Firewall best practice

Hi,
I would like to start off a discussion about firewall best practices with the router. Here is my current configuration and what it does.

1. Allow VPN access from certain countries
2. Allow SRM access only from my origin country Germany
3. Allow NAS access from certain countries for Synology Photos
4. Deny access from all other countries
5. Port forward for Synology Photos

I think that limiting access from certain countries vastly improves security. As you can see from the hit counter in rule 4, there are tons of requests from countries that should not really access the router. What are your thoughts? Are there any additional rules that might be useful?

Not sure why you need Internet access to the SRM management GUI: does this actually work, as there is an SRM setting to block/allow WAN access? It’s usual to only allow LAN access to your router management: it’s your security perimeter, and this would reduce the risk. Since you have a NAS, my personal view is that there’s no good reason to run file/media services on the router. Also, limit standard user access to the VPN Plus services. Why not use a VPN session if you need to access the SRM GUI?

It’s recommended that the DSM HTTP/S ports be changed from the well known defaults of 5000 and 5001, along with other best practices for securing the NAS. Which brings me to the firewall rules that match the port forwarding rules… do they actually get used? I ask because the rule before them is blocking everything, and the firewall rules are processed top to bottom and stop when a match is made.

SRM port forwarding has an option to automatically create matching firewall rules, but they create any/any/LAN IP/port/Allow rules. And it puts them at the end of the rulebase. You can manually create these firewall rules then place them where you like, and restrict the sources.
The SRM rule was generated when I enabled QuickConnect. I like the app on my phone to check on the router and I think that is required for that. You are correct, when I use VPN on my phone I would not need this rule. Changing the default ports 5000 and 5001 is a good point. I also disabled the port forwarding rules at the end.
I am hoping to isolate multiple devices on LAN -totally- with the firewall.
I’m doing this in multiple ways:
1. Using static IPs and only allowing certain IPs to access the internet, in the router firewall.
2. Allowing ICMP From specific LAN IP to specific WAN IP, to allow my “ISP Traps” to function in router firewall from a Static IP outside of allowed internet access rule range.
3. ICMP IP range Allow follows in router firewall.
4. ICMP Block All follows in router firewall.
5. Configuring DHCP devices’ IPs to have internet access, but be blocked by the NAS firewall. (No guest Wi-Fi.)
6 To 12 & 4 Deny Rules in router firewall that are there just for the “Hits”. Intentional rules that confirm that rules above it work. These should never display anything but 0. As new rules are confirmed, these extra deny rules are retired.
10. All of which are before a DENY ALL Rule in both router and NAS firewall.
(Wish NAS firewall showed ‘hits’!)

I have NO ports forwarded or UPnP enabled, and have used DS file, DS cam, DS finder, DS router and Drive worldwide.
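Two points raised above are really the same property of a first-match rulebase: the auto-created port-forward allow rules that sit below a "deny all other countries" rule can never match (the earlier reply asks whether they are ever used), and the "canary" deny rules in the setup just described are expected to stay at 0 hits because a correct allow rule above them always wins. The simulator below is an added example, not SRM's own code or any poster's configuration: it evaluates rules top to bottom, stops on the first match, counts hits per rule, flags rules shadowed by a catch-all, and shows a canary firing when the allow rule above it is mistyped. Country lists, ports (1194 for VPN, 8001 for the SRM GUI, 5001 for Photos) and the traffic sample are constructed assumptions, not values from the thread.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # a field left as None matches anything, like an any/any SRM rule


@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    countries: Optional[set] = ANY   # source countries (geo-IP match)
    ports: Optional[set] = ANY       # destination ports
    proto: Optional[str] = ANY       # "tcp" / "udp" / "icmp"
    hits: int = 0

    def is_catch_all(self) -> bool:
        return self.countries is ANY and self.ports is ANY and self.proto is ANY

    def matches(self, pkt: dict) -> bool:
        if self.proto is not ANY and pkt["proto"] != self.proto:
            return False
        if self.countries is not ANY and pkt["country"] not in self.countries:
            return False
        if self.ports is not ANY and pkt.get("dport") not in self.ports:
            return False
        return True


def evaluate(rules, pkt):
    """Top to bottom, first match wins; implicit deny if nothing matches."""
    for r in rules:
        if r.matches(pkt):
            r.hits += 1
            return r.action
    return "deny"


def run(rules, traffic):
    """Apply a policy to a traffic sample: returns (verdicts, {rule name: hits})."""
    for r in rules:
        r.hits = 0
    verdicts = [evaluate(rules, p) for p in traffic]
    return verdicts, {r.name: r.hits for r in rules}


def shadowed(rules):
    """Names of rules that can never match because a catch-all rule precedes them."""
    out, blocked = [], False
    for r in rules:
        if blocked:
            out.append(r.name)
        elif r.is_catch_all():
            blocked = True
    return out


def policy_as_posted():
    """The five-rule layout from the opening post, with assumed ports/countries."""
    return [
        Rule("1 allow VPN from allowed countries", "allow", {"DE", "AT", "CH"}, {1194}, "udp"),
        Rule("2 allow SRM GUI from DE", "allow", {"DE"}, {8001}, "tcp"),
        Rule("3 allow Photos from allowed countries", "allow", {"DE", "AT"}, {5001}, "tcp"),
        Rule("4 deny all other countries", "deny"),
        Rule("5 auto port-forward Photos (any/any)", "allow", ANY, {5001}, "tcp"),  # shadowed by rule 4
    ]


def policy_with_canaries(break_srm_rule=False):
    """A narrower deny directly under each allow; it must stay at 0 hits.
    break_srm_rule=True mistypes rule 2's country so the canary below it fires."""
    srm_country = {"DK"} if break_srm_rule else {"DE"}
    return [
        Rule("1 allow VPN from allowed countries", "allow", {"DE", "AT", "CH"}, {1194}, "udp"),
        Rule("1c canary: deny VPN from DE", "deny", {"DE"}, {1194}, "udp"),
        Rule("2 allow SRM GUI from DE", "allow", srm_country, {8001}, "tcp"),
        Rule("2c canary: deny SRM GUI from DE", "deny", {"DE"}, {8001}, "tcp"),
        Rule("3 allow Photos from allowed countries", "allow", {"DE", "AT"}, {5001}, "tcp"),
        Rule("4 deny all", "deny"),
    ]


# Constructed traffic sample (documentation address ranges, invented country tags).
TRAFFIC = [
    {"src": "203.0.113.5", "country": "DE", "proto": "tcp", "dport": 8001},
    {"src": "198.51.100.7", "country": "US", "proto": "tcp", "dport": 5001},
    {"src": "203.0.113.9", "country": "AT", "proto": "tcp", "dport": 5001},
    {"src": "198.51.100.8", "country": "CN", "proto": "tcp", "dport": 8001},
    {"src": "203.0.113.6", "country": "DE", "proto": "udp", "dport": 1194},
    {"src": "198.51.100.9", "country": "BR", "proto": "udp", "dport": 1194},
]

if __name__ == "__main__":
    for label, rules in [("as posted", policy_as_posted()),
                         ("with canaries", policy_with_canaries()),
                         ("with canaries, rule 2 broken", policy_with_canaries(True))]:
        verdicts, hits = run(rules, TRAFFIC)
        print(label, verdicts, hits, "shadowed:", shadowed(rules))
```

Against the sample, rule 5 in the posted layout stays at 0 hits and is reported as shadowed; rule 3, a manually placed allow with a restricted source, is already doing the job that the any/any forward rule was meant to do, which is the manual-placement approach the reply recommends. In the canary layout every canary stays at 0; when rule 2 is mistyped, the DE request to the SRM port falls through to "2c" and the non-zero hit counter exposes the mistake without opening anything.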
OK. I don't bother with QuickConnect for my router, there's nothing running on it that others need to have easy-to-remember access... and I know what IP addresses it has on each internal LAN. The DS router app works perfectly fine on the LAN using the router's LAN IP as the destination. I also changed the SRM HTTP/S ports from the defaults too. So in DS router use LAN_IP:SRM_Secure_Port as the router's address.

I do run VPN Plus but I limit this to non-admin users, so that it requires two user accounts to be able to gain admin access to the router: VPN with std user account; then access router with admin account. I also run LDAP Server on the NAS and then connect the router to it so that I don't have managed local users on the router: a selection of the LDAP accounts get VPN Plus access.

I do like having an explicit 'deny all else' rule at the end of the firewall policy. This was why I manually create and manage the firewall rules that correspond to port forwarding rules: I can limit which sources have access to my exposed services.