By "port closed", I mean that the ports are normally closed, but when rtpengine sends the first RTP packets to the client, it opens a pinhole in the firewall, and the matching incoming packets from the client will make the connection ESTABLISHED,RELATED in iptables. I think symmetric NAT permits that.

But now I'm thinking that it's impossible for rtpengine to know the client's destination port during the learning phase if the client's RTP packets can't reach rtpengine.

rtpengine can learn the IP address from Kamailio through the --sip-source CLI switch, but it can't guess the port, right?

So playing with ESTABLISHED,RELATED is not possible.

> If the attacker is fast enough, yes. You can disable learning of
> endpoint addresses using the asynchronous flag, but obviously this will
> break NAT'd media. You can also use the strict-source flag to make
> rtpengine drop packets received from a mismatched source address.

So if I don't use the strict-source flag, an attacker could merge any garbage data into an existing RTP stream?

Thanks.
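As an added illustration of the four situations discussed in this thread (this is a deliberately simplified model written for this page, not rtpengine's own code or configuration), the Python below models one media leg of a relay. It assumes that endpoint learning locks the far end to the source of the first packet received, that a strict-source style check compares each packet's source against the endpoint the relay currently expects (the learned one if learning has completed, otherwise the signalled one), and that disabling learning means only the signalled address is ever used. All addresses and payloads are constructed sample values.

```python
"""Toy model of RTP endpoint learning vs. a strict-source check.

Not rtpengine code: a simplified model built for this discussion. The
relay rules below (first packet wins learning; strict mode compares the
source against the currently expected endpoint) are assumptions of the
model, not a description of rtpengine internals.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Addr = Tuple[str, int]

# Constructed sample addresses (RFC 5737 documentation ranges).
CLIENT_SDP: Addr = ("10.0.0.5", 4000)        # private address the client put in SDP
CLIENT_NAT: Addr = ("198.51.100.7", 61234)   # public address/port after NAT rewriting
ATTACKER: Addr = ("203.0.113.9", 5555)       # third party spraying packets at the relay port


@dataclass
class Relay:
    """One media leg of the relay.

    signalled: address/port the far end advertised in SDP; for a NAT'd
               client this is private and unusable as a send target.
    learn:     lock the endpoint to the source of the first packet seen
               (models endpoint learning); False models trusting only the
               signalled address.
    strict:    drop packets whose source differs from the expected endpoint
               (models a strict-source style check).
    """
    signalled: Addr
    learn: bool = True
    strict: bool = False
    endpoint: Optional[Addr] = None
    forwarded: List[Tuple[Addr, bytes]] = field(default_factory=list)
    dropped: List[Tuple[Addr, bytes]] = field(default_factory=list)

    def expected(self) -> Addr:
        """Address the relay currently believes the far end lives at."""
        return self.endpoint if self.endpoint is not None else self.signalled

    def send_target(self) -> Addr:
        """Where return media for this leg would be sent."""
        return self.expected()

    def receive(self, src: Addr, payload: bytes) -> bool:
        """Handle one inbound packet; True if it is forwarded into the stream."""
        if self.learn and self.endpoint is None:
            self.endpoint = src  # first packet wins the learning race
        if self.strict and src != self.expected():
            self.dropped.append((src, payload))
            return False
        self.forwarded.append((src, payload))
        return True


def _run(learn: bool, strict: bool, packets: List[Tuple[Addr, bytes]]):
    relay = Relay(CLIENT_SDP, learn=learn, strict=strict)
    for src, payload in packets:
        relay.receive(src, payload)
    return (relay.send_target(),
            [p for _, p in relay.forwarded],
            [p for _, p in relay.dropped])


def scenario_default_injection():
    """Learning on, no strict check: the attacker's junk joins the stream."""
    return _run(True, False, [(CLIENT_NAT, b"rtp1"), (ATTACKER, b"junk")])


def scenario_strict_after_learning():
    """Learning on, strict check: junk from a mismatched source is dropped."""
    return _run(True, True, [(CLIENT_NAT, b"rtp1"), (ATTACKER, b"junk"),
                             (CLIENT_NAT, b"rtp2")])


def scenario_strict_attacker_first():
    """Strict check does not help if the attacker wins the learning race:
    the attacker is learned as the endpoint and the real client is dropped."""
    return _run(True, True, [(ATTACKER, b"junk"), (CLIENT_NAT, b"rtp1")])


def scenario_no_learning_nat():
    """Learning off: the NAT'd client is dropped and return media would go
    to the unreachable private address from SDP."""
    return _run(False, True, [(CLIENT_NAT, b"rtp1")])


if __name__ == "__main__":
    for fn in (scenario_default_injection, scenario_strict_after_learning,
               scenario_strict_attacker_first, scenario_no_learning_nat):
        target, fwd, drp = fn()
        print(f"{fn.__name__}: send to {target}, forwarded {fwd}, dropped {drp}")
```

Each scenario returns the send target plus the forwarded and dropped payloads, so the race described in the quoted reply shows up directly: with learning enabled, whoever reaches the relay port first becomes the endpoint, and a strict check only filters what arrives after that.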