Hello everyone,
This is a simple PF test: a router, a PF firewall and an NTP server. Since only the router's WAN interface has a public IP, NAT is enabled on the PF firewall.
The purpose is to allow the NTP server to synchronize with the Internet time server. It also allows the firewall to synchronize with the local NTP server.
Below is the configuration of the PF firewall, which looks a bit confusing. Do some places need to be simplified or modified?
The name resolution of the Internet time server is not considered here.
Code:
# interfaces and hosts
ext_if = "em0"          # toward the router (the router holds the public IP)
int_if = "em1"          # toward the LAN with the NTP server
ntp_1 = "10.0.0.2"      # local NTP server

set skip on lo0
set reassemble yes no-df

# default deny, then anti-spoofing on both interfaces
block all
antispoof quick for $ext_if
antispoof quick for $int_if
block in quick on $ext_if from { no-route, urpf-failed } to any

# ICMP echo request
pass inet proto icmp all icmp-type 8 code 0

# local NTP server -> Internet time server (inbound leg on the LAN side)
pass in on $int_if proto udp from $ntp_1 port 123 to any port 123
# NTP originated by the firewall itself, leaving via the external interface
pass out on $ext_if proto udp from $ext_if to any port 123

#Translation
# outbound LAN traffic, source address translated to the external interface
pass out on $ext_if inet from $int_if:network to any nat-to $ext_if

# firewall -> local NTP server
pass out on $int_if proto udp from $int_if port 123 to $ntp_1 port 123
pass out on $ext_if proto udp from $ext_if to any port 123
Can it be modified to
pass out on $ext_if proto udp from $ntp_1 port 123 to any port 123
Which is correct?
pass out on $ext_if proto udp from $ext_if to any port 123
pass out on $ext_if inet from $int_if:network to any nat-to $ext_if
Should they be reversed in order?
Thanks.