On Thu, Nov 20, 2008 at 1:44 AM, marrandy <[EMAIL PROTECTED]> wrote:
> On Wednesday 19 November 2008 09:07:31 you wrote:
>
> > OpenBSD PF firewall consisting of ext, DMZ, internal/private interfaces.
> > VOIP server sitting in the DMZ.
> > Multiple (pick any number, 5, 10, 100) SIP phones in the private LAN.
> > Multiple mobile (pick any number, 5, 10, 100) SIP phones anywhere in the
> > USA. (NOTE: Mobile means they are carried and plugged in anywhere, but
> > are programmed with the static IP gateway address.
> >
> > How would you create a working pf.conf file so everything 'just works'.
>
> Sounds like a lot of work. I need to go and hit the asterisk list.
>
> I'll let you know if I find anything out.
FWIW, I run about 8 Asterisk servers behind OpenBSD firewalls. I have found the most non-problematic way to run them has been by using the Asterisk servers as a SIP proxy for your SIP clients and making sure that canreinvite in Asterisk is turned off. This increases your load on the Asterisk server, but I haven't found that to be a real problem. Your external SIP clients are going to have to connect to something.

You need to define what you want to say are valid RTP ports; it's "usually" in the 10000-20000 range, but you need to set this up on your Asterisk server appropriately. Then on the firewall, using rdr rules, you can redirect incoming SIP and RTP ports to your Asterisk box internally. Outgoing from the Asterisk server is usually a no-brainer; you might want to set pf to be conservative on reclaiming idle states, though. I've found on occasion a disconnected SIP line, as all the activity happens on the RTP side.

You'll need incoming redirections on your SIP from your SIP provider, or, if you can, use IAX2; it handles firewalls much more gracefully. Something like authpf can be used to open up the allow rules on the redirect. Or you could use VPNs and make the "external" SIP clients appear on your internal network, avoiding the whole redirect problem altogether. Though you would want to test this for phone quality. I haven't tried this myself, but can't see why it wouldn't work.

YMMV and of course... tweak it to your own requirements.

Mikel
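As an added illustration of the layout Mikel describes (it is not his configuration, nor anything posted in this thread), here is a minimal pf.conf in the pre-OpenBSD-4.7 rdr/nat syntax that was current when the thread was written. Interface names, the 10.0.1.0/24 DMZ, the 10.0.2.0/24 private LAN and the Asterisk address 10.0.1.10 are all assumptions; the RTP range 10000:20000 is the one the post calls "usual" and has to match what Asterisk is told to use.

```conf
# pf.conf for an ext / DMZ / internal firewall with Asterisk in the DMZ.
# All interface names and addresses below are assumptions for the example.
ext_if  = "em0"
dmz_if  = "em1"
int_if  = "em2"
dmz_net = "10.0.1.0/24"
int_net = "10.0.2.0/24"
voip    = "10.0.1.10"      # the Asterisk box in the DMZ
sip     = "5060"           # SIP signalling, UDP
rtp     = "10000:20000"    # must match rtpstart/rtpend in Asterisk's rtp.conf

# Expire idle states slowly: a registered phone that is silent for a while
# (all the traffic of a live call is RTP, not SIP) must keep its state.
set optimization conservative
set skip on lo

scrub in all

# Outbound NAT for the DMZ and the private LAN.
nat on $ext_if from { $dmz_net, $int_net } to any -> ($ext_if)

# Redirect inbound SIP and RTP from the Internet (mobile phones, SIP
# provider) to Asterisk. With no target port given, the original
# destination port is kept, so the RTP range maps 1:1.
rdr on $ext_if proto udp from any to ($ext_if) port $sip -> $voip
rdr on $ext_if proto udp from any to ($ext_if) port $rtp -> $voip

block log all
pass out keep state

# Filter rules see the translated (post-rdr) destination, so allow it
# to $voip rather than to the external address.
pass in on $ext_if proto udp from any to $voip port { $sip, $rtp } keep state

# Phones on the private LAN register with and send media to Asterisk.
pass in on $int_if proto udp from $int_net to $voip port { $sip, $rtp } keep state

# With canreinvite=no Asterisk stays in the media path, so it originates
# SIP and RTP towards both the LAN phones and the Internet. The phones'
# own RTP ports are not in our range, so no port restriction here.
pass in on $dmz_if proto udp from $voip keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only) and then `pfctl -f /etc/pf.conf`. On the Asterisk side the matching settings are `rtpstart=10000` and `rtpend=20000` in rtp.conf and `canreinvite=no` in sip.conf; if those ranges disagree, calls set up fine over SIP and then have one-way or no audio. On OpenBSD 4.7 and later the two rdr lines become filter rules of the form `pass in on $ext_if proto udp to ($ext_if) port $sip rdr-to $voip`, and `nat on` becomes `match out on $ext_if ... nat-to ($ext_if)`.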