(Sorry for the slow response - Christmas and all getting in the way...)

On Sat, Dec 23, 2006 at 03:40:50PM -0700, Bob DeBolt wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Joachim Schipper wrote:
>
> Hi Joachim
>
> > I don't really get what you want to do. What connects to what, and which
> > IP address are we talking about (does the phone get an address from the
> > firewall? The firewall from the ISP?)? From which traffic should the IP
> > be extracted? Are you aware that this is almost certainly not very
> > secure?
>
> The VOIP phone is connected to a D-Link router which is connected to an
> ISP via DHCP. This is connected through the Internet to the head office
> firewall, which uses a static IP specifically for the VOIP phone.
>
> The VOIP phone is hardwired to call home to the allocated firewall IP at
> head office and it uses specific ports to boot and stay alive, so they
> are easily detected when the phone calls home.
>
> The address of the DHCP D-Link router will change at some point, so I want
> to be able to detect the IP change at the firewall and automatically
> insert the new D-Link router IP address into a table on the firewall so
> connectivity is uninterrupted or at least minimized.

So, if the router gets a new IP address, the firewall should still allow
traffic to pass uninterrupted. Not trivial, and not usually necessary - is
the router really tied to a DHCP server that is sufficiently braindead to
return random IP addresses? It should, at least as long as it's on, have
the same IP.

> What I am hoping to be able to do seamlessly is extract the IP from the
> phone traffic when it calls home, basing it on port number, and insert
> the IP into a table.
>
> I would like to run something like authpf using the $userip macro, but
> the workstation at the VOIP phone office is an HP terminal.
>
> I had set up an OpenVPN box which worked very well, but it was unplugged
> for unknown reasons as it is not my network.

And how would you authenticate this? OpenVPN would work, but otherwise you
are deeply in VOIP-implementation land. Not something I know much about,
and not something I'd be inclined to rely on either.

It's fairly easy to cobble something together from tcpdump, pfctl -T, and
some scripting language (sh, perl, or whatever). That does not necessarily
make it a good idea, though. You could even take a look at ftp-proxy for
some ideas, if you want to rise a little above the level of dirty hack. Or
use one of the VOIP proxies available.

> A little extra info:
>
> Once the traffic gets through the firewall it is then connected to a
> control unit that reads the embedded MAC of the VOIP phone and, if it
> matches, it then moves on to set up a full connection.
>
> The VOIP phone MAC is supplied by the phone during the phone boot phase.
> If the MAC doesn't match, no connection.

This might not be the best setup either, but I assume you know what you
are doing...

		Joachim
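The "tcpdump, pfctl -T, and some scripting language" hack Joachim sketches, written out as an added example (this is not code from the thread or from either poster). It assumes a firewall VOIP address of 192.0.2.10, phone boot/keepalive ports 4060 and 2427, and a pf table named voipphone, all hypothetical; the tcpdump lines in the comments are constructed. The source IP is taken purely from the packet header, so anything that can send a packet to those ports can put itself in the table, which is exactly the "not very secure" point made above.

```shell
#!/bin/sh
# Added example: learn the remote router's current source IP from the
# phone's call-home traffic and load it into a pf table.
# Assumed (hypothetical) values, not taken from the thread:
VOIP_IP="192.0.2.10"        # head-office firewall address the phone calls
VOIP_PORTS="4060 2427"      # ports the phone uses to boot / stay alive
PF_TABLE="voipphone"        # pf table referenced by the pass rule
: "${PFCTL:=pfctl}"         # set PFCTL=echo for a dry run without root

# extract_phone_src: read "tcpdump -n -l" text on stdin, print the source
# address of every packet sent to $VOIP_IP on one of $VOIP_PORTS.
# Handles both line styles (constructed samples):
#   12:00:00.000000 203.0.113.7.49152 > 192.0.2.10.4060: udp 40       (OpenBSD)
#   12:00:00.000000 IP 203.0.113.7.49152 > 192.0.2.10.4060: UDP, ...  (tcpdump.org)
# by locating the ">" field and taking the addr.port fields around it.
extract_phone_src() {
    awk -v dst="$VOIP_IP" -v ports="$VOIP_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
        for (i = 2; i < NF; i++) if ($i == ">") break
        if (i >= NF) next
        src = $(i - 1); dstf = $(i + 1); sub(/:$/, "", dstf)
        # last dotted component is the port
        k = match(dstf, /\.[0-9]+$/); if (k == 0) next
        if (substr(dstf, 1, k - 1) != dst) next
        if (!(substr(dstf, k + 1) in want)) next
        k = match(src, /\.[0-9]+$/); if (k == 0) next
        print substr(src, 1, k - 1)
    }'
}

# update_phone_table: replace the table contents with the single address
# given, so a stale router IP never lingers alongside the new one.
update_phone_table() {
    ip="$1"
    [ -n "$ip" ] || return 1
    $PFCTL -t "$PF_TABLE" -T replace "$ip"
}

# monitor_phone: read addresses on stdin, touch pf only when the IP changes.
monitor_phone() {
    last=""
    while read -r ip; do
        [ "$ip" = "$last" ] && continue
        update_phone_table "$ip" && last="$ip"
    done
}

# Usage on the firewall (as root; -l keeps tcpdump line-buffered):
#   tcpdump -n -l -i egress dst host "$VOIP_IP" | extract_phone_src | monitor_phone
# with a pf.conf rule along the lines of
#   table <voipphone> persist
#   pass in on egress proto udp from <voipphone> to $VOIP_IP port { 4060 2427 }
```

The table name and ports must match pf.conf; note that "-T replace" drops every other entry, which is what you want here (one phone, one router) but not if the table is shared.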