Putting Fly SIP Softswitch behind external firewall often makes sense to increase security and provide better protection against DDoS attacks, port scanning, etc. The following guidelines should be taken into consideration when configuring a firewall.
The Fly SIP requires the following ports to be open for incoming connections from the public networks:
- UDP destination port 5060 (SIP);
- UDP destination ports range 10,000 - 65,000 (RTP);
- TCP destination port 1720 (H.323 only);
- UDP destination port 4569 (IAX only);
The following ports should be allowed to initiate connections to the public networks:
- UDP source port 5061 (SIP outbound);
- UDP source ports range 5065-5071 (SIP outbound);
Incoming connections to the following ports are not required for the normal operation of the software, but may be selectively enabled for management purposes and could be limited to specific networks / IPs:
- TCP destination port 22 (SSH console);
- UDP destination port 69 (TFTP provisioning);
- TCP destination port 80 (Web management/self-care interfaces, redirect to port 443);
- TCP destination port 443 (Web management/self care interfaces HTTPS, XMLRPC API);
- TCP destination port 5432 (PostgreSQL ODBC);
Incoming connections from public networks to the following ports are required only if the Fly SIP VPN module is in use:
- UDP destination port 53;
- UDP destination port 1434;
- UDP destination port 5900;
- UDP destination port 40073;
- UDP destination port 21127;
- UDP destination port 36824;
- UDP destination port 51427;
- UDP destination port 65266.
Please, allow on your external firewall all incoming and outgoing connections from all sub-domains of *.flysip.com in order to let us the possibility to access your server and provide the support of it.