Can Others More Experienced Check My Rule Logic, Please

Started by House Of Cards, October 02, 2024, 06:52:09 AM

October 02, 2024, 06:52:09 AM Last Edit: October 02, 2024, 01:38:47 PM by House Of Cards
Good day,

I have a NAT Redirect Rule to port forward any NTP traffic originating from an Alias consisting of all internal networks...

192.168.0.1/24
192.168.1.1/24
192.168.2.1/24

That rule uses an inverted match of the same Alias as a destination, which as I understand, means it would be destined for an IP outside the local network (server on the internet)...

It then forwards that request to 192.168.0.1 NTP to be handled by my internal NTP server.

Does that sound reasonable?  My goal is to allow the interface rules to permit NTP traffic locally, but use this redirection to protect against hardcoded devices using an address of their own liking.  I intend to do a similar approach with other things, such as DNS...  So I want to make sure I'm not insane.

Thanks for the help!

Quote from: House Of Cards on October 02, 2024, 06:52:09 AM
That rule uses an inverted match of the same Alias as a destination, which as I understand, means it would be destined for an IP outside the local network (server on the internet)...
I cannot think of any reason why not to use "any" as the destination, as long as you don't have multiple local NTP servers.

If you have multiple though, I'd recommend using an RFC 1918 alias for the destination with invert checked.
This alias should include all private network ranges. So you're still safe after you make some changes in your local network.

I use such an alias as well for the source in NAT rules for similar purposes.

Thanks,

I just want to make sure my understanding is sane...

I'm setting rules for things that pass as normal, and the reason I was doing it this way is to allow me to log the redirection rules to see which devices are trying to circumvent my internal NTP (and DNS, etc...). If a device is requesting something from my internal servers, fine...  They pass with no problems.  If something hard codes a different server, I want a log entry saying so.

That's my thinking, I just want to make sure this makes sense in terms of normal firewall procedures.  I figured I'd ask to see if there was anything wrong with doing it this way...

So I'm assuming this is fine functionally?  Thanks for the advice, I'm by no means an expert.  Better to get second opinions.   8)


Yes, for the sake of getting log entries if devices request a server other than the internal one, this makes sense.

As you have multiple internal subnets, you can add them to an interface group (Firewall > Groups) and define the rule there.
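To make the matching semantics discussed in this thread concrete, here is an added example (not from the forum or from any firewall product) that models the NTP redirect rule in Python: source restricted to the internal alias, destination port 123, destination compared against an alias with "invert" checked, and a log line whenever the redirect fires. It assumes the rule evaluates the way the posts describe; the internal alias is written as the three 192.168.x.0/24 networks, the RFC 1918 alias is the one the second reply suggests, and the traffic sample (including a later-added 192.168.3.0/24 subnet and a documentation address standing in for a hard-coded public NTP server) is constructed for illustration.

```python
"""Model of the NTP NAT-redirect rule discussed in the thread (added example)."""
import ipaddress

# Constructed values following the thread: three internal /24s, the internal
# NTP server at 192.168.0.1, and the RFC 1918 alias recommended in the reply.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24")]
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY_NET = [ipaddress.ip_network("0.0.0.0/0")]   # the "any" destination
NTP_SERVER = ipaddress.ip_address("192.168.0.1")
NTP_PORT = 123


def in_alias(ip, alias):
    """True if ip falls inside any network of the alias."""
    return any(ip in net for net in alias)


def redirect_applies(src, dst, dport, dest_alias, invert_dest=True):
    """Decide whether the redirect rule matches one UDP datagram.

    Rule as described: source in the internal alias, destination port 123,
    destination checked against dest_alias, optionally with the match inverted.
    """
    if dport != NTP_PORT:
        return False
    if not in_alias(src, INTERNAL_NETS):
        return False
    dest_hit = in_alias(dst, dest_alias)
    # With "invert" checked the rule matches when the destination is NOT in the alias.
    return dest_hit != invert_dest


def evaluate(packets, dest_alias, invert_dest=True):
    """Return ([(src, dst, dport, address actually reached)], [log lines]).

    A redirect entry in the log is what the original poster wants to see for
    devices that try to bypass the internal NTP server.
    """
    results, log = [], []
    for src, dst, dport in packets:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if redirect_applies(s, d, dport, dest_alias, invert_dest):
            results.append((src, dst, dport, str(NTP_SERVER)))
            log.append(f"rdr: {src} asked {dst}:{dport}, sent to {NTP_SERVER}:{NTP_PORT}")
        else:
            results.append((src, dst, dport, dst))
    return results, log


# Constructed traffic sample. 203.0.113.10 is a documentation address standing
# in for a hard-coded public NTP server; 192.168.3.0/24 is a subnet added later
# that was never put into the internal alias.
SAMPLE = [
    ("192.168.1.50", "192.168.0.1", 123),    # uses the internal NTP server
    ("192.168.1.51", "203.0.113.10", 123),   # hard-coded public NTP server
    ("192.168.1.52", "192.168.3.5", 123),    # new, not-yet-aliased local subnet
    ("192.168.3.20", "203.0.113.10", 123),   # source outside the alias: rule never sees it
    ("192.168.1.53", "203.0.113.10", 53),    # DNS, not covered by this NTP rule
]

if __name__ == "__main__":
    for name, alias, inv in (("invert internal alias", INTERNAL_NETS, True),
                             ("invert RFC 1918 alias", RFC1918_NETS, True),
                             ("destination any", ANY_NET, False)):
        _, log = evaluate(SAMPLE, alias, inv)
        print(f"== {name}: {len(log)} redirect(s)")
        for line in log:
            print("  " + line)
```

Running it shows the difference the reply points at: with the internal alias inverted, the datagram to the un-aliased 192.168.3.5 is redirected as if it were an outside server, while with the RFC 1918 alias inverted only the genuinely external destination is redirected. With destination "any" and no inversion, the request to the internal server itself is also redirected (harmlessly, to the same address), which adds a log entry for well-behaved devices and defeats the logging purpose described above.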