Proper firewall rules for security 5060 and 5061

RTP isn’t always outbound. During a conversation, there will be two streams, 1 in and 1 out, both on different ports.

In the case where Asterisk is connecting to an ITSP, the SIP connection is outbound. RTP then uses the ports assigned by Asterisk for the media stream. In the case of an external phone, the SIP and RTP are initiated by the phone, which is outside the local network, so the ports have to be opened and traffic directed to the PBX.

To block ports, normally you don’t have to do anything. Firewalls usually block ALL traffic by default, and YOU have to open ports.

Now as a point of detail, I am referring to an actual firewall device that would usually be connected to the modem. Sometimes it is also included as part of the Router/WiFi device most homes and SMBs now have. In my case, I have our ISP modem connected to a dedicated firewall which controls bandwidth, firewall, NAT (which is actually what this discussion is about - Network Address Translation), SPAM, etc…

If by trunk providers, you mean to connect to YOUR service provider, you do NOT need to open ports, THEY do. If YOU are the service provider, then YES you do… and you should learn more before selling the service.

Marc
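
The external-phone case described in the post above, written out as an added example (not part of the original post): a shell function that renders a default-deny nftables ruleset forwarding SIP and RTP to the PBX only from known phone addresses. It assumes a Linux firewall running nftables; the interface name, all IP addresses and the RTP range 10000-20000 (the Asterisk `rtp.conf` default) are assumed values.

```shell
#!/bin/sh
# Added example. All addresses and the interface name are constructed:
#   WAN interface eth0, PBX 192.168.1.10, remote phones 203.0.113.25 / 198.51.100.7
# RTP range 10000-20000 is the Asterisk rtp.conf default; match your rtpstart/rtpend.
# SIP is assumed to be UDP on 5060 and TLS over TCP on 5061.

render_pbx_ruleset() {
    wan_if=$1   # interface facing the modem
    pbx=$2      # internal address of the PBX
    phones=$3   # comma-separated source addresses of the external phones
    cat <<EOF
table ip pbx {
    set remote_phones {
        type ipv4_addr
        elements = { $phones }
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Inbound SIP and RTP from known external phones only, directed to the PBX
        iifname "$wan_if" ip saddr @remote_phones udp dport 5060 dnat to $pbx
        iifname "$wan_if" ip saddr @remote_phones tcp dport 5061 dnat to $pbx
        iifname "$wan_if" ip saddr @remote_phones udp dport 10000-20000 dnat to $pbx
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        # Return traffic for flows opened from inside (outbound SIP to an ITSP)
        ct state established,related accept
        # PBX and LAN hosts may initiate outbound connections
        iifname != "$wan_if" accept
        # From the WAN, only packets that matched a DNAT rule above get through
        iifname "$wan_if" ct status dnat accept
    }
}
EOF
}

# Syntax-check without loading:
#   sh pbx-rules.sh eth0 192.168.1.10 "203.0.113.25, 198.51.100.7" | nft -c -f -
if [ "$#" -eq 3 ]; then
    render_pbx_ruleset "$@"
fi
```

Nothing in the forward chain opens 5060 or 5061 to the Internet at large: the ITSP trunk works through the established/related rule because the PBX starts that connection itself.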