I've been doing some research this evening whilst trying to get SIP working reliably over NAT through a client's Asterisk server. The aim was to try and work out exactly how wide a port range needs to be open for enough RTP streams for their needs.

Whilst playing around with different port ranges I noticed that disabling a firewall rule and hitting apply doesn't appear to disable it immediately. If, for example, I kill the rule allowing port 5060 inbound (SIP), it stands to reason I shouldn't be able to make any inbound calls successfully. This isn't the case - inbound calls work perfectly despite the rule not being present.

Any idea what's causing this? The only thing I can think of is that the SIP registration done with the remote server in Asterisk is below the timeout on the NAT state mapping, hence it's constantly being renewed at the same source and destination ports (using 1:1 NAT).

I note that if I do the same thing to, for example, a webserver (firewall allowing port 80 inbound), it stops working from the outside immediately.

(Oh, if anyone can answer the original point of all this - how wide an RTP range does one need - I'd be most grateful.)

Regards,

Chris

--
C.M. Bagnall, Director, Minotaur I.T. Limited
Tel: (07010) 710715
Mobile: (07811) 332969
Skype: minotaur-uk
ICQ: 13350579
AIM: MinotaurUK
MSN: msn at minotaur dot cc
Y!: Minotaur_Chris
This email is made from 100% recycled electrons