Allowed Port Range In Firewall For RTP

Postby green125 » Wed Oct 13, 2021 12:15 pm

First of all, a little information about our network setup. The database and web servers are inside the network. The telephony servers have an internal network interface and an external network interface. Communication with the cluster and the agents happens on the internal connection and calls go out on the external connection. The external interface is set to the "external" zone in the firewall with the only allowed ports being UDP 10,000-20,000. (I configured the firewall using yast firewall. I have never tried working with iptables directly.) Inbound calls are handled by a separate server; this is all for outbound.

We have had problems on and off with a portion of our outbound calls being answered but having no audio. We brought this up with our carrier and they asked about our firewall settings. They said that they used to advise 10,000-20,000, but with increases in call usage on their vendors they have had to advise increasing the UDP port range to 6,000 to 60,000. I used netstat on a couple of the servers to see if there were any programs running that were listening in that range. There is a program called ip_relay that shows up for ports around 40,000, but that is all (aside from asterisk of course). I can't figure out exactly what ip_relay does, but it seems like it might be related to communication between servers. My questions are:

1) Does it present any additional security concerns having UDP 6,000-60,000 open on the firewall? Would this expose ip_relay or any other programs in a standard ViciBox installation?

2) Will it create a conflict with ip_relay or any other programs if asterisk tries to use these ports?

3) This is a separate question, but should I be using the "public" zone instead of the "external" zone on the firewall in order to take advantage of the VoIPBL and GeoBlock lists?

Thank you for any advice.

ViciBox v.9.0.3 | Version: 2.14-820a | BUILD: 210707-0731 | SVN Version: 3478 | DB Schema Version: 1638 | Asterisk 13.38.2-vici | Cluster Setup

Re: Allowed Port Range In Firewall For RTP

Postby ambiorixg12 » Thu Oct 14, 2021 10:32 am

1) Does it present any additional security concerns having UDP 6,000-60,000 open on the firewall? Would this expose ip_relay or any other programs in a standard ViciBox installation?


I don't know why you need to keep such a big range open, unless you will have a big flow of calls and don't want to run out of ports. Usually the range is 10k-30k, which is fine, but you can customize it in your /etc/asterisk/rtp.conf file. Whenever you open a socket on your system there is a chance of getting hacked.

2) Will it create a conflict with ip_relay or any other programs if asterisk tries to use these ports?


IP relay allows blind monitoring and loopback trunk connections. You can see the port used by this script at the following link (note: I don't know if that link is up to date):
https://github.com/h4ck3rm1k3/vicidial- ... ay_control

And to answer your question about conflicts with the ports: if the ip_relay script is running, that port won't be used by any other app.


Related to question 3, that is something you need to verify with your firewall admin, as I don't know how it works.
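A check for the mismatch discussed in this thread, added here as an example (it is not code from the thread or from the ViciDial project): it reads the rtpstart/rtpend keys that Asterisk takes from rtp.conf, tests whether that range fits inside the UDP range the firewall zone opens (a carrier sending RTP outside the open range is the classic cause of answered-but-silent calls), reports how many extra UDP ports a wider rule exposes, and lists other listeners such as ip_relay that a wider rule would make reachable. The rtp.conf text and the listener list are constructed samples; on a real server you would read /etc/asterisk/rtp.conf and take the listener list from `ss -lunp`.

```shell
#!/bin/sh
# Constructed sample of /etc/asterisk/rtp.conf (not taken from a real server).
SAMPLE_RTP_CONF='[general]
rtpstart=10000
rtpend=20000
'
# Constructed sample listener list as "port process" pairs, mirroring what the
# original poster saw with netstat (ip_relay around 40000, asterisk elsewhere).
SAMPLE_LISTENERS='5060 asterisk
10000 asterisk
40000 ip_relay
'

# rtp_range "<rtp.conf text>": print "rtpstart rtpend"; fail if either is missing.
rtp_range() {
    printf '%s\n' "$1" | awk -F= '
        /^[[:space:]]*rtpstart[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); s = $2 }
        /^[[:space:]]*rtpend[[:space:]]*=/   { gsub(/[[:space:]]/, "", $2); e = $2 }
        END { if (s && e) print s, e; else exit 1 }'
}

# range_covered RTP_START RTP_END FW_START FW_END: succeed only when every port
# Asterisk may pick for RTP is inside the range the firewall zone allows.
range_covered() {
    [ "$1" -ge "$3" ] && [ "$2" -le "$4" ]
}

# exposed_extra RTP_START RTP_END FW_START FW_END: number of UDP ports the
# firewall rule opens beyond what the RTP range needs (surplus attack surface).
exposed_extra() {
    echo $(( ($4 - $3 + 1) - ($2 - $1 + 1) ))
}

# other_listeners_in_range "<port process lines>" FW_START FW_END: print every
# non-asterisk listener whose port the firewall rule would expose.
other_listeners_in_range() {
    printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" '
        NF == 2 && $2 != "asterisk" && $1 + 0 >= lo + 0 && $1 + 0 <= hi + 0 { print $1, $2 }'
}

# Stand-alone run against the constructed samples and the carrier's suggested range.
set -- $(rtp_range "$SAMPLE_RTP_CONF")
range_covered "$1" "$2" 6000 60000 && echo "RTP $1-$2 is inside UDP 6000-60000"
echo "extra UDP ports opened beyond RTP needs: $(exposed_extra "$1" "$2" 6000 60000)"
echo "other listeners exposed by 6000-60000:"
other_listeners_in_range "$SAMPLE_LISTENERS" 6000 60000
```

If Asterisk's rtp.conf range is wider than the firewall rule, the script's `range_covered` fails; narrowing rtpstart/rtpend to the opened range (or opening exactly that range) removes the one-way-audio cause without exposing unrelated listeners.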

