In <https://marc.info/?l=openbsd-misc&m=162550822403762&w=1> I asked for advice on using an OpenBSD firewall to protect a VOIP box from network attacks.
Several people have suggested isolating the VOIP box in a separate
sublan.  This is a good idea.  In fact, the network topology I'm planning

>
>                         +--------------+
>   (internet) -----------| $ISP DSL     |
>                         | modem/router |
>                         +--------------+
>                                |
>                                |
>                         +----------+     +-----------+
>                         | OpenBSD  |-----| Ooma Telo |.......... analog
>                         | firewall |     | VOIP box  |           telephones
>                         +----------+     +-----------+
>                           |      |
>          +--------+       |      |
>          | Wifi   |-------+      +------ wired client
>          | access |              (or network switch for
>          | point  |               multiple wired clients)
>          +--------+

already does this.  The firewall has separate network ports for
* uplink to $ISP DSL modem/router
* the wifi access point
* the wired client (or, in the future, a network switch connected to
  multiple wired clients)
* the VOIP box
so it's easy for the firewall's pf ruleset to keep the subnets' traffic
separate.

The harder problem, which I don't yet know how to solve, is how to
appropriately firewall the VOIP box from the (hostile) outside world.
Here there is some legitimate traffic (carrying phone calls and/or Ooma
software updates), and the problem is how to best configure the firewall
so as to block as large a range of "nastygram" packets from the outside
world as possible, while still passing the legitimate traffic.

-- 
-- "Jonathan Thornburg [remove color- to reply]" <[email protected]>
   on the west coast of Canada, eh?
   "There was of course no way of knowing whether you were being watched
    at any given moment.  How often, or on what system, the Thought Police
    plugged in on any individual wire was guesswork.  It was even
    conceivable that they watched everybody all the time."
                                          -- George Orwell, "1984"
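For readers following the thread, here is a pf.conf skeleton (added as an example; it is not the poster's ruleset and not anything the Ooma documentation specifies) that implements the four-port topology above in the "default deny, stateful pass" style. The interface names (em0..em3) and the three RFC1918 subnets are assumptions; the Ooma box is only allowed to initiate connections outwards, so unsolicited packets from the uplink are dropped by the default block while replies to the box's own connections come back through the state table.

```pf
# --- assumed interface layout (adjust to your hardware) ---
ext_if  = "em0"      # uplink to the $ISP DSL modem/router
wifi_if = "em1"      # wifi access point
lan_if  = "em2"      # wired client, or a switch for several clients
voip_if = "em3"      # Ooma Telo VOIP box, alone on its own subnet

# --- assumed addressing: one /24 per downstream port ---
voip_net = "192.168.3.0/24"
table <client_nets> { 192.168.1.0/24 192.168.2.0/24 }

set skip on lo
set block-policy drop          # silently drop, give probes nothing back

# Normalise fragments and clamp MSS on everything that comes in
match in all scrub (no-df random-id max-mss 1440)

# NAT all downstream subnets behind the uplink address
match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if)

# Default deny in both directions, logged so pflog0 shows what was dropped
block log all

# Reject packets whose source address does not belong on the arrival interface
antispoof quick for { $ext_if $wifi_if $lan_if $voip_if }

# The VOIP box must never talk to the client subnets (quick: wins over later pass)
block in log quick on $voip_if from $voip_net to <client_nets>
# ...but may initiate connections to the outside world; replies ride the state
pass in on $voip_if from $voip_net to any

# Clients must never talk to the VOIP box, but may reach the internet
block in log quick on { $wifi_if $lan_if } from <client_nets> to $voip_net
pass in on { $wifi_if $lan_if } from <client_nets> to any

# Nothing unsolicited is accepted from the uplink: no "pass in on $ext_if"
# rule exists, so inbound traffic to the VOIP box that does not match an
# existing state hits "block log all".

# Forwarded and locally generated traffic may leave on any interface
pass out all
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0` while placing a call: whatever the Ooma box genuinely needs will show up either as passed state traffic or as logged drops, which tells you whether an explicit inbound rule is required and for exactly which flows, instead of guessing.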

