[Solved] OpenNTPD and Pf firewall

Hello everyone,

Could you please confirm that I can replace the following two lines of code and achieve the same outcome?
Code:
pass out on $ext_if proto tcp to $HOSTS port ntp
pass out on $ext_if proto udp to $HOSTS port ntp
with
Code:
pass out on $ext_if proto { tcp, udp } to $HOSTS port ntp
Do I also need to do a pass in?
Code:
pass in on $ext_if proto { tcp, udp } to $HOSTS port ntp
This is my current setup:
Code:
ext_if="lagg0"

IP_FREEBSD_HOST="192.168.0.155"
IP_WEB="192.168.0.125"
SSH_HOSTS= "{" $IP_FREEBSD_HOST $IP_WEB "}"

PORT_SSH="{22,1913}"

table <workssh> { 192.168.0.1/24,218.146.158.224}
table <sshguard> persist

# [options]
set skip on lo0

# [normalization]
scrub in all

# [filtering]
pass out all
block in all

# block all IPs from the sshguard-pf blocklist without any further evaluation
block drop in log quick on $ext_if inet from <sshguard> to any

# Allow ssh traffic from authorised hosts only
pass log on $ext_if inet proto tcp from <workssh> to $SSH_HOSTS port $PORT_SSH \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <sshguard> flush global)

Thank you
 
Re: OpenNTPD and Pf firewall

fred974 said:
Could you please confirm that I can replace the following two lines of code and achieve the same outcome?
Code:
pass out on $ext_if proto tcp to $HOSTS port ntp
pass out on $ext_if proto udp to $HOSTS port ntp
with
Code:
pass out on $ext_if proto { tcp, udp } to $HOSTS port ntp
Both will result in the same rules.

Do I also need to do a pass in?
No, PF is a stateful firewall.
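As an added illustration of the point above (this is not code from the thread, from pf, or from pfctl): the script below mimics the list expansion pfctl performs at load time, substituting macros first and then turning each `{ ... }` list into one rule per member, so the single `proto { tcp, udp }` line and the two separate lines yield the same rules. The macro values are assumed for the example.

```python
import itertools
import re

# Constructed macro values for the example (assumed, not taken from the post).
MACROS = {"ext_if": "lagg0", "HOSTS": "{ 192.168.0.155 192.168.0.125 }"}

LIST_RE = re.compile(r"\{([^}]*)\}")

def substitute_macros(rule, macros):
    """Replace each $name with its macro text, as pf.conf does before parsing.
    An undefined macro raises KeyError, matching pfctl's refusal to load."""
    return re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], rule)

def expand_lists(rule):
    """Expand every { a, b ... } list into one rule per combination.

    This mirrors pfctl's behaviour: a rule containing N lists becomes the
    cartesian product of their members, so 'proto { tcp, udp }' is two rules.
    """
    bodies = LIST_RE.findall(rule)
    if not bodies:
        return [rule.strip()]
    # pf accepts commas and/or whitespace as list separators.
    choices = [[m for m in re.split(r"[,\s]+", b.strip()) if m] for b in bodies]
    expanded = []
    for combo in itertools.product(*choices):
        members = iter(combo)
        expanded.append(LIST_RE.sub(lambda _m: next(members), rule).strip())
    return expanded

def expand(rules, macros=MACROS):
    """Macro substitution then list expansion, rule by rule, in file order."""
    out = []
    for rule in rules:
        out.extend(expand_lists(substitute_macros(rule, macros)))
    return out

def same_ruleset(a, b):
    """True when both rule sets expand to the same concrete rules (order-insensitive)."""
    return sorted(expand(a)) == sorted(expand(b))

SEPARATE = [
    "pass out on $ext_if proto tcp to $HOSTS port ntp",
    "pass out on $ext_if proto udp to $HOSTS port ntp",
]
COMBINED = ["pass out on $ext_if proto { tcp, udp } to $HOSTS port ntp"]

if __name__ == "__main__":
    for rule in expand(COMBINED):
        print(rule)
    print("identical:", same_ruleset(SEPARATE, COMBINED))
```

On the real host, `pfctl -nvf /etc/pf.conf` parses the file without loading it and prints the expanded rules, which is the authoritative check.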
 
Re: OpenNTPD and Pf firewall

Thank you @SirDice
So do I actually need to add this rule in my pf.conf file?
 
No, you already have a "pass out all" that allows outgoing NTP requests.