For FreePBX versions 2.5 or newer, we have a simple module included in FreePBX called "SIPStation," which makes setting up your trunks a breeze. You can view this wiki on how to use the SIPStation module.
We recommend forwarding ports UDP/5060 and UDP/10000-20000 for standard FreePBX/Asterisk-based installs. If using newer versions of FreePBX, port 5160 is the default port for ChanSIP so that may be the port you need to forward. Check Asterisk SIP Settings for the bind port of ChanSIP. It may be possible to get your service working without port forwarding, but optimal service will be obtained with the above mentioned ports. You can lock down port UDP/5060 or UDP/5160 depending on bind port of ChanSIP to the trunk1.freepbx.com and trunk2.freepbx.com FQDNs for additional security, but please note, we do from time to time change the IP addresses associated with these FQDNs. Therefore it is best to use the FQDN and not an IP Address. You cannot lock down UDP/10000-20000 to any specific IP address, since the media of a phone call can come from hundreds of different IP addresses.
If you are using SIPstation module in FreePBX/PBXact you will need to allow traffic from push2.schmoozecom.com for the module to work.
You can lock down port 5060/UDP to trunk1.freepbx.com and trunk2.freepbx.com. You cannot lock down the media ports because the media servers vary and change. Most security issues that are reported are usually related to manufacturer vulnerabilities in their SIP stack, port 5060. By locking down this signaling port, you should be able to address almost all potential issues.
Review our wiki on Standard versus Premium trunking here for Codec options. Difference Between Standard and Premium Trunking