VoIP - Dynamic Pinholes for RTP - SIP ALG

ken leland kenleezle at gmail.com
Sat Dec 4 21:17:42 UTC 2010


Hello,

I work at an ITSP where we use Juniper Firewalls.  We would like to
move our firewalls over to PF, (pfSense specifically), but there is a
feature missing.  I am writing to engage the development community to
gather feedback on implementing this feature.  Two other developers
and I are interested in working for the FreeBSD project to
contribute this feature, and we have already begun preliminary
research.

Here is a technical summary of the feature:

The media stream for a SIP call uses dynamically assigned port
numbers. These port numbers can change several times during the course
of a call. The dynamic nature of these port numbers makes it
impossible to create a static policy to control media traffic. Any
attempt at a static policy will either be too permissive or too
restrictive. Instead the policy needs to be dynamic, hence the term
"Dynamic Pinholes." pfSense should read the SIP messages and their SDP
content and extract the port-number information it needs to
dynamically open pinholes to let the media stream traverse the
firewall. An internal table should be maintained, and when the call is
signalled to end, the pinhole should be closed, i.e., the dynamic rule
created to permit the media stream should be removed. The mechanism
responsible for creating the pinhole, hereafter referred to as
d'pinholer, needs to concern itself with SIP packets containing SDPs.
When a SIP packet is permitted, d'pinholer checks to see if it
includes an SDP, and if it does it should extract and record the IP
addresses and port numbers.

I have already engaged the pfSense community and our discussion is
documented here:
http://redmine.pfsense.org/issues/1064

I will be following up with a proposed implementation.

Ken Leland III
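The "d'pinholer" logic described in the post, as an added illustration that is not part of the original message or of any pf/pfSense code: it parses SIP messages, pulls the media address and port from the SDP c= and m= lines, keeps a per-Call-ID table of open pinholes, lets a re-INVITE from the same party replace its earlier ports, and drops every rule for the dialog on BYE. The sample SIP dialog at the bottom is constructed for the example; the message names and hosts are assumptions.

```python
def parse_sip(raw):
    """Split a SIP message into (start line, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def sdp_media(body):
    """Return (o= sess-id, [(ip, port), ...]); a session-level c= applies to each m= unless a media-level c= overrides it."""
    sess_id, session_ip, media = None, None, []
    for line in body.splitlines():
        if line.startswith("o="):
            sess_id = line.split()[1]  # sess-id stays fixed across re-INVITEs from the same party
        elif line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if media:
                media[-1][0] = ip  # media-level c= belongs to the preceding m=
            else:
                session_ip = ip
        elif line.startswith("m="):
            media.append([session_ip, int(line.split()[1])])
    # port 0 = stream rejected, 0.0.0.0 = on hold: neither gets a pinhole (RTCP is conventionally port + 1)
    return sess_id, [(ip, p) for ip, p in media if p and ip and ip != "0.0.0.0"]

class PinholeTable:
    """The post's internal table: pinholes per dialog (Call-ID), grouped by SDP origin."""
    def __init__(self):
        self.calls = {}  # Call-ID -> {sdp sess-id -> set((ip, port))}

    def on_sip(self, raw):
        start, headers, body = parse_sip(raw)
        call_id = headers.get("call-id")  # a message with no Call-ID belongs to no dialog
        if call_id and start.startswith("BYE "):  # call signalled to end: remove every rule for the dialog
            self.calls.pop(call_id, None)
        elif call_id and headers.get("content-type", "").lower() == "application/sdp":
            sess_id, holes = sdp_media(body)  # a re-INVITE with new ports replaces the old entry
            self.calls.setdefault(call_id, {})[sess_id] = set(holes)

    def open_pinholes(self):
        return {h for origins in self.calls.values() for hs in origins.values() for h in hs}

# Constructed sample dialog (not captured traffic): INVITE offer, 200 OK answer, BYE
INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\nCall-ID: c1@10.0.0.5\r\nContent-Type: application/sdp\r\n\r\n"
          "v=0\r\no=alice 111 1 IN IP4 10.0.0.5\r\nc=IN IP4 10.0.0.5\r\nm=audio 49170 RTP/AVP 0\r\n")
OK200 = ("SIP/2.0 200 OK\r\nCall-ID: c1@10.0.0.5\r\nContent-Type: application/sdp\r\n\r\n"
         "v=0\r\no=bob 222 1 IN IP4 192.0.2.9\r\nc=IN IP4 192.0.2.9\r\nm=audio 3456 RTP/AVP 0\r\n")
BYE = "BYE sip:bob@example.net SIP/2.0\r\nCall-ID: c1@10.0.0.5\r\n\r\n"
```

Feeding INVITE and OK200 to a PinholeTable opens one pinhole per side; the BYE empties the table, which is the point at which the corresponding dynamic pf rules would be removed.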


More information about the freebsd-pf mailing list