From: ken leland <kenleezle@gmail.com>
To: freebsd-pf@freebsd.org, Janet, Remi Quezada, cmb@pfsense.org
Date: Sat, 4 Dec 2010 15:48:04 -0500
Subject: VoIP - Dynamic Pinholes for RTP - SIP ALG
List-Id: Technical discussion and general questions about packet filter (pf) <freebsd-pf@freebsd.org>

Hello,

I work at an ITSP where we use Juniper firewalls. We would like to move our firewalls over to PF (pfSense specifically), but there is a feature missing. I am writing to engage the development community to gather feedback on implementing this feature. Two other developers and I are interested in working for the FreeBSD project to contribute this feature, and we have already begun preliminary research.

Here is a technical summary of the feature:

The media stream for a SIP call uses dynamically assigned port numbers. These port numbers can change several times during the course of a call. The dynamic nature of these port numbers makes it impossible to create a static policy to control media traffic. Any attempt at a static policy will either be too permissive or too restrictive. Instead the policy needs to be dynamic, hence the term "Dynamic Pinholes."

pfSense should read the SIP messages and their SDP content and extract the port-number information it needs to dynamically open pinholes to let the media stream traverse the firewall. An internal table should be maintained, and when the call is signalled to end, the pinhole should be closed, i.e., the dynamic rule created to permit the media stream should be removed.

The mechanism responsible for creating the pinhole, hereinafter referred to as d'pinholer, needs to concern itself with SIP packets containing SDPs. When a SIP packet is permitted, d'pinholer checks to see if it includes an SDP, and if it does it should extract and record the IP addresses and port numbers.

I have already engaged the pfSense community and our discussion is documented here:

http://redmine.pfsense.org/issues/1064

I will be following up with a proposed implementation.

Ken Leland III
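The pinhole lifecycle described in the message above, as an added worked example that is not part of the original post and is not pf, pfSense or Juniper code. It is written in Python to show the parsing and state-tracking logic a d'pinholer needs, not as a proposal for where the code would live in pf. It parses SIP messages for an SDP body, extracts the c=/m= media endpoints, keeps a per-Call-ID table of the negotiated caller and callee media addresses, survives a re-INVITE that moves the media port (the old pinholes stay open until the new offer is accepted, and a rejected re-INVITE leaves them untouched), and closes everything on BYE. The pf rule text it emits, the assumption that RTCP sits on port+1, the sample addresses from the RFC 5737 documentation ranges, and the constructed SIP messages are all illustrative assumptions; loading the rules into a pf anchor with pfctl is not shown.

```python
# Added example, not pf/pfSense code: a toy SIP ALG that tracks SDP media
# endpoints per Call-ID and emits pf rules for the negotiated streams.
# Sample addresses, rule text and message layout are assumptions.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SipMessage:
    is_request: bool
    method: str        # request method, or the CSeq method for a response
    status: int        # 0 for requests
    call_id: str
    sdp: Optional[str]


def parse_sip(raw: bytes) -> SipMessage:
    """Split a SIP datagram into start line, headers and SDP body (if any)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Compact header forms (i, c, l) are legal SIP and must be accepted too.
    call_id = headers.get("call-id") or headers.get("i", "")
    ctype = headers.get("content-type") or headers.get("c", "")
    clen = headers.get("content-length") or headers.get("l", "")
    if clen.isdigit():
        body = body[: int(clen)]           # never read past the declared body
    start = lines[0]
    if start.startswith("SIP/2.0 "):       # response: method comes from CSeq
        cseq = headers.get("cseq", "")
        status, method, is_request = int(start.split()[1]), cseq.split()[-1] if cseq else "", False
    else:
        status, method, is_request = 0, start.split()[0], True
    has_sdp = ctype.lower().startswith("application/sdp") and bool(body)
    return SipMessage(is_request, method.upper(), status, call_id,
                      body.decode("utf-8", "replace") if has_sdp else None)


def media_endpoints(sdp: str) -> list:
    """(ip, port) per m= line, in order, so offer and answer pair by index
    (RFC 3264).  Session-level c= is the default, a media-level c= overrides
    it, port 0 means the stream is rejected, and 49170/2 means two ports."""
    session_ip, current, out = None, None, []
    for line in sdp.splitlines():
        if line.startswith("c="):              # c=IN IP4 192.0.2.10
            ip = line.split()[2]
            if current is None:
                session_ip = ip
            else:
                current[0] = ip
        elif line.startswith("m="):            # m=audio 49170 RTP/AVP 0 8
            if current is not None:
                out.append(tuple(current))
            current = [session_ip, int(line.split()[1].split("/")[0])]
    if current is not None:
        out.append(tuple(current))
    return out


@dataclass
class Call:
    offer: list = field(default_factory=list)    # established caller media
    answer: list = field(default_factory=list)   # established callee media
    pending: list = field(default_factory=list)  # offer awaiting a 2xx answer


class PinholeTable:
    """The internal table d'pinholer keeps between SIP signalling and pf."""

    def __init__(self):
        self.calls = {}

    def observe(self, raw: bytes) -> None:
        m = parse_sip(raw)
        if m.is_request and m.method == "BYE":
            self.calls.pop(m.call_id, None)          # call over: close pinholes
        elif m.is_request and m.method == "INVITE" and m.sdp:
            # Initial or re-INVITE: keep the old pinholes until the new offer is accepted.
            self.calls.setdefault(m.call_id, Call()).pending = media_endpoints(m.sdp)
        elif not m.is_request and m.method == "INVITE" and m.call_id in self.calls:
            call = self.calls[m.call_id]
            if 200 <= m.status < 300 and m.sdp:
                call.offer = call.pending or call.offer
                call.answer, call.pending = media_endpoints(m.sdp), []
            elif m.status >= 300:
                call.pending = []                    # offer rejected; old media stands
                if not call.answer:
                    del self.calls[m.call_id]        # never established at all
        # Not handled: delayed offers (SDP in 200/ACK), early media (183 with SDP),
        # CANCEL, dialog timeouts, and a=rtcp attributes that move RTCP off port+1.

    def rules(self) -> list:
        """pf rules allowing exactly the negotiated media in both directions;
        RTP and RTCP are assumed on port and port+1 (RFC 3550 default)."""
        out = set()
        for call in self.calls.values():
            for (a_ip, a_port), (b_ip, b_port) in zip(call.offer, call.answer):
                if not (a_ip and b_ip and a_port and b_port):
                    continue                         # stream rejected or no c= line
                out.add(f"pass quick proto udp from {a_ip} to {b_ip} port {b_port}:{b_port + 1} keep state")
                out.add(f"pass quick proto udp from {b_ip} to {a_ip} port {a_port}:{a_port + 1} keep state")
        return sorted(out)


def sip_datagram(start: str, call_id: str, cseq: str, sdp: str = "") -> bytes:
    """Build a minimal SIP message (constructed sample traffic, not a capture)."""
    body = sdp.encode()
    hdrs = [start, f"Call-ID: {call_id}", f"CSeq: {cseq}"]
    if body:
        hdrs += ["Content-Type: application/sdp", f"Content-Length: {len(body)}"]
    return "\r\n".join(hdrs).encode() + b"\r\n\r\n" + body


def sdp_for(ip: str, port: int) -> str:
    return f"v=0\r\no=- 1 1 IN IP4 {ip}\r\ns=-\r\nc=IN IP4 {ip}\r\nt=0 0\r\nm=audio {port} RTP/AVP 0 8\r\n"


def demo_call() -> list:
    """One call: INVITE, 200 OK, re-INVITE moving the caller port, 200 OK, BYE.
    Returns the rule list after each message."""
    t, snapshots = PinholeTable(), []
    for dgram in [
        sip_datagram("INVITE sip:bob@example.net SIP/2.0", "c1", "1 INVITE", sdp_for("192.0.2.10", 49170)),
        sip_datagram("SIP/2.0 200 OK", "c1", "1 INVITE", sdp_for("198.51.100.20", 3456)),
        sip_datagram("INVITE sip:bob@example.net SIP/2.0", "c1", "2 INVITE", sdp_for("192.0.2.10", 49180)),
        sip_datagram("SIP/2.0 200 OK", "c1", "2 INVITE", sdp_for("198.51.100.20", 3456)),
        sip_datagram("BYE sip:bob@example.net SIP/2.0", "c1", "3 BYE"),
    ]:
        t.observe(dgram)
        snapshots.append(t.rules())
    return snapshots
```

Running demo_call() shows the point of the message: no media rule exists until both sides' SDP have been seen, the re-INVITE does not disturb the live call until its 200 OK arrives, after which only the new port 49180 is open, and BYE removes every rule for the Call-ID. Pairing offer and answer m= lines by index rather than cross-joining them matters for the "too permissive" case: with audio and video in one call, a cross join would open the audio port to the video peer address as well.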