It is always best to restrict access to your PBX system to only those authorized and needing to do so.

Below is a table that shows what ports need to be allowed access for your VoIP asterisk/FreePBX based system to operate.

 Port  Allowed From  Note
 5060/udp  Service providers, peered PBX systems This should only be enabled from everywhere if you require remote users over insecure networks. If this is the case you should consider deploying VPN technology to connect your remote locations.
 5060/tcp  Service providers, peered PBX systems This is used for SIP over TCP, not all providers support this yet, but many are starting to.
 10000:20000/udp  Everywhere/ANY  RTP Port range. This allows AUDIO to be received from joined peers. In most cases these port ranges must be allowed from all sources to accommodate VoIP providers routing calls to you.
 4569/udp  Peered PBX or Supported Providers  IAX2 is a special codec used by Asterisk based systems for interconnectivity communications. Some providers also support this service. It should only be allowed access if you are using IAX services for peering with other PBX systems.
 22/tcp  Authorized hosts  This should only be allowed access to your system by your PBX administrator. there is no reason this port should ever be exposed to unauthorized IP addresses.

FreePBX Specifics

Port Allowed From Note
80/tcp Users requiring access to UCP or Admin console You should consider redirecting this to port 443 and installing a valid SSL certificate.
443/tcp Users requiring access to UCP or Admin console
Assign a DNS name to your PBX and install a matching SSL Certificate. 

Third Party tools and add-ons

Some 3rd party tools may operate using alternative ports. Consult the documentation for those specific products to determine what ports they actually require to operate. Be extremely cautious and suspicious of any configuration that instructs you to allow access from 'anywhere'. In almost every case this is simply not true. An exception is the RTP port range.

Protecting your VoIP enabled PBX is a very straight forward process. If you are uncomfortable making firewall changes or configuration changes to your existing firewall, or if you have a firewall that is not capable of providing proper security settings, VOICE1 is able to offer programming assistance, and verification of your configuration for most manufactures firewalls. Additionally VOICE1 is a registered reseller of pfSense based firewall appliances, and we are happy to configure and support them for your organization.