Since the SIP signaling port is included in the SIP packets, the only way this would work is if the router fixes the SIP packets on the fly as they pass thru the router. That’s what a SIP ALG does, and they are notoriously poor at it.
The PBX Firewall with responsive enabled works fine. With Intrusion detection configured in System Admin, that’s a solid second line of defense. You could add a dynamic blacklist as another layer of security.