Can you take a look at my firewall settings?

NAS: DS718+
Router: RT2600ac
Operating system: Windows
Mobile operating system: iOS
I'm running a VPN server on my DS (OpenVPN) and port forwarded from my router to the DS. It has been working fine, but I wanted to check if others agreed with my settings. I tried to follow what babylonia posted here.

1 - Allow/Deny rules at the bottom of the image - I just noticed that my WAN to LAN rule allowed all traffic unless specific rules blocked it. That is probably not good, so I changed it to deny. However, when I checked ShieldsUP! with this option set to "deny" and to "allow", it always said all my ports were stealth, so I'm not sure what this change really does.
2 - Do my rules that try to block the IP camera do anything? I know this is simple stuff for most. It's confusing for me right now.
3 - Am I making it harder by having the VPN on the DS vs. the router? Initially I put it on the DS since it has the better processor.

firewall settings at imgur
 
One thing: since you don't have any rule to allow LAN (192.168.1.0/24) access to SRM on TCP/443, the firewall isn't stopping local access to the SRM web interface.

This is what I wrote on 'the community' three weeks ago.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The firewall rules are applied from the top of the table to the bottom, until one matches the source/destination/protocol/port criteria and then the action is taken.

As such, it takes more processing to get a hit lower in the policy, so if you have high volumes of connections of a particular type, try to place that rule high up. Obviously, do this without compromising the overall security of your device.

You don't want the first rule to be any/any/any/any = deny because that blocks everything to the router (from inside and out [well, probably inside; try it and report back if you had to reset the router!]). You can set the bottom four rules to do the blocking after you set the policy rules you want.

My home RT2600ac policy is set like this:
  1. Things I want to block from everywhere: at present I don't have any
  2. Local subnets can access; define as needed for LAN and VPN servers, but these are the most they should be (we can guarantee these IPs won't come from the Internet because of RFC 1918, but your ISP modem/router may use a subnet in these ranges to assign the SRM's Internet IP via DHCP):
    • 192.168.0.0/255.255.0.0 : TCP+UDP, All / All / All, Allow
    • 172.16.0.0/255.240.0.0 : TCP+UDP, All / All / All, Allow
    • 10.0.0.0/255.0.0.0 : TCP+UDP, All / All / All, Allow
  3. One or more rules for countries I want to block: Deny selected countries
  4. Everywhere to SRM for most apps, except VPN: Deny selected apps to SRM
  5. Inbound SMTP from my email host's SMTP servers: Allow SMTP ports to my server
  6. Inbound SMTP from any other SMTP servers: Deny SMTP ports to All
  7. VPN services (enabled only if I use them)
    • services that are listed: TCP+UDP, All / All / VPN apps, Allow
    • VPN Remote Desktop: TCP+UDP, All / All / my RD port, Allow
  8. Automatically added rules from the port forwarding page
  9. The four default rules all set to deny.

The Country block rules can go at the top if you like but local subnet rules get more hits.

The step 2 rules can be slimmed down to be just the subnets you actually use for your LAN/WLAN and VPN services. I use 192.168.0.0/255.255.240.0 to cover local services but it excludes the Virgin Media subnet on the outside of my SRM router.

Rules in step 2 take precedence over steps 3 and lower, so the LAN/WLAN clients can access the router and other home devices (including VPN clients that are connected). I don't want external access to the router, except from those Internet locations that haven't been blocked for VPN services.

The automatic rules added for port forwarding then allow the same type of filtered access as the SRM's VPN service (e.g. no access from countries I want to block), but for my internal servers as the destinations.

I add rules between 3 and 4 for specific IPs and ranges that I see are being very active and need to be blocked. Often Threat Prevention is already dropping them, and the firewall rule will block alert-level threats that aren't dropped ... just to reduce the noise in the TP log.
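To see why the order of the table above matters (first match wins, an any/any deny at the top blocks the LAN as well, and a rule placed high is found after fewer comparisons), here is a small first-match evaluator. It is an added example, not SRM's own code or anything from the post: the router's addresses behind the "SRM" object, the OpenVPN port, the SRM web-UI ports and the geo-block range are all constructed assumptions for the example.

```python
"""First-match firewall policy simulator, modelled on the RT2600ac rule order above."""
import ipaddress
from dataclasses import dataclass
from typing import Union

ANY = "all"
SRM = "SRM"

# Assumption: the addresses the router itself owns (LAN, VPN tunnel, WAN).
# The post says the SRM destination object covers all of them, so we expand it.
SRM_ADDRS = {ipaddress.ip_address(a) for a in ("192.168.1.1", "10.8.0.1", "203.0.113.10")}


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


@dataclass
class Rule:
    name: str
    src: Union[ipaddress.IPv4Network, str]   # network or ANY
    dst: Union[ipaddress.IPv4Network, str]   # network, SRM or ANY
    proto: str                               # "tcp", "udp" or ANY
    ports: Union[frozenset, str]             # frozenset of ints or ANY
    action: str                              # "allow" or "deny"

    def matches(self, src, dst, proto, port) -> bool:
        if self.src != ANY and src not in self.src:
            return False
        if self.dst == SRM:
            if dst not in SRM_ADDRS:
                return False
        elif self.dst != ANY and dst not in self.dst:
            return False
        if self.proto != ANY and self.proto != proto:
            return False
        if self.ports != ANY and port not in self.ports:
            return False
        return True


def evaluate(policy, src, dst, proto, port):
    """Walk the table top to bottom; the first matching rule decides.
    Returns (action, rule name, number of rules examined)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for examined, rule in enumerate(policy, 1):
        if rule.matches(src, dst, proto, port):
            return rule.action, rule.name, examined
    return "deny", "fall-through", len(policy)


def build_policy(deny_all_first: bool = False):
    vpn_ports = frozenset({1194})                  # assumed: OpenVPN/UDP
    srm_app_ports = frozenset({443, 8000, 8001})   # assumed SRM web-UI ports; 443 as in the thread
    blocked_country = net("198.51.100.0/24")       # constructed stand-in for a geo-block range
    policy = [
        # step 2: RFC 1918 sources (LAN/WLAN/VPN clients) may reach anything
        Rule("lan-192", net("192.168.0.0/16"), ANY, ANY, ANY, "allow"),
        Rule("lan-172", net("172.16.0.0/12"), ANY, ANY, ANY, "allow"),
        Rule("lan-10", net("10.0.0.0/8"), ANY, ANY, ANY, "allow"),
        # step 3: country block
        Rule("deny-country", blocked_country, ANY, ANY, ANY, "deny"),
        # step 4: everywhere to SRM for most apps, except VPN
        Rule("deny-apps-to-srm", ANY, SRM, "tcp", srm_app_ports, "deny"),
        # step 7: VPN service from anything not already blocked
        Rule("allow-vpn", ANY, SRM, "udp", vpn_ports, "allow"),
        # step 9: the default rows, all deny
        Rule("default-deny", ANY, ANY, ANY, ANY, "deny"),
    ]
    if deny_all_first:
        # the mistake warned about above: a blanket deny at the top shadows every later rule
        policy.insert(0, Rule("deny-all-first", ANY, ANY, ANY, ANY, "deny"))
    return policy


# Constructed traffic: (source, destination, proto, port). 192.0.2.77 stands in for
# an arbitrary Internet host and 203.0.113.10 for the router's WAN address.
CASES = [
    ("192.168.1.50", "192.168.1.1", "tcp", 443),    # LAN host to SRM web UI
    ("192.0.2.77", "203.0.113.10", "tcp", 443),     # Internet to SRM web UI
    ("192.0.2.77", "203.0.113.10", "udp", 1194),    # Internet to VPN
    ("198.51.100.9", "203.0.113.10", "udp", 1194),  # blocked country to VPN
    ("192.0.2.77", "203.0.113.10", "tcp", 22),      # Internet to anything unlisted
]

if __name__ == "__main__":
    for first in (False, True):
        print("deny-all at top" if first else "post's ordering")
        for case in CASES:
            action, name, n = evaluate(build_policy(first), *case)
            print(f"  {case[0]:>13} -> {case[1]}:{case[3]}/{case[2]}  {action:5}  by {name} (rule {n})")
```

Run as-is it prints the verdict for each case under both orderings: with the post's ordering the LAN host hits rule 1, the Internet host is denied the web UI at rule 5 but allowed OpenVPN at rule 6, the geo-blocked source never reaches the VPN rule, and unlisted traffic falls to the bottom deny; with a blanket deny inserted at the top, everything, LAN included, is denied at rule 1.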
 
@fredbert - why do I need to specifically allow only certain LAN subnets? Is this so that if there is a subnet I don't want to have access to the SRM, it will be excluded? What would be the use case for this?

Any thoughts on my questions 2/3?
 
Purely a matter of how I have approached it. I haven't tested how SRM sees all the RFC 1918 subnets and whether it allows access to these regardless of the firewall rules, but I think it may only allow access to the wired and wireless LAN but not guest WiFi (unless configured). I'm just used to firewalls that don't make any assumptions about their environment and use the security policy to know which interfaces are connected to what, and then explicitly how to mediate all traffic. These home devices generally have set usage scenarios: e.g. this is the WAN/Internet port; these are all switch ports on the same LAN; LAN is trusted.

Anyway, a firewall policy is to open the minimum access that permits authorised usage ... we're not like network admins that allow any access and think it's working!

2. Does your IP camera use UPnP, and have you disabled UPnP in SRM? There is no port forward rule explicitly allowing incoming connections to the camera. The IP camera looks like it shouldn't have Internet access because of the 2nd camera rule. So the 2nd rule adds to the security policy; the 1st probably doesn't.
3. VPN server: on DSM or SRM?
 
I think it may only allow access to the wired and wireless LAN but not guest WiFi (unless configured).
Right. That is what I was thinking too. I've read that the guest WiFi is like a VLAN. I've considered putting my IoT devices on the guest network and not allowing it access to the main LAN. I'd like to look into VLANs more generally, though I don't think the Synology router allows VLANs yet (not including the guest).
Does your IP camera use UPnP and have you disabled UPnP in SRM?
I've disabled UPnP in both SRM and the IP camera.

Looking at this again: why doesn't the 1st camera rule stop me from accessing the camera when I type 192.168.1.124 into my browser inside my LAN, since I say "all" at source IP?

Thank you for your time. I'm slowly climbing the mountain.
 
As I was saying about the SRM being set up for specific scenarios: I've not tested it, but it seems reasonable to consider the LAN (wired and wireless) devices to be connected together before the SRM firewall. That means that any LAN device can communicate with any other, and there's no SRM firewall policy that can stop it.

Depending on the VPN service and its options then there could be routing applied to allow these other local segments onto the LAN, before firewall rules are applied.

The object SRM (available when creating rules) is a special case, as it seems that 'SRM' includes all the IPs assigned to the router. This makes it easier to define access without having to create individual rules per interface (physical and virtual) of the router.

When you consider what a firewall does, the very basics are: router; NAT/PAT; traffic rules; even combining interfaces into switches, like home routers do. So knowing which function gets applied in what order is important. Does NAT happen before or after the traffic rules, so which IP addresses do you use: pre- or post-NAT? Do the switched interfaces avoid all other mechanisms? When is routing determined: on entry to the incoming network stack or on exiting the stack?

In the absence of detailed information, the best thing is to test the behaviour but, hopefully, don't block yourself in the process :)

As for Guest WiFi for Insecure of Things devices, yep, I did that for the short period of time we tried a water leak detector. Obviously, set the Guest network to not have access to the LAN. The detector was a noise generator and false-alarm specialist; binned it, lucky it was a freebie.

If you want to play with VLANs then get a managed switch. I saw a decent discussion about setting up a TP-Link switch: TP-Link TL-SG108E - VLANs to separate one device from all others
 