On 1/12/07 4:03 PM, Chris 'Xenon' Hanson wrote:
> Bob DeBolt wrote:
>> I have been trying numerous configs trying to outsmart
>> the inability of VOIP to transfer to UDP encapsulated RTP.
>> A very common problem as anyone who deals with NAT and VOIP knows.
>
> Hmm. Maybe not.
>
> I use VOIP behind NAT (Sipura and Grandstream phones talking to an
> off-site Asterisk server) without any problems. I was using an OBSD PF
> firewall. It's booted into Linux right now due to driver problems with
> my ADSL NIC, but the VOIP part worked fine under either OS/firewall.
>
> What, specifically, is your issue?
>
One huge issue has to do with pf and SIP protocol design. SIP signaling messages go over a well-known port (5060/tcp), but the media traffic (the actual voice packets) goes over some random port negotiated during call setup. The pf+voip documents I've seen give config examples that just open up a large range of ports [0]. Yikes.

What's really needed is either:

a. ditch SIP and use IAX instead, since at least signaling and media both run over a well-known port (and thus it's much easier to firewall and NAT); or

b. create a pf proxy that understands SIP. A SIP proxy would need to do the following:

- look into the SIP's SDP sublayer to grok the port number that media traffic will use on a call
- dynamically create a pass rule allowing access on that port number
- dynamically tear down access on that port when the call terminates

If there is such a beast for pf, please let me know.

thanks
dn

0. See for example:
http://www.aetherwide.com/articles/voip-pf.html
http://www.bastard.net/~kos/pf-voip.html
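As an added example (not from the original message, and not any existing pf tool), here is the core of the first two proxy steps above: a Python helper that reads the SDP body of a SIP INVITE sent by a phone inside the firewall and emits pf pass rules for only the negotiated RTP port and its RTCP partner, instead of a wide port range. The sample INVITE, the interface name ext0 and the rule wording are assumptions; loading the rules into an anchor with pfctl, the NAT rdr side, and teardown on BYE are left out.

```python
import re
import ipaddress

# Constructed sample INVITE from a phone on the inside (not a real capture).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
)

def parse_sdp_media(message):
    """Return (connection_ip, [(media, port, count)]) parsed from the SDP body."""
    head, sep, body = message.partition("\r\n\r\n")
    if not sep or "application/sdp" not in head.lower():
        raise ValueError("no SDP body")
    conn_ip, media = None, []
    for line in body.splitlines():
        if line.startswith("c="):  # c=<nettype> <addrtype> <address>
            parts = line[2:].split()
            if len(parts) == 3 and parts[1] == "IP4":
                conn_ip = str(ipaddress.IPv4Address(parts[2]))  # validates it
        elif line.startswith("m="):  # m=<media> <port>[/<count>] <proto> ...
            m = re.match(r"m=(\w+) (\d+)(?:/(\d+))? ", line)
            if not m:
                raise ValueError("malformed m= line: " + line)
            port, count = int(m.group(2)), int(m.group(3) or 1)
            if not 1024 <= port <= 65535:
                raise ValueError("media port outside unprivileged range")
            media.append((m.group(1), port, count))
    if conn_ip is None or not media:
        raise ValueError("SDP lacks c= or m= line")
    return conn_ip, media

def pf_rules_for_call(message, ext_if="ext0"):
    """Pass rules for one call: only the negotiated RTP port(s) plus RTCP (port+1)."""
    ip, media = parse_sdp_media(message)
    rules = []
    for _mtype, port, count in media:
        for p in range(port, port + 2 * count):  # RTP on even port, RTCP on next
            rules.append(f"pass in quick on {ext_if} proto udp to {ip} port {p}")
    return rules
```

The rules are meant to be loaded into a per-call anchor and flushed when the call ends, which is what keeps the opening narrow in both port and time.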