It is always best to restrict access to your PBX system to only those who are authorized and need it.
Below is a table that shows which ports need to be allowed for your Asterisk/FreePBX-based VoIP system to operate.
Port | Allowed From | Note |
5060/udp | Service providers, peered PBX systems | This should only be enabled from everywhere if you require remote users over insecure networks. If this is the case you should consider deploying VPN technology to connect your remote locations. |
5060/tcp | Service providers, peered PBX systems | This is used for SIP over TCP. Not all providers support this yet, but many are starting to. |
10000:20000/udp | Everywhere/ANY | RTP Port range. This allows AUDIO to be received from joined peers. In most cases these port ranges must be allowed from all sources to accommodate VoIP providers routing calls to you. |
4569/udp | Peered PBX or Supported Providers | IAX2 is a special codec used by Asterisk based systems for interconnectivity communications. Some providers also support this service. It should only be allowed access if you are using IAX services for peering with other PBX systems. |
22/tcp | Authorized hosts | This should only be allowed access to your system by your PBX administrator. There is no reason this port should ever be exposed to unauthorized IP addresses. |
FreePBX Specifics
Port | Allowed From | Note |
80/tcp | Users requiring access to UCP or Admin console | You should consider redirecting this to port 443 and installing a valid SSL certificate. |
443/tcp | Users requiring access to UCP or Admin console | Assign a DNS name to your PBX and install a matching SSL Certificate. |
Third Party tools and add-ons
Some 3rd party tools may operate using alternative ports. Consult the documentation for those specific products to determine what ports they actually require to operate. Be extremely cautious and suspicious of any configuration that instructs you to allow access from 'anywhere'. In almost every case such access is simply not required. An exception is the RTP port range.
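The two port tables above, written as a default-deny rule set. This is an added example, not VOICE1's or FreePBX's own configuration: it emits rules in iptables-restore format and lists every rule that is open to all sources, which per the tables should be the RTP range only. All addresses are constructed placeholders from documentation ranges, and `pbx_rules` and `open_to_any` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: emit an IPv4 iptables-restore rule set for the port tables above.
# Every address below is a constructed placeholder; replace with your own.
SIP_PEERS="192.0.2.10 192.0.2.11"   # service providers, peered PBX systems
IAX_PEERS="198.51.100.20"           # leave empty if IAX2 peering is not used
ADMIN_HOSTS="203.0.113.5"           # PBX administrator (SSH)
WEB_USERS="203.0.113.0/24"          # users of UCP / admin console

pbx_rules() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"        # default deny: anything not listed is dropped
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for src in $SIP_PEERS; do       # SIP signalling, UDP and TCP
        echo "-A INPUT -s $src -p udp --dport 5060 -j ACCEPT"
        echo "-A INPUT -s $src -p tcp --dport 5060 -j ACCEPT"
    done
    # RTP audio: the one range the table allows from everywhere
    echo "-A INPUT -p udp --dport 10000:20000 -j ACCEPT"
    for src in $IAX_PEERS; do       # IAX2, only for peered systems
        echo "-A INPUT -s $src -p udp --dport 4569 -j ACCEPT"
    done
    for src in $ADMIN_HOSTS; do     # SSH, administrator only
        echo "-A INPUT -s $src -p tcp --dport 22 -j ACCEPT"
    done
    for src in $WEB_USERS; do       # UCP / admin console
        echo "-A INPUT -s $src -p tcp -m multiport --dports 80,443 -j ACCEPT"
    done
    echo "COMMIT"
}

# List ACCEPT rules that carry no source restriction (loopback and
# connection-tracking rules excluded). Expect the RTP range and nothing else.
open_to_any() {
    pbx_rules | grep -- '-j ACCEPT' | grep -v -- ' -s ' \
        | grep -v -- '-i lo' | grep -v -- '--ctstate'
}
```

To check the syntax without applying anything, run `pbx_rules | iptables-restore --test` as root.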
Protecting your VoIP enabled PBX is a very straightforward process. If you are uncomfortable making firewall changes or configuration changes to your existing firewall, or if you have a firewall that is not capable of providing proper security settings, VOICE1 is able to offer programming assistance and verification of your configuration for most manufacturers' firewalls. Additionally, VOICE1 is a registered reseller of pfSense based firewall appliances, and we are happy to configure and support them for your organization.