Firewall settings - are they good?


NAS: DS720+
Operating system: Windows
Mobile operating system: Android
Hello, I would like to ask whether my firewall settings are okay, and whether I understand correctly how the firewall works.
The goals are:
- allow access from my home network and remotely from my PC at work
- allow access only from my country, to minimize attacks from the internet (login attempts, etc.)
- allow access for services that need full access to the internet (torrent, VPN, etc.)
- block everything else I don't need.

192.168.xxx.xxx is my home network.
62.xxx.xxx.xxx is the public IP of my computer at work, to allow remote access when I need it. (I don't know whether something needs to be set up in the firewall when I use QC or DDNS too.)

I am setting up rules only on the LAN1 interface, because everything else that is not allowed is blocked by default.
There are no rules in "all interfaces" or on any interface other than LAN1.

If I understand correctly how the firewall works, when a packet comes in, the firewall starts matching it against the rules. It stops matching when it finds a rule that matches. And if it doesn't, it will block it. Is that true?

Here are my firewall rules. Are they OK, or do you have some recommendations please? Thanks.

[screenshot of the firewall rules]
 
> And if it doesn't, it will block it. Is that true?
Correct.

I did notice that the Windows file server is on the list. While it's fine to have it allowed on the FW list, I do hope you will not open this port (445/TCP) towards the internet on your router. That will be highly dangerous.

Rest is fine.
 
No, the port is closed on the router. It's just for my home network. I assume that without Windows file server allowed, I can't access the NAS through SMB.
 
> No, the port is closed on the router. It's just for my home network. I assume that without Windows file server allowed, I can't access the NAS through SMB.
Well, try first. Local communication will not be blocked unless there is an FW in effect at some level. Still, if your Windows client has an FW active you might also need to open it on that side as well.
 
Given that the firewall rules are tested top to bottom and stop at the first match, you have three unnecessary rules:
  • Rule 5 (SMB access to LAN) is already covered by Rule 1 (always allow LAN access).
  • Slovakia access (allow to all services) is covered by Rule 3 and that means Rule 4 (mgmt access) and Rule 9 (FTP) are never used.
You can disable Rules 4, 5, and 9 if you don't want to delete them.

While limiting access by country can be bypassed by Internet clients that use in-country VPN breakout services, there's no harm in using country rules, as this will stop some unwanted access attempts.
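As an added example (not code from the thread, from Synology, or from any poster), here is a small Python model of the first-match evaluation described above: rules are tested top to bottom, the first matching rule decides, and no match means deny. The rule list is reconstructed from the descriptions in the thread (rules 6 to 8 are never described, so they are omitted), the 192.168.1.0/24 home subnet and the 62.0.0.10 work address are constructed placeholders, the GeoIP table is a stand-in for a real database, and the trailing explicit deny is the one suggested later in the thread. The `shadowed_rules` function goes one step beyond the thread by checking containment symbolically, so it reports the same three unreachable rules without probing packets.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed GeoIP stand-in: a real firewall consults a GeoIP database.
# Mapping all of 62.0.0.0/8 to "SK" is an assumption made only for this example.
GEOIP_TABLE = {
    ip_network("62.0.0.0/8"): "SK",
    ip_network("203.0.113.0/24"): "XX",   # TEST-NET-3, plays "some other country"
}


def country_of(addr: str) -> str:
    """Return the country code for an address, "??" if the table has no entry."""
    a = ip_address(addr)
    for net, cc in GEOIP_TABLE.items():
        if a in net:
            return cc
    return "??"


@dataclass(frozen=True)
class Rule:
    name: str
    ports: Optional[frozenset]        # None = all ports
    source: Optional[IPv4Network]     # None = any source address
    country: Optional[str]            # None = any country
    action: str                       # "allow" or "deny"

    def matches(self, src: str, port: int) -> bool:
        """True if a packet from `src` to `port` is matched by this rule."""
        if self.ports is not None and port not in self.ports:
            return False
        if self.source is not None and ip_address(src) not in self.source:
            return False
        if self.country is not None and country_of(src) != self.country:
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match is also matched by self."""
        if self.ports is not None and (other.ports is None or not other.ports <= self.ports):
            return False
        if self.source is not None and (other.source is None or not other.source.subnet_of(self.source)):
            return False
        if self.country is not None:
            same_country = other.country == self.country
            # A single-host rule is covered by a country rule if that host geolocates there.
            single_host_in_country = (
                other.source is not None
                and other.source.prefixlen == 32
                and country_of(str(other.source.network_address)) == self.country
            )
            if not (same_country or single_host_in_country):
                return False
        return True


def evaluate(rules, src: str, port: int):
    """First-match evaluation; no match falls through to the implicit default deny."""
    for rule in rules:
        if rule.matches(src, port):
            return rule.action, rule.name
    return "deny", "<implicit default>"


def shadowed_rules(rules):
    """Pairs (later, earlier) where `later` can never be the first match."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                found.append((later.name, earlier.name))
                break
    return found


LAN = ip_network("192.168.1.0/24")       # constructed home subnet
WORK_PC = ip_network("62.0.0.10/32")     # placeholder for the poster's work address
ALL = None

# Reconstructed from the thread's descriptions; numbering follows the posts.
RULES = [
    Rule("1 LAN allow all",      ALL,                     LAN,     None, "allow"),
    Rule("2 work PC allow all",  ALL,                     WORK_PC, None, "allow"),
    Rule("3 Slovakia allow all", ALL,                     None,    "SK", "allow"),
    Rule("4 Slovakia mgmt",      frozenset({5000, 5001}), None,    "SK", "allow"),
    Rule("5 LAN SMB",            frozenset({445}),        LAN,     None, "allow"),
    Rule("9 Slovakia FTP",       frozenset({21}),         None,    "SK", "allow"),
    Rule("10 deny everything",   ALL,                     None,    None, "deny"),
]

if __name__ == "__main__":
    for src, port in [("192.168.1.20", 445), ("62.0.0.10", 5001),
                      ("62.5.5.5", 445), ("203.0.113.7", 5000)]:
        print(src, port, "->", evaluate(RULES, src, port))
    for later, earlier in shadowed_rules(RULES):
        print(f"rule '{later}' is never reached: covered by '{earlier}'")
```

Running it shows that SMB from an arbitrary in-country address is allowed by rule 3 before any narrower rule is consulted, which is the reason for the later suggestion to limit rule 3 to the services actually needed rather than "all".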
 
I would disable all but the first 3 rules. Then open additional rules, only as necessary.
 
Hi,

My suggestions…
I'd use the first 3 and refine rule no. 3 to limit it to what's needed (instead of "all").
Place an All, All, Deny at the end (although it says it's going to default to that) for peace of mind.
Consider using a reverse proxy.
BT traffic should go over a “trusted” VPN.

A side note: there’s no need to mask the 192.168.x.x addresses, they’re local and not routed externally.
 
> Hi,
>
> My suggestions…
> I'd use the first 3 and refine rule no. 3 to limit it to what's needed (instead of "all").
> Place an All, All, Deny at the end (although it says it's going to default to that) for peace of mind.
> Consider using a reverse proxy.
> BT traffic should go over a "trusted" VPN.
>
> A side note: there's no need to mask the 192.168.x.x addresses, they're local and not routed externally.
Agreed
Also, what country is the IP address in rule 2? If it's a Slovakian IP address then it's not needed, since it would be covered by rule 3.
 
The rule 2 IP is from Slovakia also. I just specified it there to secure my access to the NAS even if geolocation gets wacky or so :)

Thank you all for the suggestions.
Hi,

> A side note: there's no need to mask the 192.168.x.x addresses, they're local and not routed externally.
So the NAS's firewall does not apply anything to packets coming from LAN?
 
> So the NAS's firewall does not apply anything to packets coming from LAN?
That's not what was meant. The NAS's firewall applies to connections from anywhere and doesn't differentiate between public IP networks and RFC 1918 reserved subnets. The comment was regarding you obscuring the LAN IPs in the screenshot. It's a personal decision whether to divulge the LAN subnets that you are using, or not, and it is debatable whether it reveals usable information about your LAN. Any IP in the RFC 1918 reserved subnets cannot be directly accessed across the Internet, as these are excluded from routing tables (plus, which of the millions of 192.168.1.N is the one you are targeting :) ). My preference is to obscure or remove my LAN IPs from screenshots/command outputs that I post.
 
SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.