# SIP Trunk Port Range (VOIP)



## Keith7WA (Aug 13, 2012)

I've recently set up a PC-based IP PBX in our small business which uses a SIP Trunk for up to 3 simultaneous voice calls.

Ports needed to operate include 5060 (SIP-UDP) and then a huge range of high-number UDP ports which I believe is for the 'media' or audio. Let's call the range UDP 49,152 to 64,512. I only know a little about the SIP protocol but my understanding is that each call will randomly use a few ports from this range across which will pass audio.

My question is this: Is there a need to have such a wide range of ports open? If my SIP trunk is only capable of 3 simultaneous calls then it seems only 9 or so of those open ports could get used at once. Could I not just open, say a range of 100 ports and be fine, thereby reducing the security risk?

On the other hand, if that particular range of high-number ports poses no or little security risk, then I guess I don't care.

Any info appreciated!!


----------
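Added example (not part of any post in this thread): a Python sketch of the sizing question above, which derives a narrowed RTP range from the concurrent-call limit, renders firewall rules restricted to the trunk provider, and checks that the media ports the PBX announces in SDP fall inside that range. It assumes one RTP and one RTCP port per trunk-facing call, an iptables firewall in front of the PBX, and a placeholder provider network; all function names and sample values are hypothetical.

```python
import ipaddress
import re

# Assumption (not from the thread): each trunk-facing call needs 2 UDP ports,
# an even RTP port and the next odd port for RTCP.
PORTS_PER_CALL = 2

def rtp_range(max_calls, start=49152, headroom=4):
    """Return (first, last) UDP ports sized for max_calls.

    headroom multiplies the minimum so ports held by calls that are still
    tearing down or being re-negotiated do not exhaust the range.
    """
    if start % 2:
        start += 1                      # keep the first RTP port even
    last = start + max_calls * PORTS_PER_CALL * headroom - 1
    if last > 65535:
        raise ValueError("range exceeds UDP port space")
    return start, last

def firewall_rules(provider_cidr, first, last):
    """Render iptables rules admitting SIP and RTP only from the provider.

    provider_cidr must cover the provider's media gateways as well as its
    SIP signalling address.
    """
    net = ipaddress.ip_network(provider_cidr)   # rejects malformed input
    return [
        f"iptables -A FORWARD -p udp -s {net} --dport 5060 -j ACCEPT",
        f"iptables -A FORWARD -p udp -s {net} --dport {first}:{last} -j ACCEPT",
    ]

def sdp_audio_ports(sdp):
    """Extract the ports announced on m=audio lines of an SDP body."""
    return [int(p) for p in re.findall(r"^m=audio (\d+) ", sdp, re.MULTILINE)]

def ports_outside(sdp, first, last):
    """Announced media ports that the narrowed firewall range would block."""
    return [p for p in sdp_audio_ports(sdp) if not first <= p <= last]

# Constructed sample SDP offer (addresses are RFC 5737 documentation ranges).
SAMPLE_SDP = (
    "v=0\r\no=pbx 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
    "c=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
)

if __name__ == "__main__":
    first, last = rtp_range(3)                  # 3 simultaneous calls
    print("\n".join(firewall_rules("198.51.100.0/24", first, last)))
    print("blocked ports:", ports_outside(SAMPLE_SDP, first, last))
```

The firewall range only helps if the PBX's own RTP port setting is narrowed to the same values; a non-empty result from `ports_outside` means the two are out of step and calls would lose audio.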



## Wand3r3r (Sep 17, 2010)

This would be a question best asked of the PBX software provider.

You only want to open ports you have to.


----------



## Troy_Jollimore (Dec 31, 2007)

Was that you that was asking the question of the Cisco router? I remember those port ranges...

Since you're going to be directly port-forwarding those requests to your PBX server, I wouldn't be too concerned about it.


----------



## Wand3r3r (Sep 17, 2010)

Actually, one of the biggest scams is with phones. Hackers take control and route international calls through your PBX, and you don't have a clue until you get the thousands-of-dollars end-of-the-month bill.

You protect your phone system the same way you protect your data network.

Voice Mail Fraud | FCC.gov

There are other scams besides this one.


----------



## Troy_Jollimore (Dec 31, 2007)

I saw that with the VoiceMail thing...our system won't let you route a call from voicemail to an outside number (unless it's defined in the system), so we were safe from that one. Scary, though.

Since most of those aren't 'directly accessing' the PBX through the network, you're still pretty safe. But even though this is probably Linux-based, you never know...


----------

