> > > I assume ports 5060 and 10000-20000 need to be opened
> > > in the firewall too.
> >
> > I don't know much about SIP and firewalls, but opening ten thousand
> > ports doesn't sound good, you've just knocked 1/6 of your firewall down
>
> That's what I thought but I was told it was the only way to get incoming
> SIP working when Asterisk was behind a firewall/NAT. I was told it was
> not a security risk to do this.
>
> Any thoughts anyone?
"If" your configuration and firewall actually require you to open a group of ports to *, then take a look at limiting the RTP ports that are actually used. Examples:

- in /etc/asterisk/rtp.conf, look at changing rtpstart and rtpend
- for Cisco 7960s, look in SIPDefault.cnf for start_media_port and end_media_port
- other SIP phones often use other RTP ports, some of which are configurable (and some phones not). Each SIP phone vendor uses a different range of RTP ports.

To reduce the security exposure, one can also use firewall filters to allow only certain external IP addresses (if your firewall supports that function), and/or sip.conf definitions that include something like:

deny=0.0.0.0/0.0.0.0
permit=47.136.1.129/255.255.255.0

If you really need to do this, you will almost always need a packet sniffer to "see" what is actually happening on the inside edge of your firewall and on the outside edge. Without such packet traces, changing parameters is nothing more than a guessing game.

_______________________________________________
Asterisk-Users mailing list
http://lists.digium.com/mailman/listinfo/asterisk-users
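An added worked example, not part of the thread and not Asterisk code, that shows the two knobs the reply above points at: how many ports an rtpstart/rtpend pair actually exposes (and how to shrink it to what a given number of calls needs), and how a deny/permit list in the reply's form decides whether a source address gets through. The rtp.conf text and the extra addresses are constructed samples. Two things are assumptions rather than facts stated in the thread: that Asterisk walks deny/permit rules in order with the last matching rule deciding and no match meaning allowed, and that one call consumes two consecutive ports (RTP plus RTCP). The permit line is the one from the reply, and the example makes the mask's effect visible: with 255.255.255.0 it admits the whole 47.136.1.0/24, not just .129.

```python
import configparser
import ipaddress

# Constructed sample rtp.conf [general] section (not from the original post).
RTP_CONF = """
[general]
rtpstart=10000   ; first RTP port Asterisk hands out
rtpend=20000     ; last RTP port
"""

# ACL in the deny/permit form shown in the reply; the permit line is the reply's.
# ASSUMPTION (not stated in the thread): rules are walked in order, the last
# matching rule decides, and a source that matches nothing is allowed.
SIP_ACL = [
    ("deny", "0.0.0.0/0.0.0.0"),
    ("permit", "47.136.1.129/255.255.255.0"),
]

# Same list with a host mask, so only the single address is permitted.
SIP_ACL_SINGLE_HOST = [
    ("deny", "0.0.0.0/0.0.0.0"),
    ("permit", "47.136.1.129/255.255.255.255"),
]


def rtp_port_range(conf_text):
    """Parse rtpstart/rtpend from rtp.conf-style text; return (start, end, count)."""
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",))
    cp.read_string(conf_text)
    start = cp.getint("general", "rtpstart")
    end = cp.getint("general", "rtpend")
    if not (1 <= start <= end <= 65535):
        raise ValueError(f"bad RTP range {start}-{end}")
    return start, end, end - start + 1


def narrow_rtp_range(conf_text, max_calls, start=None):
    """Return rtp.conf text whose port range fits max_calls concurrent calls.

    ASSUMPTION: each call uses two consecutive ports (RTP on an even port,
    RTCP on the odd port above it), so the range is 2 * max_calls wide.
    """
    cur_start, _, _ = rtp_port_range(conf_text)
    start = cur_start if start is None else start
    if start % 2:
        start += 1  # keep RTP on an even port
    end = start + 2 * max_calls - 1
    if end > 65535:
        raise ValueError("range exceeds the port space")
    return f"[general]\nrtpstart={start}\nrtpend={end}\n"


def parse_rule(spec):
    """'addr/netmask' -> ip_network; host bits are cleared, so
    47.136.1.129/255.255.255.0 becomes 47.136.1.0/24."""
    addr, mask = spec.split("/", 1)
    return ipaddress.ip_network((addr, mask), strict=False)


def acl_permits(acl, src_ip):
    """Evaluate a deny/permit list against one source address (see assumption above)."""
    src = ipaddress.ip_address(src_ip)
    allowed = True
    for action, spec in acl:
        if src in parse_rule(spec):
            allowed = action == "permit"
    return allowed


if __name__ == "__main__":
    start, end, count = rtp_port_range(RTP_CONF)
    print(f"rtp.conf opens {count} ports ({start}-{end})")
    print("30 calls need:\n" + narrow_rtp_range(RTP_CONF, 30))
    for ip in ("47.136.1.129", "47.136.1.200", "203.0.113.5"):
        print(ip, "/24 mask:", acl_permits(SIP_ACL, ip),
              "host mask:", acl_permits(SIP_ACL_SINGLE_HOST, ip))
```

Note that swapping the two lines (permit first, then deny=0.0.0.0/0.0.0.0) denies everyone under the last-match rule, which is why the reply lists deny before permit; the firewall-side filter and the rtpstart/rtpend values should be set to agree with each other, otherwise the packet traces the reply recommends will show media arriving on ports the firewall drops.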
