
Personally, if you are concerned about security, I would recommend you
don't use SIP over the WAN. Use IAX between the servers.
Alternatively, use IPsec and build a tunnel between the two servers.
See also my other post in another thread called "NAT Traversal" or
something like that.
rgds
benjk
--
Sunrise Telephone Systems, 9F Shibuya Daikyo Bldg., 1-13-5 Shibuya,
Tokyo, Japan.
NB: Spam filters in place. Messages unrelated to the * mailing lists
may get trashed.
_______________________________________________
Asterisk-Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Asterisk-Users@lists.digium.com">Asterisk-Users@lists.digium.com</a>
<a class="moz-txt-link-freetext" href="http://lists.digium.com/mailman/listinfo/asterisk-users">http://lists.digium.com/mailman/listinfo/asterisk-users</a>
To UNSUBSCRIBE or update options visit:
<a class="moz-txt-link-freetext" href="http://lists.digium.com/mailman/listinfo/asterisk-users">http://lists.digium.com/mailman/listinfo/asterisk-users</a>
</pre>
</blockquote>
<pre wrap=""><!---->
_______________________________________________
Asterisk-Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Asterisk-Users@lists.digium.com">Asterisk-Users@lists.digium.com</a>
<a class="moz-txt-link-freetext" href="http://lists.digium.com/mailman/listinfo/asterisk-users">http://lists.digium.com/mailman/listinfo/asterisk-users</a>
To UNSUBSCRIBE or update options visit:
<a class="moz-txt-link-freetext" href="http://lists.digium.com/mailman/listinfo/asterisk-users">http://lists.digium.com/mailman/listinfo/asterisk-users</a>
</pre>
</blockquote>
<br>
</body>
</html>