Subject: Re: ipfilter and SIP
To: Stephen Borrill <netbsd@precedence.co.uk>
From: Darren Reed <darrenr@netbsd.org>
List: tech-net
Date: 08/22/2007 02:50:43
Stephen Borrill wrote:
> On Tue, 21 Aug 2007, Darren Reed wrote:
>> Tobias Nygren wrote:
>>> On Tue, 21 Aug 2007 09:55:54 -0400 (EDT)
>>> Alicia da Conceicao <alicia@engine.ca> wrote:
>>>
>>> > Greetings:
>>> >
>>> > Does anyone know if there is any type of application proxy for ipfilter
>>> > and SIP on NetBSD?
> [snip]
>>> I could never get my SIP phone to work with ipfilter and NAT, however
>>> I did manage to get it to work with pf(4), using the setup below.
>>> The static-port keyword was the magic I needed.
>>>
>>> ext_if = "tap0"
>>> sip_ports = "{3478:3479, 5060:5061, 10000:10007}"
>>> sip_ip = "172.18.1.66/32"
>>> nat on $ext_if from $sip_ip to any -> $ext_if static-port
>>> rdr on $ext_if proto udp from any to $ext_if port $sip_ports -> $sip_ip
>>> pass in quick on $ext_if inet proto udp from any to any port $sip_ports
>>
>> The only part that IPFilter is incapable of here is expressing
>> the above in so few rules.
>
> Darren, can you give us a quick recipe-book entry based on the above 
> so that it'll be here if people Google for it later?

The only real dilemma is matching the IP# for the rdr rule, but that won't
be a problem forever...

For ipnat.conf, you can use:
map tap0 from 172.18.1.66/32 to any -> 0/32
rdr tap0 from any to tap0-ip# port 3477><3480 -> 172.18.1.66 udp
rdr tap0 from any to tap0-ip# port 5059><5062 -> 172.18.1.66 udp
rdr tap0 from any to tap0-ip# port 9999><10008 -> 172.18.1.66 udp

If you're using a "map tap0 ... portmap ... tcp/udp" style rule then you
may want to put these up the very top:
map tap0 from 172.18.1.66/32 port 3477><3480 to any -> 0/32 udp
map tap0 from 172.18.1.66/32 port 5059><5062 to any -> 0/32 udp
map tap0 from 172.18.1.66/32 port 9999><10008 to any -> 0/32 udp

For ipf.conf, you can use:
pass in quick on tap0 proto udp from any to any port 3478:3479 keep state
pass in quick on tap0 proto udp from any to any port 5060:5061 keep state
pass in quick on tap0 proto udp from any to any port 10000:10007 keep state

If you wanted you could use $ext_if, like this:

ext_if="tap0";
pass in quick on $ext_if proto udp from any to any port 3478:3479 keep state
pass in quick on $ext_if proto udp from any to any port 5060:5061 keep state
pass in quick on $ext_if proto udp from any to any port 10000:10007 keep state

but I'm not always sure it is a worthwhile change.

But it's obvious that ipnat.conf needs to be taught "portlow:porthigh".

Cheers,
Darren
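The pf-to-ipnat port-range translation discussed above, as an added example that is not part of the original thread: a small Python helper (my own, not ipfilter's code) that turns a pf-style inclusive port list like `sip_ports` into the `map`/`rdr` rules shown, and checks which ports an ipnat `port a><b` clause actually covers. The names `PF_SIP_PORTS`, `ipnat_rules` and `ports_covered` are mine, and the refusal of ranges ending at 65535 is a conservative assumption.

```python
# Added example (not from the thread): pf inclusive port lists -> ipnat rules,
# plus a check of what an ipnat 'port a><b' clause actually covers.
import re

# Constructed from the thread: pf's inclusive "low:high" port list.
PF_SIP_PORTS = "{3478:3479, 5060:5061, 10000:10007}"

def parse_pf_ports(spec):
    """'{3478:3479, 5060}' -> [(3478, 3479), (5060, 5060)] (inclusive)."""
    ranges = []
    for item in spec.strip("{} ").split(","):
        item = item.strip()
        if not item:
            continue
        low, _, high = item.partition(":")
        ranges.append((int(low), int(high or low)))
    return ranges

def to_ipnat_exclusive(low, high):
    """ipnat 'port a><b' matches a < port < b, so widen each side by one.
    Conservative assumption: both bounds stay in 0..65535, so a range
    ending at 65535 is rejected rather than emitting 'port ...><65536'."""
    if not (1 <= low <= high <= 65534):
        raise ValueError(f"cannot express {low}:{high} with ><")
    return low - 1, high + 1

def ipnat_rules(ext_if, internal_ip, spec, proto="udp"):
    """Emit the map + rdr rules in the shape used above for one inside host."""
    rules = [f"map {ext_if} from {internal_ip}/32 to any -> 0/32"]
    for low, high in parse_pf_ports(spec):
        a, b = to_ipnat_exclusive(low, high)
        rules.append(f"rdr {ext_if} from any to {ext_if}-ip# "
                     f"port {a}><{b} -> {internal_ip} {proto}")
    return rules

def ports_covered(rule):
    """Inclusive (low, high) matched by the 'port' clause of an ipnat rule."""
    m = re.search(r"\bport (\d+)><(\d+)", rule)
    if m:
        return int(m.group(1)) + 1, int(m.group(2)) - 1
    m = re.search(r"\bport (\d+)\b", rule)
    return (int(m.group(1)),) * 2 if m else None

def same_coverage(spec, rules):
    """True when the rdr rules cover exactly the pf port list, nothing more."""
    wanted = sorted(parse_pf_ports(spec))
    got = sorted(ports_covered(r) for r in rules if r.startswith("rdr"))
    return wanted == got
```

Running `same_coverage(PF_SIP_PORTS, ipnat_rules("tap0", "172.18.1.66", PF_SIP_PORTS))` is the off-by-one check worth doing before loading a hand-written `><` rule.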