Do Firewall Rules Prevent IPs from Reaching Threat Prevention?

If the Firewall has a rule to block an entire IP range, say 45.0.0.1/255.0.0.0, will Threat Prevention still react to threat IPs in that range, or do those IPs blocked at the firewall not reach TP?
 
Interesting, I have found in SRM 1.2 that blocking an Internet subnet in the firewall stops TP events. Not yet had time to study SRM 1.3 order of doing things. Doing IDPS on the Internet side always produced a lot of noise so when deploying only one IDPS device you would usually rely on the firewall DOS features to filter the stuff it could, allow the source/destination you wanted, then put the IDPS immediately on the LAN edge. Of course, with built-in IDPS and other features firewalls will have their own order of processing.

The obvious answer to this question is to try it and see what happens. Find an active source in TP that is creating a lot of events and add a firewall rule to block it: maybe use a country block if you have a few that are always scanning/probing and see if the firewall blocks them from raising TP events.
 
Out of interest I did a google on this and found a thread at The Other Place.

I may be wrong but I think it may be your thread @rkruz3? Regardless, it's a good topic and useful for people to think about when setting up their SRM routers. Also, the last point from Synology support is helpful too, to summarise/paraphrase: when you amend the firewall policy to block connections then this only will apply to new connections. Any existing connections that were allowed but now would be denied will continue until they end.

What does this mean? Well if you have a very long TCP timeout for dormant connections then they will not drop, though having too long timeouts can cause the firewall state table to fill up (and I don't think SRM gives a way to edit this value so it's a moot point). But also if you want to stop the kids from accessing whatever is the social platform du jour then any current connections won't die. So you'll have to switch off/on WiFi to force them to reconnect :)

I would add that TP acts on otherwise permitted connections, those passed as allowed by the firewall, so in effect it is a higher priority but from a processing point of view it acts second. Firewall processing has had a long time to get optimised whereas TP (IDPS) is much more processor intensive, so filter out the known unwanted first.
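A small model of the processing order this reply describes (stateful firewall first, Threat Prevention only on what the firewall passes, and a newly added deny rule affecting new connections only). This is an added example, not code from the forum or from Synology; the `Router` class, the sample threat list and all addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed poor-reputation list standing in for a TP signature group (not real IoCs).
THREAT_IPS = {ipaddress.ip_address("45.1.2.3"), ipaddress.ip_address("198.51.100.7")}

@dataclass
class Router:
    """Stateful firewall followed by Threat Prevention, in the order the thread describes."""
    deny_rules: list = field(default_factory=list)   # ip_network objects
    state_table: set = field(default_factory=set)    # established flows: (src, dst, dport)
    tp_events: list = field(default_factory=list)    # source IPs TP reacted to

    def add_deny(self, net_str):
        # Accepts "45.0.0.0/8" as well as the "45.0.0.1/255.0.0.0" form from the question;
        # strict=False tolerates host bits in the address part.
        self.deny_rules.append(ipaddress.ip_network(net_str, strict=False))

    def firewall(self, src, flow):
        # Established flows are matched in the state table before the rule set,
        # so a deny rule added later does not terminate them.
        if flow in self.state_table:
            return True
        if any(src in net for net in self.deny_rules):
            return False
        self.state_table.add(flow)
        return True

    def threat_prevention(self, src):
        # TP only ever sees packets the firewall allowed.
        if src in THREAT_IPS:
            self.tp_events.append(str(src))
            return "tp_drop"
        return "allow"

    def packet(self, src_str, dst_str="192.168.1.10", dport=443):
        src = ipaddress.ip_address(src_str)
        if not self.firewall(src, (src_str, dst_str, dport)):
            return "fw_drop"
        return self.threat_prevention(src)

def scenario():
    r = Router()
    first = r.packet("45.1.2.3")            # no deny rule yet: FW passes it, TP reacts
    r.add_deny("45.0.0.1/255.0.0.0")        # now block the whole /8 at the firewall
    existing = r.packet("45.1.2.3")         # same established flow: still reaches TP
    new = r.packet("45.1.2.3", dport=22)    # new flow from the same IP: dropped at FW
    return first, existing, new, len(r.tp_events)
```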
 
Excellent insight, thank you. I asked the question because when experimenting with the router, I saw that the Firewall (FW) would generally block IPs before Threat Protection (TP), but I would also see, to a lesser degree, the FW blocked IP show up in TP. So probably the reason for the occasional TP reaction to a FW blocked IP is your explanation of "existing connections." Nice Job!

I'm arriving at the conclusion that it's probably a lot of busy work to set up the FW to block IP ranges when TP will handle them per their policies (I've selected all the Poor Reputation and known threat policies). I started using the FW to block entire ranges where a TP-identified IP resided within rather than the individual IP. Because I was still seeing attacks from IPs whose regions were blocked (basically blocked all regions but the U.S.), I was thinking blocking at the FW would lessen the processor burden, but now I don't think it makes a difference and has some bad consequences.

The bad consequences? When torrenting (qBittorrent) large files with fewer seeds and peers, the torrent frequently stops and shows an error. I looked at the qBittorrent peers' IP addresses and saw some of them were in my FW blocked IP ranges. I removed the FW IP and region blocks, and the torrent ran beautifully for several hours and completed without error, AND the download was much faster than I'd seen before.

I think now I will just use the region blocks, remove the IP range blocks and let TP do its work.

BTW, I agree Synology support is excellent, but the official forum "the other place" is lightly used and not much help.
 
I've never been a torrent user but I think that it allows for bits of downloads to be retrieved from multiple sources. If that is true then you never really know exactly where they will come from so FW rules could interfere. Also, I seem to recall that you're supposed to be a good torrenter and allow sending out from your downloaded content.

Just for keeping TP quieter I have a few FW rules to block certain countries and then some of my services are further limited to a few specific countries. Only sometimes do I do a temporary FW rule to block a /24 or /16 that has been raising lots of TP events. That usually stops after a while and I disable then delete the rule.

The first iteration of Synology's Intrusion Protection, rebranded as TP, was a lot heavier on resources than it is now. I agree it's easier to use the poor reputation, compromised host, etc groups of signatures in TP to selectively eliminate those suspect connections.
 