Re: SOLVED: Re: how to use OpenBSD firewall (pf) to protect Ooma Telo VOIP phone system

2022-08-18 Thread Jonathan Thornburg
In message 
I described how I'm using an OpenBSD firewall (pf) to protect a VOIP
phone system.  A small correction:

I wrote:
> The firewall
> also runs unbound to provide caching DNS service to the VOIP box and the
> local computers, and to do secure DNS-over-TCP to an upstream DNSSEC
> provider.  (That way I don't need to trust the ISP box's DNS service.)

Oops, /dev/brain parity error there -- that should have been "DNS-over-TLS".
Sorry for any confusion,

-- 
-- "Jonathan Thornburg [remove -color to reply]" 
   on the west coast of Canada, eh?
   "Why would we install sewers in London?  Everyone keeps getting cholera
again and again so there's obviously no reason to install sewers.  We
just need to get used to this as the new normal."
 -- 2022-07-25 tweet by "Neoliberal John Snow"
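The DNS-over-TLS forwarding this correction refers to (and the "SOLVED" summary below describes), written out as the unbound side of the setup. This is an added example, not the poster's configuration. Assumptions not in the thread: the firewall holds .1, .65 and .129 on its three /26 segments (the summary gives only the first two subnets), and Quad9 stands in for the upstream DNSSEC provider, which the poster does not name.

```conf
# /var/unbound/etc/unbound.conf -- added example, not the poster's file.
# Assumed: firewall addresses 192.168.144.1 / .65 / .129 on the wired,
# wifi and voip segments; Quad9 as a stand-in for the unnamed upstream.
server:
	# Listen only on the internal segments, never on the ISP-facing side.
	interface: 192.168.144.1
	interface: 192.168.144.65
	interface: 192.168.144.129
	# Refuse everything except localhost and the three internal /26s.
	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: 192.168.144.0/26 allow
	access-control: 192.168.144.64/26 allow
	access-control: 192.168.144.128/26 allow
	hide-identity: yes
	hide-version: yes
	# Validate DNSSEC locally: a tampered answer fails validation here
	# rather than being trusted merely because it arrived over TLS.
	auto-trust-anchor-file: "/var/unbound/db/root.key"
	# CA bundle used to authenticate the upstream's certificate. Without
	# this line forward-tls-upstream only encrypts; it does not verify
	# who is on the other end, so an on-path device (the ISP box) could
	# terminate the TLS session itself. The path is relative to unbound's
	# chroot (/var/unbound on OpenBSD); on OpenBSD the rc.d script copies
	# the system bundle into the chroot (assumption: verify on your release).
	tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
	name: "."
	# Send every query to the upstream over DNS-over-TLS (port 853).
	# The name after '#' is the certificate name that must match.
	forward-tls-upstream: yes
	forward-addr: 9.9.9.9@853#dns.quad9.net
	forward-addr: 149.112.112.112@853#dns.quad9.net
```

Check the file with `unbound-checkconf` before restarting. To confirm nothing is leaking to the ISP box's resolver, run `tcpdump -ni em0 port 53` on the firewall while a client queries; it should stay silent, while `tcpdump -ni em0 port 853` shows the upstream sessions. Querying a DNSSEC-signed name with `dig +dnssec @192.168.144.1` should return the `ad` flag, which shows validation is happening on the firewall.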



SOLVED: Re: how to use OpenBSD firewall (pf) to protect Ooma Telo VOIP phone system

2022-08-15 Thread Jonathan Thornburg
In message 
(date 2021-07-05) I wrote:
> Has anyone used an OpenBSD firewall (pf) to protect an Ooma Telo VOIP
> phone system from internet attacks?  If so, how did you do it?  More
> generally, how do people protect VOIP phone systems (regardless of brand)
> from internet attacks?

There were various helpful replies in that thread, but I wasn't able
to complete my firewall upgrade at that time.  I've recently returned
to this project, and after a bit of fiddling around I'm pleased to report
a successful outcome.  For the benefit of anyone else trying to protect
a similar VOIP system, here's a summary of what I've done.

My network topology is this:

                  +-------------------+
     (internet) --| ISP-provided ADSL |
                  | modem/router      |
                  +-------------------+
                        |
                        |
                  +----------+  +-----------+
                  | OpenBSD  |--| Ooma Telo |..... analog
                  | firewall |  | VOIP box  |      telephones
                  +----------+  +-----------+
                    |      |
         +--------+ |      |
         | Wifi   |-+      +-- wired client
         | access |            (or network switch for
         | point  |             multiple wired clients)
         +--------+

One of my overall goals in trying to design this system is to not trust
either the ISP-provided ADSL modem/router (the "ISP box") or the Ooma Telo
VOIP box any more than necessary -- they're both probably running out-of-date
embedded Linux systems, and could well be hacked at some point.  Notably,
I'd rather not trust the ISP box's DNS service, and I'd like to prevent
either the ISP box or the VOIP box from being able to probe or attack
my other local computers.

Therefore, the OpenBSD firewall (a PC Engines apu4d4) has separate physical
network interfaces to talk to the ISP box, the VOIP box, a wifi access point
(for other local computers that want internet access) and a wired client
(another local computer or computers that wants internet access).

The firewall gets a dynamic address on its "outside" interface via DHCP
from the ISP box.  The firewall assigns distinct /26 subnets of the
192.168.*.* address space to clients connecting via its three internal
interfaces ("wired", "wifi", and "voip").  The firewall runs dhcpd to
assign dynamic IP addresses within those subnets, and to advertise itself
as a DNS server to all the local clients and the VOIP box.  The firewall
also runs unbound to provide caching DNS service to the VOIP box and the
local computers, and to do secure DNS-over-TCP to an upstream DNSSEC
provider.  (That way I don't need to trust the ISP box's DNS service.)

The Ooma VOIP documentation says it uses the following ports:
  outgoing UDP/TCP 53, 1194, 1294
  outgoing TCP 80, 110, 443
  outgoing UDP 67, 123, 3480
  incoming UDP 1 to 3
but doesn't have much to say about NAT-vs-dynamically-chosen-ports issues.
I was pleasantly surprised to find that it works fine through the firewall's
NAT.

I give the relevant parts of the firewall's /etc/pf.conf below.  This
doesn't give perfect protection (e.g., the ISP box could still insert
nastygram packets into non-encrypted connections), but it does offer fairly
good protection, hopefully enough to protect me from typical "mass attacks".

Unless the ISP box meddles in the traffic quite heavily, the OpenBSD
firewall's NAT and "modulate state" should ensure that all traffic to/from
the outside world has high-entropy initial TCP sequence numbers and ports
(for improved resistance to TCP-sequence-guessing attacks).


--- begin firewall /etc/pf.conf ---
# uncomment one of the following two lines
# to configure logging for the main wired/wifi subnets
MAYBE_LOG_MAIN  = ""        # uncomment for no logging
#MAYBE_LOG_MAIN = "log"     # uncomment for logging

# uncomment one of the following two lines
# to configure logging for the voip subnet
MAYBE_LOG_VOIP  = ""        # uncomment for no logging
#MAYBE_LOG_VOIP = "log"     # uncomment for logging

# uncomment one of the following two lines
# to configure logging for the default block rule
MAYBE_LOG_BLOCK  = ""       # uncomment for no logging
#MAYBE_LOG_BLOCK = "log"    # uncomment for logging



if_outside  = "em0"
if_wired    = "em1"
if_wifi     = "em2"
if_voip     = "em3"
if_internal = "{" $if_wired $if_wifi $if_voip "}"
if_all      = "{" $if_outside $if_wired $if_wifi $if_voip "}"

# last byte of ip address:
#   /25 /26 /27 /28 /29 /30 /31 /32
#   128  64  32  16   8   4   2   1
# so a /26 has a netmask of 255.255.255.192 = 0xffc0
subnet_wired         = "192.168.144.0/26"    # .0 to .63
subnet_wifi          = "192.168.144.64/26"   # .64 to .127
subnet_wired_or_wifi = 
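The posted fragment ends there. What follows is a complete /etc/pf.conf that realises the design described in this message (four physical interfaces, three /26 segments, outbound NAT with modulate state, the VoIP box limited to the ports Ooma documents, and no forwarding between segments). It is an added example and not the poster's actual file: the interface names, the two /26 subnets, the logging macros and the Ooma port list come from the message; the VoIP subnet 192.168.144.128/26, the firewall's own addresses on the internal segments and the rule structure are my assumptions.

```conf
# /etc/pf.conf for the four-interface layout above -- added example, not the
# poster's file. Assumed: VoIP segment 192.168.144.128/26; the rest is from
# the message.

MAYBE_LOG_MAIN  = ""        # set to "log" to log wired/wifi traffic
MAYBE_LOG_VOIP  = ""        # set to "log" to log VoIP traffic
MAYBE_LOG_BLOCK = ""        # set to "log" to log the default block

if_outside  = "em0"
if_wired    = "em1"
if_wifi     = "em2"
if_voip     = "em3"
if_main     = "{" $if_wired $if_wifi "}"
if_internal = "{" $if_wired $if_wifi $if_voip "}"

subnet_wired = "192.168.144.0/26"      # .0 to .63
subnet_wifi  = "192.168.144.64/26"     # .64 to .127
subnet_voip  = "192.168.144.128/26"    # .128 to .191 (assumed)
subnet_main  = "{" $subnet_wired $subnet_wifi "}"
subnet_all   = "{" $subnet_wired $subnet_wifi $subnet_voip "}"

# Ports from Ooma's documentation as quoted in the thread. UDP 67 (DHCP)
# is answered by the firewall itself, so it is not part of the egress list.
voip_tcp_out = "{ 53 80 110 443 1194 1294 }"
voip_udp_out = "{ 53 123 1194 1294 3480 }"

set skip on lo
set block-policy drop

# Normalise fragments; drop packets whose source address cannot legitimately
# arrive on that interface (stops the ISP box or the VoIP box from spoofing
# a local address).
match in all scrub (no-df random-id max-mss 1440)
antispoof quick for $if_internal
block in quick on $if_outside inet from $subnet_all

# Outbound NAT for all internal segments. The firewall's DHCP lease on
# $if_outside is the source address; the NAT source port is chosen at
# random, and "modulate state" below randomises the TCP ISNs.
match out on $if_outside inet from $subnet_all to any nat-to ($if_outside)

# Default deny in both directions.
block $MAYBE_LOG_BLOCK all

# Services the firewall itself offers to the internal segments: DHCP (dhcpd)
# and caching DNS (unbound). Matched before the cross-segment block below.
# Add further "pass in quick" rules here (e.g. ssh from the wired segment)
# for anything else the firewall should answer.
pass in quick on $if_internal inet proto udp from any port 68 to any port 67
pass in quick on $if_internal inet proto { tcp udp } from $subnet_all to $if_internal port 53

# Nothing else is forwarded between internal segments, and nothing else
# reaches the firewall: a compromised VoIP box cannot probe the wired/wifi
# hosts, and they cannot reach it either.
block in quick on $if_internal inet from any to $subnet_all
block in quick on $if_internal inet from any to self

# Wired/wifi hosts may reach the internet freely.
pass in $MAYBE_LOG_MAIN on $if_main inet proto tcp from $subnet_main modulate state
pass in $MAYBE_LOG_MAIN on $if_main inet proto { udp icmp } from $subnet_main

# The VoIP box may reach only the documented ports. No inbound pass on
# $if_outside is needed: as the message reports, the box works through NAT,
# i.e. its return traffic matches the states created by these rules.
pass in $MAYBE_LOG_VOIP on $if_voip inet proto tcp from $subnet_voip to any port $voip_tcp_out modulate state
pass in $MAYBE_LOG_VOIP on $if_voip inet proto udp from $subnet_voip to any port $voip_udp_out

# The firewall's own traffic (DNS-over-TLS to the upstream resolver, NTP,
# package updates) and the forwarded traffic above leave via $if_outside;
# the firewall's DHCP client needs the replies from the ISP box.
pass out on $if_outside inet proto tcp modulate state
pass out on $if_outside inet proto { udp icmp }
pass in on $if_outside inet proto udp from any port 67 to any port 68
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. `pfctl -ss` shows the states the VoIP box has open, which is the quickest way to see which Ooma hosts and ports it actually talks to; with one of the log macros set to "log", `tcpdump -n -e -ttt -i pflog0` shows what the rules are dropping. Note that the "to self" block deliberately stops the internal segments from pinging or ssh'ing to the firewall unless a pass quick rule is added above it.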

Re: how to use OpenBSD firewall (pf) to protect Ooma Telo VOIP phone system

2021-07-07 Thread Jonathan Thornburg
Hi Stuart,

On Tue, Jul 06, 2021 at 08:23:06AM +1000, Stuart Longland wrote:
> One thing the OpenBSD host cannot know, is what specific port in that
> 1:3 range, is being used at any particular time.  I note they
> don't ask you to expose port 5060/udp, so presumably the device is
> _not_ receiving SIP traffic directly from incoming callers, but rather
> tunnels it via some sort of STUN-type arrangement or VPN (port 1194
> smells like OpenVPN).

A bit more web searching found some discussions
  https://forums.ooma.com/viewtopic.php?t=15326#p106898
  https://www.dslreports.com/forum/r28676066-Ooma-uses-SIP
  https://forums.ooma.com/viewtopic.php?t=7553#p53035
  https://forums.ooma.com/viewtopic.php?t=15072
where people claim that Ooma does in fact use an OpenVPN tunnel to
their own cloud infrastructure.


> What also we don't know, is whether the RTP traffic (the 1:3/udp
> range) is going to come from a single subnet, or from global addresses.
>  If you can find this information out, then it's possible to just
> expose yourself to your VSP (voice service provider) and be closed to
> everybody else.

Hopefully it only comes from Ooma's own IP addresses.  I will try to
run some experiments next week to see what the traffic actually looks
like.

--
-- "Jonathan Thornburg [remove color- to reply]" 
   on the west coast of Canada, eh?
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"



Re: how to use OpenBSD firewall (pf) to protect Ooma Telo VOIP phone system

2021-07-06 Thread Nicola Dell'Uomo
If you consider your voip box as a host which could be compromised because it 
runs old and/or insecure software, packet filtering can (in theory) help you a 
little bit by reducing the amount of exposed services, but it won't do more 
than that.
Allowing traffic on network ports which correspond to insecure services will 
obviously leave those services unprotected and exploitable.
In my opinion, if this is your initial assumption, the matter here is how to 
protect your network from your voip box, as you'll never be able to trust this 
host even with the help of pf.
The config you propose may fit:
1. as long as you don't configure network interfaces connected to your OpenBSD 
host to work as a switch;
2. and as long as your pf rules are semantically correct (which normally 
implies they're few and clear).
In my opinion, if your external modem/router allows you to packet filter, 
keeping your initial configuration and packet filtering your voip box by your 
modem/router is not much worse than filtering it by your OpenBSD host; and as a 
bonus this allows you to keep your OpenBSD configuration simpler (and safer).
With your actual configuration, in the worst case scenario, you can end up with 
an exploited voip box, which is kept apart from your lan by OpenBSD.
If this is still a problem for you, I'd suggest an external packet filter you 
trust (OpenBSD, OpenWRT or anything else) which sits between your modem/router 
and your voip + OpenBSD host.
This would allow you to have a proper perimeter network filtered by a device 
(your ext packet filter) you trust and keeping your internal OpenBSD router 
configuration simpler and safer.




Re: how to use OpenBSD firewall (pf) to protect Ooma Telo VOIP phone system

2021-07-05 Thread Stuart Longland
On Mon, 5 Jul 2021 17:50:27 -0700
Jonathan Thornburg  wrote:

> > Better yet, if you can, maybe consider setting up Asterisk or similar
> > directly on the OpenBSD router, then configure your ATA to talk to
> > that.  The Asterisk installation can then "sanitise" the traffic going
> > to your ATA, and is in your control for updates.  This is the approach
> > I've taken with my network here (with Internode NodePhone VoIP as VSP
> > and a handful of IP phones and one ATA).  By doing this, I better
> > shield the IP phones/ATA from the outside traffic since the border
> > router is transcoding the audio passed to these devices.  
> 
> One problem is that the Ooma VOIP box (ATA) is a "black box" appliance
> with no (documented) user-visible configuration interface.  So it has to
> "think" it's talking to whatever network infrastructure Ooma uses.

Ahh fun… yeah, you might be stuck with their crummy device talking to
their service then unless you can somehow "jailbreak" it, which is
really getting beyond the scope of what was originally intended.

Not familiar with these devices, clearly this is an ATA with some
"secret sauce" of unknown quality.
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.



Re: how to use OpenBSD firewall (pf) to protect Ooma Telo VOIP phone system

2021-07-05 Thread Stuart Longland
On Mon, 5 Jul 2021 10:58:52 -0700
Jonathan Thornburg  wrote:

>                   +--------------+
>      (internet) --| $ISP DSL     |
>                   | modem/router |
>                   +--------------+
>                         |
>                         |
>                   +----------+  +-----------+
>                   | OpenBSD  |--| Ooma Telo |..... analog
>                   | firewall |  | VOIP box  |      telephones
>                   +----------+  +-----------+
>                     |      |
>          +--------+ |      |
>          | Wifi   |-+      +-- wired client
>          | access |            (or network switch for
>          | point  |             multiple wired clients)
>          +--------+
> 
> This design would allow pf to protect the Ooma box as well as the
> local computers.
> 
> The problem is that (as is pretty standard for VOIP systems) the Ooma
> Telo carries voice traffic on UDP packets, and the UDP port numbers
> can span a wide (dynamically-chosen) range, rather like ftp.  The
> Ooma documentation says it needs the following ports:
> https://support.ooma.com/home/advanced-connections-and-service-ports/
>   outgoing UDP/TCP 53, 1194, 1294
>   outgoing TCP 80, 110, 443
>   outgoing UDP 67, 123, 3480
>   incoming UDP 1 to 3
> 
> So, there are the usual problems of NAT with dynamically-chosen ports.

One thing the OpenBSD host cannot know, is what specific port in that
1:3 range, is being used at any particular time.  I note they
don't ask you to expose port 5060/udp, so presumably the device is
_not_ receiving SIP traffic directly from incoming callers, but rather
tunnels it via some sort of STUN-type arrangement or VPN (port 1194
smells like OpenVPN).

What also we don't know, is whether the RTP traffic (the 1:3/udp
range) is going to come from a single subnet, or from global addresses.
 If you can find this information out, then it's possible to just
expose yourself to your VSP (voice service provider) and be closed to
everybody else.

Finally, you don't mention if the service is operating on IPv4, IPv6 or
dual-stack, but the concepts are the same regardless.

You _could_ NAT the traffic seen by the ISP router, but I'm not
convinced much is gained by doing this, particularly for the Ooma Telo
ATA.  VoIP protocols are notoriously bad at traversing NAT, so the fewer
layers you can put between you and your VSP, the better.  Packet filtering
will stop a lot of nasties, NAT behind the border router (ISP-supplied
in your case) is just "security" through obscurity.

I would do the following:

1. Set aside a private subnet address (RFC-1918 for IPv4, RFC-4193 for
   IPv6) that your ATA will "live" on.  Separate VLAN or physical Ethernet
   segment.
2. Configure your ATA and your OpenBSD router so they can ping each-other.
3. On your ISP-supplied border router, configure a static route to your
   ATA's subnet *via* your OpenBSD router.  Update its NAT rules to forward
   traffic to the ATA's new IP address.
4. Configure `pf` to pass through just the port ranges specified in the
   directions required.  Do *NOT* apply NAT in either direction: let the
   ISP-supplied router handle that.

Better yet, if you can, maybe consider setting up Asterisk or similar
directly on the OpenBSD router, then configure your ATA to talk to
that.  The Asterisk installation can then "sanitise" the traffic going
to your ATA, and is in your control for updates.  This is the approach
I've taken with my network here (with Internode NodePhone VoIP as VSP
and a handful of IP phones and one ATA).  By doing this, I better
shield the IP phones/ATA from the outside traffic since the border
router is transcoding the audio passed to these devices.

Regards,
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.
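The routed, no-NAT variant Stuart lays out in steps 1 to 4 above, written out as pf rules. This is an added example and not his ruleset. Assumptions not in the thread: the ATA sits at 192.168.145.2 on a 192.168.145.0/29 segment behind em3; the ISP router has a static route for that /29 via the OpenBSD box and forwards the media port range to the ATA's address; and the media range itself is a placeholder, because the incoming UDP range quoted in this thread is garbled and must be taken from Ooma's documentation.

```conf
# pf rules for the routed (no nat-to) variant -- added example, not from the
# thread. Only the ATA-related rules are shown; merge with the rest of the
# ruleset. Assumed: ATA at 192.168.145.2 on 192.168.145.0/29 behind em3.

if_outside   = "em0"
if_voip      = "em3"
ata          = "192.168.145.2"
subnet_voip  = "192.168.145.0/29"
rtp_ports    = "10000:30000"     # placeholder: substitute Ooma's incoming UDP range
voip_tcp_out = "{ 53 80 110 443 1194 1294 }"
voip_udp_out = "{ 53 123 1194 1294 3480 }"

# Addresses the VSP may send unsolicited media from. Starts empty; fill it
# from observation (tcpdump -ni em0 udp and dst 192.168.145.2) or from the
# VSP's published ranges, e.g.:  pfctl -t vsp -T add 203.0.113.0/24
# (203.0.113.0/24 is documentation space, used here only as a placeholder).
table <vsp> persist

set block-policy drop
block all
antispoof quick for $if_voip

# Outbound: only the documented ports, and no nat-to, so the ISP router sees
# the ATA's real address (it routes the /29 back to us) and does the NAT.
pass in on $if_voip inet proto tcp from $ata to any port $voip_tcp_out modulate state
pass in on $if_voip inet proto udp from $ata to any port $voip_udp_out
pass out on $if_outside inet from $subnet_voip

# Inbound: only the media range, only from <vsp>, only to the ATA. Everything
# else from the internet to the ATA stays blocked, including SIP on 5060,
# which Ooma's port list does not ask for.
pass in on $if_outside inet proto udp from <vsp> to $ata port $rtp_ports
```

With the table empty nothing unsolicited reaches the ATA at all, which is a safe starting point: watch `pfctl -ss` and the pflog interface while placing and receiving calls, and add only the source networks that actually appear. Because pf states are floating by default, the reply half of each flow is matched by the state regardless of interface, so no separate "pass out on em3" rule is required.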



Re: how to use OpenBSD firewall (pf) to protect Ooma Telo VOIP phone system

2021-07-05 Thread Nicola Dell'Uomo
If you don't trust your voip box you should not install it in your lan zone.
You should have a perimeter network; maybe your actual configuration is less 
dangerous than the one you propose.

‐‐‐ Original Message ‐‐‐

On Monday, 5 July 2021 at 7:58 PM, Jonathan Thornburg wrote:

> Short summary:
>
> Has anyone used an OpenBSD firewall (pf) to protect an Ooma Telo VOIP
> phone system from internet attacks? If so, how did you do it? More
> generally, how do people protect VOIP phone systems (regardless of brand)
> from internet attacks?
>
> Details:
>
> My current home network topology is
>
>                   +--------------+
>      (internet) --| $ISP DSL     |
>                   | modem/router |
>                   +--------------+
>                         |       |
>                         |       |
>                   +----------+  +-----------+
>                   | OpenBSD  |  | Ooma Telo |..... analog
>                   | firewall |  | VOIP box  |      telephones
>                   +----------+  +-----------+
>                     |      |
>          +--------+ |      |
>          | Wifi   |-+      +-- wired client
>          | access |            (or network switch for
>          | point  |             multiple wired clients)
>          +--------+
>
> The OpenBSD firewall's pf is setup to NAT all the outbound traffic
> and to block any incoming traffic except replies to previous outbound
> traffic.
>
> This works, but isn't as secure as I'd like, because the OpenBSD pf only
> protects our computers; the Ooma Telo VOIP box is outside the firewall
> and is only "protected" by the $ISP DSL modem/router (whose security I
> don't at all trust). That is, I suspect that both the $ISP-provided
> DSL modem/router and the Ooma Telo VOIP box are ultimately "just" small
> embedded Linux boxes running less-than-fully-patched 10-year-old software,
> and are thus quite vulnerable to attack from the internet.
>
> So, as part of a forthcoming upgrade of the OpenBSD firewall hardware,
> I would like to move the Ooma box inside the firewall-protected network
> by switching to the following network topology:
>
>                   +--------------+
>      (internet) --| $ISP DSL     |
>                   | modem/router |
>                   +--------------+
>                         |
>                         |
>                   +----------+  +-----------+
>                   | OpenBSD  |--| Ooma Telo |..... analog
>                   | firewall |  | VOIP box  |      telephones
>                   +----------+  +-----------+
>                     |      |
>          +--------+ |      |
>          | Wifi   |-+      +-- wired client
>          | access |            (or network switch for
>          | point  |             multiple wired clients)
>          +--------+
>
> This design would allow pf to protect the Ooma box as well as the
> local computers.
>
> The problem is that (as is pretty standard for VOIP systems) the Ooma
> Telo carries voice traffic on UDP packets, and the UDP port numbers
> can span a wide (dynamically-chosen) range, rather like ftp. The
> Ooma documentation says it needs the following ports:
> https://support.ooma.com/home/advanced-connections-and-service-ports/
>   outgoing UDP/TCP 53, 1194, 1294
>   outgoing TCP 80, 110, 443
>   outgoing UDP 67, 123, 3480
>   incoming UDP 1 to 3
>
> So, there are the usual problems of NAT with dynamically-chosen ports.
>
> And, the range of incoming ports (1 to 3) is much broader than
> I would like to leave open to the whole world. I can (will) try to
> restrict by IP source addresses, but Ooma offers no documentation on
> what IP addresses from their network may need to send me UDP packets
> for normal operation (notably, I don't know how incoming phone calls
> are signalled), so I will need to do some reverse engineering here
> (tcpdump to start with). If I'm lucky the incoming UDP packets will
> always come from IP addresses to which I've previously sent outgoing
> traffic (so that the normal pf state table will grok them).
>
> In any case, IP source addresses can be forged, so relying on them
> alone gives somewhat limited security. I don't know of an easy way
> to work around this. Do I need a full-fledged SIP proxy somewhere
> (either on the firewall or on a separate dedicated machine)?
>
> Overall, I would rather not have to re-invent the wheel here. What
> are other OpenBSD users doing to protect VOIP phone systems from
> incoming "nastygram" attacks?

Re: how to use OpenBSD firewall (pf) to protect Ooma Telo VOIP phone system

2021-07-05 Thread Jonathan Thornburg
In  I asked
for advice on using an OpenBSD firewall to protect a VOIP box from
network attacks.

Several people have suggested isolating the VOIP box in a separate
sublan.  This is a good idea.  In fact, the network topology I'm planning

> 
>                   +--------------+
>      (internet) --| $ISP DSL     |
>                   | modem/router |
>                   +--------------+
>                         |
>                         |
>                   +----------+  +-----------+
>                   | OpenBSD  |--| Ooma Telo |..... analog
>                   | firewall |  | VOIP box  |      telephones
>                   +----------+  +-----------+
>                     |      |
>          +--------+ |      |
>          | Wifi   |-+      +-- wired client
>          | access |            (or network switch for
>          | point  |             multiple wired clients)
>          +--------+

already does this.  The firewall has separate network ports for
* uplink to $ISP DSL modem/router
* the wifi access point
* the wired client (or, in the future, a network switch connected to
  multiple wired clients)
* the VOIP box
so it's easy for the firewall's pf ruleset to keep the subnets' traffic
separate.

The harder problem, which I don't yet know how to solve, is how to
appropriately firewall the VOIP box from the (hostile) outside world.
Here there is some legitimate traffic (carrying phone calls and/or
Ooma software updates), and the problem is how to best configure the
firewall so as to block as large a range of "nastygram" packets
from the outside world as possible, while still passing the legitimate
traffic.

--
-- "Jonathan Thornburg [remove color- to reply]" 
   on the west coast of Canada, eh?
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"



Re: how to use OpenBSD firewall (pf) to protect Ooma Telo VOIP phone system

2021-07-05 Thread Sonic
For starters use a separate vlan for the phones.

On Mon, Jul 5, 2021 at 2:02 PM Jonathan Thornburg  wrote:
>
> Short summary:
>
> Has anyone used an OpenBSD firewall (pf) to protect an Ooma Telo VOIP
> phone system from internet attacks?  If so, how did you do it?  More
> generally, how do people protect VOIP phone systems (regardless of brand)
> from internet attacks?
>
>
> Details:
>
> My current home network topology is
>
>                   +--------------+
>      (internet) --| $ISP DSL     |
>                   | modem/router |
>                   +--------------+
>                         |       |
>                         |       |
>                   +----------+  +-----------+
>                   | OpenBSD  |  | Ooma Telo |..... analog
>                   | firewall |  | VOIP box  |      telephones
>                   +----------+  +-----------+
>                     |      |
>          +--------+ |      |
>          | Wifi   |-+      +-- wired client
>          | access |            (or network switch for
>          | point  |             multiple wired clients)
>          +--------+
>
> The OpenBSD firewall's pf is setup to NAT all the outbound traffic
> and to block any incoming traffic except replies to previous outbound
> traffic.
>
> This works, but isn't as secure as I'd like, because the OpenBSD pf only
> protects our computers; the Ooma Telo VOIP box is outside the firewall
> and is only "protected" by the $ISP DSL modem/router (whose security I
> don't at all trust).  That is, I suspect that both the $ISP-provided
> DSL modem/router and the Ooma Telo VOIP box are ultimately "just" small
> embedded Linux boxes running less-than-fully-patched 10-year-old software,
> and are thus quite vulnerable to attack from the internet.
>
> So, as part of a forthcoming upgrade of the OpenBSD firewall hardware,
> I would like to move the Ooma box inside the firewall-protected network
> by switching to the following network topology:
>
>                   +--------------+
>      (internet) --| $ISP DSL     |
>                   | modem/router |
>                   +--------------+
>                         |
>                         |
>                   +----------+  +-----------+
>                   | OpenBSD  |--| Ooma Telo |..... analog
>                   | firewall |  | VOIP box  |      telephones
>                   +----------+  +-----------+
>                     |      |
>          +--------+ |      |
>          | Wifi   |-+      +-- wired client
>          | access |            (or network switch for
>          | point  |             multiple wired clients)
>          +--------+
>
> This design would allow pf to protect the Ooma box as well as the
> local computers.
>
> The problem is that (as is pretty standard for VOIP systems) the Ooma
> Telo carries voice traffic on UDP packets, and the UDP port numbers
> can span a wide (dynamically-chosen) range, rather like ftp.  The
> Ooma documentation says it needs the following ports:
> https://support.ooma.com/home/advanced-connections-and-service-ports/
>   outgoing UDP/TCP 53, 1194, 1294
>   outgoing TCP 80, 110, 443
>   outgoing UDP 67, 123, 3480
>   incoming UDP 1 to 3
>
> So, there are the usual problems of NAT with dynamically-chosen ports.
>
> And, the range of incoming ports (1 to 3) is much broader than
> I would like to leave open to the whole world.  I can (will) try to
> restrict by IP source addresses, but Ooma offers no documentation on
> what IP addresses from their network may need to send me UDP packets
> for normal operation (notably, I don't know how incoming phone calls
> are signalled), so I will need to do some reverse engineering here
> (tcpdump to start with).  If I'm lucky the incoming UDP packets will
> always come from IP addresses to which I've previously sent outgoing
> traffic (so that the normal pf state table will grok them).
>
> In any case, IP source addresses can be forged, so relying on them
> alone gives somewhat limited security.  I don't know of an easy way
> to work around this.  Do I need a full-fledged SIP proxy somewhere
> (either on the firewall or on a separate dedicated machine)?
>
> Overall, I would rather not have to re-invent the wheel here.  What
> are other OpenBSD users doing to protect VOIP phone systems from
> incoming "nastygram" attacks?
>
> --
> -- "Jonathan Thornburg [remove color- to reply]" 
>on the west coast of Canada, eh?
>"There was of course no way of knowing whether you were being watched
> at any given moment.  How often, or on what system, the Thought Police
> plugged in on any individual wire was guesswork.  It was even conceivable
> that they watched everybody all the time."  -- George Orwell, "1984"
>



how to use OpenBSD firewall (pf) to protect Ooma Telo VOIP phone system

2021-07-05 Thread Jonathan Thornburg
Short summary:

Has anyone used an OpenBSD firewall (pf) to protect an Ooma Telo VOIP
phone system from internet attacks?  If so, how did you do it?  More
generally, how do people protect VOIP phone systems (regardless of brand)
from internet attacks?


Details:

My current home network topology is

                  +--------------+
     (internet) --| $ISP DSL     |
                  | modem/router |
                  +--------------+
                        |       |
                        |       |
                  +----------+  +-----------+
                  | OpenBSD  |  | Ooma Telo |..... analog
                  | firewall |  | VOIP box  |      telephones
                  +----------+  +-----------+
                    |      |
         +--------+ |      |
         | Wifi   |-+      +-- wired client
         | access |            (or network switch for
         | point  |             multiple wired clients)
         +--------+

The OpenBSD firewall's pf is setup to NAT all the outbound traffic
and to block any incoming traffic except replies to previous outbound
traffic.

This works, but isn't as secure as I'd like, because the OpenBSD pf only
protects our computers; the Ooma Telo VOIP box is outside the firewall
and is only "protected" by the $ISP DSL modem/router (whose security I
don't at all trust).  That is, I suspect that both the $ISP-provided
DSL modem/router and the Ooma Telo VOIP box are ultimately "just" small
embedded Linux boxes running less-than-fully-patched 10-year-old software,
and are thus quite vulnerable to attack from the internet.

So, as part of a forthcoming upgrade of the OpenBSD firewall hardware,
I would like to move the Ooma box inside the firewall-protected network
by switching to the following network topology:

                  +--------------+
     (internet) --| $ISP DSL     |
                  | modem/router |
                  +--------------+
                        |
                        |
                  +----------+  +-----------+
                  | OpenBSD  |--| Ooma Telo |..... analog
                  | firewall |  | VOIP box  |      telephones
                  +----------+  +-----------+
                    |      |
         +--------+ |      |
         | Wifi   |-+      +-- wired client
         | access |            (or network switch for
         | point  |             multiple wired clients)
         +--------+

This design would allow pf to protect the Ooma box as well as the
local computers.

The problem is that (as is pretty standard for VOIP systems) the Ooma
Telo carries voice traffic on UDP packets, and the UDP port numbers
can span a wide (dynamically-chosen) range, rather like ftp.  The
Ooma documentation says it needs the following ports:
https://support.ooma.com/home/advanced-connections-and-service-ports/
  outgoing UDP/TCP 53, 1194, 1294
  outgoing TCP 80, 110, 443
  outgoing UDP 67, 123, 3480
  incoming UDP 1 to 3

So, there are the usual problems of NAT with dynamically-chosen ports.

And, the range of incoming ports (1 to 3) is much broader than
I would like to leave open to the whole world.  I can (will) try to
restrict by IP source addresses, but Ooma offers no documentation on
what IP addresses from their network may need to send me UDP packets
for normal operation (notably, I don't know how incoming phone calls
are signalled), so I will need to do some reverse engineering here
(tcpdump to start with).  If I'm lucky the incoming UDP packets will
always come from IP addresses to which I've previously sent outgoing
traffic (so that the normal pf state table will grok them).

In any case, IP source addresses can be forged, so relying on them
alone gives somewhat limited security.  I don't know of an easy way
to work around this.  Do I need a full-fledged SIP proxy somewhere
(either on the firewall or on a separate dedicated machine)?

Overall, I would rather not have to re-invent the wheel here.  What
are other OpenBSD users doing to protect VOIP phone systems from
incoming "nastygram" attacks?

-- 
-- "Jonathan Thornburg [remove color- to reply]" 
   on the west coast of Canada, eh?
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"