If you don't trust your VoIP box, you should not install it in your LAN zone. You should have a perimeter network; maybe your actual configuration is less dangerous than the one you propose.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, July 5, 2021 7:58 PM, Jonathan Thornburg <jthorn4...@gmail.com> wrote:

> Short summary:
>
> Has anyone used an OpenBSD firewall (pf) to protect an Ooma Telo VOIP
> phone system from internet attacks?  If so, how did you do it?  More
> generally, how do people protect VOIP phone systems (regardless of brand)
> from internet attacks?
>
> Details:
>
> My current home network topology is
>
>                          +--------------+
>      (internet) --------|   $ISP DSL   |
>                         | modem/router |
>                          +--------------+
>                             |       |
>                             |       |
>                      +----------+  +-----------+
>                      | OpenBSD  |  | Ooma Telo |.......... analog
>                      | firewall |  | VOIP box  |           telephones
>                      +----------+  +-----------+
>                         |    |
>            +--------+   |    |
>            |  Wifi  |---+    +------ wired client
>            | access |           (or network switch for
>            | point  |            multiple wired clients)
>            +--------+
>
> The OpenBSD firewall's pf is set up to NAT all the outbound traffic
> and to block any incoming traffic except replies to previous outbound
> traffic.
>
> This works, but isn't as secure as I'd like, because the OpenBSD pf only
> protects our computers; the Ooma Telo VOIP box is outside the firewall
> and is only "protected" by the $ISP DSL modem/router (whose security I
> don't at all trust).  That is, I suspect that both the $ISP-provided
> DSL modem/router and the Ooma Telo VOIP box are ultimately "just" small
> embedded Linux boxes running less-than-fully-patched 10-year-old software,
> and are thus quite vulnerable to attack from the internet.
>
> So, as part of a forthcoming upgrade of the OpenBSD firewall hardware,
> I would like to move the Ooma box inside the firewall-protected network
> by switching to the following network topology:
>
>                          +--------------+
>      (internet) --------|   $ISP DSL   |
>                         | modem/router |
>                          +--------------+
>                                |
>                                |
>                      +----------+    +-----------+
>                      | OpenBSD  |----| Ooma Telo |.......... analog
>                      | firewall |    | VOIP box  |           telephones
>                      +----------+    +-----------+
>                         |    |
>            +--------+   |    |
>            |  Wifi  |---+    +------ wired client
>            | access |           (or network switch for
>            | point  |            multiple wired clients)
>            +--------+
>
> This design would allow pf to protect the Ooma box as well as the
> local computers.
>
> The problem is that (as is pretty standard for VOIP systems) the Ooma
> Telo carries voice traffic on UDP packets, and the UDP port numbers
> can span a wide (dynamically-chosen) range, rather like ftp.  The
> Ooma documentation says it needs the following ports:
>   https://support.ooma.com/home/advanced-connections-and-service-ports/
>   outgoing UDP/TCP 53, 1194, 1294
>   outgoing TCP 80, 110, 443
>   outgoing UDP 67, 123, 3480
>   incoming UDP 10000 to 30000
>
> So, there are the usual problems of NAT with dynamically-chosen ports.
> And, the range of incoming ports (10000 to 30000) is much broader than
> I would like to leave open to the whole world.  I can (will) try to
> restrict by IP source addresses, but Ooma offers no documentation on
> what IP addresses from their network may need to send me UDP packets
> for normal operation (notably, I don't know how incoming phone calls
> are signalled), so I will need to do some reverse engineering here
> (tcpdump to start with).  If I'm lucky the incoming UDP packets will
> always come from IP addresses to which I've previously sent outgoing
> traffic (so that the normal pf state table will grok them).
>
> In any case, IP source addresses can be forged, so relying on them
> alone gives somewhat limited security.  I don't know of an easy way
> to work around this.  Do I need a full-fledged SIP proxy somewhere
> (either on the firewall or on a separate dedicated machine)?
>
> Overall, I would rather not have to re-invent the wheel here.  What
> are other OpenBSD users doing to protect VOIP phone systems from
> incoming "nastygram" attacks?
>
> --
> "Jonathan Thornburg [remove color- to reply]" jthorn4...@pink-gmail.com
> on the west coast of Canada, eh?
>   "There was of course no way of knowing whether you were being watched
>    at any given moment.  How often, or on what system, the Thought Police
>    plugged in on any individual wire was guesswork.  It was even conceivable
>    that they watched everybody all the time."  -- George Orwell, "1984"
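A pf.conf sketch of the perimeter-network layout the reply recommends, added here as an illustration and not taken from either poster: the Ooma box sits on its own segment, gets only the ports Ooma documents, and can never originate traffic into the LAN. Interface names and addresses are assumptions; the port list is the one quoted from the Ooma support page above.

```pf
# Added example (not from the thread). Assumed layout: em0 faces the $ISP
# modem/router, em1 is the LAN (wired clients + wifi AP), em2 is a separate
# perimeter segment holding nothing but the Ooma Telo.
ext_if  = "em0"
lan_if  = "em1"
dmz_if  = "em2"
lan_net = "192.168.1.0/24"      # assumed
dmz_net = "192.168.2.0/24"      # assumed
ooma    = "192.168.2.10"        # assumed static address of the Ooma Telo

# Ports from https://support.ooma.com/home/advanced-connections-and-service-ports/
ooma_tcpudp_out = "{ 53, 1194, 1294 }"
ooma_tcp_out    = "{ 80, 110, 443 }"
ooma_udp_out    = "{ 67, 123, 3480 }"
ooma_rtp_in     = "10000:30000"

set skip on lo
block drop log all                          # default deny, every interface
antispoof quick for { $lan_if $dmz_if }

# A compromised VoIP box must stay contained: nothing from the perimeter
# segment may reach the LAN. "quick" makes this rule win regardless of order.
block drop log quick on $dmz_if from $dmz_net to $lan_net

# Outbound NAT for both internal segments
match out on $ext_if from { $lan_net, $dmz_net } to any nat-to ($ext_if)

# LAN clients: unrestricted outbound, replies come back via state
pass in  on $lan_if from $lan_net to any
pass out on $ext_if from $lan_net to any

# Ooma Telo: only the documented outbound ports, nothing else
pass in  on $dmz_if proto { tcp udp } from $ooma to any port $ooma_tcpudp_out
pass in  on $dmz_if proto tcp         from $ooma to any port $ooma_tcp_out
pass in  on $dmz_if proto udp         from $ooma to any port $ooma_udp_out
pass out on $ext_if from $ooma to any

# Unsolicited media: inbound UDP is accepted only on the documented range and
# only redirected to the Ooma host, never to anything on the LAN. Replace
# "from any" with the source addresses tcpdump actually shows once known.
pass in on $ext_if proto udp from any to ($ext_if) port $ooma_rtp_in rdr-to $ooma
```

Check the result with `pfctl -nf /etc/pf.conf` before loading; with the default floating state policy the redirected packets leave on $dmz_if through the state created by the last rule, so no extra `pass out` is needed there.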