Cleanup of prior incorrect thinking...
2 years ago, when 2600ac was new, and I was playing around with Firewall... I misinterpreted Threat Prevention -- Statistics (World View) Events as countries to block in Firewall... I now understand the two are Apples & Oranges. I mention this just to explain how some of the Firewall rules came about.... My Question is not about TP, but Firewall Rules...

This left me (with the 15 region limit per rule) with a few rules denying some but not all countries scattered all over the world, with no rhyme nor reason as to what countries were in which rule....
At the bottom of firewall rules, I have a rule written to deny all -- if it doesn't match the above rules.... And I've noticed the DENY ALL Rule still gets "Hits".... (this was in addition to the 4 fixed rules at bottom effectively doing the same thing as my DENY ALL Rule, but not showing any "Hits".... I created the DENY ALL Rule because I wanted to see "Hits"...) From this I assumed that there was something from a region I had not selected that was trying to get through, and DENY ALL Blocked it!

Because I continually get "Hits" from DENY ALL Rule, after thinking about it for a while..... I created new rules today, based upon the full region list... Block Incoming from Everywhere in the Region List (Limited to 15 per rule).... and deleted my older rules.... and moved the 18 new rules above my DENY ALL Rule (Support had told me maximum number of user rules in Router Firewall was 128 Rules).. OK.. I'm effectively blocking all unrequested inputs from Everywhere.... I left the DENY ALL rule I created, active at the bottom.

It's interesting to note that that last rule... That blocks EVERYTHING prior rules miss.... after I block Literally Everything I can from the region list.... Still gets "Hits"

I don't have any other software to examine things.... but I'm nosy.... If I block ALL REGIONS, Why does DENY ALL at bottom still get hits?

Thanks for any comments....

Here's a picture of bottom of firewall List showing what I was describing....
[Attached image: region block example.jpg]
I don't have any other software to examine things.... but I'm nosy.... If I block ALL REGIONS, Why does DENY ALL at bottom still get hits?
I’m not sure why you are doing all of this (maybe you have a reason, I don’t know) and I don’t use a Synology router. However, firewalls work better if you close everything and open only what you want. It appears to me that you’re doing it the other way around.

In other words:
Allow your subnet
Allow your country
Deny all

Of course, the above can be further tuned according to your needs, like not allowing everything from your country (maybe just 443 or a VPN connection).

But I might be missing the point. I often do 🙃
Another fellow I asked suggested asking Synology, too, so I did. His reasoning was that maybe not all IPv4 addresses were assigned to those regions. Like you surmised.

Oh yeah, my reasoning was to learn more about firewall rules we are allowed to make. Nothing ugly or unusual.
As you see in the picture I’ve some traps set just to double check other devices. “Hits” (Or the lack of them😁!) are a ‘make darn sure’ that other things are working as intended….

This is especially true with respect to the IP Cameras… though my particular model is not on the latest security flaw list of models… I’ve been told that might be a mistake, and it will be added. As I await new firmware, this trap is a double check that all is still OK, and cameras are not reacting to anything.
Info just received from Support, that clarified the results seen:

In large part, this has to do with how the traffic's sources are identified. When traffic is reaching your router, the firewall is checking the source WAN IP address, and then comparing it against its database of WAN IP addresses to determine its region of origin. If the address happens to be one identified as belonging to a particular region of the world, then the firewall rule you have set covering that region will catch it.

However, in the last 3-5 years there have been some changes in WAN IP addresses associated with specific regions. Some addresses that were formerly associated with a particular region are now associated with new regions, and in some cases blocks of addresses that were formerly reserved for future use or other applications have been assigned to new regions. The regional IP address database in SRM may not include these changes, or something may have been a recent enough change that it's not yet in the database.

The "deny all" rule is a good final catch-all for these cases. It doesn't mean you misconfigured your previous rules, but if some traffic is arriving from an address that's not associated with any region expressly defined (as far as SRM is aware based on its available info) then the regional rules won't stop it. That final "deny all" will help make sure it doesn't slip through anyway.

Regards,

So... It's clearer now.. Everything does not include 'all' IP's...
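The following is an added illustration, not code from the thread, Synology or SRM. It models what Support describes above and the "allow subnet, allow country, deny all" ordering suggested earlier in the thread: a first-match rule list, a per-rule hit counter, a region lookup against a deliberately incomplete geo-IP database (constructed documentation ranges, with one block left unmapped to stand in for a reassigned allocation), and the 15-regions-per-rule limit. Every network, region code, rule name and sample source address here is constructed for the demonstration; the point it makes is that a source whose address is not in the region database matches no region rule at all and therefore lands on the final DENY ALL, which is exactly where the unexplained hits come from.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed geo-IP database (RFC 5737 documentation ranges, not real allocations).
# 192.0.2.0/24 is deliberately absent: it stands in for a block that was
# reassigned after the database snapshot, so the lookup cannot place it.
GEO_DB = {
    "US": ["203.0.113.0/24"],
    "DE": ["198.51.100.0/25"],
    "BR": ["198.51.100.128/25"],
}
MAX_REGIONS_PER_RULE = 15  # per-rule region limit mentioned in the thread

# Constructed inputs: 20 region codes (forces two region rules) and four sources.
ALL_REGIONS = ["US", "DE", "BR"] + [f"R{i:02d}" for i in range(17)]
SOURCES = ["203.0.113.5", "198.51.100.200", "192.0.2.9", "192.168.1.20"]


def region_of(ip: str) -> Optional[str]:
    """Look the source address up in the region database; None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for region, nets in GEO_DB.items():
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return region
    return None


@dataclass
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    regions: frozenset = frozenset()     # empty = match regardless of region
    source_net: Optional[str] = None     # optional CIDR restriction
    hits: int = 0

    def matches(self, ip: str) -> bool:
        if self.source_net and ipaddress.ip_address(ip) not in ipaddress.ip_network(self.source_net):
            return False
        if self.regions:
            # An address the database cannot place (region None) never matches
            # a region rule, however many regions that rule lists.
            return region_of(ip) in self.regions
        return True


def evaluate(rules, ip):
    """First-match evaluation; the rule that decides gets the hit."""
    for rule in rules:
        if rule.matches(ip):
            rule.hits += 1
            return rule.action, rule.name
    return "allow", "<no rule matched>"


def region_block_rules(regions):
    """Split a long region list into deny rules of at most 15 regions each."""
    return [
        Rule(f"deny-regions-{i // MAX_REGIONS_PER_RULE + 1}", "deny",
             frozenset(regions[i:i + MAX_REGIONS_PER_RULE]))
        for i in range(0, len(regions), MAX_REGIONS_PER_RULE)
    ]


def block_everything_ruleset(all_regions):
    """The poster's layout: deny every region in the list, DENY ALL at the bottom."""
    return region_block_rules(all_regions) + [Rule("DENY ALL", "deny")]


def default_deny_ruleset(lan_net, home_region):
    """The reply's layout: allow your subnet, allow your country, deny all."""
    return [
        Rule("allow-lan", "allow", source_net=lan_net),
        Rule("allow-home-region", "allow", frozenset({home_region})),
        Rule("DENY ALL", "deny"),
    ]


def run(rules, sources):
    """Evaluate each source; returns {ip: (action, deciding rule name)}."""
    return {ip: evaluate(rules, ip) for ip in sources}


def hit_counts(rules):
    return {r.name: r.hits for r in rules}


if __name__ == "__main__":
    for label, rules in [("block-everything", block_everything_ruleset(ALL_REGIONS)),
                         ("default-deny", default_deny_ruleset("192.168.1.0/24", "US"))]:
        print(f"== {label} ==")
        for ip, (action, name) in run(rules, SOURCES).items():
            print(f"{ip:16} region={region_of(ip)!s:5} -> {action} by {name}")
        print("hits:", hit_counts(rules))
```

Running it shows 192.0.2.9 (unmapped) and 192.168.1.20 (also unmapped) being decided by DENY ALL in the first layout even though all 20 regions are denied, while in the second layout the LAN and home-region allows sit above a single deny that catches everything else, mapped or not. In both layouts the bottom deny is doing real work; the difference is that the second needs three rules instead of nineteen and does not depend on the region database being complete.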