SIP aware firewall - a must?


#1

Hello

I’m wondering about the fact of a SIP aware firewall, such as the ones insite start to market recently.

Do I really need this “bells and whistles” firewall or can I simply open 5060 tcp/udp and be done with that?

Thank you.

p.s. What other ports do I need to open for asterisk to be able to communicate behind my firewall.


#2

You can do it but things will be much easier if the PBX is not behind NAT.


#3

If you can use IAX consider it, since you only need to tunnel udp/4569.


#4

Thank you both but I am asking specifically regarding SIP as this is the protocol I am interested in.

Thank you.


#5

I was under the impression you had to forward a lot of ports to get inbound SIP to work.


#6

Yes and no … As a general rule you will have to forward two ports, one to set up the SIP connection and one to transfer the call. But, I believe that in a SIP connection one port can transfer only one channel. So often the port that will carry the sound will be within a range of ports that has to be opened.

As an example asterisk@home is set up by default to use UDP port 5060 and the port range UDP 10000-20000 (if I don’t remember it wrong). They will all have to be forwarded.

But it is also possible to set up the way a client works against a server so that the client will keep the way open out to the server all the time, so that all traffic from server to client will be considered to be return traffic. In such a case the SIP connection can travel through a NAT firewall without any forwarding.

It’s difficult to give any answer that will be valid in any case because the connection might run differently from server to server.

Things are easier and clearer when one uses the IAX protocol. At least there is only one port to forward.


#7

By the way … don’t know what a SIP aware firewall is. If it opens and forwards the SIP ports automatically this sounds like a bit of an insecure solution.

Some of the older types of firewalls used to have problems with SIP even though the firewall might be correctly configured. They still missed the connection (or could not set up a connection at all.) I believe that most (NAT) firewalls today will handle a SIP connection ok (when configured as required.)


#8

SIP servers behind NAT have the following problems.

  1. RTP ports (AKA the voice packets)
    Asterisk typically uses UDP ports 10000-20000. You can port forward these to your Asterisk box but it will limit other VOIP services/devices on your network.

  2. SIP messages.
    You can forward 5060 and 5061 to your Asterisk server, but that is only half the battle. You must also ensure that Asterisk is writing the proper public/outside IP in its headers destined to remote clients (use externip and localnet in sip.conf).

A SIP server behind NAT is possible but things are easier if there is no NAT involved. IAX clients work well behind NAT, IAX servers do not.

All of that being said just put your Asterisk box in the DMZ and secure it with iptables or make it the firewall.
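A check for the NAT problem post #8 describes, as an added example that is not part of the thread: it parses a constructed INVITE, flags RFC 1918 addresses in the Via/Contact headers and the SDP c=/o= lines (which is what a missing externip/localnet looks like on the wire), and lists the RTP/RTCP port pairs the SDP announces so you can confirm they fall inside the UDP range you forwarded. The sample messages and all addresses in them are constructed.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# RFC 1918 space: an address from here in signalling that crosses the NAT
# boundary is the symptom that externip/localnet in sip.conf are meant to cure.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Dotted quad not embedded in a longer dotted number (so "SIP/2.0" is skipped).
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample: an INVITE from a PBX on 192.168.1.20 with no
# externip/localnet set, so its private address leaks into every field.
SAMPLE_INVITE = (
    "INVITE sip:2001@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK-example\r\n"
    "From: <sip:1001@192.168.1.20>;tag=abc123\r\n"
    "To: <sip:2001@203.0.113.10>\r\n"
    "Contact: <sip:1001@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.1.20\r\n"
    "s=session\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 10004 RTP/AVP 0 8\r\n"
)

# The same INVITE after externip is set to a (constructed) public address.
SAMPLE_INVITE_FIXED = SAMPLE_INVITE.replace("192.168.1.20", "198.51.100.7")


def is_rfc1918(addr: str) -> bool:
    """True if addr is a valid IPv4 address inside RFC 1918 space."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918_NETS)


def split_message(msg: str) -> Tuple[str, List[Tuple[str, str]], List[str]]:
    """Split a SIP message into (start line, [(header, value)], SDP lines)."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    sdp = [line for line in body.split("\r\n") if line]
    return lines[0], headers, sdp


def find_private_addresses(msg: str) -> List[Tuple[str, str]]:
    """(field, address) pairs where an RFC 1918 address sits in a field the
    far end will use to route signalling (Via, Contact) or media (SDP o=, c=)."""
    _, headers, sdp = split_message(msg)
    leaks = []
    for name, value in headers:
        if name.lower() in ("via", "contact"):
            leaks += [(name, a) for a in IPV4_RE.findall(value) if is_rfc1918(a)]
    for line in sdp:
        if line[:2] in ("o=", "c="):
            leaks += [(line[:1], a) for a in IPV4_RE.findall(line) if is_rfc1918(a)]
    return leaks


def media_ports(msg: str) -> List[Tuple[int, int]]:
    """(RTP, RTCP) port pairs announced in SDP m= lines. Asterisk sends RTP on
    an even port and RTCP on the next odd port, so both must pass the firewall."""
    _, _, sdp = split_message(msg)
    pairs = []
    for line in sdp:
        if line.startswith("m="):
            port = int(line[2:].split()[1])
            pairs.append((port, port + 1))
    return pairs


def nat_report(msg: str, rtp_start: int = 10000, rtp_end: int = 20000) -> Dict[str, object]:
    """Summarise whether this message would survive the NAT/firewall setup:
    no private addresses leaked, and all media ports inside the forwarded range."""
    leaks = find_private_addresses(msg)
    ports = media_ports(msg)
    outside = [p for p in ports if not (rtp_start <= p[0] and p[1] <= rtp_end)]
    return {
        "private_leaks": leaks,
        "media_ports": ports,
        "ports_outside_forwarded_range": outside,
        "ok": not leaks and not outside,
    }


if __name__ == "__main__":
    for label, m in (("broken", SAMPLE_INVITE), ("fixed", SAMPLE_INVITE_FIXED)):
        print(label, nat_report(m))
```

Run it against a capture of your own PBX's outbound INVITE (for example from a packet capture on the WAN side of the firewall): any entry in `private_leaks` means the far end will try to send responses or RTP to an address it cannot reach, which is the classic one-way-audio or no-audio symptom.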


#9

How do IAX servers not do well behind NAT? From the whitepaper, they supposedly designed the protocol so everything goes through port 4569, so I’m not clear why there would be an issue?


#10

was thinking one thing and typing another :wink:


#11

If the Asterisk server is a good enough server, I run it both as a SIP server and an IAX server, behind a NAT firewall, without a problem.

It generally also works ok with NAT in both ends at the client side and the server side. But the SIP clients sometimes give problems when they are NATted so I think the best choice is an IAX client (softphone = Idefisk with a USB headset.)

I have tried with the Asterisk box directly connected to the internet and behind a NAT firewall.

In my opinion the clearly best choice is to place it behind a NAT firewall. There are zero disadvantages if things are configured the right way, as far as I have experienced, and the overall security is better behind the NAT firewall.

Asterisk@home uses the port range 10000-20000 to carry the sound, but the need for such a range will depend on the number of simultaneous calls.

For my home server use I have reconfigured it to use only the port range 10000-10010, that means 10 ports and not 10000. I have tested with 4-5 simultaneous incoming and outgoing calls and that is more than I normally can use.

(Don’t remember for sure but I believe that the file for configuring the number of channels for the SIP sound carrier is something like rtp.conf. It is just to reduce the bigger port number 20000 to 10010 or something like that.)

Asterisk will need only one port for the SIP call initiation. If this port is configured to 5060 there is no use for one more. (But of course you need the IAX port and the SIP sound carrier ports.)
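To size the RTP range that posts #8 and #11 talk about, an added example that is not from the thread: it derives rtpstart/rtpend from the number of simultaneous calls on the basis that Asterisk puts RTP on an even port and RTCP on the next odd one (so two UDP ports per call), renders the matching rtp.conf and sip.conf [general] lines, and lists the UDP ranges the firewall must forward. The public address, LAN and call count are hypothetical values chosen for the example, and the `nat=yes` line is the Asterisk 1.x syntax of the era of asterisk@home; newer releases use different values for that option. With this arithmetic the 10000-10010 range from post #11 works out to about 5 calls, which matches the 4-5 calls reported there.

```python
from typing import List, Tuple

# Hypothetical values for the example only: the PBX's public address and
# the LAN it sits on, in the form sip.conf expects.
EXTERN_IP = "198.51.100.7"
LOCALNET = "192.168.1.0/255.255.255.0"

SIP_PORT = 5060   # SIP signalling, UDP
IAX_PORT = 4569   # IAX2, UDP (only needed if IAX peers are used)


def rtp_range_for_calls(calls: int, rtp_start: int = 10000) -> Tuple[int, int]:
    """Smallest rtpstart/rtpend pair for `calls` simultaneous calls.
    Each call needs RTP on an even port plus RTCP on the odd port above it."""
    if calls < 1:
        raise ValueError("need at least one call")
    if rtp_start % 2:
        raise ValueError("rtpstart should be even so RTP lands on even ports")
    return rtp_start, rtp_start + 2 * calls - 1


def calls_for_rtp_range(rtp_start: int, rtp_end: int) -> int:
    """Inverse: roughly how many calls a configured range can carry."""
    if rtp_end < rtp_start:
        raise ValueError("rtpend must not be below rtpstart")
    return (rtp_end - rtp_start + 1) // 2


def render_rtp_conf(rtp_start: int, rtp_end: int) -> str:
    """rtp.conf [general] section limiting the media port range."""
    return "[general]\nrtpstart={}\nrtpend={}\n".format(rtp_start, rtp_end)


def render_sip_general(extern_ip: str, localnet: str) -> str:
    """sip.conf [general] lines so Asterisk writes its public address into
    Via/Contact/SDP for peers outside localnet (externip) and keeps the
    private address for peers inside it (localnet)."""
    return (
        "[general]\n"
        "nat=yes\n"
        "externip={}\n"
        "localnet={}\n".format(extern_ip, localnet)
    )


def forward_list(rtp_start: int, rtp_end: int, with_iax: bool = False) -> List[Tuple[str, int, int]]:
    """UDP ranges the firewall must forward to the PBX: (proto, first, last)."""
    rules = [("udp", SIP_PORT, SIP_PORT), ("udp", rtp_start, rtp_end)]
    if with_iax:
        rules.append(("udp", IAX_PORT, IAX_PORT))
    return rules


def plan(calls: int, with_iax: bool = False) -> dict:
    """Bundle the range, the two config fragments and the forwarding list."""
    start, end = rtp_range_for_calls(calls)
    return {
        "rtp_range": (start, end),
        "rtp_conf": render_rtp_conf(start, end),
        "sip_conf": render_sip_general(EXTERN_IP, LOCALNET),
        "forward": forward_list(start, end, with_iax),
    }


if __name__ == "__main__":
    p = plan(5, with_iax=True)   # a home PBX sized for 5 concurrent calls
    print(p["rtp_conf"])
    print(p["sip_conf"])
    for proto, first, last in p["forward"]:
        print("forward {} {}-{}".format(proto, first, last))
```

Keeping the range as small as the call volume allows limits how much of the firewall is opened to the PBX; the forwarding list is the complete set of inbound UDP ports a plain (non-SIP-aware) NAT firewall needs for this setup.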