Hi all,
So I don't usually deal with PBXs behind NAT that want offsite access.
I am using a port knocker to access the FreePBX device. It works with 5060 SIP signalling, but does not work with RTP, e.g. 10000:20000.
It still only opens up 5060 despite it being a -m multiport command in iptables. If I add a separate rule that always allows the RTP range, audio works.
So, curious: is there much of a risk permanently opening RTP ports to the world, just relying on port knocking for 5060 protection?
And before someone raises it: no, VPN is not an option.
Agreed, it’s safe, although I shy away from this if at all possible. I’ve done this a couple of times (clients are too scared and by their own admission too tech-dumb and just want stuff “to work”, so they get scared when you say VPN), but I’d strongly suggest narrowing your RTP range. 10000-20000 is overkill, pure overkill, especially if you’re behind NAT. I’d strongly recommend reducing that port range.
Consider each call will use IIRC (I’m sure someone will point out if I’m wrong) 4 UDP ports per call.
So if you have 100 calls active, that’s only 400 ports, but I like randomness so try 10000-14000 … I don’t see that as a problem, but that said, as I mentioned earlier I do try to avoid this type of setup, so again I may be wrong.
Which means there’s only 200 ports for people to randomly inject audio into.
The whole point of having such a large range of RTP ports is to make it much harder for attackers to inject fraudulent audio. Leave it 10,000 ports wide.