DID security issue

I just got a DID number from ipkall and i was able to get calls to Asterisk box, but the problem is that i have to change context=from-sip-external for unknowing sip callers to context=from-internal which is used by all extensions or it will not work. even if i use inbound routing insted or if i Insert this line under [from-sip-external] context of extensions.conf
exten => 360xxxxxxx,1,Goto(ext-local,200,1) . when i look at the CLI it only passes the ip address of IPKALL like SIP/
. the problem is that i don’t want any sip phone from puplic internet to get access to my server and dial out. is there any recommendations to solve this issue?
by the way i want the DID to ring specific extension only. i’m using AAH 2.2

was this reply no good then ??