
Asterisk firewall rules

Sample Asterisk Firewall Rules

IPTables

This is an example of how to configure a Linux IPTables firewall for Asterisk:


# SIP on UDP port 5060. Other SIP servers may need TCP port 5060 as well
iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT

# IAX2- the IAX protocol
iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT

# IAX - most have switched to IAX v2, or ought to
iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT

# RTP - the media stream
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT

# MGCP - if you use media gateway control protocol in your configuration
iptables -A INPUT -p udp -m udp --dport 2727 -j ACCEPT
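
Added example, not part of the original page: the rules above only append ACCEPT entries, so they filter nothing unless the INPUT chain otherwise drops traffic. This script prints an iptables-restore ruleset with a default-deny policy using the page's ports; the function names, the restriction of SIP and IAX2 to listed peers, and the peer addresses in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Prints an iptables-restore
# ruleset: default-deny INPUT plus the Asterisk ports listed on this page.
# Assumption: SIP and IAX2 signalling is accepted only from listed peers.

emit() { printf '%s\n' "$*"; }

# Allow only digits, dots and an optional /prefix, so a peer argument
# cannot smuggle extra iptables options or newlines into a rule line.
valid_peer() {
    case "$1" in
        ''|*[!0-9./]*) return 1 ;;
    esac
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Usage: asterisk_ruleset PEER [PEER...]   (IPv4 address or CIDR block)
asterisk_ruleset() {
    [ "$#" -gt 0 ] || { echo "need at least one trusted peer" >&2; return 1; }
    for peer in "$@"; do
        valid_peer "$peer" || { echo "bad peer: $peer" >&2; return 1; }
    done
    emit '*filter'
    # Default deny: the ACCEPT rules below only matter because of this.
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    emit '-A INPUT -i lo -j ACCEPT'
    # Replies to traffic this host initiated.
    emit '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for peer in "$@"; do
        emit "-A INPUT -s $peer -p udp -m udp --dport 5060 -j ACCEPT"  # SIP
        emit "-A INPUT -s $peer -p udp -m udp --dport 4569 -j ACCEPT"  # IAX2
    done
    # RTP media can arrive from addresses other than the signalling peer,
    # so the range stays open to any source, as on the page.
    emit '-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT'
    emit 'COMMIT'
}

# Dry run (constructed peers from documentation ranges; needs root):
#   asterisk_ruleset 203.0.113.10 198.51.100.0/24 | iptables-restore --test
```

The INPUT policy is DROP, so add a rule for your own management access (for example SSH) before loading the output on a remote machine.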



More security:
BEWARE: these rules opened the firewall completely for me! Test them.

# iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
# iptables -A INPUT -p tcp --syn -j DROP



Bleeding edge and even more security:
(link is dead)

Get this one http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-sip-conntrack-nat and follow the docs :)




PF (Packet Filter)

This is an example of how to configure an OpenBSD/FreeBSD 5 PF firewall for Asterisk:

pf.conf

# Your inet interface
ext = rl0

# SIP (TCP)
voip_tcp = "5060"
# SIP, IAX2, IAX, RTP, MGCP (UDP)
voip_udp = "{5060, 4569, 5036, 9999 >< 20001, 2727}"

# pf.conf rules start with the action keyword (pass/block)
pass in on $ext inet proto tcp from any to any port $voip_tcp flags S/SA keep state
pass out on $ext inet proto tcp all flags S/SA keep state
pass in on $ext inet proto udp from any to any port $voip_udp keep state
pass out on $ext proto udp all keep state


pf.conf on gateway router/asterisk box with QoS

#### macros ####
ext_if="xl0" # 172.16.0.2
int_if="xl1" # 10.0.0.1
lan_net = "10.0.0.0/24"
table <blocked> persist
table <routed> persist
##machines
ext_ip = "172.16.0.2"
siphost = "172.16.0.3"
voip = "10.0.0.4"
#### options ####
set skip on lo0
set optimization conservative
set block-policy drop
set loginterface $ext_if
scrub in all
#### QoS stuff #######
altq on $ext_if priq bandwidth 520Kb queue { q_pri, q_def, q_bulk, q_crap }
queue q_pri priority 7
queue q_def priority 5 priq(default)
queue q_bulk priority 1
queue q_crap priority 0
#####    NAT   ####
nat on $ext_if from <routed> -> $ext_ip

#####  rules  ####
block drop out quick on $ext_if proto { udp, icmp, tcp } from any to <blocked>
block drop in quick on $ext_if proto { udp, icmp, tcp } from <blocked> to any
block drop in on $ext_if from any to any
pass in on $ext_if from $lan_net to any

## basic
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass in on $int_if proto icmp all keep state

## asterisk
pass in from any to $siphost
pass in quick proto udp from any to any port 4569 \
                keep state queue (q_pri)
pass out quick proto udp from any to any port 4569 \
                keep state queue (q_pri)
                                                                        
## default
pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
       keep state queue (q_def, q_pri)
pass in on $ext_if proto tcp from any to $ext_if flags S/SA \
       keep state queue (q_def, q_pri)


IPFW

This is an example of how to configure a FreeBSD IPFW firewall for Asterisk:

rc.firewall

# Firewall command
fwcmd="/sbin/ipfw -q"

# Interface setup
# Outside interface
oip="<your external ip address>"

# * pbx ip
pbxip="<your * internal ip>"

# VoIP Traffic - SIP & IAX
${fwcmd} add pass tcp from ${oip} to ${pbxip} 5060 keep-state in
${fwcmd} add pass tcp from ${pbxip} to any 5060 keep-state out
${fwcmd} add pass udp from ${oip} to ${pbxip} 5060 keep-state in
${fwcmd} add pass udp from ${oip} to ${pbxip} 4569 keep-state in
${fwcmd} add pass udp from ${oip} to ${pbxip} 2727 keep-state in
${fwcmd} add pass udp from ${oip} to ${pbxip} 9999-20001 keep-state in
${fwcmd} add pass udp from ${pbxip} to any keep-state out



rc.conf

# Your NAT & Firewall section should have this line
natd_flags="-redirect_address <your * internal ip> <your external ip address>"


ISA Server

To configure an ISA Server firewall for Windows, to permit Asterisk (win32 version) to run on the same box as the ISA Server:

SIPPF.VBS

Follow these steps:
  • Download the SPIPF.VBS script from www.generationd.com
  • Copy to any directory on the ISA Server.
  • Edit the file with any text editor if you want to modify the log file parameters, etc.
  • Run the script by double-clicking it.
  • Wait and relax while the ports are opened. Be warned - it can take a while!






Created by: oej, Last modification on Mon 30 of Aug, 2010 [22:43 UTC] by shuheiy

