Short summary: Has anyone used an OpenBSD firewall (pf) to protect an Ooma Telo VOIP phone system from internet attacks? If so, how did you do it? More generally, how do people protect VOIP phone systems (regardless of brand) from internet attacks?
Details: My current home network topology is

                   +--------------+
(internet) --------|   $ISP DSL   |
                   | modem/router |
                   +--------------+
                       |      |
                       |      |
               +----------+  +-----------+
               | OpenBSD  |  | Ooma Telo |.......... analog
               | firewall |  | VOIP box  |           telephones
               +----------+  +-----------+
                   |     |
              +--------+ |
              |  Wifi  | +------ wired client
              | access |         (or network switch for
              | point  |         multiple wired clients)
              +--------+

The OpenBSD firewall's pf is set up to NAT all the outbound traffic and to block any incoming traffic except replies to previous outbound traffic. This works, but isn't as secure as I'd like, because the OpenBSD pf only protects our computers; the Ooma Telo VOIP box is outside the firewall and is only "protected" by the $ISP DSL modem/router (whose security I don't at all trust). That is, I suspect that both the $ISP-provided DSL modem/router and the Ooma Telo VOIP box are ultimately "just" small embedded Linux boxes running less-than-fully-patched 10-year-old software, and are thus quite vulnerable to attack from the internet.

So, as part of a forthcoming upgrade of the OpenBSD firewall hardware, I would like to move the Ooma box inside the firewall-protected network by switching to the following network topology:

                   +--------------+
(internet) --------|   $ISP DSL   |
                   | modem/router |
                   +--------------+
                          |
                          |
               +----------+    +-----------+
               | OpenBSD  |----| Ooma Telo |.......... analog
               | firewall |    | VOIP box  |           telephones
               +----------+    +-----------+
                   |     |
              +--------+ |
              |  Wifi  | +------ wired client
              | access |         (or network switch for
              | point  |         multiple wired clients)
              +--------+

This design would allow pf to protect the Ooma box as well as the local computers. The problem is that (as is pretty standard for VOIP systems) the Ooma Telo carries voice traffic on UDP packets, and the UDP port numbers can span a wide (dynamically-chosen) range, rather like ftp.
The Ooma documentation says it needs the following ports:
https://support.ooma.com/home/advanced-connections-and-service-ports/

  outgoing UDP/TCP 53, 1194, 1294
  outgoing TCP     80, 110, 443
  outgoing UDP     67, 123, 3480
  incoming UDP     10000 to 30000

So, there are the usual problems of NAT with dynamically-chosen ports. And, the range of incoming ports (10000 to 30000) is much broader than I would like to leave open to the whole world. I can (will) try to restrict by IP source addresses, but Ooma offers no documentation on what IP addresses from their network may need to send me UDP packets for normal operation (notably, I don't know how incoming phone calls are signalled), so I will need to do some reverse engineering here (tcpdump to start with). If I'm lucky the incoming UDP packets will always come from IP addresses to which I've previously sent outgoing traffic (so that the normal pf state table will grok them). In any case, IP source addresses can be forged, so relying on them alone gives somewhat limited security.

I don't know of an easy way to work around this. Do I need a full-fledged SIP proxy somewhere (either on the firewall or on a separate dedicated machine)? Overall, I would rather not have to re-invent the wheel here. What are other OpenBSD users doing to protect VOIP phone systems from incoming "nastygram" attacks?

--
"Jonathan Thornburg [remove color- to reply]" <jthorn4...@pink-gmail.com>
on the west coast of Canada, eh?
"There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time." -- George Orwell, "1984"
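As an added illustration (not part of the original post, and not Ooma's or OpenBSD's own configuration), here is a pf.conf for the second topology that follows the OpenBSD PF FAQ pattern: the Ooma box gets its own interface so it cannot reach the LAN, its outbound traffic is limited to the ports listed above, and the 10000-30000 UDP range is redirected to it only from a table of source addresses the operator fills in after watching with tcpdump. Interface names, addresses and the table file path are assumptions.

```pf
# Assumed: em0 = link to the $ISP modem (egress), em1 = LAN 192.168.1.0/24,
# em2 = dedicated port for the Ooma Telo at 192.168.2.2 (all assumptions).
ext_if  = "em0"
lan_if  = "em1"
voip_if = "em2"
lan_net = "192.168.1.0/24"
ooma    = "192.168.2.2"

# Ports from the Ooma support page quoted in the post.
ooma_udp_out = "{ 53 67 123 1194 1294 3480 }"
ooma_tcp_out = "{ 53 80 110 443 1194 1294 }"
ooma_rtp     = "10000:30000"

# Ooma-side addresses seen (with tcpdump) sending unsolicited UDP to the
# box. Starts empty; add entries only after verifying them. Placeholder path.
table <ooma_peers> persist file "/etc/pf.ooma_peers"

set skip on lo
block log all                     # default deny in both directions

# NAT for both inside networks. static-port keeps the Ooma box's source
# ports unchanged, avoiding the rewriting that confuses many VOIP services.
match out on $ext_if inet from $ooma    nat-to ($ext_if) static-port
match out on $ext_if inet from $lan_net nat-to ($ext_if)

# Ooma box: never reach the LAN, and only the documented outbound ports.
# pf keeps state, so replies to these flows come back without extra rules.
block in quick on $voip_if from $ooma to $lan_net
pass in on $voip_if inet proto udp from $ooma to any port $ooma_udp_out
pass in on $voip_if inet proto tcp from $ooma to any port $ooma_tcp_out

# Unsolicited media: forward the documented UDP range to the Ooma box, but
# only from table members rather than from the whole internet.
pass in on $ext_if inet proto udp from <ooma_peers> to ($ext_if) \
    port $ooma_rtp rdr-to $ooma

# LAN clients: anything out, but nothing to the Ooma box or its segment.
block in quick on $lan_if from $lan_net to $ooma
pass in on $lan_if inet from $lan_net

# Outbound legs; the states created above carry the traffic.
pass out on $ext_if inet
pass out on $voip_if inet proto udp to $ooma port $ooma_rtp
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch `pfctl -ss` and the pflog interface while placing a call to see which peer addresses the table actually needs.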