Ryan Stille
2007-Jul-19 13:55 UTC
[asterisk-users] open up firewall ports for Asterisk - safe?
Right now I've been working on setting up a Trixbox server on our internal network. It's behind the firewall, but I'd like to open up the firewall to it because we sometimes have developers working off site and I'd like them to be able to connect.

Is this safe to do? I've got the "Allow Anonymous Inbound SIP Calls" box unchecked in freePBX. Is there anything else I need to do? Isn't there an issue with the extension/secret being passed in clear text?

It looks like I need to open port 5060, and whatever ports are in between the rtpstart/rtpend values in /etc/asterisk/rtp.conf. Is that right? Right now that's 9999 ports; I've read that you can chop that down to 20 ports for just a few calls. We want to have 5-6 simultaneous calls, so if I set rtpstart to 10001 and rtpend to 10100, then open up those ports, is that adequate?

Thanks for any help.
-Ryan
Ryan Stille
2007-Jul-19 14:02 UTC
[asterisk-users] open up firewall ports for Asterisk - safe?
Also, the firewall does NAT for the server; it sounds like this may cause some issues for my SIP clients?

-Ryan

Ryan Stille wrote:
> Right now I've been working on setting up a Trixbox server on our
> internal network. It's behind the firewall, but I'd like to open up the
> firewall to it because we sometimes have developers working off site and
> I'd like them to be able to connect.
>
> Is this safe to do? I've got the "Allow Anonymous Inbound SIP Calls"
> box unchecked in freePBX. Is there anything else I need to do? Isn't
> there an issue with the extension/secret being passed in clear text?
>
> It looks like I need to open port 5060, and whatever ports are in between
> the rtpstart/rtpend values in /etc/asterisk/rtp.conf. Is that right?
> Right now that's 9999 ports; I've read that you can chop that down to 20
> ports for just a few calls. We want to have 5-6 simultaneous calls, so
> if I set rtpstart to 10001 and rtpend to 10100, then open up those
> ports, is that adequate?
>
> Thanks for any help.
> -Ryan
David Gomillion
2007-Jul-19 14:24 UTC
[asterisk-users] open up firewall ports for Asterisk - safe?
On 7/19/07, Ryan Stille <ryan at cfwebtools.com> wrote:
> Right now I've been working on setting up a Trixbox server on our
> internal network. It's behind the firewall, but I'd like to open up the
> firewall to it because we sometimes have developers working off site and
> I'd like them to be able to connect.

How many developers? And what kind of developers? If they're developing things for your phone system, then you may want them on their own development boxes instead. If you're a software shop and they're just users, then that's different.

> Is this safe to do? I've got the "Allow Anonymous Inbound SIP Calls"
> box unchecked in freePBX. Is there anything else I need to do? Isn't
> there an issue with the extension/secret being passed in clear text?

I'm not the most knowledgeable on what freePBX does, as far as the check box. My guess is that it's just tweaking the SIP users/peers in the sip.conf file. This gives only a minimal level of security, in my opinion.

> It looks like I need to open port 5060, and whatever ports are in between
> the rtpstart/rtpend values in /etc/asterisk/rtp.conf. Is that right?
> Right now that's 9999 ports; I've read that you can chop that down to 20
> ports for just a few calls. We want to have 5-6 simultaneous calls, so
> if I set rtpstart to 10001 and rtpend to 10100, then open up those
> ports, is that adequate?

If it were me, and I had 20 remote users or less, I would create a VPN and have them join my network that way. Then, no SIP ports would be open to the world. And the NAT problems would pretty much disappear.

You may have a slight reduction in sound quality, depending on how you set up the VPN. I really haven't had major problems with it, but again, it depends on your type of VPN. We're using a site-to-site hardware-accelerated IPSec VPN for each of our remote sites (including my house), and I have not had any problems. Except when the underlying medium (the Intarweb) has latency/jitter problems.
But then, straight SIP would have issues too...
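
Added example (not part of any post in this thread, and not Asterisk or freePBX code): a Python check of whether the rtpstart/rtpend range asked about above leaves enough ports for a given number of simultaneous calls, together with the firewall rules that would match it. It assumes the usual RTP convention of an even RTP port with RTCP on the next port, a Linux iptables firewall forwarding to the PBX, and constructed addresses (192.168.1.10, 203.0.113.0/24); all function names are hypothetical.

```python
import configparser

SIP_PORT = 5060  # SIP signalling port named in the thread

# Constructed sample of /etc/asterisk/rtp.conf with the values proposed in the thread.
SAMPLE_RTP_CONF = """\
[general]
rtpstart=10001
rtpend=10100
"""

def rtp_range(conf_text):
    """Return (rtpstart, rtpend) from the [general] section of rtp.conf text."""
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",), strict=False)
    cp.read_string(conf_text)
    start, end = cp.getint("general", "rtpstart"), cp.getint("general", "rtpend")
    if not 1024 <= start < end <= 65535:
        raise ValueError(f"implausible RTP range {start}-{end}")
    return start, end

def max_streams(start, end):
    """Assumption: each media stream takes an even RTP port plus the next port for RTCP."""
    first_even = start + (start % 2)
    return max(0, (end - first_even + 1) // 2)

def streams_needed(calls, legs_through_firewall=2):
    """Worst case: both legs of every call are remote phones, one stream per leg."""
    return calls * legs_through_firewall

def firewall_rules(pbx_ip, sources, start, end):
    """iptables FORWARD rules admitting SIP and RTP only from known source networks."""
    rules = []
    for src in sources:
        for dport in (str(SIP_PORT), f"{start}:{end}"):
            rules.append(f"iptables -A FORWARD -p udp -s {src} -d {pbx_ip} "
                         f"--dport {dport} -j ACCEPT")
    return rules

if __name__ == "__main__":
    start, end = rtp_range(SAMPLE_RTP_CONF)
    need, have = streams_needed(6), max_streams(start, end)
    print(f"RTP range {start}-{end}: {have} streams available, {need} needed")
    # Constructed addresses: PBX on the internal network, one remote developer network.
    for rule in firewall_rules("192.168.1.10", ["203.0.113.0/24"], start, end):
        print(rule)
```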