Date: Sat, 4 Dec 2010 15:48:04 -0500 From: ken leland <kenleezle@gmail.com> To: freebsd-pf@freebsd.org, Janet <janet.leland@gmail.com>, Remi Quezada <remiquezada@gmail.com>, cmb@pfsense.org Subject: VoIP - Dynamic Pinholes for RTP - SIP ALG Message-ID: <AANLkTi=qUJs=xnxfH0w7d9Ez3KbAamj1vFtV=1rf4KOK@mail.gmail.com>
Hello,

I work at an ITSP where we use Juniper Firewalls. We would like to move our firewalls over to PF (pfSense specifically), but there is a feature missing. I am writing to engage the development community to gather feedback on implementing this feature. Two other developers and I are interested in working for the FreeBSD project to contribute this feature, and we have already begun preliminary research.

Here is a technical summary of the feature:

The media stream for a SIP call uses dynamically assigned port numbers. These port numbers can change several times during the course of a call. The dynamic nature of these port numbers makes it impossible to create a static policy to control media traffic. Any attempt at a static policy will either be too permissive or too restrictive. Instead the policy needs to be dynamic, hence the term "Dynamic Pinholes."

pfSense should read the SIP messages and their SDP content and extract the port-number information it needs to dynamically open pinholes to let the media stream traverse the firewall. An internal table should be maintained, and when the call is signalled to end, the pinhole should be closed, i.e. the dynamic rule created to permit the media stream should be removed.

The mechanism responsible for creating the pinhole, hereafter referred to as d'pinholer, needs to concern itself with SIP packets containing SDPs. When a SIP packet is permitted, d'pinholer checks to see if it includes an SDP, and if it does it should extract and record the IP addresses and port numbers.

I have already engaged the pfSense community and our discussion is documented here: http://redmine.pfsense.org/issues/1064

I will be following up with a proposed implementation.

Ken Leland III
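The pinhole mechanism described in the message above, as an added example that is not part of the original post and not code from pfSense or the FreeBSD PF project. It models a user-space "d'pinholer": parse a SIP message, pull the media address and port from any SDP body, open pinholes keyed by Call-ID, and close them all when a BYE or CANCEL arrives. The `PinholeTable`, `Pinhole` and `sdp_media_endpoints` names and the SIP messages at the bottom are constructed for this example; the RTCP port is assumed to be the RTP port plus one, the usual RTP/AVP convention, and the rule check is deliberately narrow: a packet is permitted only between two media endpoints of the same call.

```python
"""Minimal SIP/SDP pinhole tracker (example code, not pfSense/PF code)."""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pinhole:
    ip: str
    port: int
    proto: str = "udp"   # RTP/RTCP media runs over UDP


@dataclass
class Call:
    pinholes: set = field(default_factory=set)   # media endpoints allowed for this Call-ID


def parse_sip(raw: str):
    """Split a SIP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sdp_media_endpoints(sdp: str):
    """Return the (ip, port) pairs a peer announces for media in an SDP body.

    A media-level c= line overrides the session-level one, a port of 0 means the
    stream is rejected (no pinhole), and RTP streams also get their RTCP port.
    """
    session_ip = None
    media = []   # [port, ip, transport] per m= section, in order
    for line in sdp.splitlines():
        if line.startswith("c="):
            m = re.match(r"c=IN IP4 ([\d.]+)", line)
            if not m:
                continue
            if media:
                media[-1][1] = m.group(1)   # media-level c= applies to the last m=
            else:
                session_ip = m.group(1)
        elif line.startswith("m="):
            m = re.match(r"m=(\w+) (\d+)(?:/\d+)? (\S+)", line)
            if m:
                media.append([int(m.group(2)), session_ip, m.group(3)])
    endpoints = set()
    for port, ip, transport in media:
        if port == 0 or ip is None:
            continue
        endpoints.add((ip, port))
        if transport.startswith("RTP/"):
            endpoints.add((ip, port + 1))   # RTCP, assumed at RTP port + 1
    return endpoints


class PinholeTable:
    """Per-call table of dynamic media rules; the firewall consults permits()."""

    def __init__(self):
        self.calls = {}

    def process(self, raw: str):
        """Feed one permitted SIP message; return the pinholes opened or closed."""
        start, headers, body = parse_sip(raw)
        call_id = headers.get("call-id")
        if call_id is None:
            return set()
        if start.startswith(("BYE ", "CANCEL ")):
            # Call is ending: drop every rule created for it.
            return self.calls.pop(call_id, Call()).pinholes
        if "application/sdp" in headers.get("content-type", "").lower():
            call = self.calls.setdefault(call_id, Call())
            opened = {Pinhole(ip, port) for ip, port in sdp_media_endpoints(body)}
            call.pinholes |= opened   # a real implementation would also age entries out
            return opened
        return set()

    def permits(self, src_ip, src_port, dst_ip, dst_port) -> bool:
        """Allow a datagram only between two media endpoints of the same call."""
        a, b = Pinhole(src_ip, src_port), Pinhole(dst_ip, dst_port)
        return a != b and any(a in c.pinholes and b in c.pinholes for c in self.calls.values())


# Constructed sample messages: offer from the inside phone, answer from the far end, then BYE.
INVITE_SAMPLE = ("INVITE sip:bob@example.net SIP/2.0\r\nCall-ID: call-1@10.0.0.5\r\n"
                 "Content-Type: application/sdp\r\n\r\nv=0\r\nc=IN IP4 10.0.0.5\r\n"
                 "m=audio 49170 RTP/AVP 0\r\nm=video 51372 RTP/AVP 31\r\nc=IN IP4 10.0.0.6\r\n")
OK_SAMPLE = ("SIP/2.0 200 OK\r\nCall-ID: call-1@10.0.0.5\r\nContent-Type: application/sdp\r\n\r\n"
             "v=0\r\nc=IN IP4 198.51.100.7\r\nm=audio 3456 RTP/AVP 0\r\nm=video 0 RTP/AVP 31\r\n")
BYE_SAMPLE = "BYE sip:bob@example.net SIP/2.0\r\nCall-ID: call-1@10.0.0.5\r\n\r\n"

if __name__ == "__main__":
    table = PinholeTable()
    for msg in (INVITE_SAMPLE, OK_SAMPLE):
        print("opened:", sorted((p.ip, p.port) for p in table.process(msg)))
    print("audio allowed:", table.permits("10.0.0.5", 49170, "198.51.100.7", 3456))
    print("closed:", len(table.process(BYE_SAMPLE)), "pinholes on BYE")
```

Two points the sample exercises that a static rule cannot express: the far end's rejected video stream (`m=video 0`) gets no rule at all, and a media-level `c=` line moves the video pinhole to a different host than the audio one, so a rule derived only from the SIP packet's source address would be wrong.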
