Subject: Re: ipfilter and SIP
To: Tobias Nygren <tnn@NetBSD.org>
From: Darren Reed <darrenr@netbsd.org>
List: tech-net
Date: 08/21/2007 23:11:39
Tobias Nygren wrote:
> On Tue, 21 Aug 2007 09:55:54 -0400 (EDT)
> Alicia da Conceicao <alicia@engine.ca> wrote:
>
> > Greetings:
> > 
> > Does anyone know if there is any type of application proxy for ipfilter
> > and SIP on NetBSD?  Ipfilter has an application proxy for outgoing active
> > mode FTP, and Linux has a SIP application proxy that works with its
> > IPTables, but I cannot find any solution for NetBSD.  The Linux Shorewall
> > distribution is able to do this right out of the box, so hopefully some
> > solution exists for NetBSD.
> > 
> > I have a Cisco 7960 IP phone (SIP based) with a vonage soft account,
> > which accesses the Internet via a NetBSD router (running NetBSD 3.1,
> > ipfilter & ipnat).  The IP phone does not have any difficulties calling
> > out, but more than 80% of the incoming calls are blocked by ipfilter.
> > I can observe the blocked incoming UDP SIP packets using ipmon.  If I
> > configure ipfilter to allow all incoming traffic, then the IP phone is
> > able to receive all of the calls without any problems.  But neutralizing
> > the firewall is not a secure option!
> > 
> > So other than using Linux, I considered using a lightweight SIP proxy,
> > but neither asterisk nor openser could be considered lightweight or
> > secure to put on a firewall.
> > 
> > Any suggestions would be greatly appreciated.
> > 
> > Thank you in advance,
> > Alicia.
> > 
>
> Hi,
>
> I could never get my SIP phone to work with ipfilter and NAT, however
> I did manage to get it to work with pf(4), using the setup below.
> The static-port keyword was the magic I needed.
>
> ext_if = "tap0"
> sip_ports = "{3478:3479, 5060:5061, 10000:10007}"
> sip_ip = "172.18.1.66/32"
> nat on $ext_if from $sip_ip to any -> $ext_if static-port
> rdr on $ext_if proto udp from any to $ext_if port $sip_ports -> $sip_ip
> pass in quick on $ext_if inet proto udp from any to any port $sip_ports
>   

The only part that IPFilter is incapable of here is expressing
the above in so few rules.

Darren
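The ipfilter/ipnat equivalent of the pf rules Tobias quoted, as an added example that is not from this thread: same interface, phone address and UDP ports. It assumes an ipnat map rule with no portmap clause leaves the source port unchanged (ipfilter's counterpart to pf's static-port), that inbound rdr translation is applied before the ipf rules see the packet, and a LAN of 172.18.1.0/24 for the catch-all map rule.

```conf
# /etc/ipnat.conf (added example, not from the thread)
# The phone gets its own map rule with no portmap clause, so its UDP
# source ports are left as-is (assumed equivalent of pf "static-port").
# ipnat takes the first matching map rule, so this must come before the
# general rule that rewrites source ports for the rest of the LAN.
map tap0 172.18.1.66/32 -> 0/32
map tap0 172.18.1.0/24 -> 0/32 portmap tcp/udp 40000:60000

# Inbound STUN, SIP and RTP aimed at the router are redirected to the
# phone; ipnat maps a "low-high" range onto consecutive ports.
rdr tap0 0.0.0.0/0 port 3478-3479 -> 172.18.1.66 port 3478 udp
rdr tap0 0.0.0.0/0 port 5060-5061 -> 172.18.1.66 port 5060 udp
rdr tap0 0.0.0.0/0 port 10000-10007 -> 172.18.1.66 port 10000 udp

# /etc/ipf.conf
# Inbound NAT runs before filtering, so the filter sees the translated
# (phone) address.  "><" is an exclusive range in ipf, hence the bounds
# sit one port outside each range.
pass in quick on tap0 proto udp from any to 172.18.1.66 port 3477 >< 3480 keep state
pass in quick on tap0 proto udp from any to 172.18.1.66 port 5059 >< 5062 keep state
pass in quick on tap0 proto udp from any to 172.18.1.66 port 9999 >< 10008 keep state
```

Reload with `ipnat -CF -f /etc/ipnat.conf` and `ipf -Fa -f /etc/ipf.conf`, then watch `ipmon` to confirm the previously blocked inbound SIP packets are now passed and redirected.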