said by Trimline:
Never open 5060, or port forward 5060 unless you want a lot of trouble (hackers). UDP ports 10001 - 20000 can be port forwarded without issue - these are used for RTP streams (voice). This can be forwarded depending on your situation. One example would be one-way audio.
Unless you are experiencing call audio issues, I would leave well enough alone.
You can port forward the ports specifically to an ITSP or a dynamic DNS if no static IP is present via rules.
I have all my SIP ports open to my ITSP with no issues due to the type of NAT my firewall uses.
Depending on your router you may have to open the RTP ports... Some more restricted routers that use symmetric NAT will force you to hell before you can get some protocols to play nice, while some more adopted NAT like cone NAT plays very well, and RTP or even SIP in some cases don't have to be forwarded.
Forgot to mention that with proper security you can forward any port. In the VoIP world, fail2ban and Arno's firewall are some of the best tools in the arsenal to have.
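
The two posts above, as an added example that is not from either poster: a script that prints (does not apply) iptables rules forwarding SIP 5060 only from one ITSP address and RTP 10001-20000 from anywhere, plus a check that flags any 5060 rule with no source restriction. It assumes an iptables-based gateway; the function names, the interface `eth0` and all addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example. Prints rules for review; nothing is applied to the firewall.

is_ipv4() {
    # Dotted quad only, each octet 0-255.
    echo "$1" | awk -F. 'NF==4 { for (i=1;i<=4;i++) if ($i !~ /^[0-9]+$/ || $i>255) exit 1; exit 0 } { exit 1 }'
}

# sip_forward_rules WAN_IF ITSP_IP PBX_IP
sip_forward_rules() {
    wan_if=$1; itsp_ip=$2; pbx_ip=$3
    case $wan_if in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    is_ipv4 "$itsp_ip" && is_ipv4 "$pbx_ip" || { echo "bad address" >&2; return 1; }
    cat <<EOF
iptables -t nat -A PREROUTING -i $wan_if -p udp -s $itsp_ip --dport 5060 -j DNAT --to-destination $pbx_ip:5060
iptables -A FORWARD -i $wan_if -p udp -s $itsp_ip -d $pbx_ip --dport 5060 -j ACCEPT
iptables -t nat -A PREROUTING -i $wan_if -p udp --dport 10001:20000 -j DNAT --to-destination $pbx_ip
iptables -A FORWARD -i $wan_if -p udp -d $pbx_ip --dport 10001:20000 -j ACCEPT
EOF
}

# Reads rules on stdin and prints any that match port 5060 without "-s <addr>",
# i.e. SIP signalling reachable from the whole internet.
# Only the exact single-port form "--dport 5060" is checked, not ranges.
unrestricted_sip() {
    grep -E -- '--dport 5060( |$)' | grep -v -E -- ' -s [0-9]'
}

# Constructed demo values: ITSP 203.0.113.10, PBX 192.168.1.50.
sip_forward_rules eth0 203.0.113.10 192.168.1.50
```
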