On Wednesday 19 November 2008 09:07:31 you wrote:
> > OpenBSD PF firewall consisting of ext, DMZ, internal/private interfaces.
> > VOIP server sitting in the DMZ.
> > Multiple (pick any number, 5, 10, 100) SIP phones in the private LAN.
> > Multiple mobile (pick any number, 5, 10, 100) SIP phones anywhere in the
> > USA. (NOTE: Mobile means they are carried and plugged in anywhere, but
> > are programmed with the static IP gateway address.
> >
> > How would you create a working pf.conf file so everything 'just works'.

Here we go

> What do you mean exactly by "just works"? Are the external phones
> supposed to talk with the internal phones?

Not directly, they go through the server

> Do the internal phones have
> public or private addresses?

Private interface so private address

> Are you using RTP/RTCP for audio? Are the
> audio streams phone-to-phone or are you using media anchoring on your
> VoIP server?

The server is currently in the private lan, but if we want to take outside calls, we need to move it into the DMZ.

> What VoIP server are you using?

Asterisk, test server

> Does it use TCP and/or
> UDP for SIP signalling? What is the port range used on the SIP phones
> for RTP/RTCP?

Standard ports. The SIP phones register with the asterisk box.

> There's a lot more info required before one can draw up some
> appropriate pf configuration file. Also, AFAIK there is currently no
> ftp-proxy-like application available for SIP for pf, so you won't be
> able to use pf as an ALG or dynamic firewall for your SIP traffic.
> You'll have to determine all your possible call flows, analyze the
> potential ports used (SIP and RTP/RTCP) for each of these call flows,
> and then prepare a pf.conf that caters to all of these.

Sounds like a lot of work. I need to go and hit the asterisk list. I'll let you know if I find anything out.
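
Added example, not part of the original message or of either poster's configuration: a default-deny pf.conf for the topology described above (Asterisk in the DMZ, all calls anchored on the server, UDP signalling on the standard SIP port). Interface names, addresses and the RTP range (Asterisk's rtp.conf default) are assumptions, and the rules use the current nat-to/rdr-to syntax, which postdates this thread.

```conf
# Constructed values; replace with the real interfaces and addresses.
ext_if    = "em0"            # Internet-facing interface (assumed)
dmz_if    = "em1"            # DMZ interface (assumed)
int_if    = "em2"            # private LAN interface (assumed)
voip      = "10.0.1.10"      # Asterisk server in the DMZ (assumed)
int_net   = "10.0.2.0/24"    # private LAN holding the internal phones (assumed)
sip_port  = "5060"           # standard SIP signalling port
rtp_ports = "10000:20000"    # Asterisk default RTP range (assumed unchanged)

set skip on lo
block log all                # default deny; every VoIP flow below is explicit

# Outbound NAT for the server. static-port keeps its source ports so the
# RTP ports it announces in SDP are still correct after translation.
# pf does not rewrite addresses inside SIP/SDP payloads, so the server
# itself must be configured to advertise the external address.
match out on $ext_if inet proto udp from $voip nat-to ($ext_if) static-port

# Mobile phones anywhere -> server: redirect SIP and RTP to the DMZ host only.
pass in on $ext_if inet proto udp to ($ext_if) \
    port { $sip_port, $rtp_ports } rdr-to $voip

# Internal phones -> server: SIP and RTP only. No internal phone is
# reachable from outside; everything goes through the server.
pass in on $int_if inet proto udp from $int_net to $voip \
    port { $sip_port, $rtp_ports }

# Server -> phones (internal or mobile): only from its SIP and RTP ports.
pass in on $dmz_if inet proto udp from $voip port { $sip_port, $rtp_ports }

# Filtering happens on the inbound side of each interface; traffic that
# was accepted there may leave the firewall statefully.
pass out inet
```

Only the VoIP flows are covered; general LAN Internet access and management rules would be added separately, and `pfctl -nf /etc/pf.conf` parses the file without loading it.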