There is a lot you can do with firewalls. A lot of them try to also manipulate your sip headers these days. Usually that's a bad idea, so what you will want is a firewall that can allow your sip packets to pass, without rewrting them or mangling them in any way. At the same time, your outbound NAT method is very important, because you'll want to make sure the NAT stays symmetric for proper media connection.
Here's a blog post on how to make this happen with pfsense:
"Most firewalls randomize ports (rewrite the source port) of outbound traffic. This is problematic for some protocols (like PPTP, IPSEC and SIP). sipXbridge needs static port NAT, or symmetric signalling in order to work properly. This means when sipXbridge makes an media connection at port 30001, it must be sent out on port 30001 (not rewritten by the firewall), and also come back on the same port. This is done by choosing “Firewall>NAT>Outbound” and selecting “Manual (AON)”. I’ve tried to make it easy by providing a sample setup which can be edited in a word process or (like Wordpad) and uploading to the system."
Read the whole article... http://blog.myitdepartment.net/?p=37
For pfSense version 2, remote provisioning of phones via FTP is functional, though you must add a system tunable by going to System -> Advanced -> System Tunables and entering the tunable debug.pfftpproxy with a value of 1.