Connect a DECT bridge

Set Outgoing Firewall to BLOCK.
RED is connected to the ISP-Router, so RED is Private-LAN (192.168…)
Now DECT-Phone is missing the connection.
I add


and

now the telephone connection for incoming and outgoing calls is OK.
But now the incoming OpenVPN (UDP 1194) connections are routed to the PBX. I assume that is because I have ALL ports/protocols chosen in the rules for the telephone.
Which ports and protocols are needed for telephone only?

According to ChatGPT v. 4

  • Port 5060 - Session Initiation Protocol (SIP) (unencrypted signaling) - TCP and UDP
  • Port 5061 - Session Initiation Protocol (SIP) (encrypted signaling) - TCP
  • Port 1720 - H.323 (call signaling and control) - UDP
  • Port 1731 - H.323 (call signaling and control) - UDP
  • Port 1719 - H.323 (call signaling and control) - UDP
  • Ports 16384 to 32767 - Real-Time Transport Protocol (RTP) (audio and video data transmission) - UDP

You can group them (e.g. VOIP group) before entering your firewall rules, making the process more efficient.

These are the most common ports used by VOIP, but there can be others according to different vendors. In case of problems, you can check the kernel logs by issuing this command in the console, while using the phone system:

tail -f /var/log/messages

You will see the packets flowing in real time, with the ports indicated. Ctrl-C to exit.

2 Likes
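An added example, not part of the original posts: instead of reading the live log by eye, the function below counts the protocol/destination-port pairs logged for one source address, which gives the shortlist of ports the phone actually uses. It assumes the firewall log lines carry the standard netfilter `SRC=`, `PROTO=` and `DPT=` fields; the function names, the phone address 192.168.1.50 and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list "count PROTO/PORT" for packets logged from one host.
# Usage on the firewall: summarize_ports <phone-ip> /var/log/messages

summarize_ports() {
    src_ip=$1
    logfile=${2:-/var/log/messages}
    awk -v ip="$src_ip" '
        {
            src = ""; proto = ""; dpt = ""
            # Pick the netfilter LOG fields out of each line, wherever they sit.
            for (i = 1; i <= NF; i++) {
                if      ($i ~ /^SRC=/)   src   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            # Lines without a destination port (ICMP, for example) are skipped.
            if (src == ip && proto != "" && dpt != "")
                count[proto "/" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' "$logfile" | sort -k1,1nr -k2,2
}

# Constructed sample log lines (addresses, ports and prefixes are made up).
sample_log() {
    cat <<'EOF'
Mar  3 10:15:01 fw kernel: DROP_FORWARD IN=green0 OUT=red0 SRC=192.168.1.50 DST=203.0.113.10 LEN=560 PROTO=UDP SPT=5060 DPT=5060 LEN=540
Mar  3 10:15:02 fw kernel: DROP_FORWARD IN=green0 OUT=red0 SRC=192.168.1.50 DST=203.0.113.10 LEN=560 PROTO=UDP SPT=5060 DPT=5060 LEN=540
Mar  3 10:15:03 fw kernel: DROP_FORWARD IN=green0 OUT=red0 SRC=192.168.1.50 DST=203.0.113.10 LEN=200 PROTO=UDP SPT=5004 DPT=5004 LEN=180
Mar  3 10:15:04 fw kernel: DROP_FORWARD IN=green0 OUT=red0 SRC=192.168.1.20 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40112 DPT=443 SYN
Mar  3 10:15:05 fw kernel: DROP_FORWARD IN=green0 OUT=red0 SRC=192.168.1.50 DST=203.0.113.10 LEN=560 PROTO=UDP SPT=5060 DPT=5060 LEN=540
Mar  3 10:15:06 fw kernel: DROP_FORWARD IN=green0 OUT=red0 SRC=192.168.1.50 DST=203.0.113.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
EOF
}

# Demo on the constructed sample; "-" makes awk read standard input.
sample_log | summarize_ports 192.168.1.50 -
```

Run it while placing a test call, then allow only the listed ports for the phone instead of ALL.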

Thx, for the ports!
And yes, if you want to get some info from this IPFire you have to use the CLI and ignore this ^#%$!$ WebUI … :face_vomiting:

That is because you told it to do so in the second rule. You should of course not expose your entire PBX to the Internet.

2 Likes

Hm, I thought I restricted the related ports with the service group ‘VoIP’. This included the ports named by cfusco in the post above. But as you see, this is not visible when IPFire displays the rules.

Not sure what you mean.

Just my two cents :slight_smile:
I think these are too many ports and I’d like to recommend you check the manual of the DECT bridge you are actually using. Opening more ports than necessary can be a security risk.

For example, a Gigaset bridge I recently set up uses only ports 5060 and 5004-5020 for RTP.

3 Likes