First of all, a little information about our network setup. The database and web servers are inside the network. The telephony servers have an internal network interface and an external network interface. Communication with the cluster and the agents happens on the internal connection and calls go out on the external connection. The external interface is set to the "external" zone in the firewall with the only allowed ports being UDP 10,000-20,000. (I configured the firewall using yast firewall. I have never tried working with iptables directly.) Inbound calls are handled by a separate server; this is all for outbound.
We have had problems on and off with a portion of our outbound calls being answered but having no audio. We brought this up with our carrier and they asked about our firewall settings. They said that they used to advise 10,000-20,000, but with increases in call usage on their vendors they have had to advise increasing the UDP port range to 6,000 to 60,000. I used netstat on a couple of the servers to see if there were any programs running that were listening in that range. There is a program called ip_relay that shows up for ports around 40,000, but that is all (aside from asterisk of course). I can't figure out exactly what ip_relay does, but it seems like it might be related to communication between servers. My questions are:
1) Does it present any additional security concerns having UDP 6,000-60,000 open on the firewall? Would this expose ip_relay or any other programs in a standard ViciBox installation?
2) Will it create a conflict with ip_relay or any other programs if asterisk tries to use these ports?
3) This is a separate question, but should I be using the "public" zone instead of the "external" zone on the firewall in order to take advantage of the VoIPBL and GeoBlock lists?
Thank you for any advice.
ViciBox v.9.0.3 | Version: 2.14-820a | BUILD: 210707-0731 | SVN Version: 3478 | DB Schema Version: 1638 | Asterisk 13.38.2-vici | Cluster Setup
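An added example for question 1, not code from the original post or from ViciBox/VICIdial: a small POSIX shell audit of which UDP listeners would become reachable through the external zone if the firewall range is widened from 10,000-20,000 to 6,000-60,000. It parses the output of `ss -H -ulnp` or `netstat -ulnp` and keeps only sockets bound to a wildcard address or to the external interface's own address, since a socket bound only to the internal address is not reachable through the external zone whatever the firewall allows. The sample output below is constructed; the ip_relay ports, PIDs and the 10.0.0.5 internal address are assumptions, not facts about any real installation. Run it against the real `ss -H -ulnp` output on the telephony server instead.

```shell
#!/bin/sh
# Added example (not from the original post or ViciBox): report UDP listeners
# that a widened firewall range would expose on the external interface.

# Constructed sample resembling `ss -H -ulnp` output. Ports, PIDs and the
# 10.0.0.5 internal address are assumptions for illustration only.
SAMPLE_SS='UNCONN 0 0 0.0.0.0:5060 0.0.0.0:* users:(("asterisk",pid=1234,fd=12))
UNCONN 0 0 0.0.0.0:40001 0.0.0.0:* users:(("ip_relay",pid=2222,fd=3))
UNCONN 0 0 10.0.0.5:40002 0.0.0.0:* users:(("ip_relay",pid=2222,fd=4))
UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("systemd-resolve",pid=500,fd=9))
UNCONN 0 0 0.0.0.0:12000 0.0.0.0:* users:(("asterisk",pid=1234,fd=30))
UNCONN 0 0 0.0.0.0:61000 0.0.0.0:* users:(("something",pid=7,fd=1))'

# udp_listeners_in_range LOW HIGH [EXT_IP]
# Reads `ss -ulnp` or `netstat -ulnp` lines on stdin and prints
# "port process bind_addr" for each UDP socket whose port lies in [LOW,HIGH]
# and which is reachable via the external interface: bound to a wildcard
# address (0.0.0.0, *, [::], ::) or to EXT_IP. Loopback and internal-only
# binds are skipped because the external zone cannot reach them anyway.
udp_listeners_in_range() {
    low=$1; high=$2; ext_ip=${3:-}
    awk -v low="$low" -v high="$high" -v ext="$ext_ip" '
    $4 ~ /:/ {
        # $4 is Local Address:Port in both ss and netstat output
        n = split($4, a, ":"); port = a[n]
        if (port !~ /^[0-9]+$/) next
        if (port + 0 < low + 0 || port + 0 > high + 0) next
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr != "0.0.0.0" && addr != "*" && addr != "[::]" && addr != "::" && addr != ext) next
        proc = "?"
        if ($1 == "udp" || $1 == "udp6") {
            # netstat: last field is PID/Program name
            if (split($NF, b, "/") >= 2) proc = b[2]
        } else if (match($0, /users:\(\("[^"]+"/)) {
            # ss: users:(("name",pid=...,fd=...))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        }
        printf "%s %s %s\n", port, proc, addr
    }' | sort -n
}

# newly_exposed OLD_LOW OLD_HIGH NEW_LOW NEW_HIGH [EXT_IP]
# Prints listeners reachable under the new range that the old range did not reach.
newly_exposed() {
    old_low=$1; old_high=$2; new_low=$3; new_high=$4; ext_ip=${5:-}
    udp_listeners_in_range "$new_low" "$new_high" "$ext_ip" |
    awk -v low="$old_low" -v high="$old_high" '$1 + 0 < low + 0 || $1 + 0 > high + 0'
}

# Stand-alone run over the constructed sample: what does 6000-60000 expose
# that 10000-20000 did not? On a real server replace the sample with:
#   ss -H -ulnp | newly_exposed 10000 20000 6000 60000 <external-ip>
printf '%s\n' "$SAMPLE_SS" | newly_exposed 10000 20000 6000 60000
```

The bind address decides the answer as much as the port does: a process bound to 0.0.0.0 in the new range is reachable from the carrier side once the firewall permits it, while one bound only to the internal interface's address is not, so check the fourth column of `ss -ulnp` for ip_relay rather than the port alone.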