Thread: Re: ipfilter and SIP

Re: ipfilter and SIP
Tobias Nygren, Sweden
2007-08-21 11:44:28
On Tue, 21 Aug 2007 09:55:54 -0400 (EDT)
Alicia da Conceicao <aliciaengine.ca> wrote:

> Greetings:
> 
> Does anyone know if there is any type of application proxy for ipfilter
> and SIP on NetBSD?  Ipfilter has an application proxy for outgoing active
> mode FTP, and Linux has a SIP application proxy that works with its
> IPTables, but I cannot find any solution for NetBSD.  The Linux Shorewall
> distribution is able to do this right out of the box, so hopefully some
> solution exists for NetBSD.
> 
> I have a Cisco 7960 IP phone (SIP based) with a vonage soft account,
> which accesses the Internet via a NetBSD router (running NetBSD 3.1,
> ipfilter & ipnat).  The IP phone does not have any difficulties calling
> out, but more than 80% of the incoming calls are blocked by ipfilter.
> I can observe the blocked incoming UDP SIP packets using ipmon.  If I
> configure ipfilter to allow all incoming traffic, then the IP phone is
> able to receive all of the calls without any problems.  But neutralizing
> the firewall is not a secure option!
> 
> So other than using Linux, I considered using a lightweight SIP proxy,
> but neither asterisk nor openser could be considered lightweight or
> secure to put on a firewall.
> 
> Any suggestions would be greatly appreciated.
> 
> Thank you in advance,
> Alicia.
> 

Hi,

I could never get my SIP phone to work with ipfilter and NAT, however
I did manage to get it to work with pf(4), using the setup below.
The static-port keyword was the magic I needed.

# external interface, the UDP ports the phone uses, and the phone itself
ext_if = "tap0"
sip_ports = "{3478:3479, 5060:5061, 10000:10007}"
sip_ip = "172.18.1.66/32"
# NAT the phone's outbound traffic but keep its source port unchanged
nat on $ext_if from $sip_ip to any -> $ext_if static-port
# redirect inbound UDP on those ports from the external address to the phone
rdr on $ext_if proto udp from any to $ext_if port $sip_ports -> $sip_ip
# and let that (already redirected) traffic through the filter
pass in quick on $ext_if inet proto udp from any to any port $sip_ports

HTH,
-Tobias


Re: ipfilter and SIP
Darren, United States
2007-08-22 01:11:39
Tobias Nygren wrote:
> On Tue, 21 Aug 2007 09:55:54 -0400 (EDT)
> Alicia da Conceicao <aliciaengine.ca> wrote:
>
> > Greetings:
> > 
> > Does anyone know if there is any type of application proxy for ipfilter
> > and SIP on NetBSD?  Ipfilter has an application proxy for outgoing active
> > mode FTP, and Linux has a SIP application proxy that works with its
> > IPTables, but I cannot find any solution for NetBSD.  The Linux Shorewall
> > distribution is able to do this right out of the box, so hopefully some
> > solution exists for NetBSD.
> > 
> > I have a Cisco 7960 IP phone (SIP based) with a vonage soft account,
> > which accesses the Internet via a NetBSD router (running NetBSD 3.1,
> > ipfilter & ipnat).  The IP phone does not have any difficulties calling
> > out, but more than 80% of the incoming calls are blocked by ipfilter.
> > I can observe the blocked incoming UDP SIP packets using ipmon.  If I
> > configure ipfilter to allow all incoming traffic, then the IP phone is
> > able to receive all of the calls without any problems.  But neutralizing
> > the firewall is not a secure option!
> > 
> > So other than using Linux, I considered using a lightweight SIP proxy,
> > but neither asterisk nor openser could be considered lightweight or
> > secure to put on a firewall.
> > 
> > Any suggestions would be greatly appreciated.
> > 
> > Thank you in advance,
> > Alicia.
> > 
>
> Hi,
>
> I could never get my SIP phone to work with ipfilter and NAT, however
> I did manage to get it to work with pf(4), using the setup below.
> The static-port keyword was the magic I needed.
>
> ext_if = "tap0"
> sip_ports = "{3478:3479, 5060:5061, 10000:10007}"
> sip_ip = "172.18.1.66/32"
> nat on $ext_if from $sip_ip to any -> $ext_if static-port
> rdr on $ext_if proto udp from any to $ext_if port $sip_ports -> $sip_ip
> pass in quick on $ext_if inet proto udp from any to any port $sip_ports
>   

The only part that IPFilter is incapable of here is expressing
the above in so few rules.

Darren
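For readers on the original poster's setup (NetBSD with ipfilter and ipnat rather than pf), the following is an added example written by the editor of the pf rules from Tobias' post spelled out as ipnat and ipf rules; it is not configuration from Darren, Tobias or the IPFilter project. It assumes, as the pf example does, that tap0 is the external interface and 172.18.1.66 is the phone, and that the rest of the ipf ruleset (outbound rules, the default block) already exists. The exact range syntax should be checked against the ipnat(5) and ipf(5) pages of the NetBSD release in use, since only the single-port forms are taken from memory with confidence.

```conf
# /etc/ipnat.conf  (added example, not the thread's own configuration;
# assumes tap0 = external interface, 172.18.1.66 = the SIP phone)

# Outbound NAT for the phone only. With no "portmap" clause ipnat keeps
# the original source port where it can, which is the counterpart of pf's
# static-port: a REGISTER sent from UDP 5060 arrives at the provider from
# UDP 5060, so replies and later INVITEs come back to a port we redirect.
map tap0 172.18.1.66/32 -> 0/32

# Inbound redirects, one per port or range, covering the same UDP ports
# as the pf macro (STUN 3478-3479, SIP 5060-5061, the 10000-10007 block).
rdr tap0 0/0 port 3478 -> 172.18.1.66 port 3478 udp
rdr tap0 0/0 port 3479 -> 172.18.1.66 port 3479 udp
rdr tap0 0/0 port 5060 -> 172.18.1.66 port 5060 udp
rdr tap0 0/0 port 5061 -> 172.18.1.66 port 5061 udp
rdr tap0 0/0 port 10000-10007 -> 172.18.1.66 port 10000 udp

# /etc/ipf.conf  (inbound section only; the existing outbound rules and
# the default inbound block are assumed to be in place)
#
# IPFilter translates inbound packets before filtering them, so the pass
# rules match on the post-rdr destination: the phone, not the external
# address. Nothing else inbound is opened.
pass in quick on tap0 proto udp from any to 172.18.1.66 port = 3478
pass in quick on tap0 proto udp from any to 172.18.1.66 port = 3479
pass in quick on tap0 proto udp from any to 172.18.1.66 port = 5060
pass in quick on tap0 proto udp from any to 172.18.1.66 port = 5061
# "><" is an exclusive range in ipf(5), so this matches 10000 through 10007
pass in quick on tap0 proto udp from any to 172.18.1.66 port 9999 >< 10008
```

Load with `ipnat -CF -f /etc/ipnat.conf` and `ipf -Fa -f /etc/ipf.conf`, confirm the translations with `ipnat -l` while the phone is registered (the phone's entry should show the same source port on both sides of the mapping), and keep `ipmon` running as the original poster did: if inbound INVITEs are still logged as blocked, the provider is sending them to a port outside this list.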

