Basic firewall rules for beginners


 
Upvote 0
Thank you, but that's not what I'm looking for; there are no examples of basic rules for the firewall, it just explains what it's for. Should we establish IP, country, application rules? Close ports? Which? Etc...
 
Upvote 0
The firewall rules are processed from the top of the list to the bottom. When a match is made then that action is taken and the processing stops. This firewall is stateful, meaning for you that you only have to enter rules based on the originating connection: where it started and where it aims to get to. You don't have to have rules for the replies from the destination back to the originator (source).

The further down the firewall policy a rule is, the more processing load is required to get a match. So put the most used rules at the top and end with a deny all at the bottom (but remember that if you hit the deny all without having rules for you to access the NAS, you will be locked out). This approach works well but you may have to prioritise some blocking rules near the top (e.g. country blocks) if you want to use an allow all to service X later on.

Regarding country blocking, this can be evaded by people using VPN services to break out in a permitted country. But it should at least block some traffic.

The objective of the firewall is to allow only the minimum necessary access that you are willing to accept. I would not use the auto-rule feature as you won't learn what you are doing. If you do use this feature then go and review the new rules and adapt them to limit access and place them in the list where it is more appropriate. Likewise, don't use the UPnP router config feature (disable it in your router). These auto features blow holes in security policies to allow access to services: you may as well have had a wide open security policy since when not running the services there is nothing to be exposed or attacked, but when you do run a new service and auto rules are added it's just the same as not adding rules but having an open policy.
 
Upvote 1
The rules are built according to your needs. There’s no one size fits all.

If you care to share what you are trying to do and how your NAS is set up when it comes to remote access, I’m sure the forum will help.
When it comes to firewalls, less is more.
 
Upvote 1
Generically you would:
1. Allow specific IPs/Ports from your local LAN
2. Allow specific IP/Port for VPN access (if applicable)
3. Allow your local country if access outside your LAN is necessary, limited by expected IP ranges and specific ports of entry.
4. Finally... Deny all.
 
Upvote 1
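
An added example, not part of any post in this thread and not Synology's own code: a small Python model of the top-to-bottom, first-match-wins evaluation described above, applied to the four-step layout from the last reply, with a check for the lockout case. The rule names, addresses and ports are constructed assumptions, and the "expected remote range" stands in for a country rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    source: str            # CIDR of the originating side, or "any"
    port: Optional[int]    # destination port; None means all ports
    action: str            # "allow" or "deny"

def matches(rule, src_ip, dst_port):
    if rule.port is not None and rule.port != dst_port:
        return False
    if rule.source == "any":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)

def evaluate(rules, src_ip, dst_port):
    """Top to bottom, first match wins. Returns (action, rule name, rules checked)."""
    for checked, rule in enumerate(rules, start=1):
        if matches(rule, src_ip, dst_port):
            return rule.action, rule.name, checked
    return "no-match", None, len(rules)

def locked_out(rules, admin_ip, admin_port):
    """True if the admin's own new connection would not be allowed."""
    return evaluate(rules, admin_ip, admin_port)[0] != "allow"

# Constructed sample policy (all addresses and ports are assumptions).
POLICY = [
    Rule("LAN admin to management port", "192.168.1.0/24", 5001, "allow"),
    Rule("VPN service", "any", 1194, "allow"),
    Rule("Expected remote range", "203.0.113.0/24", 5001, "allow"),
    Rule("Deny all", "any", None, "deny"),
]
# The same rules with the deny all wrongly placed first.
BAD_ORDER = [POLICY[-1]] + POLICY[:-1]

if __name__ == "__main__":
    for src, port in [("192.168.1.20", 5001), ("203.0.113.9", 5001),
                      ("198.51.100.7", 5001), ("192.168.1.20", 22)]:
        print(src, port, evaluate(POLICY, src, port))
    print("locked out with deny all first:",
          locked_out(BAD_ORDER, "192.168.1.20", 5001))
```

Only the originating side of each connection is modelled, which matches the stateful behaviour described in the thread: replies need no rule of their own.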

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.
