[asterisk-users] open up firewall ports for Asterisk - safe?

David Gomillion david.gomillion at gmail.com
Thu Jul 19 09:24:42 CDT 2007


On 7/19/07, Ryan Stille <ryan at cfwebtools.com> wrote:
>
> Right now I've been working on setting up a Trixbox server on our
> internal network.  It's behind the firewall, but I'd like to open up the
> firewall to it because we sometimes have developers working off site and
> I'd like them to be able to connect.


How many developers? And what kind of developers? If they're developing
things for your phone system, then you may want them on their own
development boxes instead. If you're a software shop and they're just users,
then that's different.

> Is this safe to do?  I've got the "Allow Anonymous Inbound SIP Calls"
> box unchecked in freePBX.  Is there anything else I need to do?   Isn't
> there an issue with the extension/secret being passed in clear text?


I'm not the most knowledgeable on what freePBX does, as far as the check box.
My guess is that it's just tweaking the SIP users/peers in the sip.conf
file. This gives only a minimal level of security, in my opinion.

> It looks like I need to open port 5060, and whatever ports are in between
> the rtpstart/rtpend values in /etc/asterisk/rtp.conf.  Is that right?
> Right now that's 9999 ports, I've read that you can chop that down to 20
> ports for just a few calls.  We want to have 5-6 simultaneous calls, so
> if I set rtpstart to 10001 and rtpend to 10100, then open up those
> ports, is that adequate?


If it were me, and I had 20 remote users or less, I would create a VPN and
have them join my network that way. Then, no SIP ports would be open to the
world. And the NAT problems would pretty much disappear. You may have a
slight reduction in sound quality, depending on how you set up the VPN. I
really haven't had major problems with it, but again, it depends on your
type of VPN. We're using a site-to-site hardware-accelerated IPSec VPN for
each of our remote sites (including my house), and I have not had any
problems. Except when the underlying medium (the Intarweb) has
latency/jitter problems. But then, straight SIP would have issues too...
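
Added example, not part of the original message or of Asterisk/freePBX: a small audit that reads the rtpstart/rtpend values from rtp.conf text and flags any UDP ACCEPT rule that opens SIP port 5060 or the RTP range to sources outside the VPN, which is the state the reply recommends avoiding. The rule dump, the 10.8.0.0/24 VPN subnet and the function names are constructed for illustration; the check assumes iptables-save style lines with a single `--dport` port or range and ignores rule order, DROP rules and rules without `--dport`.

```python
import ipaddress
import re

# Constructed sample inputs (not from the original post).
RTP_CONF = """
[general]
rtpstart=10001
rtpend=10100
"""

# Constructed iptables-save style rules; 10.8.0.0/24 is a hypothetical VPN subnet.
RULES = """
-A INPUT -s 10.8.0.0/24 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 10001:10100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def rtp_range(conf_text):
    """Return (rtpstart, rtpend) parsed from rtp.conf text."""
    vals = dict(re.findall(r"^\s*(rtpstart|rtpend)\s*=\s*(\d+)", conf_text, re.M))
    return int(vals["rtpstart"]), int(vals["rtpend"])


def exposed_voip_rules(rules_text, conf_text, vpn_cidr, sip_port=5060):
    """List UDP ACCEPT rules opening SIP or RTP ports to sources outside vpn_cidr."""
    vpn = ipaddress.ip_network(vpn_cidr)
    lo, hi = rtp_range(conf_text)
    findings = []
    for line in rules_text.splitlines():
        if "-j ACCEPT" not in line or "-p udp" not in line:
            continue
        port = re.search(r"--dport (\d+)(?::(\d+))?", line)
        if not port:
            continue
        first, last = int(port.group(1)), int(port.group(2) or port.group(1))
        hits_sip = first <= sip_port <= last
        hits_rtp = first <= hi and last >= lo  # rule range overlaps RTP range
        if not (hits_sip or hits_rtp):
            continue
        src = re.search(r"(?:^|\s)-s (\S+)", line)
        source = ipaddress.ip_network(src.group(1), strict=False) if src else ANY
        if not source.subnet_of(vpn):  # a rule with no -s matches any source
            findings.append(("SIP" if hits_sip else "RTP", str(source), line.strip()))
    return findings


if __name__ == "__main__":
    for kind, source, rule in exposed_voip_rules(RULES, RTP_CONF, "10.8.0.0/24"):
        print(f"{kind} reachable from {source}: {rule}")
```

With the constructed rules above, only the RTP range rule is reported, because it has no source restriction while the SIP rule is limited to the VPN subnet.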