I have the fake server working to the modems, I will have a go on my own at doing the fake server to the main LAN using approximately the same technique. I am assuming that if I just spot UDP port 123 traffic coming in off the LAN to the Firebrick, where it will be addressed to one of the usual addresses that the Brick publishes to the LAN, then that will be good enough.
I’m thinking, rule needs to have the following conditions to match against
IF
source-interface=IF-LAN
destination-interface=SELF
protocol=UDP
port=123
THEN
set destination address=time.aa.net.uk
These aren’t the correct Firebrick XML config attributes, I haven’t bothered to look them up.
I’m hoping that the SELF thing is correct, for ‘going to the Brick’ as I’ve seen this used elsewhere for what looks like the right kind of scenario. I’ll look that up. Will someone shout if this is wrong?
I decided I definitely need this extra check condition, because I don’t want to catch such traffic going to all addresses. I know some people do exactly this, catching all outgoing email, but this is evil. Even though it’s well-intentioned if the idea is just to help misconfigured systems, and perhaps defensible as a rather fascist security measure, it can confuse people who suddenly end up getting replies from the wrong server, and apps could even fail because of this. I don’t know whether or not it is ok in this case for NTP, it would save me from having to round up systems and reconfigure them properly but it doesn’t feel right somehow. What do you think? Enforced catch-all?
Who is to say that UDP port 123 is definitely always NTP? Perhaps another reason why I should be going there. Opinions?
Do I need a set-NAT action? I don’t see why, unless I’m missing something. I think that would rewrite the source address, but do I even need this?
I should point out that I never use NAT. The tricky stuff with my modems which are using RFC1918 addresses and do not have proper network config set up at their end (because it’s incomplete unfortunately) is about the first time I have used NAT in ten years. All my systems live in globally-routable static IPv4 and IPv6 address ranges. This means the source address coming in off the LAN here will be fine anyway, globally routable, without any tweaking needed. So am I right, forget about a set-nat action?