Hi,

May I ask what ports are necessary for SIP communication through a firewall? I read somewhere that UDP/5060 alone is enough. Some recommend more ports to be opened for RTP.

Regards,
Norman Zhang

On Saturday 18 December 2004 10:17, Norman Zhang wrote:
> Hi,
>
> May I ask what ports are necessary for SIP communication through a
> firewall? I read somewhere that UDP/5060 alone is enough. Some
> recommend more ports to be opened for RTP.

Both the above statements are correct.

SIP uses port 5060

RTP uses multiple ports, typically in the range 10000-20000

Remember that SIP and RTP are different - SIP is used to set up the call; RTP is used to carry the audio once the call has been set up.

Regards,

Antony.

--
Anything that improbable is effectively impossible.
 - Murray Gell-Mann, Nobel Prizewinner in Physics

Please reply to the list; please don't CC me.

>> May I ask what ports are necessary for SIP communication through a
>> firewall? I read somewhere that UDP/5060 alone is enough. Some
>> recommend more ports to be opened for RTP.
>
> Both the above statements are correct.
>
> SIP uses port 5060
>
> RTP uses multiple ports, typically in the range 10000-20000
>
> Remember that SIP and RTP are different - SIP is used to set up the call; RTP
> is used to carry the audio once the call has been set up.

Thanks. May I ask what security control can be applied to RTP besides reducing the opened range? Is there stateful inspection that can be done on this?

Regards,
Norman Zhang

Norman Zhang <norman.zhang@rd.arkonnetworks.com> writes:

> May I ask what ports are necessary for SIP communication through a
> firewall? I read somewhere that UDP/5060 alone is enough. Some
> recommend more ports to be opened for RTP.

For outgoing call establishment, you must pass traffic out from your device to UDP port 5060 on the target address, or, if you need to be able to call any system, UDP port 5060 on any address. For incoming call establishment, you likewise need to allow your communication partners (or the world at large) to reach your UDP port 5060.

Then, there's RTP. The RTP communication will be set up between a UDP port on each system, the numbers of which are determined at run time. Since both ends will start transmitting RTP packets, and each sends *to* the port that the other sends *from*, all that's needed is that your firewall allows outgoing UDP traffic from your SIP device to your communication partners (or the world), and "keeps state", as it is known in the parlance, so that packets coming back in from the address and port you're sending to will be allowed through.

My home firewall allows my Asterisk PBX to send any UDP traffic to anyone, and keeps state, so they can answer. It also specifically allows anyone to connect to UDP port 5060 on the PBX.

-tih
--
Tom Ivar Helbekkmo, Senior System Administrator, EUnet Norway Hosting
www.eunet.no T +47-22092958 M +47-93013940 F +47-22092901 FWD 484145
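
The policy described in the last message (inbound UDP 5060 open, any outbound UDP allowed, state kept for replies), modelled as a toy filter. This is an added example, not code from any poster in the thread or from a real firewall; the addresses, RTP port numbers and the 60-second idle timeout are constructed assumptions.

```python
# Toy model of a stateful UDP filter in front of a PBX (added illustration).
SIP_PORT = 5060
STATE_TTL = 60   # assumed idle timeout in seconds; real firewalls differ


class StatefulUdpFilter:
    def __init__(self, ttl=STATE_TTL):
        self.ttl = ttl
        # (local_port, remote_ip, remote_port) -> time the flow was last seen
        self.states = {}

    def outbound(self, src_port, dst_ip, dst_port, now):
        """The PBX may send any UDP to anyone; each packet creates or refreshes state."""
        self.states[(src_port, dst_ip, dst_port)] = now
        return "pass"

    def inbound(self, src_ip, src_port, dst_port, now):
        """Verdict for a packet arriving from outside, addressed to the PBX."""
        if dst_port == SIP_PORT:
            return "pass"                    # explicit rule: anyone may reach UDP 5060
        key = (dst_port, src_ip, src_port)
        seen = self.states.get(key)
        if seen is not None and now - seen <= self.ttl:
            self.states[key] = now           # return traffic keeps the state alive
            return "pass"
        self.states.pop(key, None)           # expired, or never existed
        return "block"


def demo():
    fw = StatefulUdpFilter()
    peer = "198.51.100.7"                    # constructed peer address
    r = {}
    r["invite_in"] = fw.inbound(peer, 5060, SIP_PORT, now=0)
    r["rtp_before_state"] = fw.inbound(peer, 14002, 12000, now=1)
    fw.outbound(12000, peer, 14002, now=2)   # PBX starts sending RTP
    r["rtp_reply"] = fw.inbound(peer, 14002, 12000, now=3)
    # Peer sends from a different port than the one the PBX sends to: no match.
    r["rtp_other_port"] = fw.inbound(peer, 14004, 12000, now=4)
    r["rtp_other_host"] = fw.inbound("203.0.113.9", 14002, 12000, now=5)
    r["rtp_after_idle"] = fw.inbound(peer, 14002, 12000, now=3 + STATE_TTL + 1)
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The `rtp_other_port` case shows the limit of state keeping alone: it only admits media when the remote end sends from the same port it receives on.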