I started this topic with the hopes that I can get an answer as to all the TCP and UDP ports needed by not only the FreePBX distro, but also the remote SIP clients as well. And even including the modules ( Google Voice Motif especially )
When locking down the cloud install with only considering TCP 5060 and UDP 10000-20000 I have 2 issues:
Incoming audio does not work on SIP client ( not sure if even outgoing audio works either )
Google voice trunk does not connect
Has anyone had any experience in configuring a cloud install and trying to come up with firewall rules/methodology?
For now I’ll go with a “IP list” methodology which works, but knowing more about what Google voice trunk ports that are needed would help. I’m using it as a backup outgoing line.
Basically I’ll be connecting “remote extensions” exclusively which seems to not be a common deployment.
This is fairly common. There are many cloud based deployments of FreePBX out there. It is important to lock down port 5060/UDP especially but if you can try to lock everything down as much as is possible. If you can lock 5060/UDP and 10000-20000/UDP to specific IP addresses using iptables all the better.
If you are using stock FreePBX ISOs then this will include fail2ban which will help. If not then make sure you have fail2ban installed and setup to monitor Asterisk /var/log/asterisk/full activity to prevent breakin attempts.
Also make sure that you lock down all other ports. Open up port 80/TCP and 22/TCP only to a very limited number of addresses also as they are open to attack if you don’t and having the management of the PBX and the SIP open to the World it makes things doubly difficult for you.
There are other ports to consider as well (here are some but not an exhaustive list):
4569/UDP for IAX2 traffic
5038/TCP for Asterisk Management Interface (if used remotely)
84/TCP for phone provisioning (if you are using end point manager)
3306/TCP for MySQL (if accessing any databases remotely)
There are quite a few more that are used for very specific functions.