Safe on Port 10000-20000


#1

Is it safe to allow all incoming traffic on ports 10000-20000 for Asterisk?
Is it best practice to allow so many open ports on your server?
I tried to allow certain IPs/ports, but it appears many SIP providers have many IPs/ports within their route.


#2

In a secure environment, incoming traffic should be subjected to a whitelist. Anyway, if you can't filter all the incoming connections, at least apply this security practice: http://blogs.digium.com/2009/03/28/sip-security/


#3

Thank you for the link. I was using CentOS 7 firewalld to block all incoming connections and whitelisting what I needed, but I noticed my SIP trunk provider's IP kept changing, based on /var/log/messages. Some calls would not come through or had only one-way audio. When I allowed 10000-20000 UDP I don't have a problem, but I felt it was insecure to allow such a wide range of open ports. Thus, I asked the question here. I wish there was something similar to port triggers in a router, where it only allows communication back if I sent information out.


#4

You need to allow the complete range specified in rtp.conf.
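
Deriving the firewalld opening from rtp.conf, so the UDP range in the firewall is exactly the one Asterisk uses for RTP. This is an added example, not part of the thread; the function names and the sample rtp.conf are constructed for illustration, and the script prints the firewall-cmd lines instead of running them.

```shell
#!/bin/sh
# Added example: read rtpstart/rtpend from rtp.conf and print the matching
# firewalld rule, so the firewall range never drifts from the RTP range.

# Print "LOW-HIGH" from an rtp.conf file; exit non-zero if the settings
# are missing, non-numeric, out of range, or reversed.
rtp_port_range() {
    awk -F= '
        { sub(/;.*/, "") }            # drop ";" comments
        { gsub(/[ \t\r]/, "") }       # drop whitespace around key and value
        $1 == "rtpstart" { lo = $2 }
        $1 == "rtpend"   { hi = $2 }
        END {
            if (lo !~ /^[0-9]+$/ || hi !~ /^[0-9]+$/) exit 1
            if (lo + 0 < 1 || hi + 0 > 65535 || lo + 0 > hi + 0) exit 1
            print lo "-" hi
        }
    ' "$1"
}

# Print (do not execute) the firewall-cmd lines for that range.
firewalld_commands() {
    range=$(rtp_port_range "$1") || {
        echo "no valid rtpstart/rtpend in $1" >&2
        return 1
    }
    echo "firewall-cmd --permanent --add-port=${range}/udp"
    echo "firewall-cmd --reload"
}

# Constructed sample rtp.conf (not taken from the thread).
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
[general]
rtpstart = 10000   ; first RTP port
rtpend=20000
;rtpend=30000
EOF

firewalld_commands "$sample_conf"
rm -f "$sample_conf"
```

On a real system, pass the path of the installed rtp.conf (commonly /etc/asterisk/rtp.conf) and review the printed commands before running them as root.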