
PF, VoIP and SIP



I'm trying to get an IP phone to talk to our local office over my DSL
line. It's a SIP based phone (Cisco 7940) and I believe I have all the
right options opened in PF, but it's not quite working. Would someone
care to take a look at it and see if I missed something?
TIA,
Steve
## PF Ruleset--------------------------------------------------
#
# Review notes: pf evaluates rules top to bottom and the LAST matching
# rule wins, except that a rule carrying "quick" is final. Ordering is
# therefore significant throughout this file. There is no "block out"
# default, so outbound traffic not matched by any rule is passed.
## ------------------------------------------------------------
## Macros
# $external_addr, $int_gw and $wi_gw are defined but not referenced by
# any rule below.
ext_if = "fxp0"
int_if = "fxp1"
wi_if  = "fxp2"
external_addr = "x.x.x.x"
int_network   = "192.168.1.0/24"
int_gw        = "192.168.1.1/32"
wi_network    = "10.0.26.0/24"
wi_gw         = "10.0.26.1/32"
icmp_types    = "echoreq"
voip_tcp      = "5060"
# "><" is an exclusive range: 9999 >< 20001 covers 10000-20000.
voip_udp      = "{ 5060, 4569, 5036, 9999 >< 20001, 2727 }"
## Tables
# IANA reserved IP blocks as of 8/2004
# http://www.completewhois.com/iana-ipv4-addresses.txt
# NOTE(review): a static bogon list goes stale as /8s are allocated; every
# entry is applied on $ext_if in both directions below, so peers in a
# since-allocated block would be dropped. Keep the list refreshed, or
# load it from a maintained file rather than hard-coding it here.
table <reserved> const { 0/8, 1/8, 2/8, 5/8, 7/8, 10/8, 14/8,  23/8,
27/8, 31/8, 36/8, 37/8, 39/8, 41/8, \
49/8, 50/8, 42/8, 73/8, 74/8, 75/8, 76/8, 77/8, 78/8, 79/8, 89/8,
90/8, 91/8, 92/8, 93/8, 94/8, 95/8, 96/8,\
97/8, 98/8, 99/8, 100/8, 101/8, 102/8, 103/8, 104/8, 105/8, 106/8,
107/8, 108/8, 109/8, 110/8, 111/8, 112/8,\
113/8, 114/8, 115/8, 116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8,
123/8, 124/8, 125/8, 126/8, 127/8, 173/8,\
174/8, 175/8, 176/8, 177/8, 178/8, 179/8, 180/8, 181/8, 182/8, 183/8,
184/8, 185/8, 186/8, 187/8, 189/8, 190/8,\
197/8, 223/8, 240/8, 241/8, 242/8, 243/8, 244/8, 245/8, 246/8, 247/8,
248/8, 249/8, 250/8, 251/8, 252/8, 253/8,\
254/8, 255/8  }
## Options
# Blocked TCP is answered with RST and blocked UDP with ICMP unreachable
# rather than silently dropped.
set block-policy return
# Interface whose counters pfctl reports.
set loginterface $ext_if
set optimization normal
## Scrub
# Normalise inbound packets on the DSL side: randomise the IP id and
# reassemble fragments before the filter sees them.
scrub in on $ext_if all random-id fragment reassemble 
## Translation - NAT/RDR
# Both internal networks are source-translated to the $ext_if address;
# the parentheses make pf re-read that address when it changes.
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $wi_if:network  to any -> ($ext_if)
# Internal FTP control connections are redirected to a local proxy on
# 8021 (presumably ftp-proxy; confirm). This is the ONLY rdr in the file:
# nothing redirects inbound SIP/RTP from $ext_if to the phone on $int_if.
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
## Filter rules
# Default deny inbound on every interface (no matching "block out").
block in all
# Drop and log packets claiming $ext_if's own address or network on the
# wrong interface; quick, so later pass rules cannot override it.
antispoof log quick for $ext_if inet
# drop dsl noise/broadcast packets
block in quick on $ext_if inet from any to { 255.255.255.255 }
# Block all reserved IP addresses.
# Both rules match on the SOURCE address only: inbound packets sourced
# from a bogon block, and outbound packets whose source is one. Outbound
# traffic TO a reserved block is not blocked here.
block in  quick on $ext_if inet from <reserved> to any
block out quick on $ext_if inet from <reserved> to any
# block extra DNS replies
# Not "quick": a later matching pass rule would still win.
block return in on $ext_if inet proto udp from port=domain to port=domain
# Block NetBIOS traffic to the local LAN
# NOTE(review): "137 >< 139" is exclusive and therefore matches only 138;
# 137 and 139 are not in the list (137:139 would be inclusive). These
# rules are TCP only; the UDP counterparts are not covered.
block in  quick on $ext_if inet proto tcp from any to any port { 135,
137 >< 139, 445 }
block out quick on $ext_if inet proto tcp from any to any port { 135,
137 >< 139, 445 }
# block nmap attempts
# Illegal flag combinations (FIN+URG+PUSH, SYN+FIN, no flags), logged
# and final.
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
# pass loopback traffic
pass in  quick on lo0 all
pass out quick on lo0 all
# pass SSH traffic 
# NOTE(review): SSH is accepted from any source on the DSL side; consider
# narrowing "from any" to known management addresses.
pass in on $ext_if inet proto tcp from any to any port ssh flags S/SA keep state
# pass VoIP traffic
# NOTE(review): if the line break before "flags S/SA keep state" exists
# in the real file (not just mail wrapping), pfctl rejects the rule; join
# the two lines or end the first with a backslash.
# These "pass in on $ext_if" rules admit traffic addressed to this host
# itself. With no rdr to the phone, unsolicited SIP/RTP from the office
# never reaches $int_network. The phone's outbound registration and calls
# leave via the $int_if pass-in and $ext_if pass-out rules below and their
# replies return through state; but SIP/SDP carries the phone's private
# address inside the payload, which "nat" does not rewrite, so the far
# end may send RTP to 192.168.1.x. Either the phone or the office SIP
# server has to be NAT-aware, or an rdr/SIP proxy is needed here.
# (Inferred from the ruleset -- confirm with pflog/tcpdump on $ext_if.)
pass in  on $ext_if inet proto tcp from any to any port $voip_tcp
flags S/SA keep state
# Shadowed for IPv4 TCP by the "modulate state" pass-out rule at the end
# of the file (last match wins).
pass out on $ext_if inet proto tcp all flags S/SA keep state
# UDP 10000-20000 plus the listed ports are open from ANY source to this
# host; consider limiting the source to the office SIP/RTP server.
pass in  on $ext_if inet proto udp from any to any port $voip_udp keep state
# Shadowed by the "{ udp, icmp }" pass-out rule at the end of the file.
pass out on $ext_if proto udp all keep state
# allow internally generated traffic to pass
# No interface is given, so echo requests are accepted on $ext_if as well:
# the host answers pings from the Internet.
pass in inet proto icmp all icmp-type $icmp_types keep state
# Stateless; replies depend on the $ext_if pass-out state rules.
pass in on $int_if from $int_if:network to any 
pass out on $int_if from any to $int_if:network
# Final (and therefore winning) outbound rules on $ext_if: TCP with
# sequence-number modulation, UDP/ICMP with plain state.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state