If you consider your voip box as a host which could be compromised because it 
runs old and/or insecure software, packet filtering can (in theory) help you a 
little bit by reducing the number of exposed services, but it won't do more 
than that.
Allowing traffic on network ports which correspond to insecure services will 
obviously leave those services unprotected and exploitable.
In my opinion, if this is your initial assumption, the matter here is how to 
protect your network from your voip box, as you'll never be able to trust this 
host even with the help of pf.
The config you propose may fit:
1. as long as you don't configure network interfaces connected to your OpenBSD 
host to work as a switch;
2. and as long as your pf rules are semantically correct (which normally 
implies they're few and clear).
In my opinion, if your external modem/router allows you to packet filter, 
keeping your initial configuration and packet filtering your voip box by your 
modem/router is not much worse than filtering it by your OpenBSD host; and as a 
bonus this allows you to keep your OpenBSD configuration simpler (and safer).
With your current configuration, in the worst case scenario, you can end up with 
an exploited voip box, which is kept apart from your lan by OpenBSD.
If this is still a problem for you, I'd suggest an external packet filter you 
trust (OpenBSD, OpenWRT or anything else) which sits between your modem/router 
and your voip + OpenBSD host.
This would allow you to have a proper perimeter network filtered by a device 
(your ext packet filter) you trust and keep your internal OpenBSD router 
configuration simpler and safer.
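As an added illustration (not part of the original reply, and not the poster's ruleset), here is a minimal pf.conf for the layout the reply describes: the OpenBSD host sits between the modem/router and two internal segments, one for the lan and one holding only the voip box, and the rules are written so the box can reach outward but never the lan or the OpenBSD host itself. Interface names (em0/em1/em2), addresses, the use of NAT and the forwarded SIP port are all assumptions made for the example.

```pf
# Added example, not code from the original post. Assumptions: em0 faces
# the modem/router, em1 is the lan, em2 is a separate segment holding
# only the voip box; all addresses and the SIP port are made up.
ext_if   = "em0"
lan_if   = "em1"
voip_if  = "em2"
lan_net  = "192.168.1.0/24"
voip_net = "192.168.2.0/24"
voip_box = "192.168.2.10"
table <internal> const { $lan_net, $voip_net }

set skip on lo
set block-policy drop

# Default deny: every pass rule below is an explicit exception.
block all

# Drop packets that claim an internal source address on the wrong interface.
antispoof quick for { $lan_if, $voip_if }

# A compromised voip box gets nothing on the lan and nothing on this host.
# "quick" ends evaluation here, so no later pass rule can override it.
block in quick on $voip_if from any to <internal>
block in quick on $voip_if from any to self

# Otherwise the box may only open connections outward, from its own address.
pass in on $voip_if proto { tcp, udp, icmp } from $voip_box to any

# lan hosts may reach anything, including the box (its web UI, for
# example); the reply path is matched by state, not by a rule.
pass in on $lan_if from $lan_net to any

# Let forwarded traffic leave; state tracking handles the replies.
pass out on { $ext_if, $lan_if, $voip_if }

# Only needed if the modem/router does not route the internal nets (assumption).
match out on $ext_if from <internal> to any nat-to ($ext_if)

# Services the box must expose to the outside, if any. Each line here is
# an exposed, possibly insecure service, so keep this list as short as
# possible. Assumed example: SIP signalling forwarded by the modem/router.
pass in on $ext_if proto udp from any to $voip_box port 5060
```

Two things to check after loading it with `pfctl -nf /etc/pf.conf` and then `pfctl -f /etc/pf.conf`: the box must have a static address (or you add an explicit pass for DHCP/DNS to `self`), since the blanket block to the host itself otherwise cuts it off, and the two `block in quick` lines must stay above the `pass in on $voip_if` rule, because without `quick` the last matching rule wins and the pass would let the box onto the lan.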