On 21/04/15 11:04 AM, GG GG wrote:
> Hello,
>
> what do you think about opening all RTP ports for rtpengine on the Internet,
> is it a bad practice?
>
> I wonder if it's possible to use rtpengine with all ports closed.

Not sure what you mean with "ports closed." How would rtpengine, or any
other RTP proxy/client for that matter, receive any media traffic if the
ports are closed?

> Maybe someone could explain how rtpengine learns the source address when
> the SDP contains a local address.

For the first 2-3 seconds after the media session has been established,
it listens for incoming UDP packets and will learn the endpoint address
from the source address of the received packets. After 2-3 seconds this
learning stops and the endpoint is locked in place.

> If your rtpengine server is under attack, could rtpengine choose the
> wrong IP source for RTP?

If the attacker is fast enough, yes. You can disable learning of
endpoint addresses using the asynchronous flag, but obviously this will
break NAT'd media. You can also use the strict-source flag to make
rtpengine drop packets received from a mismatched source address.

Cheers

_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
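
The learning window and the strict-source behaviour described in the reply above, as an added example: a simplified Python model that is not part of the original message and not rtpengine's own code. The 3-second window, the "latest source wins" rule during learning, forwarding of mismatched packets when strict-source is off, the `contested()` alert heuristic and all addresses are assumptions or constructed values.

```python
from dataclasses import dataclass, field

LEARNING_WINDOW = 3.0  # seconds; assumed upper bound of the "2-3 seconds" in the reply


@dataclass
class MediaPort:
    """Simplified model of one media port, following the reply's description."""
    sdp_endpoint: str            # address taken from the SDP (may be private)
    learning: bool = True        # False models endpoint learning switched off
    strict_source: bool = False  # True models the strict-source flag
    endpoint: str = ""           # where the port currently believes the peer is
    sources_seen: set = field(default_factory=set)

    def __post_init__(self):
        self.endpoint = self.sdp_endpoint

    def receive(self, t: float, src: str) -> str:
        """Process a packet arriving t seconds after setup: 'forward' or 'drop'."""
        if self.learning and t <= LEARNING_WINDOW:
            self.sources_seen.add(src)
            self.endpoint = src          # assumption: latest source wins
            return "forward"
        if self.strict_source and src != self.endpoint:
            return "drop"                # mismatched source after lock-in
        return "forward"                 # assumption: forwarded when not strict

    def contested(self) -> bool:
        """True if more than one source showed up while learning (alert-worthy)."""
        return len(self.sources_seen) > 1


def replay(port: MediaPort, packets):
    """Feed (time, source) tuples to the port and return the verdict list."""
    return [port.receive(t, src) for t, src in packets]


# Constructed sample addresses (documentation ranges), not real traffic.
SDP_ADDR = "192.168.1.20:4000"      # private address advertised in SDP
NAT_ADDR = "198.51.100.7:40000"     # what the caller's NAT actually sends from
OTHER_ADDR = "203.0.113.9:5004"     # unrelated third party

if __name__ == "__main__":
    late = [(0.1, NAT_ADDR), (5.0, OTHER_ADDR), (5.1, NAT_ADDR)]
    early = [(0.1, NAT_ADDR), (1.0, OTHER_ADDR), (5.0, NAT_ADDR)]
    for name, pkts in (("late", late), ("early", early)):
        p = MediaPort(SDP_ADDR, strict_source=True)
        print(name, replay(p, pkts), p.endpoint, "contested:", p.contested())
```

In this model strict-source only protects a session once the endpoint is locked; a session where `contested()` is true saw more than one source during learning and is the case worth logging and reviewing.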