
Vega VoIP digital gateways

The Most Resilient VoIP Digital Gateways in Their Class

Vega VoIP digital gateways are small appliances that seamlessly connect your legacy telephony infrastructure, made up of PRI (T1, E1) or BRI lines, to IP networks. They are great for businesses with legacy phone equipment (such as a TDM PBX) who want to connect to SIP trunking services without having to spend money altering their current network infrastructure. They are also great for businesses that are already VoIP enabled at the core (with an IP-PBX) that need PSTN connectivity and require a SIP-to-TDM converter. Simply place the Vega VoIP Digital Gateway at the edge of your network, plug in your existing internet cable for VoIP connectivity and the E1, T1 or BRI cables from your phone system, and let the Vega VoIP Digital Gateway automatically handle the SIP signalling and voice media conversion for seamless voice and T.38 Fax integration.

Advanced Web GUI
Features an intuitive Quick Wizard which does all the hard work for you for new deployments. Flexible dialplan to allow you to make your own routes, including automatic failure detection with failover routing.

Diagnostic Tools
Web GUI-based PCAP tracing tool to capture full signaling and media, eliminating the need to connect equipment for line tracing; fully compatible with Wireshark.

Low and High Density Models
The Vega 100G and Vega 200G are our low density models, with a maximum capacity of 30 and 60 simultaneous SIP-TDM calls respectively. The Vega 400G is our high density model and the most flexible field upgradable unit, with a maximum capacity of 120 simultaneous SIP-TDM calls.

E1/T1 & BRI Interface
Each E1/T1 interface (for Vega 100G, 200G, 400G) and BRI interface (Vega 50 BRI) can be independently configured as network side or terminal side. The Vega gateway can therefore be connected to a PBX or the PSTN.

Built-in Local Survivability
In the event of a WAN failure, IP phones behind the Vega gateway can continue to call each other, be routed to a backup switch or connected directly to the PSTN.

Vega VoIP Digital Gateway Models


Vega VoIP Digital Gateways are one of the most reliable fault tolerant SIP-to-TDM media Gateways on the market, sized for your business needs. All Sangoma hardware carries a one year warranty with options to extend.

Vega 50 BRI

Sangoma’s Vega 50 BRI VoIP Digital Gateways are a 2-4-8 port BRI appliance for up to 16 simultaneous BRI calls

 

  • Web GUI for configuration and troubleshooting
  • Featuring Quick Wizard for rapid deployment
  • Onboard DSP for media translation
  • Interoperable with most legacy and VoIP carriers worldwide
  • Advanced flexible call routing with automatic failover and bypass routing
  • Built-in Local Survivability in the case of WAN failure

Vega 100G

Sangoma’s Vega 100G VoIP Digital Gateways are a single port T1/E1/PRI appliance supporting up to 30 simultaneous calls.

 

  • Web GUI for configuration and troubleshooting
  • Featuring Quick Wizard for rapid deployment
  • Onboard DSP for media translation
  • Interoperable with most legacy and VoIP carriers worldwide
  • Advanced flexible call routing with automatic failover and bypass routing
  • Built-in Local Survivability in the case of WAN failure

Vega 200G

Sangoma’s Vega 200G VoIP Digital Gateways are a dual port T1/E1/PRI appliance supporting up to 60 simultaneous calls.

 

  • Web GUI for configuration and troubleshooting
  • Featuring Quick Wizard for rapid deployment
  • Onboard DSP for media translation
  • Interoperable with most legacy and VoIP carriers worldwide
  • Advanced flexible call routing with automatic failover and bypass routing
  • Built-in Local Survivability in the case of WAN failure

Vega 400G

Sangoma’s Vega 400G VoIP Digital Gateways are a quad port T1/E1/PRI supporting up to 120 simultaneous calls.

 

  • Web GUI for configuration and troubleshooting
  • Field upgradable licensing
  • Dedicated bypass ports for High availability
  • Support for Private Wire or Point-to-Point applications
  • Onboard DSP for media translation
  • Interoperable with most legacy and VoIP carriers worldwide
  • Advanced flexible call routing with automatic failover and bypass routing

For more details see here.


DNS issues affecting calls and routing

On 21-10-2016 there was a widespread DDoS attack, initially in the USA. This has affected the service of some of our key voice and DNS service suppliers.

We monitor many sites, run monitoring ourselves and receive status updates from suppliers.

Below are some of the recent ones and some sites reporting the issue:

http://www.diario4v.com/tendencias/2016/10/21/ataque-hacker-afecta-twitter-amazon-spotify-reddit-11816.html (you will need to translate)

http://money.cnn.com/2016/10/21/technology/ddos-attack-popular-sites/

https://www.dynstatus.com/incidents/nlr4yrr162t8

Update
Dyn Managed DNS advanced service monitoring is currently experiencing issues. Customers may notice incorrect probe alerts on their advanced DNS services. Our engineers continue to monitor and investigate the issue.

Customers with questions or concerns are encouraged to reach out to our Technical Support Team.
Posted 4 minutes ago. Oct 21, 2016 - 18:23 UTC
Update
Our engineers continue to investigate and mitigate several attacks aimed against the Dyn Managed DNS infrastructure.
Posted 34 minutes ago. Oct 21, 2016 - 17:53 UTC
Update
This DDoS attack may also be impacting Dyn Managed DNS advanced services with possible delays in monitoring. Our Engineers are continuing to work on mitigating this issue.
Posted about 2 hours ago. Oct 21, 2016 - 16:48 UTC
Investigating
As of 15:52 UTC, we have begun monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Our Engineers are continuing to work on mitigating this issue.
Posted about 2 hours ago. Oct 21, 2016 - 16:06 UTC

Gradwell:

Our upstream supplier is investigating a DNS issue, which is believed to be causing the problem.

Magrathea:

We are now able to confirm that two nodes on our network were impacted by DNS issues between 17:13 and 17:45 today. As many of you will be aware, there have been some major DOS attacks today which impacted a number of key sites at this time, so we are attributing this issue to that attack.

We will continue to monitor and apologise for the inconvenience this outage has caused our customers.

As can be seen this is out of our control and is affecting many users worldwide.


BT outage on 20th July 2016

BT have confirmed that their recent outage has been ‘resolved and services restored’.

We can also confirm this, as we have slowly seen all customer alarms clearing. As many customers are aware, we operate a 24×7 monitoring platform, so we saw this issue start and checked that there was nothing we could do in most cases, but also contacted key customers to warn them that there might be issues.
Therefore, any issues that customers have experienced this morning when connecting to services using BT connectivity (including quality issues) should now be resolved. In the event that issues are still occurring, please reboot equipment on the BT line such as firewalls or routers and retest.

If you have any questions whatsoever please do not hesitate to contact us. Also, if you are an Asterisk / FreePBX reseller or user and would like affordable monitoring, please get in touch, as we provide Asterisk Monitoring from £25 per year.


Fortigate issues such as one way audio on Call Pickup With Hosted Asterisk and other problems.

We have noted that some Fortigate routers and firewalls come with SIP helpers enabled by default.

The customer may initially not think that there is any issue, as inbound and outbound calls work as expected. But we noted on one customer site that when they did a call pickup on another phone that was ringing in the office, they would not be able to hear the caller. The caller could hear them, and if they put the call on and off hold they could speak normally.

On further investigation with Wireshark we noted that the RTP port changed when the pickup took place. We tested this on other sites not using the Fortigate hardware and did not have this issue.

Below are listed the commands to clear the SIP helper settings from the Fortigate hardware.

  1. Open the Fortigate CLI from the dashboard.
  2. Enter the following commands in FortiGate’s CLI:
    • config system settings
    • set sip-helper disable
    • set sip-nat-trace disable
    • end
    • reboot the device
  3. Reopen the CLI and enter the following commands – do not enter the text after //:
    • config system session-helper
    • show    //locate the SIP entry, usually 12, but can vary.
    • delete 12     //or the number that you identified from the previous command.
    • end
  4. Disable RTP processing as follows:
    • config voip profile
    • edit default
    • config sip
    • set rtp disable
    • end
    • end
  5. And finally:
    • config system settings
    • set default-voip-alg-mode kernel-helper-based
    • end

On a Fortigate 200D the following is the method to use:

Step 1) Removing the session helper.

Run the following commands:

config system session-helper
  show

Amongst the displayed settings will be one similar to the following example:

    edit 13
        set name sip
        set protocol 17
        set port 5060

In this example the next commands would be:

delete 13
end

Step 2) Change the default-voip-alg-mode.

Run the following commands:

config system settings
set default-voip-alg-mode kernel-helper-based
end

Step 3) Either clear sessions or reboot to make sure changes take effect

a) To clear sessions

The command to clear sessions applies to ALL sessions unless a filter is applied, and therefore will interrupt traffic.

diagnose sys session clear

Taken from

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36405


Planning for a Successful VoIP deployment

Before you deploy voice-over-IP or a Hosted PBX service in your office there are a few considerations you must first address.  Switching from traditional telephone service to voice-over-IP (VoIP) requires sufficient bandwidth, a proper switch and router, and a good battery backup solution to protect you from power failures.

The key voice-over-IP requirements discussed in this article are:

Bandwidth – Determining how much bandwidth you will need for voice-over-IP in your office is your first step.

The Router – Choosing a low quality or under performing router is a costly mistake which will degrade your call quality.

Quality of Service – You must decide whether voice traffic will be separated from regular internet users or if it will share the same network.

VoIP Equipment – There are many digital office phones, soft phones, headsets and telephone adapters on the market to choose from.

Power Failures – Voice over IP does not work when the power goes out so you should install a battery backup system and possibly a Power-over-Ethernet switch if your budget permits it.

How much bandwidth do I need?
Voice over IP needs a certain amount of bandwidth in order to keep your conversations clear and free of disruptions.  Bandwidth is the amount of information which your internet connection can send and receive in a certain period of time.  Your first step should be to use an online speed test to find out what your maximum upload stream and download stream is.  We suggest you do this test using a fixed connection to the internet rather than using your wifi (wireless) connection to get accurate results.  Try to use numerous tests during different times of the day to get a good average of what you can expect from your internet connection.  Bandwidth is normally measured in kbps or kilobits per second.
You will need to have a high speed (broadband) connection to use voice-over-IP.  A typical DSL connection will be rated at 600 kbps for the upload stream and 5000 kbps on the download stream.  You will notice that your upload stream is almost always smaller than your download stream which becomes your limiting factor for using VoIP service.
Your next step is to determine how many people in your office are likely going to be using the phone at the same time.  For instance, having ten people on the phone will require ten times as much bandwidth as having one person on the phone.  Below is a chart which will help you calculate how many people can be on the phone at one time:
Ask your voice-over-IP service provider what audio codecs they offer as there is a trade off between audio quality and bandwidth usage…

Full Quality Audio (G711 Codec) - Uses 87 kbps for each concurrent phone call (NEB)
Compressed Audio (G729 Codec) - Uses 33 kbps for each concurrent phone call (NEB)

So the calculation for a typical DSL connection would be:

DSL connection: 600 kbps upload / 5000 kbps download
Gives us (Full Quality): 600 kbps / 87 kbps = 6 concurrent calls
Gives us (Compressed Quality): 600 kbps / 33 kbps = 18 concurrent calls

Notice we used the upload bandwidth in our calculation as this is the limiting factor for voice-over-IP.  You also don’t want to push your connection to the limit, as most cable and DSL connections do not have guarantees in terms of how much bandwidth they will deliver.  If your Internet connection drops in bandwidth at some point during the day you don’t want your call quality to be affected.  Other factors affecting voice-over-IP are the latency of your connection and how much packet loss there is on it.

Choosing a router
A router is the device that connects all your computers and network equipment to your Internet connection.  It is an often overlooked piece of the puzzle that can have a major impact on the success or failure of your voice-over-IP implementation.  There are many routers on the market, some are very cheap (less than $40) and others can cost you thousands of dollars.  There is nothing worse than putting a poor quality or underpowered router in your office which could cause an otherwise good VoIP installation to go bad.
Your router needs to be powerful enough to handle the number of phones you will have in your office and should also work flawlessly with voice-over-IP equipment.  A good place to start when deciding on your router is to speak with your voice-over-IP service provider. We also recommend checking to make sure that your router is compatible with voice-over-IP services.
The following is a list of items which will help you to determine whether your router is right for voice-over-IP:
  • How many voice-over-IP phones will you be connecting to the router? The more phones you will be connecting, the more powerful the router needs to be. Don’t use a £40 router to run an office with 10 IP Telephones.
  • Will your voice-over-IP phones have their own dedicated Internet connection? If not, a router with a quality of service (QoS) setting to prioritize voice traffic over regular traffic is an absolute must. Without QoS you will encounter poor quality telephone calls regularly.
  • What other functions will the router need to perform? You might need your router to handle VPN connections, allow wifi (wireless) connections or perform other tasks.
  • Make sure you can bridge your router to your modem. Routers that are not bridged can cause problems with voice-over-IP installations.
  • Never use more than one router or NAT gateway on the network at a time, as this will cause problems for IP Telephones when they attempt to do NAT.
  • Make sure your router is compatible.
  • It is always best to get a recommendation from your voice-over-IP service provider, as some routers are known to perform very poorly with VoIP phones.

Quality of service
Call quality is a function of your network and the public internet. Some delays and network congestion cannot be avoided due to information traveling over the public internet while other types can be avoided. Good network design is critical to a stable and reliable voice-over-IP implementation.
Quality of service (QoS) refers to the ability of your router to prioritize voice traffic (VoIP) differently than regular internet traffic on your network, or to the separation of voice traffic.  Voice over IP is a real-time protocol, which means that if information is lost or delayed it will result in a noticeable drop in call quality or a complete loss of it. Symptoms of network congestion include garbled audio, dropped calls and echo.   When setting up voice-over-IP in your office there are three possible ways to handle voice traffic. Some customers report perfectly good results without any quality of service (especially in a small 1-2 person office) and others report worse results with quality of service enabled on their router, as some routers do a poor job of implementing this. Generally speaking, however, the best way to deliver reliable voice-over-IP service is through a dedicated internet connection that is only used by the voice-over-IP equipment rather than sharing the internet with computers. Below are the different methods of doing quality of service:

No QoS – Voice traffic and regular internet traffic in your office are sharing the same internet connection.  No prioritization of voice traffic over regular traffic is being performed and thus there is the high potential that voice quality could be degraded if there is insufficient bandwidth for both voice and regular traffic. Some customers experience very few problems using this method while others report a high frequency of poor quality calls, dropped calls and garbled voices. It all depends on how much network congestion your office has. Most internet connections are more likely to be upload bound which generally results in people not being able to hear you, because all of your upload bandwidth is being consumed by something on your network.

Router enabled QoS – Voice traffic and regular internet traffic in your office are sharing the same internet connection, but your router is able to distinguish between voice traffic and regular internet traffic and give the voice traffic a higher priority.  The problem with this method is that routers can only prioritize upload bandwidth which means your voice will be clear but the router cannot ensure that download bandwidth will be prioritized. If employees on your network are downloading often this will cause a noticeable drop in call quality but this method is better than no quality of service. Some internet providers can prioritize the download bandwidth using TOS or COS methods from their end which will create an end to end quality of service solution. Most customers find that even prioritising upload bandwidth for voice-over-IP offers a dramatic improvement in call quality because most internet connections are limited by their upload bandwidth and have lots of download bandwidth free.

Separated Traffic – Voice traffic and regular internet traffic are separated onto two different internet connections and networks. This is especially critical for larger offices with 5 or more employees.  Voice traffic is carried on one internet connection and data from computers is carried on the other connection. In this case no prioritization is required by your router because voice traffic has its own dedicated internet connection.  This is the best way to ensure clear voice communications and the method we generally recommend to customers whenever possible.

The method you decide on largely depends on how much bandwidth you have, what you are using your internet connection for besides voice-over-IP and the level of call quality desired.  Many offices report perfectly good results without using any QoS, while others find that it makes a major difference in the quality of their calls.

Choosing VoIP phones and equipment
Before deploying voice-over-IP in your office you will need to decide how each employee will be connected to your voice-over-IP provider.  There are many choices on the market today.
Digital IP Telephones – These types of phones look just like regular multi-line business telephones except that they connect directly to your internet connection using a network cable.
Soft Phones – A soft phone is a software program running on your computer that looks and feels just like a real telephone.  This requires you to purchase a USB headset which connects to your desktop or laptop so you can make and receive calls.
Wifi Phones – A wifi phone looks and feels very much like a regular cell phone except that it connects to your wireless router in the office.
Analog Telephone Adapters (ATA) – An ATA is a small box which connects to your router and allows you to plug in regular analog telephones so they can work with voice-over-IP.  ATAs are generally low cost alternatives to digital office phones and are easy to take with you when you travel.

Battery backup and Power-over-Ethernet
With voice-over-IP and most office telephone systems you must consider what happens when the power goes out.  For some offices this can be a regular occurrence and for others it might happen with a very low frequency.  One of the things you will need to decide is whether or not you will install a battery backup system.
Here are a few important terms you should know:
Power over Ethernet (PoE) – Is a technology that allows voice-over-IP telephones to be powered using regular network cables rather than power adapters which plug into the wall.  This has the advantage that you can power all the phones in your office from a single source and makes installing a battery backup unit much easier.
Uninterruptible Power Supply (UPS) – Is a device that powers your equipment when you lose power at the office.  The system has a built in battery which keeps your network devices operational when the power goes out.
The easiest way to protect your phone system from a power outage is to power all the phones using a Power-over-Ethernet switch that would normally be connected in the back room where your router and cable/DSL modem is located.  This has the advantage that all your phones are drawing power from a single source which you can backup using an uninterruptible power supply (UPS).  All you need to do is plug in your PoE switch, router, and DSL/cable modem into a sufficiently powerful UPS device so that when the power goes out all your phones remain up and running.


Keeping the Bots at bay and allowing your friends in

Recently we have seen an upsurge in bots attacking Asterisk servers. Interestingly, it's not good old sipvicious anymore but a Windows program called sipcli, originating mainly from the US and Germany.

Normally our iptables firewalls are updated, but for some reason these keep getting through, so we have now based rules on the User-Agent in iptables as well.

Here are a few examples to get rid of many of the favourites:

-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: friendly-scanner" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: sipcli" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: sipvicious" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: VaxSIPUserAgent" --algo bm --to 65535 -j DROP

Also, it's worth adding these ranges, as little good will ever come from them:

# Ponytelecom ranges
-A INPUT -s 62.210.0.0/16 -j DROP
-A INPUT -s 195.154.0.0/16 -j DROP
-A INPUT -s 212.129.0.0/18 -j DROP
-A INPUT -s 62.4.0.0/19 -j DROP
-A INPUT -s 212.83.128.0/19 -j DROP
-A INPUT -s 212.83.160.0/19 -j DROP
-A INPUT -s 212.47.224.0/19 -j DROP
-A INPUT -s 163.172.0.0/16 -j DROP
-A INPUT -s 51.15.0.0/16 -j DROP
-A INPUT -s 151.115.0.0/16 -j DROP

# VITOX TELECOM
-A INPUT -s 77.247.109.0/255.255.255.0 -p udp -j DROP 
-A INPUT -s 185.53.88.0/24 -p udp -j DROP 
-A INPUT -s 185.53.89.0/24 -p udp -j DROP 
-A INPUT -s 37.49.224.0/24 -p udp -j DROP 
-A INPUT -s 37.49.230.0/24 -p udp -j DROP 
-A INPUT -s 37.49.231.0/24 -p udp -j DROP 
-A INPUT -s 77.247.110.0/255.255.255.0 -p udp -j DROP

For FreePBX format, add the following to /etc/firewall-4.rules:

-A fpbxreject -s 37.49.231.0/24  -m udp -p udp -j DROP
-A fpbxreject -s 37.120.129.0/19   -p udp -j DROP
-A fpbxreject -s 185.53.88.0/24  -p udp -j DROP
-A fpbxreject -s 185.53.89.0/24  -p udp -j DROP
-A fpbxreject -s 185.53.90.0/24  -p udp -j DROP
-A fpbxreject -s 185.53.91.0/24  -p udp -j DROP
-A fpbxreject -s 37.49.224.0/24  -p udp -j DROP
-A fpbxreject -s 37.49.225.0/24  -p udp -j DROP
-A fpbxreject -s 37.49.227.0/24  -p udp -j DROP
-A fpbxreject -s 37.49.228.0/24  -p udp -j DROP
-A fpbxreject -s 37.49.229.0/24  -p udp -j DROP
-A fpbxreject -s 37.49.230.0/24  -p udp -j DROP
-A fpbxreject -s 37.49.231.0/24  -p udp -j DROP
-A fpbxreject -s 77.247.108.0/24  -p udp -j DROP
-A fpbxreject -s 77.247.109.0/24  -p udp -j DROP
-A fpbxreject -s 77.247.110.0/24  -p udp -j DROP
-A fpbxreject -s 77.247.111.0/24  -p udp -j DROP
-A fpbxreject -s 62.210.0.0/16 -p udp -j DROP
-A fpbxreject -s 195.154.0.0/16 -p udp -j DROP
-A fpbxreject -s 212.129.0.0/18 -p udp -j DROP
-A fpbxreject -s 62.4.0.0/19 -p udp -j DROP
-A fpbxreject -s 212.83.128.0/19 -p udp -j DROP
-A fpbxreject -s 212.83.160.0/19 -p udp -j DROP
-A fpbxreject -s 212.47.224.0/19 -p udp -j DROP
-A fpbxreject -s 163.172.0.0/16 -p udp -j DROP
-A fpbxreject -s 51.15.0.0/16 -p udp -j DROP
-A fpbxreject -s 151.115.0.0/16 -p udp -j DROP

If you are still getting problems check out a sip trace and look for the contact part of the

Contact: <sip:100@xxx.www.rrr.zzz:5070>
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: sipcli/v1.8                       <<<<<<<<<<<<<<<< here it is 
Content-Type: application/sdp

Below is a simple Bash script to create iptables entries for Linux. Create a script and paste the code in. If you just run it, it creates entries ready for CentOS iptables; if you run ‘scriptname freepbx’ it creates the entries for /etc/firewall-4.rules.

#!/usr/bin/bash
# User-Agent names to block. The list is split on whitespace, so a
# two-word entry such as "Custom SIP" produces one rule per word.
SCANNERS='owenee Custom SIP gazllove pplsip sipcli sipvicious sip-scan sipsak sundayddr friendly-scanner iWar CSipSimple SIVuS Gulp sipv smap friendly-request VaxIPUserAgent VaxSIPUserAgent siparmyknife Test'
# First argument selects the output format: "freepbx", or anything else for plain iptables.
SYS=$1
if [ "$SYS" != "freepbx" ]
then
    SYS=NOOP
fi
echo "This is for a $SYS system"
echo "Copy and paste below"
echo
# Destination port range and transports to cover.
PORTS='5060:5261'
PROTOS='udp tcp'
# FreePBX rules go in the fpbxreject chain, plain iptables rules in INPUT.
for scanner in $SCANNERS; do
    for port in $PORTS; do
        for proto in $PROTOS; do
            if [ "$SYS" = "freepbx" ]
            then
                echo "-A fpbxreject -p $proto -m $proto --dport $port -m string --string \"User-Agent: $scanner\" --algo bm --to 65535 -j DROP"
            else
                echo "-A INPUT -p $proto -m $proto --dport $port -m string --string \"User-Agent: $scanner\" --algo bm --to 65535 -j DROP"
            fi
        done
    done
done

In this case just set the string as we have in iptables (without the version) and it will catch all versions.

Hope this helps you as much as it has helped us.

Also, this idea can be reversed to only allow user agents (phones) you want to accept.

Here are a few examples of common soft and hard phones:

-A ELASTIX_INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: Yealink" --algo bm --to 65535 -j ACCEPT
-A ELASTIX_INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: FPBX" --algo bm --to 65535 -j ACCEPT
-A ELASTIX_INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: Linphone" --algo bm --to 65535 -j ACCEPT
-A ELASTIX_INPUT  -p udp -m udp --dport 5060 -m string --string "User-Agent: DX800" --algo bm --to 65535 -j ACCEPT
-A ELASTIX_INPUT  -p udp -m udp --dport 5060 -m string --string "User-Agent: 3CX" --algo bm --to 65535 -j ACCEPT
-A ELASTIX_INPUT  -p udp -m udp --dport 5060 -m string --string "User-Agent: Grand" --algo bm --to 65535 -j ACCEPT

Again to find others just do a sip trace and note down the user agent.
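
One way to do that note-taking from a saved trace, as an added example that is not part of the original post: it tallies the User-Agent products seen, strips the version so one rule covers all versions, and prints DROP rules in the format used above for the scanners it recognises. The sample trace, the ExamplePhone name and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: triage the User-Agents in a SIP
# trace and print DROP rules (this page's rule format) for known scanners.

DENY='friendly-scanner sipcli sipvicious VaxSIPUserAgent'   # names from the DROP rules on this page
ALLOW='Yealink Linphone'                                    # names from the ACCEPT examples

# Constructed sample trace; addresses are documentation ranges, names are made up.
sample_trace() {
    cat <<'EOF'
OPTIONS sip:100@192.0.2.10 SIP/2.0
Via: SIP/2.0/UDP 198.51.100.7:5070
Contact: <sip:100@198.51.100.7:5070>
User-Agent: sipcli/v1.8

REGISTER sip:pbx.example.test SIP/2.0
Via: SIP/2.0/UDP 203.0.113.20:5060
User-Agent: Yealink SIP-T46G 28.80.0.95

INVITE sip:900@192.0.2.10 SIP/2.0
Via: SIP/2.0/UDP 198.51.100.9:5070
user-agent: sipcli/v1.9

REGISTER sip:pbx.example.test SIP/2.0
Via: SIP/2.0/UDP 203.0.113.21:5060
User-Agent: ExamplePhone/2.1
EOF
}

# Print "count product" for each User-Agent header on stdin. SIP header names
# are case-insensitive, so they are matched that way; everything from the
# first "/" or blank is dropped so that all versions collapse to one product.
ua_summary() {
    awk '
        { sub(/\r$/, "") }
        tolower($0) ~ /^user-agent[ \t]*:/ {
            ua = $0
            sub(/^[^:]*:[ \t]*/, "", ua)
            sub("[/ \t].*$", "", ua)
            if (ua != "") seen[ua]++
        }
        END { for (u in seen) print seen[u], u }
    ' | LC_ALL=C sort -k2
}

# Label one product name: deny, allow, or review (unknown, needs a human look).
classify() {
    for name in $DENY; do
        if [ "$1" = "$name" ]; then echo deny; return 0; fi
    done
    for name in $ALLOW; do
        if [ "$1" = "$name" ]; then echo allow; return 0; fi
    done
    echo review
}

# Read a trace on stdin and print "label count product" lines.
triage() {
    ua_summary | while read -r count ua; do
        echo "$(classify "$ua") $count $ua"
    done
}

# Print one DROP rule per transport for a product name.
drop_rules() {
    for proto in udp tcp; do
        echo "-A INPUT -p $proto -m $proto --dport 5060 -m string --string \"User-Agent: $1\" --algo bm --to 65535 -j DROP"
    done
}

# Read a trace on stdin and print rules only for denied products actually seen.
rules_for_trace() {
    triage | while read -r label count ua; do
        if [ "$label" = deny ]; then drop_rules "$ua"; fi
    done
}

sample_trace | triage
sample_trace | rules_for_trace
```

The User-Agent header is chosen by the sender, so these rules cut scanner noise in front of SIP authentication rather than replacing it; anything labelled review deserves a look before it goes on either list.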

This can also be extended to make your system more secure by only allowing in devices that register to your FQDN and not just your IP address:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#ssh moved from 22 to random port
-A INPUT -m state --state NEW -m tcp -p tcp --dport 65432 -j ACCEPT
#Web interface moved to new port.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8765 -j ACCEPT
#drop sipvicious traffic
-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: sipvicious" --algo bm --to 65535 -j DROP
-A INPUT -i eth0 -p udp --dport 5060 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p udp --dport 4569 -m state --state ESTABLISHED,RELATED -j ACCEPT
#only allow Yealink phones
-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: Yealink" --algo bm --to 65535 -j ACCEPT
#That register to your domain name directly
-A INPUT -i eth0 -p udp --dport 5060 -m string --string "REGISTER sip:yoursip.yourdomain.co.uk" --algo bm -j ACCEPT 
#only allow iax from known server
-A INPUT -s xxx.xxx.xxx.0/22 -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 5060 -j DROP
-A INPUT -i eth0 -p udp --dport 10000:20000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

The above example should keep you secure (but things and methods change, so keep your eye on the ball).