Hi,

Is it possible to have an incoming SIP address like someuser@sip.mydomain.com, where sip.mydomain.com points to a box running Asterisk?

If so, please could someone give an example asterisk config snippet for this?

If it is possible, I assume ports 5060 and 10000-20000 need to be opened in the firewall too.

Thanks!

--ian

Ian Chilton wrote:
> I assume ports 5060 and 10000-20000 need to be opened
> in the firewall too.

I don't know much about SIP and firewalls, but opening ten thousand ports doesn't sound good, you've just knocked 1/6 of your firewall down :-(

> Hi,
>
> Is it possible to have an incoming SIP address like someuser@sip.mydomain.com, where sip.mydomain.com points to a box running Asterisk?
>
> If so, please could someone give an example asterisk config snippet for this?
>
> If it is possible, I assume ports 5060 and 10000-20000 need to be opened in the firewall too.
>
> Thanks!
>
> --ian

Ian, you don't even have to create a subdomain for this. Include a 'SRV' entry in your DNS record and you can have someuser@mydomain.com

http://www.voip-info.org/wiki-DNS+SRV

Cheers
Shane

Hi,

> > I assume ports 5060 and 10000-20000 need to be opened
> > in the firewall too.
> I don't know much about SIP and firewalls, but opening ten thousand
> ports doesn't sound good, you've just knocked 1/6 of your firewall down

That's what I thought but I was told it was the only way to get incoming SIP working when Asterisk was behind a firewall/NAT. I was told it was not a security risk to do this.

Any thoughts anyone?

--ian

Ian Chilton wrote:
> That's what I thought but I was told it was the only way to get incoming
> SIP working when Asterisk was behind a firewall/NAT. I was told it was
> not a security risk to do this.

If you *know* that only asterisk is listening on the relevant ports it's less of a risk, but it's such a wide range and (in theory at least) leaves plenty of scope for a trojan to listen on one of those ports. Perhaps SElinux can help here, does it allow you to say that only a certain process has access to those ports?

Arrghh, I hate the way to:, from: and reply-to: addresses get mangled by lists!

Hi Rick,

> "If" your configuration and firewall actually require you to open a
> group of ports to *, then take a look at limiting the rtp ports that
> are actually used.

How many do I need (or how do I find out?) and why does Asterisk specify so many by default?

Thanks

--ian
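As an added illustration (not from this thread, and not Asterisk's own code) of sizing the RTP range from expected call volume instead of opening 10000-20000 wholesale: the script assumes Asterisk bridges the media itself, so a SIP-to-SIP call uses one RTP session per leg and each session takes an even UDP port for RTP plus the next odd port for RTCP; it writes the real rtp.conf keys rtpstart/rtpend and plain iptables rules, while the function names, the 25% headroom and the 30-call figure are constructed for the example.

```python
import math


def rtp_sessions(concurrent_calls, legs_per_call=2, streams_per_leg=1, headroom=0.25):
    """RTP sessions to provision for a given peak call count.

    Assumptions (example, not from the thread): Asterisk is in the media
    path, so every bridged SIP-to-SIP call needs one session per leg;
    audio-only is one stream per leg (video would add another). The
    headroom covers calls that are mid-setup or mid-teardown.
    """
    if concurrent_calls < 1:
        raise ValueError("need at least one concurrent call")
    return math.ceil(concurrent_calls * legs_per_call * streams_per_leg * (1 + headroom))


def rtp_port_range(sessions, start=10000):
    """Smallest inclusive [start, end] that fits `sessions` RTP/RTCP pairs.

    Each session occupies an even port (RTP) and the following odd port
    (RTCP), so the start is rounded up to even and the end is the odd
    partner of the last pair.
    """
    if sessions < 1:
        raise ValueError("need at least one session")
    start += start % 2                      # align to an even RTP port
    end = start + 2 * sessions - 1          # odd RTCP port of the last pair
    if end > 65535:
        raise ValueError("range does not fit in the UDP port space")
    return start, end


def render_rtp_conf(start, end):
    """rtp.conf fragment telling Asterisk to allocate only this range."""
    return f"[general]\nrtpstart={start}\nrtpend={end}\n"


def render_iptables(start, end, sip_port=5060):
    """Firewall rules matching exactly the signalling port and the RTP range."""
    return [
        f"iptables -A INPUT -p udp --dport {sip_port} -j ACCEPT",
        f"iptables -A INPUT -p udp --dport {start}:{end} -j ACCEPT",
    ]


if __name__ == "__main__":
    sessions = rtp_sessions(30)             # constructed: 30 concurrent audio calls
    lo, hi = rtp_port_range(sessions)       # 150 ports instead of 10001
    print(render_rtp_conf(lo, hi))
    print("\n".join(render_iptables(lo, hi)))
```

The same calculation gives the figure to compare against `netstat -u -l` on the box: anything listening inside the opened range that is not Asterisk is the exposure Rick's message warns about.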