SIP-aware firewall


I use Shorewall as the firewall on my Asterisk box, but I am having trouble configuring the rules. The only way I have found to make all my SIP calls work correctly is to leave all ports open, which I think is not acceptable.

I thought a good way to get rid of all this might be to use a SIP-aware firewall. Does anybody use any kind of SIP-aware firewall? Or could somebody explain how to configure my Shorewall so that it works properly while remaining risk-free?

Thanks in advance.


Are you forwarding your RTP ports also?

You need to forward UDP port 5060 (the SIP control channel) to the Asterisk box, as well as a range of at least 100 UDP ports that you can define in /etc/rtp.conf. Then set externip= and localnet= and you're set.

Thanks for your reply.

As I said, the firewall is installed on the Asterisk box, i.e., it's a stand-alone Linux, Asterisk and firewall machine. So, forwarding RTP ports to the same machine …?

In rtp.conf, the following are defined:


and even when I define

ACCEPT net fw udp 5060, 10001:20000

in /etc/shorewall/rules

it doesn’t work.

Any idea?
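As an added example (not code from the thread or from the Shorewall or Asterisk projects), the following Python script checks a set of Shorewall rules against an Asterisk rtp.conf the way a practitioner would before reloading the firewall. Shorewall's /etc/shorewall/rules is column-oriented: ACTION, SOURCE, DEST, PROTO, DEST PORT(S), SOURCE PORT(S) and so on are separated by whitespace, so a port list must be written with commas and no spaces. The script parses constructed rule lines into those columns, reads rtpstart/rtpend from a constructed rtp.conf snippet (the thread does not show the real file, so those values are assumed to match the 10001:20000 range in the posted rule), and reports whether UDP 5060 and the whole RTP range are accepted from net to the firewall zone. Both "fw" (Shorewall's default firewall zone name) and "$FW" (the variable that expands to it) are accepted as the DEST zone; the checker treats the space after the comma in the posted rule as the thing to look for, since it pushes "10001:20000" into the SOURCE PORT(S) column.

```python
"""Check Shorewall rules for an Asterisk box's SIP (5060/udp) and RTP ports.

Shorewall rule lines are whitespace-separated columns, so the DEST PORT(S)
field must be a comma list without spaces. This script parses constructed
rule lines and a constructed rtp.conf snippet and reports what is actually
opened. Example code, not part of the original thread.
"""
import re
from dataclasses import dataclass

# Shorewall rule columns, in order (only the first six matter here).
COLUMNS = ["action", "source", "dest", "proto", "dport", "sport"]

# "fw" is Shorewall's default firewall zone name; $FW expands to it.
FW_ZONE_NAMES = {"fw", "$FW"}


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    proto: str
    dport: str
    sport: str


def parse_rules(text):
    """Split each non-comment line into columns; missing columns become '-'."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        cols += ["-"] * (len(COLUMNS) - len(cols))
        rules.append(Rule(*cols[:len(COLUMNS)]))
    return rules


def port_ranges(spec):
    """Expand a port spec such as '5060,10001:20000' into (lo, hi) tuples."""
    ranges = []
    if spec in ("-", ""):
        return ranges
    for item in spec.split(","):
        if not item:          # tolerate a trailing comma such as '5060,'
            continue
        if ":" in item:
            lo, hi = item.split(":", 1)
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def parse_rtp_conf(text):
    """Return (rtpstart, rtpend) from an Asterisk rtp.conf."""
    vals = {}
    for m in re.finditer(r"^\s*(rtpstart|rtpend)\s*=\s*(\d+)", text, re.M):
        vals[m.group(1)] = int(m.group(2))
    return vals["rtpstart"], vals["rtpend"]


def covered(rules, port_lo, port_hi):
    """True if an ACCEPT net->firewall udp rule's DEST PORT(S) spans the range."""
    for r in rules:
        if r.action.upper() != "ACCEPT" or r.source != "net":
            continue
        if r.dest not in FW_ZONE_NAMES or r.proto.lower() != "udp":
            continue
        for lo, hi in port_ranges(r.dport):
            if lo <= port_lo and port_hi <= hi:
                return True
    return False


def check(rules_text, rtp_conf_text):
    """Report whether SIP and the RTP range are open, plus any SOURCE PORT(S)
    values, which on a simple inbound rule are almost always a column slip."""
    rules = parse_rules(rules_text)
    rtp_lo, rtp_hi = parse_rtp_conf(rtp_conf_text)
    return {
        "sip_5060": covered(rules, 5060, 5060),
        "rtp_range": covered(rules, rtp_lo, rtp_hi),
        "stray_sport": [r.sport for r in rules if r.sport != "-"],
    }


# Constructed rtp.conf snippet (assumed values matching the posted rule).
RTP_CONF = """
[general]
rtpstart=10001
rtpend=20000
"""

# The rule as posted in the thread: the space after the comma splits the
# port list, so "10001:20000" lands in SOURCE PORT(S), not DEST PORT(S).
RULES_AS_POSTED = "ACCEPT net fw udp 5060, 10001:20000\n"

# Corrected rule: one DEST PORT(S) column, no spaces.
RULES_FIXED = "ACCEPT net $FW udp 5060,10001:20000\n"

if __name__ == "__main__":
    for name, text in (("as posted", RULES_AS_POSTED), ("fixed", RULES_FIXED)):
        print(name, check(text, RTP_CONF))
```

Running the script shows the posted rule opening 5060 but not the RTP range, with "10001:20000" reported as a stray SOURCE PORT(S) value, while the corrected rule covers both. Whether Shorewall accepts the trailing comma in "5060," or rejects the line at compile time, the RTP range is not in DEST PORT(S) either way, which matches the symptom of signalling working and media failing.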


It's been a long time since I even looked at Shorewall …

Should it be $FW?

I also forward/accept UDP 5004 and UDP & TCP 3478 for one provider. Have you asked yours what ports you need to accept?

If you don't have Linux experience then the best SIP-aware firewall is

If you have a spare machine to load Linux on, then:

Gentoo (personal pref) + siproxy

Or you can use m0n0wall. It will fit on a 64 MB CF card, and works with almost any hardware including USB NICs. We have used it a few times with great success.