
Re: Vonage w pf?



I've had my Vonage VoIP modem up and working for exactly a month (1,500
minutes) now without the slightest problem. Man, do I love this service! My
usual long distance/local phone bill runs $150-200 and now I barely ever use
that PacBell line. I've had three referred friends sign up with Vonage, so
my next 3 months are free.

I did have to configure DHCP on my firewall (just follow the FAQ), but that
actually was so simple it took a few minutes (it took another 5 days to
realize there was something wrong with my Win2000 client).

My OpenBSD 3.2 firewall doing NAT/PF did not require any modification in the
least. I just plugged the Vonage modem into the 4-port hub that is connected
to my OpenBSD firewall and was able to make phone calls in under 10 seconds.

Here's my PF ruleset:

#	$OpenBSD: pf.conf,v 1.2 2001/06/26 22:58:31 smart Exp $
#
# See pf.conf(5) for syntax and examples

# pass all packets in and out (these are the implicit last two rules)
# pass in all
# pass out all

# set up variables
EXTIF="ep0"		# External Interface
IntNet="ne3"		# Internal Network
spoofed="{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 }"

# Clean up fragmented and abnormal packets
scrub in all

# block everything by default
block  out on $EXTIF  all
block  in  on $EXTIF  all

# block fake return packets
block  return-rst  out on $EXTIF proto tcp all
block  return-rst  in  on $EXTIF proto tcp all
block  return-icmp out on $EXTIF proto udp all
block  return-icmp in  on $EXTIF proto udp all

# silently drop broadcasts (cable modem noise)
block in quick on $EXTIF from any to 255.255.255.255

# drop spoofed packets
block in  quick on $EXTIF from $spoofed to any
block out quick on $EXTIF from any to $spoofed

# finally lock the rest down with a default deny
block in quick on $EXTIF from any to any

# ICMP

# Pass out/in certain ICMP queries and keep state (ping)
# State matching is done on host addresses and ICMP id (not type/code),
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
pass out quick on $EXTIF inet proto icmp all icmp-type 8 code 0 keep state

# UDP

# Pass out all UDP connections and keep state
pass out quick on $EXTIF proto udp all keep state

# TCP

# pass out all TCP connections and modulate state
pass out on $EXTIF proto tcp all modulate state


And my NAT.conf is really simple:

nat on ep0 from 192.168.1.0/24 to any -> my-Cox-DHCP-address

-----Original Message-----
From: owner-misc_(_at_)_openbsd_(_dot_)_org [mailto:owner-misc_(_at_)_openbsd_(_dot_)_org]On Behalf Of
Jameel Akari
Sent: Friday, March 28, 2003 9:27 AM
To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Vonage w pf?


Is anybody using Vonage VoIP service through an OpenBSD/pf firewall?

( http://www.vonage.com )

They require you to have some sort of "broadband router" (NAT box with
DHCP like a Linksys or Netgear) which means it will probably work like any
other service thru pf.  I can't think of any reason why it wouldn't, but if
anyone has experience one way or another, I'd like to know before I call
Verizon and tell them to stuff it. ;)


--
#!/jameel/akari
sleep 4800;
make clean && make breakfast
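
Added example, not part of either message above: a minimal Python model of how PF evaluates the posted filter rules (state lookup first, then last matching rule wins, and `quick` stops evaluation), which shows why replies to the adapter's outbound UDP pass while unsolicited inbound traffic is blocked. The `Firewall` class, the tuple layout and the sample addresses and ports are constructed for illustration; the ICMP rule is left out, and packets are given as seen on ep0 after NAT.

```python
import ipaddress

SPOOFED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "255.255.255.255/32"]
ANY = ["0.0.0.0/0"]
# Filter rules on $EXTIF in the posted order, TCP/UDP only (ICMP rule omitted).
# Fields: action, direction, quick, proto (None = any), from, to, keeps state
RULES = [
    ("block", "out", False, None,  ANY, ANY, False),
    ("block", "in",  False, None,  ANY, ANY, False),
    ("block", "out", False, "tcp", ANY, ANY, False),   # return-rst
    ("block", "in",  False, "tcp", ANY, ANY, False),   # return-rst
    ("block", "out", False, "udp", ANY, ANY, False),   # return-icmp
    ("block", "in",  False, "udp", ANY, ANY, False),   # return-icmp
    ("block", "in",  True,  None,  ANY, ["255.255.255.255/32"], False),
    ("block", "in",  True,  None,  SPOOFED, ANY, False),
    ("block", "out", True,  None,  ANY, SPOOFED, False),
    ("block", "in",  True,  None,  ANY, ANY, False),    # default deny inbound
    ("pass",  "out", True,  "udp", ANY, ANY, True),     # keep state
    ("pass",  "out", False, "tcp", ANY, ANY, True),     # modulate state
]

def in_nets(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)

class Firewall:
    def __init__(self):
        self.states = set()  # (proto, local addr, local port, remote addr, remote port)

    def filter(self, direction, proto, src, sport, dst, dport):
        # A packet that matches an existing state passes without rule evaluation.
        key = ((proto, src, sport, dst, dport) if direction == "out"
               else (proto, dst, dport, src, sport))
        if key in self.states:
            return "pass"
        verdict, stateful = "pass", False      # PF passes when no rule matches
        for action, rdir, quick, rproto, rsrc, rdst, keep in RULES:
            if rdir != direction or rproto not in (None, proto):
                continue
            if not (in_nets(src, rsrc) and in_nets(dst, rdst)):
                continue
            verdict, stateful = action, keep   # last matching rule wins
            if quick:
                break                          # quick ends evaluation here
        if verdict == "pass" and stateful:
            self.states.add(key)
        return verdict

fw = Firewall()  # demo with constructed documentation-range addresses and ports
print(fw.filter("out", "udp", "203.0.113.10", 10000, "198.51.100.20", 5060))  # pass
```

Sending the same reply packet inbound before and after the outbound one shows the difference: it is blocked by the quick default deny until the `keep state` rule has created a matching state.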