Subject: Re: ipfilter and SIP
To: Alicia da Conceicao <alicia@engine.ca>
From: Tobias Nygren <tnn@NetBSD.org>
List: tech-net
Date: 08/21/2007 18:44:28
On Tue, 21 Aug 2007 09:55:54 -0400 (EDT)
Alicia da Conceicao <alicia@engine.ca> wrote:

> Greetings:
> 
> Does anyone know if there is any type of application proxy for ipfilter
> and SIP on NetBSD?  Ipfilter has an application proxy for outgoing active
> mode FTP, and Linux has a SIP application proxy that works with its
> IPTables, but I cannot find any solution for NetBSD.  The Linux Shorewall
> distribution is able to do this right out of the box, so hopefully some
> solution exists for NetBSD.
> 
> I have a Cisco 7960 IP phone (SIP based) with a vonage soft account,
> which accesses the Internet via a NetBSD router (running NetBSD 3.1,
> ipfilter & ipnat).  The IP phone does not have any difficulties calling
> out, but more than 80% of the incoming calls are blocked by ipfilter.
> I can observe the blocked incoming UDP SIP packets using ipmon.  If I
> configure ipfilter to allow all incoming traffic, then the IP phone is
> able to receive all of the calls without any problems.  But neutralizing
> the firewall is not a secure option!
> 
> So other than using Linux, I considered using a lightweight SIP proxy,
> but neither asterisk nor openser could be considered lightweight or
> secure to put on a firewall.
> 
> Any suggestions would be greatly appreciated.
> 
> Thank you in advance,
> Alicia.
> 

Hi,

I could never get my SIP phone to work with ipfilter and NAT; however,
I did manage to get it to work with pf(4), using the setup below.
The static-port keyword was the magic I needed.

ext_if = "tap0"
# STUN, SIP signalling and the phone's RTP media range
sip_ports = "{3478:3479, 5060:5061, 10000:10007}"
sip_ip = "172.18.1.66/32"
# static-port: do not rewrite the phone's UDP source ports when NATing,
# so the port it advertises in its SIP headers is the one the far end sees
nat on $ext_if from $sip_ip to any -> $ext_if static-port
# forward unsolicited inbound UDP on those ports to the phone ...
rdr on $ext_if proto udp from any to $ext_if port $sip_ports -> $sip_ip
# ... and let it through the filter (rdr translates, it does not pass)
pass in quick on $ext_if inet proto udp from any to any port $sip_ports

HTH,
-Tobias
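The following is an added illustration, not code from this thread, from NetBSD or from pf. It models the usual reason a port-rewriting NAT is hard on SIP and what static-port changes: SIP writes the phone's own transport address into the message (Via and Contact headers), while the NAT box rewrites only the IP/UDP headers, so the port the phone advertises stays truthful only if the NAT keeps the source port. The external address 203.0.113.1, the REGISTER text and the NAT table are constructed for the example, and the port-picking is a toy stand-in for pf's real behaviour. The pf port macro is the one from the ruleset above and is parsed to check which ports the rdr rule covers.

```python
"""Added illustration (not code from the thread, NetBSD or pf): why a NAT that
rewrites UDP source ports is hard on SIP, and what ``static-port`` changes.

SIP puts the phone's own transport address inside the message (Via, Contact),
and the NAT box rewrites only the IP/UDP headers.  The phone's advertised port
therefore stays truthful only if the NAT keeps the source port.  The external
address, the REGISTER text and the NAT table are constructed for this example;
the port-picking is a toy stand-in for pf's real behaviour."""

import re

# The pf macro from the posted ruleset, used to check which ports rdr covers.
SIP_PORTS_MACRO = "{3478:3479, 5060:5061, 10000:10007}"
SIP_DEFAULT_PORT = 5060
EPHEMERAL_START = 50000   # constructed pool for the port-rewriting NAT model

# Constructed sample: a REGISTER as a phone at 172.18.1.66 sends it without
# STUN, advertising its private address and port 5060 in Contact.
SAMPLE_REGISTER = (
    "REGISTER sip:sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 172.18.1.66:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1234@sip.example.net>;tag=1928301774\r\n"
    "To: <sip:1234@sip.example.net>\r\n"
    "Call-ID: a84b4c76e66710@172.18.1.66\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:1234@172.18.1.66:5060>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_pf_ports(macro: str) -> list[tuple[int, int]]:
    """Expand a pf port list like "{3478:3479, 5060}" into inclusive ranges."""
    ranges = []
    for item in macro.strip().strip("{}").split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def port_forwarded(port: int, ranges: list[tuple[int, int]]) -> bool:
    """True if an rdr rule using these ranges would forward this port."""
    return any(lo <= port <= hi for lo, hi in ranges)


def advertised_contact(msg: str) -> tuple[str, int]:
    """Return (host, port) from the Contact header; SIP defaults to 5060."""
    m = re.search(r"^Contact:\s*<sip:(?:[^@>]*@)?([\d.]+)(?::(\d+))?>", msg, re.M)
    if not m:
        raise ValueError("no Contact header")
    return m.group(1), int(m.group(2) or SIP_DEFAULT_PORT)


class Nat:
    """Toy source-NAT table: (inside ip, inside port) -> outside port."""

    def __init__(self, ext_ip: str, static_port: bool):
        self.ext_ip = ext_ip
        self.static_port = static_port
        self.table: dict[tuple[str, int], int] = {}
        self.next_port = EPHEMERAL_START

    def outbound(self, src_ip: str, src_port: int) -> tuple[str, int]:
        key = (src_ip, src_port)
        if key not in self.table:
            if self.static_port:
                self.table[key] = src_port          # like pf 'static-port'
            else:
                self.table[key] = self.next_port    # rewriting NAT picks anew
                self.next_port += 1
        return self.ext_ip, self.table[key]


def check(msg: str, static_port: bool, ext_ip: str = "203.0.113.1") -> dict:
    """Compare what the phone advertises with what the far end actually sees.

    Assumes the phone sends from the port it advertises in Contact, which is
    how a plain SIP UA without STUN behaves.
    """
    nat = Nat(ext_ip, static_port)
    host, contact_port = advertised_contact(msg)
    _, udp_port = nat.outbound(host, contact_port)
    return {
        "contact_port": contact_port,
        "udp_source_port": udp_port,
        "port_consistent": udp_port == contact_port,
        "rdr_covers_contact_port": port_forwarded(
            contact_port, parse_pf_ports(SIP_PORTS_MACRO)),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("static-port" if mode else "rewriting  ", check(SAMPLE_REGISTER, mode))
```

Run as a script, the rewriting case reports a Contact port of 5060 but a UDP source port from the ephemeral pool, while the static-port case reports both as 5060; in both cases the rdr range covers the advertised port, which is why the rdr and pass rules are needed in addition to static-port.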