Putting the Sippy Softswitch behind an external firewall often makes sense to increase security and provide better protection against DDoS attacks, port scanning, etc. The following guidelines should be taken into consideration when configuring a firewall.

Incoming:

The Sippy Softswitch requires the following ports to be open for incoming connections from the public networks:

  • UDP destination default port 5060 (SIP) - and/or other ports configured for SIP/UDP;
  • UDP destination ports range 10,000 - 65,000 (RTP) - when RTPProxy is used;
  • TCP destination default ports 5060 and 5061 for TCP and TLS respectively - and/or other ports configured for SIP/TLS;
  • UDP destination port 4569 (IAX only).


Incoming connections to the following ports are not required for the normal operation of the software, but may be selectively enabled for management purposes and could be limited to specific networks / IPs:

  • TCP destination port 22 (SSH console);
  • UDP destination port 69 (TFTP provisioning);
  • TCP destination port 80 (Web management/self-care interfaces, redirect to port 443);
  • UDP destination port 161 (SNMP monitoring);
  • TCP destination port 199 (SNMP monitoring);
  • TCP destination port 443 (Web management/self-care interfaces HTTPS, XMLRPC API);
  • TCP destination port 5432 (PostgreSQL ODBC);
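
The two inbound lists above can be checked against an exported firewall ruleset. The following is an added example, not Sippy's own code: it assumes inbound allow rules have been reduced to (protocol, first port, last port, source CIDR) tuples, and the sample rules are constructed. It flags management ports reachable from any source, including through an overly broad port range, rules outside the lists, and public ports that are not fully open.

```python
import ipaddress

# Inbound policy transcribed from the two lists above: (proto, first, last, label).
PUBLIC = [("udp", 5060, 5060, "SIP/UDP"), ("udp", 10000, 65000, "RTP"),
          ("tcp", 5060, 5061, "SIP/TCP+TLS"), ("udp", 4569, 4569, "IAX")]
MANAGEMENT = [("tcp", 22, 22, "SSH"), ("udp", 69, 69, "TFTP"), ("tcp", 80, 80, "HTTP"),
              ("udp", 161, 161, "SNMP/UDP"), ("tcp", 199, 199, "SNMP/TCP"),
              ("tcp", 443, 443, "HTTPS"), ("tcp", 5432, 5432, "PostgreSQL")]

def is_any(src):
    """True when the source is 0.0.0.0/0 or ::/0, i.e. the whole Internet."""
    return ipaddress.ip_network(src).prefixlen == 0

def overlaps(rule, entry):
    """True when the rule's protocol matches and its port range intersects the entry's."""
    return rule[0] == entry[0] and rule[1] <= entry[2] and entry[1] <= rule[2]

def fully_open(entry, rules):
    """Sweep the any-source rules in port order and check they cover the whole range."""
    nxt = entry[1]
    world = [r for r in rules if r[0] == entry[0] and is_any(r[3])]
    for r in sorted(world, key=lambda r: r[1]):
        if r[1] > nxt:
            break
        nxt = max(nxt, r[2] + 1)
    return nxt > entry[2]

def audit(rules):
    """Return (kind, label) findings for inbound allow rules (proto, first, last, source)."""
    findings = []
    for r in rules:
        mgmt = [e for e in MANAGEMENT if overlaps(r, e)]
        if is_any(r[3]):
            findings += [("management-exposed", e[3]) for e in mgmt]
        if not mgmt and not any(overlaps(r, e) for e in PUBLIC):
            findings.append(("not-in-policy", f"{r[0]}/{r[1]}-{r[2]}"))
    # RTP and IAX are only needed when RTPProxy / IAX are in use, so treat these as prompts.
    findings += [("public-not-fully-open", e[3]) for e in PUBLIC if not fully_open(e, rules)]
    return findings

# Constructed sample ruleset; the restricted source is a documentation range.
SAMPLE_RULES = [
    ("udp", 5060, 5060, "0.0.0.0/0"), ("udp", 10000, 20000, "0.0.0.0/0"),
    ("tcp", 5060, 5061, "0.0.0.0/0"), ("tcp", 22, 22, "198.51.100.0/24"),
    ("tcp", 5432, 5432, "0.0.0.0/0"), ("udp", 100, 200, "0.0.0.0/0"),
    ("tcp", 8080, 8080, "0.0.0.0/0"),
]

if __name__ == "__main__":
    for kind, label in audit(SAMPLE_RULES):
        print(f"{kind:22} {label}")
```

The outgoing rules are not covered, since they are keyed on source ports and DNS/NTP destinations rather than on inbound destination ports.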


Outgoing:

The following ports should be allowed to initiate connections to the public networks (though these may apply only in particular scenarios):

  • UDP source ports 5060, 5061 (SIP outbound);
  • UDP source ports range 5065-5071 (SIP outbound);
  • UDP destination port 53 (lookups to DNS server);
  • UDP source/destination port 123 (synchronization of time with NTP servers).


Please allow all incoming and outgoing connections from all sub-domains of *.sippysoft.com on your external firewall so that we can access your server and provide support for it.