"Our testing confirms that simply blocking incoming RTP traffic on your firewall solves the problem without any Asterisk patch. In short, RTP traffic cannot originate from anonymous sources on the Internet. Simply remove or comment out the INPUT rule that looks like this and restart IPtables: -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT"
Does anyone see any issue with this approach using:
FreePBX 13.0.190.7
Asterisk Version: 13.7.2
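As an added illustration (not part of the original post or of FreePBX/Asterisk), here is a small POSIX shell audit helper that scans an iptables-save style dump for INPUT rules that ACCEPT UDP into the RTP port range from any source, which is exactly the rule the quoted advice says to remove. The ruleset it scans is constructed for the example; the 203.0.113.0/24 source range is documentation address space, not a real provider's, and stands in for a rule that has already been restricted to a known media source.

```shell
#!/bin/sh
# Added audit helper, not from the thread: report INPUT rules that accept
# UDP into a port range with no -s (source) restriction, i.e. rules that
# let RTP in from anonymous Internet hosts.

# Constructed sample ruleset in iptables-save format (assumption for the
# demo). 203.0.113.0/24 is documentation space, not a real provider.
SAMPLE_RULES='-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Read rules on stdin, print those that ACCEPT UDP into $1 (e.g. 10000:20000)
# without a -s filter. awk always exits 0, so this is safe under set -e.
open_rtp_rules() {
    awk -v range="$1" '
        /^-A INPUT / && /-p udp/ && /-j ACCEPT/ &&
        index($0, "--dport " range " ") && !/ -s / { print }
    '
}

# Count such rules for a range; $2 is the ruleset text (defaults to SAMPLE_RULES).
# 0 means the range is not open to anonymous sources.
count_open_rtp_rules() {
    rules="${2:-$SAMPLE_RULES}"
    printf '%s\n' "$rules" | open_rtp_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone report. On a live box you would feed `iptables-save` instead of
# the constructed sample, e.g.: iptables-save | open_rtp_rules 10000:20000
printf 'Unrestricted UDP ACCEPT rules for 10000:20000:\n'
printf '%s\n' "$SAMPLE_RULES" | open_rtp_rules 10000:20000
printf 'count=%s\n' "$(count_open_rtp_rules 10000:20000)"
```

The restricted rule for 203.0.113.0/24 is deliberately not reported: that is the shape a rule takes for a provider whose media IPs you know, whereas the unrestricted one is the rule the quoted advice targets.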
Unless I am misreading this, the person who wrote this probably has limited experience in dealing with the requirements of some VoIP providers…
I know of at least one well-known provider you cannot do that with, Flowroute…
With Flowroute you establish the SIP communication with servers you know the IPs of but once the communication is established, the RTP traffic comes from a different IP.
I believe one of my other providers also does this but I am not 100% sure… This is not specific to Flowroute though, so while the suggestion will work with many providers, it won’t work with all of them, something the author should have said but probably did not know…
Having to pass audio through a server a thousand miles away typically doesn’t make sense.
Resources: it takes additional overhead (even if trivial per user) to proxy media.
"Many of you may have noticed the most recent security release for correcting a potential RTP hijacking vulnerability when strictrtp is enabled in conjunction with certain nat settings. In reality, it’s very challenging to get gain and plunder from the bug due to several mitigation strategies used in Asterisk (random rtp port selection and large default rtp port range)." ~ Matt Fredrickson (Asterisk project lead, engineering manager, fast food advocate, and sometimes engineer at Digium)
tl;dr the risk is minor. Also, just update Asterisk.