SIP Port Security / Firewall


We have an asterisk-server in our company, which runs really great… but now we have some new employees who work from their home office… with dynamic IPs… grrr

Till now, we had opened the sip ports (TCP/UDP 4569, UDP 10000-20000, TCP 8000-8010 and UDP 5060) at our firewall only to the static IPs of our branches.

But now, with the dynamic IPs, I don’t know from which IP they’re coming…

Is there another solution for this, because I don’t want to open these ports to everyone! :unamused:

We have Asterisk 1.0.7 with snom200-phones… I already read something about certificates, but don’t know how to do it… and isn’t this a security-hole for us?

Thanks in advance…


If you have to allow access to dynamic IP addresses, you should try and ascertain the likely range of addresses that each user will be connecting from and only allow access to those address ranges. Not very secure, still - but more secure than allowing the whole world in!

An important security step you must take if you’re doing anything like this is to set up Asterisk so it runs as a non-root user. See … k+non-root for details on how to do this.
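To make the "only allow known address ranges" advice concrete, here is an added example that is not from this thread or from the Asterisk project. It assumes a Linux firewall with iptables in front of the Asterisk box, uses a chain name (SIP_IN) chosen here, and the source networks are constructed TEST-NET ranges standing in for the branch or ISP ranges you would actually list. The ports are the ones the original post opened; note that IAX2 on 4569 is UDP only, so no TCP 4569 rule is generated.

```sh
#!/bin/sh
# Added example, not from the thread: build an iptables allowlist so the
# Asterisk ports are reachable only from known source networks.
# Assumptions: Linux firewall with iptables; a dedicated chain "SIP_IN"
# (name chosen here); the networks below are constructed TEST-NET ranges.

# Ports as listed in the thread. IAX2 (4569) is UDP only, so no TCP 4569.
# TCP 8000-8010 is kept because the thread opens it; check what needs it.
PORT_SPECS="udp:5060 udp:4569 udp:10000:20000 tcp:8000:8010"
ALL_UDP="5060,4569,10000:20000"
ALL_TCP="8000:8010"

# Print the iptables commands for the given source networks (CIDR form).
# Anything without a "/" mask is rejected, so a stray single host or a typo
# cannot silently widen the allowlist. Exit status 1 on a bad entry.
sip_rules() {
  [ $# -gt 0 ] || { echo "sip_rules: no networks given" >&2; return 1; }
  for net in "$@"; do
    case "$net" in
      */*) ;;
      *) echo "sip_rules: '$net' is not in CIDR form" >&2; return 1 ;;
    esac
  done
  echo "iptables -N SIP_IN 2>/dev/null || iptables -F SIP_IN"
  for net in "$@"; do
    for spec in $PORT_SPECS; do
      proto=${spec%%:*}
      ports=${spec#*:}
      echo "iptables -A SIP_IN -s $net -p $proto --dport $ports -j ACCEPT"
    done
  done
  # Everyone else who reaches these ports is logged (rate limited) and dropped.
  echo "iptables -A SIP_IN -m limit --limit 5/min -j LOG --log-prefix 'SIP-DENY: '"
  echo "iptables -A SIP_IN -j DROP"
  # Send only the VoIP ports through the chain; other INPUT traffic is untouched.
  echo "iptables -I INPUT -p udp -m multiport --dports $ALL_UDP -j SIP_IN"
  echo "iptables -I INPUT -p tcp -m multiport --dports $ALL_TCP -j SIP_IN"
}

# Number of ACCEPT rules a network list produces (networks x port specs).
accept_count() {
  sip_rules "$@" | grep -c -- '-j ACCEPT'
}

# Dry run by default: print the commands. RUN=1 pipes them into a shell (as root).
if [ "${RUN:-0}" = 1 ]; then
  sip_rules 203.0.113.0/24 198.51.100.0/25 | sh
else
  sip_rules 203.0.113.0/24 198.51.100.0/25
fi
```

Run it without RUN=1 first and read the generated rules; once the list is right, apply with RUN=1 and check the SIP-DENY log lines for a while, which tells you which home-office users are still being blocked and from what ranges. The widening problem the next post raises still applies: a large ISP range in this list lets every customer of that ISP reach the SIP port, so the allowlist only reduces exposure, it does not replace strong registration secrets.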

I already had the idea with the ranges, but one of the customers has one of the biggest providers here… so the range would be VERY large… :frowning:

This info with the non-root-asterisk is good, I’ll have a look at this…



Thanks for taking the time to help, I really appreciate it.