Basic firewall rules for beginners

Thank you but that's not what I'm looking for, there are no examples of basic rules for the firewall but it just explains what it's for. Should we establish IP, country, application rules? Close ports? Which? Etc...
 
Upvote 0
The firewall rules are processed from the top of the list to the bottom. When a match is made then that action is taken and the processing stops. This firewall is stateful, meaning for you that you only have to enter rules based on the originating connection: where it started and where it aims to get to. You don't have to have rules for the replies from the destination back to the originator (source).

The further down the firewall policy a rule is, the more processing load is required to get a match. So put the most used rules at the top and end with a deny all at the bottom (but remember that if you hit the deny all without having rules for you to access the NAS, you will be locked out). This approach works well but you may have to prioritise some blocking rules near the top (e.g. country blocks) if you want to use an allow all to service X later on.

Regarding country blocking, this can be evaded by people using VPN services to break out in a permitted country. But it should at least block some traffic.

The objective of the firewall is to allow only the minimum necessary access that you are willing to accept. I would not use the auto-rule feature as you won't learn what you are doing. If you do use this feature then go and review the new rules and adapt them to limit access and place them in the list where it is more appropriate. Likewise, don't use the UPnP router config feature (disable it in your router). These auto features blow holes in security policies to allow access to services: you may as well have had a wide open security policy since when not running the services there is nothing to be exposed or attacked, but when you do run a new service and auto rules are added it's just the same as not adding rules but having an open policy.
 
Upvote 1
Generically you would:
1. Allow specific IPs/Ports from your local LAN
2. Allow specific IP/Port for VPN access (if applicable)
3. Allow your local country if access outside your LAN is necessary, limited by expected IP ranges and specific ports of entry.
4. Finally... Deny all.
 
Upvote 1
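
The top-to-bottom, first-match processing and the rule order described in the replies above, as an added example that is not part of the original thread and is not Synology's own code. It is a small simulation for checking a planned rule order before applying it; every address, port and rule name in it is a constructed assumption.

```python
import ipaddress

# Constructed sample policy (all addresses and ports are assumptions), in the
# order suggested above: LAN, VPN, limited outside range, then deny all.
RULES = [
    {"name": "lan-admin", "src": "192.168.1.0/24", "ports": {5001}, "action": "allow"},
    {"name": "vpn", "src": "0.0.0.0/0", "ports": {1194}, "action": "allow"},
    {"name": "outside-range", "src": "203.0.113.0/24", "ports": {443}, "action": "allow"},
    {"name": "deny-all", "src": "0.0.0.0/0", "ports": None, "action": "deny"},
]


def evaluate(rules, src_ip, dst_port):
    """Return (rule name, action, rules checked) for a new inbound connection.

    Rules are tried top to bottom and the first match wins. Only the
    originating connection is evaluated, as with a stateful firewall.
    """
    addr = ipaddress.ip_address(src_ip)
    for checked, rule in enumerate(rules, start=1):
        in_net = addr in ipaddress.ip_network(rule["src"])
        port_ok = rule["ports"] is None or dst_port in rule["ports"]
        if in_net and port_ok:
            return rule["name"], rule["action"], checked
    # Nothing matched: treated here as "not allowed" (an assumption).
    return None, "no-match", len(rules)


def would_lock_out(rules, admin_ip, admin_port):
    """True if the admin's own connection does not reach an allow rule."""
    return evaluate(rules, admin_ip, admin_port)[1] != "allow"


if __name__ == "__main__":
    for ip, port in [("192.168.1.20", 5001), ("203.0.113.9", 443),
                     ("198.51.100.7", 5001), ("192.168.1.20", 22)]:
        print(ip, port, evaluate(RULES, ip, port))
    # Same rules with deny-all moved to the top: everything stops there.
    bad_order = [RULES[-1]] + RULES[:-1]
    print("lock-out with good order:", would_lock_out(RULES, "192.168.1.20", 5001))
    print("lock-out with bad order: ", would_lock_out(bad_order, "192.168.1.20", 5001))
```

The third value returned by `evaluate` is how many rules were checked before the match, which is the processing cost the earlier reply refers to when it says to put the most used rules at the top.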
