If you consider your voip box as a host which could be compromised because it runs old and/or insecure software, packet filtering can (in theory) help you a little bit by reducing the amount of exposed services, but it won't do more than that.
Allowing traffic on network ports which corresponds to insecure services will obviously leave those services unprotected and exploitable.
In my opinion, if this is your initial assumption, the matter here is how to protect your network from your voip box, as you'll never be able to trust this host even with the help of pf.
The config you propose may fit:
1. as long as you don't configure network interfaces connected to your OpenBSD host to work as a switch;
2. and as long as your pf rules are semantically correct (which normally implies they're few and clear).
In my opinion, if your external modem/router allows you to packet filter, keeping your initial configuration and packet filtering your voip box by your modem/router is not much worst than filtering it by your OpenBSD host; and as a bonus this allows you to keep your OpenBSD configuration simpler (and safer).
With your actual configuration, in the worst case scenario, you can end up with an exploited voip box, which is kept apart from your lan by OpenBSD.
If this is still a problem for you, i'd suggets an external packet filter you trust (OpenBSD, OpenWRT or anything else) which sits between your modem/router and your voip + OpenBSD host.
This would allow you to have a proper perimeter network filtered by a device (your ext packet filter) you trust and keeping your internal OpenBSD router configuration simpler and safer.
No comments:
Post a Comment