Basic firewall rules for beginners

Currently reading
Basic firewall rules for beginners

Thank you but that's not what I'm looking for, there are no examples of basic rules for the firewall but it just explains what it's for. Should we establish IP, country, application rules? Close ports? Which ? Etc...
 
Upvote 0
The firewall rules are processed from the top of the list to the bottom. When a match is made then that action is taken and the processing stops. This firewall is stateful, meaning for you that you only have to enter rules based on the originating connection: where it started and where it aims to get to. You don't have to have rules for the replies from the destination back to the originator (source).

The further down the firewall policy a rule is, the more processing load is required to get a match. So put the most used rules at the top and end with a deny all at the bottom (but remember that if you hit the deny all without having rules for you to access the NAS, you will be locked out). This approach works well but you may have to prioritise some blocking rules near the top (e.g. country blocks) if you want to use an allow all to service X later on.

Regarding country blocking, this can be evaded by people using VPN services to breakout in a permitted country. But it should at least block some traffic.

The objective of the firewall is to allow only the minimum necessary access that you are willing to accept. I would not use the auto-rule feature as you won't learn what you are doing. If you do use this feature then go and review the new rules and adapt them to limit access and place them in the list where is more appropriate. Likewise, don't use the UPnP router config feature (disable it in your router). These auto features blow holes in security policies to allow access to services: you may as well have had a wide open security policy since when not running the services there is nothing to be exposed or attacked, but when you do run a new service and auto rules are added it's just the same as not adding rules but have a open policy.
 
Upvote 1
Generically you would.
1. Allow specific IPs/Ports from your local LAN
2. Allow specific IP/Port for VPN access (if applicable)
3. Allow your local country if access outside your LAN is necessary, limited by expected IP ranges and specific ports of entry.
4. Finally... Deny all.
 
Upvote 1

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

Hello! Yes I did indeed find the problem, there are some special firewall rules that you need to make for...
Replies
4
Views
770
  • Question
OOOps running SRM 1.3.1 Update 6
Replies
1
Views
862
You are right. I think I'm getting this error because I can't allow cloudflared.
Replies
2
Views
1,207
All 3 NAS's are set that way.... FIREWALL AND NOTIFICATIONS ARE CHECKED I have in the past seen and...
Replies
2
Views
1,066
QuickConnect Relay uses a client connection created from the NAS outbound to the Synology servers. This...
Replies
2
Views
3,592
Morning lads I'm having some issues with with an IP camera I recently bought (Reolink e1 pro), I've...
Replies
0
Views
1,365
here I have summarized the keyholes in the DSM native settings, including how to avoid them: I tried to...
Replies
9
Views
5,361

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Back
Top