> OpenBSD PF firewall consisting of ext, DMZ, internal/private interfaces.
> VOIP server sitting in the DMZ.
> Multiple (pick any number, 5, 10, 100) SIP phones in the private LAN.
> Multiple mobile (pick any number, 5, 10, 100) SIP phones anywhere in the USA.
> (NOTE: Mobile means they are carried and plugged in anywhere, but are
> programmed with the static IP gateway address.)
>
> How would you create a working pf.conf file so everything 'just works'?
What do you mean exactly by "just works"? Are the external phones supposed to talk with the internal phones? Do the internal phones have public or private addresses? Are you using RTP/RTCP for audio? Are the audio streams phone-to-phone, or are you using media anchoring on your VoIP server? What VoIP server are you using? Does it use TCP and/or UDP for SIP signalling? What is the port range used on the SIP phones for RTP/RTCP?

There's a lot more info required before one can draw up an appropriate pf configuration file.

Also, AFAIK there is currently no ftp-proxy-like application available for SIP for pf, so you won't be able to use pf as an ALG or dynamic firewall for your SIP traffic. You'll have to determine all your possible call flows, analyze the potential ports used (SIP and RTP/RTCP) for each of these call flows, and then prepare a pf.conf that caters to all of these.

Regards,
-Martin
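The following pf.conf skeleton is an added illustration of the approach Martin describes (enumerate every call flow and open its SIP and RTP/RTCP ports statically); it is not part of the original thread and not a configuration from the original poster. Everything in it is an assumption chosen for the example: the interface names em0/em1/em2, the DMZ and LAN addresses, the server's RTP range 10000:20000 and the phones' RTP range 16384:32767, SIP over UDP only, and media anchored on the VoIP server (no phone-to-phone RTP, which is the case the missing ALG would otherwise bite). The syntax is that of OpenBSD 4.7 and later, where rdr-to and nat-to are options on pass rules rather than separate rdr/nat rules.

```pf
# Added example, not from the original thread.  Interfaces, addresses and
# port ranges below are hypothetical placeholders; replace them with the
# values from your own VoIP server and phone documentation.

ext_if   = "em0"               # public side: the "static IP gateway address" the phones point at
dmz_if   = "em1"               # DMZ holding the VoIP server
int_if   = "em2"               # private LAN holding the desk phones
voip_srv = "10.0.1.10"         # VoIP server in the DMZ (assumed)
int_net  = "10.0.2.0/24"       # private LAN (assumed)

sip_port        = "5060"       # SIP signalling, UDP only in this example
srv_rtp_ports   = "10000:20000"  # RTP/RTCP range configured on the VoIP server (assumed)
phone_rtp_ports = "16384:32767"  # RTP/RTCP range configured on the phones (assumed; check the phone docs)

set skip on lo
block log all                  # default deny on every interface; each flow below is opened explicitly

# Flow 1: mobile phones anywhere on the Internet -> VoIP server.
# They send to the firewall's external address, so redirect to the DMZ server.
pass in quick on $ext_if inet proto udp from any to ($ext_if) \
    port { $sip_port, $srv_rtp_ports } rdr-to $voip_srv
pass out quick on $dmz_if inet proto udp from any to $voip_srv \
    port { $sip_port, $srv_rtp_ports }

# Flow 2: VoIP server -> mobile phones (INVITEs for inbound calls, anchored media).
# Source-NAT to the external address on the way out.
pass in quick on $dmz_if inet proto udp from $voip_srv to any \
    port { $sip_port, $phone_rtp_ports }
pass out quick on $ext_if inet proto udp from $voip_srv to any \
    port { $sip_port, $phone_rtp_ports } nat-to ($ext_if)

# Flow 3: desk phones on the private LAN -> VoIP server.
pass in quick on $int_if inet proto udp from $int_net to $voip_srv \
    port { $sip_port, $srv_rtp_ports }
pass out quick on $dmz_if inet proto udp from $int_net to $voip_srv \
    port { $sip_port, $srv_rtp_ports }

# Flow 4: VoIP server -> desk phones.  The "pass in on $dmz_if ... to any"
# rule of flow 2 already admits these packets on the DMZ side; this lets
# them leave on the LAN interface.
pass out quick on $int_if inet proto udp from $voip_srv to $int_net \
    port { $sip_port, $phone_rtp_ports }
```

Because pass rules keep state by default, the reply direction of each flow needs no rule of its own. If the server also signals over TCP, duplicate the SIP rules with `proto { tcp, udp }` (RTP stays UDP). Check the file with `pfctl -nf /etc/pf.conf` before loading it, and remember that any call flow not listed here (for example phone-to-phone media without anchoring on the server) will simply be blocked by the default deny.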