asterisk users - Jul 2007 - open up firewall ports for Asterisk - safe?

Right now I've been working on setting up an Trixbox server on our 
internal network.  Its behind the firewall, but I'd like to open up the 
firewall to it because we sometimes have developers working off site and 
I'd like them to be able to connect.

Is this safe to do?  I've got the "Allow Anonymous Inbound SIP
Calls"
box unchecked in freePBX.  Is there anything else I need to do?   Isn't 
there an issue with the extension/secret being passed in clear text?

It looks like I need to open port 5060, and whatever ports are inbetween 
the rtpstart/rtpend values in /etc/asterisk/rtp.conf.  Is that right?  
Right now thats 9999 ports, I've read that you can chop that down to 20 
ports for just a few calls.  We want to have 5-6 simultaneous calls, so 
if I set rtpstart to 10001 and rtpend to 10100, then open up those 
ports, is that adequate?

Thanks for any help.
-Ryan

Also the, the firewall does NAT for the server, it sounds like this may 
cause some issues for my SIP clients? 

-Ryan

Ryan Stille wrote:
> Right now I've been working on setting up an Trixbox server on our 
> internal network.  Its behind the firewall, but I'd like to open up the
> firewall to it because we sometimes have developers working off site and 
> I'd like them to be able to connect.
>
> Is this safe to do?  I've got the "Allow Anonymous Inbound SIP
Calls"
> box unchecked in freePBX.  Is there anything else I need to do?   Isn't
> there an issue with the extension/secret being passed in clear text?
>
> It looks like I need to open port 5060, and whatever ports are inbetween 
> the rtpstart/rtpend values in /etc/asterisk/rtp.conf.  Is that right?  
> Right now thats 9999 ports, I've read that you can chop that down to 20
> ports for just a few calls.  We want to have 5-6 simultaneous calls, so 
> if I set rtpstart to 10001 and rtpend to 10100, then open up those 
> ports, is that adequate?
>
> Thanks for any help.
> -Ryan
>
>

On 7/19/07, Ryan Stille <ryan at cfwebtools.com>
wrote:
>
> Right now I've been working on setting up an Trixbox server on our
> internal network.  Its behind the firewall, but I'd like to open up the
> firewall to it because we sometimes have developers working off site and
> I'd like them to be able to connect.

How many developers? And what kind of developers? If they're developing
things for your phone system, then you may want them on their own
development boxes instead. If you're a software shop and they're just
users,
then that's different.

Is this safe to do?  I've got the "Allow Anonymous Inbound SIP
Calls"
> box unchecked in freePBX.  Is there anything else I need to do?   Isn't
> there an issue with the extension/secret being passed in clear text?

I'm not the most knowledgable on what freePBX does, as far as the check box.
My guess is that it's just tweaking the SIP users/peers in the
sip.conffile. This gives only a minimal level of security, in my
opinion.

It looks like I need to open port 5060, and whatever ports are
inbetween
> the rtpstart/rtpend values in /etc/asterisk/rtp.conf.  Is that right?
> Right now thats 9999 ports, I've read that you can chop that down to 20
> ports for just a few calls.  We want to have 5-6 simultaneous calls, so
> if I set rtpstart to 10001 and rtpend to 10100, then open up those
> ports, is that adequate?

If it were me, and I had 20 remote users or less, I would create a VPN and
have them join my network that way. Then, no SIP ports would be open to the
world. And the NAT problems would pretty much disappear. You may have a
slight reduction in sound quality, depending on how you set up the VPN. I
really haven't had major problems with it, but again, it depends on your
type of VPN. We're using a site-to-site hardware-accelerated IPSec VPN for
each of our remote sites (including my house), and I have not had any
problems. Except when the underlying medium (the Intarweb) has
latency/jitter problems. But then, straight SIP would have issues too...
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.digium.com/pipermail/asterisk-users/attachments/20070719/e13ad503/attachment.htm