Firewall settings - are they good?

NAS
DS720+
Hello, I would like to check whether my firewall settings are okay, and whether I understand correctly how the firewall works.
The goals are:
- allow access from my home network and remotely from my PC at work
- allow access just from my country, to minimize attacks from the internet (login attempts, etc.)
- allow access to services which need full access to the internet (torrent, VPN, etc.)
- block everything else I don't need.

192.168.xxx.xxx is my home network.
62.xxx.xxx.xxx is the public IP of my computer at work - to allow access remotely when I need it. (I don't know if something needs to be set up in the firewall when I use QC or DDNS too.)

I am setting up rules just on the LAN1 interface, because everything else that is not allowed is blocked by default.
There are no rules in "all interfaces" or on any interface other than LAN1.

If I understand correctly how the firewall works, when a packet comes in, the firewall starts matching it against the rules. It stops matching when it finds a rule that matches, and if none matches, it blocks the packet. Is that true?

Here are my firewall rules. Are they OK, or do you have some recommendations please? Thanks.

[Screenshot of the firewall rules: 1659098809514.png]
 
And if none matches, it blocks the packet. Is that true?
correct

I did notice that the Windows file server is on the list. While it's fine to have it allowed on the FW list, I do hope you will not open this port (445/TCP) towards the internet on your router. That will be highly dangerous.

Rest is fine.
 
No, the port is closed on the router. It's just for my home network. I assume that without Windows file server allowed, I can't access the NAS through SMB.
 
No, the port is closed on the router. It's just for my home network. I assume that without Windows file server allowed, I can't access the NAS through SMB.
Well, try first. Local communication will not be blocked unless there is an FW in effect at some level. Still, if your Windows client has an FW active you might also need to open it on that side as well.
 
Given that the firewall rules are tested top to bottom and stop at the first match, you have three unnecessary rules:
  • Rule 5 (SMB access to LAN) is already covered by Rule 1 (always allow LAN access).
  • Slovakia access (allow to all services) is covered by Rule 3 and that means Rule 4 (mgmt access) and Rule 9 (FTP) are never used.
You can disable Rules 4, 5, and 9 if you don't want to delete them.

While limiting access from countries can be bypassed by Internet clients that use in-country VPN breakout services, there's no harm in using country rules as this will stop some unwanted access attempts.
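The first-match logic and the shadowed-rule reasoning above, as an added worked example (not code from the forum or from Synology). Rule contents, the 192.168.1.0/24 home subnet, the 62.0.0.1 work address and the GeoIP table are constructed stand-ins for the screenshot; rules 6-8 are left out because the thread does not discuss them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the NAS's GeoIP data: any 62.0.0.0/8 address counts
# as Slovakia here (assumption for the example only).
GEO = {"SK": [ipaddress.ip_network("62.0.0.0/8")]}
LAN = [ipaddress.ip_network("192.168.1.0/24")]          # constructed home subnet

@dataclass
class Rule:
    name: str
    ports: Optional[frozenset]   # None means "all ports"
    source: list                 # ip_network objects accepted as source
    action: str                  # "allow" or "deny"

# Constructed approximation of the rules discussed in the thread.
RULES = [
    Rule("Rule 1", None, LAN, "allow"),
    Rule("Rule 2", None, [ipaddress.ip_network("62.0.0.1/32")], "allow"),  # placeholder work IP
    Rule("Rule 3", None, GEO["SK"], "allow"),
    Rule("Rule 4", frozenset({5000, 5001}), GEO["SK"], "allow"),          # DSM management
    Rule("Rule 5", frozenset({445}), LAN, "allow"),                        # SMB from LAN
    Rule("Rule 9", frozenset({21}), GEO["SK"], "allow"),                   # FTP
]

def covers_source(outer, inner):
    """True when every source network of `inner` lies inside some network of `outer`."""
    return all(any(i.subnet_of(o) for o in outer if o.version == i.version) for i in inner)

def covers_ports(outer, inner):
    return outer is None or (inner is not None and inner <= outer)

def shadowed_rules(rules):
    """(rule, earlier rule) pairs where the rule can never fire because an earlier
    rule already matches every packet it would match."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers_source(earlier.source, later.source) and covers_ports(earlier.ports, later.ports):
                found.append((later.name, earlier.name))
                break
    return found

def evaluate(rules, src_ip, port):
    """First-match evaluation with an implicit deny, as described in the thread."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if (r.ports is None or port in r.ports) and any(ip in n for n in r.source):
            return r.action, r.name
    return "deny", "implicit default"

if __name__ == "__main__":
    for later, earlier in shadowed_rules(RULES):
        print(f"{later} is never reached: already covered by {earlier}")
```

Running it reports rules 4, 5 and 9 as unreachable, matching the reply above; rule 2 is not flagged because it sits before rule 3, even though rule 3 would also cover it.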
 
Hi,

My suggestions…
I’d use the first 3 and refine rule no. 3 and limit it to what’s needed (instead of “all”).
Place an All, All, Deny at the end (although it says it’s going to default to that) for peace of mind.
Consider using a reverse proxy.
BT traffic should go over a “trusted” VPN.

A side note: there’s no need to mask the 192.168.x.x addresses, they’re local and not routed externally.
 
Hi,

My suggestions…
I’d use the first 3 and refine rule no. 3 and limit it to what’s needed (instead of “all”).
Place an All, All, Deny at the end (although it says it’s going to default to that) for peace of mind.
Consider using a reverse proxy.
BT traffic should go over a “trusted” VPN.

A side note: there’s no need to mask the 192.168.x.x addresses, they’re local and not routed externally.
Agreed

Also, what country is the IP address in rule 2? If it’s a Slovakian IP address then it’s not needed since it would be covered by rule 3.
 
The Rule 2 IP is from Slovakia too. I just specified it there to secure my access to the NAS even if geolocation gets wacky or so :)

Thank you all for the suggestions.

Hi,

A side note: there’s no need to mask the 192.168.x.x addresses, they’re local and not routed externally.
So the NAS's firewall does not apply anything to packets coming from LAN?
 
So the NAS's firewall does not apply anything to packets coming from LAN?
That's not what was meant. The NAS's firewall applies to connections from anywhere and doesn't differentiate between public IP networks and RFC 1918 reserved subnets. The comment was regarding you obscuring the LAN IPs in the screenshot. It's a personal decision whether to divulge the LAN subnets that you are using, or not, and it is debatable whether it reveals usable information about your LAN. Any IP in the RFC 1918 reserved subnets cannot be directly accessed across the Internet as these are excluded from routing tables (plus, which of the millions of 192.168.1.N is the one you are targeting :) ). My preference is to obscure or remove my LAN IPs from screenshots/command outputs that I post.
 
