Flowroute Question

I’m a bit of a noob so please take it easy on me! In the last few weeks we started having intermittent issues with outgoing calls not having any audio; incoming was never a problem. Our trunk to Flowroute was set up as chan_sip, and there was no port forwarding required for our router. This configuration worked for years up until a few weeks ago. When these issues started coming up, I switched over to pjsip, added the port forwarding, but still had the same issues. Long story short, I had missed a setting they have on their setup page which states:
“To reduce latency, Flowroute uses Direct Media Delivery. To receive Direct Media, allow UDP packets from any source IP address with a destination port within your system’s RTP public media port range”
Now my question: isn’t this a giant security hole? I’m told by them that they cannot specify a network range as this is one of their peers. Is it normal to just allow everything on the internet within that port range into FreePBX? Is there something I should do on the FreePBX side to lock this down a little more? Should I be looking at another SIP provider? Thanks.

On a properly configured system, nothing should be listening on UDP ports 10000-20000, other than Asterisk RTP. You can confirm this by issuing
netstat -4unlp
at a root shell prompt.

There was a bug that allowed an attacker to intercept RTP, fixed long ago in Asterisk; see https://www.rtpbleed.com/

Some folks believe that a significant vulnerability remains; see for example “RTPbleed Security Alert: Asterisk Calls Can Be Intercepted” (Nerd Vittles).
IMO this is paranoia; there have been no reports of exploits in several years.

Note that not forwarding the RTP port range can cause problems unrelated to Flowroute (or any provider). For example, a call between two remote extensions will have no audio; Asterisk isn’t sending RTP because it isn’t receiving any, so the NAT association is never opened.
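The check suggested above (nothing but Asterisk listening in the RTP range) can be scripted against the output of netstat -4unlp. The following is an added example, not code from this thread or from FreePBX; the netstat sample is constructed, and the 10000-20000 range is the Asterisk default assumed here.

```python
import re

# Constructed sample of `netstat -4unlp` output run as root (not from a real system).
# One socket (15000/python3) sits inside the RTP range and is not Asterisk.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:5060            0.0.0.0:*                           1234/asterisk
udp        0      0 0.0.0.0:10002           0.0.0.0:*                           1234/asterisk
udp        0      0 0.0.0.0:10003           0.0.0.0:*                           1234/asterisk
udp        0      0 127.0.0.1:323           0.0.0.0:*                           456/chronyd
udp        0      0 0.0.0.0:15000           0.0.0.0:*                           789/python3
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -
"""

# Default Asterisk rtp.conf range (rtpstart=10000, rtpend=20000); adjust if yours differs.
RTP_RANGE = range(10000, 20001)

# Matches a netstat UDP line; the PID/program column is "-" when not run as root.
LINE_RE = re.compile(
    r"^udp\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:(\d+)/(\S+)|-)\s*$"
)


def parse_udp_listeners(text):
    """Return a list of (local_addr, port, pid, program) for each UDP socket line."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and anything that is not a UDP socket
        addr, port, pid, prog = m.groups()
        sockets.append((addr, int(port), int(pid) if pid else None, prog or "unknown"))
    return sockets


def audit_rtp_range(text, rtp_range=RTP_RANGE, expected_program="asterisk"):
    """Flag UDP sockets inside the RTP range that are not owned by Asterisk.

    Asterisk itself only binds a port in this range while a call is active, so
    every other process found here is unexpected and worth investigating.
    """
    findings = []
    for addr, port, pid, prog in parse_udp_listeners(text):
        if port in rtp_range and prog != expected_program:
            findings.append({"addr": addr, "port": port, "pid": pid, "program": prog})
    return findings


if __name__ == "__main__":
    for f in audit_rtp_range(SAMPLE_NETSTAT):
        print(f"unexpected listener in RTP range: {f}")
```

Run it against live output with `audit_rtp_range(subprocess.check_output(["netstat", "-4unlp"], text=True))` as root; an empty result means only Asterisk holds ports in the range.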

They can be used as transient ports by other applications. Strictly speaking, Asterisk only uses them as transient ports. It doesn’t maintain listeners on the whole range; it only listens when it has selected the port for a particular session.

So basically Asterisk is ignoring these ports unless it has already initiated something?

Same as anything that allocates random local ports.
