Firewall: what ports need to be open, what not?

Discussion in 'General' started by ictdude, Aug 13, 2009.

  1. ictdude

    Joined:
    Aug 12, 2009
    Messages:
    23
    Likes Received:
    0
    Firewall: what ports need to be open, what not?

    I need some information so I can secure my Elastix box. I will use the Shorewall firewall to secure my server where Elastix is running. Is there a list of all known ports for Elastix to operate? And also what function those ports have? What UDP and TCP ports? I only like to open ports that are really needed to operate Elastix VoIP. Other remote functions and tools go over IPsec or PPTP. So I really like to secure the box. What can give me the right info? B)

    Guess this is the answer: http://www.voip-info.org/wiki/view/Asterisk+firewall+rules

    :) :)

    # SIP on UDP port 5060. Other SIP servers may need TCP port 5060 as well
    iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT

    # IAX2- the IAX protocol
    iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT

    # IAX - most have switched to IAX v2, or ought to
    iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT

    # RTP - the media stream
    iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT

    # MGCP - if you use media gateway control protocol in your configuration
    iptables -A INPUT -p udp -m udp --dport 2727 -j ACCEPT
     
  2. danardf

    Joined:
    Dec 3, 2007
    Messages:
    8,069
    Likes Received:
    12
    Really... do you use all these ports?

    If you use SIP, you can open only:
    UDP -> 5060 and
    UDP -> 10000 to 20000

    Do you really use the IAX2 and MGCP protocols?
     
  3. haamed

    Joined:
    Jul 23, 2007
    Messages:
    251
    Likes Received:
    0
    For SIP you should open 5061 too, on both TCP and UDP B)
     
  4. danardf

    Joined:
    Dec 3, 2007
    Messages:
    8,069
    Likes Received:
    12
    Why open TCP?
    Asterisk doesn't use SIP over TCP (just for Asterisk 1.6.x).
    In my case, I use only 5060 UDP, and that works fine.

    I agree with you for 5061, but it's not the real SIP port.
    After that, yes, you can use any port that you want, for example 5070!
     
  5. haamed

    Joined:
    Jul 23, 2007
    Messages:
    251
    Likes Received:
    0
    You are right, Danard :)
     
  6. ictdude

    Joined:
    Aug 12, 2009
    Messages:
    23
    Likes Received:
    0
  7. kdacosta

    Joined:
    Apr 12, 2013
    Messages:
    28
    Likes Received:
    0
    Thanks again for this info danardf!
     
  8. jordanlcn

    Joined:
    Mar 18, 2009
    Messages:
    141
    Likes Received:
    0
    About the RTP range, I would also suggest lowering that a bit to something a lot less. That is still 10K ports open.

    In theory the best way to secure is not to have open ports at all, but only trusted IP addresses.

    Then if you have external/roaming phones, use a VPN.
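
Added example (not part of the thread and not from any poster): a shell function that combines the suggestions above, SIP on UDP 5060 and a narrowed RTP range, accepted only from trusted source addresses. The addresses and the 10000:10200 range are constructed for illustration, and the range is assumed to match rtpstart/rtpend in Asterisk's rtp.conf.

```shell
#!/bin/sh
# Prints an iptables ruleset for a SIP-only Asterisk/Elastix box.
# Nothing is applied: review the output, then run it as root.

# Constructed sample values (documentation address ranges, not from the thread).
TRUSTED_SOURCES="203.0.113.10 198.51.100.0/24"  # e.g. SIP trunk, branch office
RTP_RANGE="10000:10200"  # assumed to equal rtpstart:rtpend in rtp.conf

gen_voip_rules() {
    sources=$1
    rtp=$2

    # Accept only "low:high" made of digits, with low <= high <= 65535.
    case $rtp in
        *[!0-9:]*|*:*:*|:*|*:|'') echo "bad RTP range: $rtp" >&2; return 1 ;;
    esac
    case $rtp in
        *:*) ;;
        *) echo "RTP range must be low:high" >&2; return 1 ;;
    esac
    lo=${rtp%%:*}
    hi=${rtp##*:}
    [ "$lo" -le "$hi" ] && [ "$hi" -le 65535 ] || {
        echo "bad RTP range: $rtp" >&2; return 1; }

    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for src in $sources; do
        # SIP signalling on UDP 5060, only from this trusted source.
        echo "iptables -A INPUT -s $src -p udp -m udp --dport 5060 -j ACCEPT"
        # RTP media; a provider that sends media from other addresses
        # needs those addresses listed as sources too.
        echo "iptables -A INPUT -s $src -p udp -m udp --dport $rtp -j ACCEPT"
    done
    # Default-deny goes last so the ACCEPT rules are in place before it bites.
    # Add rules for your VPN and management access before this line.
    echo "iptables -P INPUT DROP"
}

gen_voip_rules "$TRUSTED_SOURCES" "$RTP_RANGE"
```

IAX2 (4569), IAX (5036) and MGCP (2727) are left out on purpose; add a rule for one of them only if the box actually uses that protocol.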
     