Chapter 9

To firewall H.323, we need to permit incoming and outbound connections on ports 1720 TCP and UDP ports 5000-5014.

IAX

IAX is a lot more straightforward than either H.323 or SIP as it was designed with the limits imposed by NAT in mind. You can easily allow this traffic through your firewall NAT with minimal fuss.

IAX uses port 4569 UDP outbound and inbound for communication. The old IAX protocol, mentioned in an earlier chapter and succeeded by the current IAX (IAX2), used 5036 UDP.

IAX is also more powerful than either H.323 or SIP and has several features that make VoIP administration and use much easier. For example, it has enhanced signaling capabilities and separates signaling and data more effectively. Also as IAX is not a standard and therefore has no standards body monitoring the decision process, modifications can be made more easily.

RTP—The Real-Time Transport Protocol

RTP is the protocol often used to carry the audio data in a VoIP conversation; it is a standard developed by the IETF (Internet Engineering Task Force). It can also be used to carry video data and is designed specifically to handle this sort of real-time data. It attempts to guarantee that the data will be transmitted and received in a short period of time. Obviously latency in voice conversations can be problem, so RTP avoids this latency as much as possible and concentrates on timely delivery of data.

To allow RTP to function, we would have to allow the following ports inbound and outbound from our Asterisk server: 10000 to 20000 UDP

Controlling Administration of Asterisk

As we have set up Asterisk to access files owned by the root user and Asterisk group, this means that the Asterisk service can read and write only to the files it requires. We, however, may have to perform additional maintenance tasks such as adding extensions, creating new voicemail boxes and so on.

As Asterisk configuration is managed by modifying flat files, we manage this configuration by logging on to the server with an interactive session, at the local console or remotely. To follow best practice, we wouldn't login directly as the root user, but more likely as the Asterisk user. If we did need to edit any files the Asterisk user doesn't have privileges for, then we would switch user to root using the su command:

$ su -

Password:[root password]

151