Firewall Settings review - SHA Cluster + Remote Access

Hi All,

After reading the advice from experts in the forum about other firewall issues, I wonder whether my own firewall rules are finally strict enough for my specific context:

Router configuration (ports opened/NATed)
  • 443: forwarded to the HA Cluster IP, which runs the Synology HTTP proxy server in front of all hosted web services (DSM included). I use a wildcard certificate; routing to the correct web service is done with the Synology Proxy configuration (e.g. https://dsm.mydomain.com/ -> goes to http://DSM_localIP:5001, https://forum.mydomain.com/ -> http://forum_local_ip:xxxx/ ...)
  • 6690: forwarded to the HA Cluster IP, which also runs Synology Drive
  • In summary, 443 and 6690 are NATed on the router to the local 192.168.0.x network (the Synology HA Cluster IP has a 192.168.0.xxx address)
  • I also have a 192.168.yy.xx network used for the WireGuard VPN service provided by the router
In terms of DSM, my setup is the following:
  • 2 x 1513+ running DSM 7:
Cluster.png

  • For each 1513+:
    • Ethernet ports 1 & 2 are aggregated as Bond 1 -> Primary Cluster Interface (so in the 192.168.0.xxx network), connected via a switch that supports aggregation
    • Ethernet ports 3 & 4 are aggregated as Bond 2 -> Cluster Heartbeat interface (probably in a private IP range configured by the cluster itself, directly connected between the 2 cluster nodes, with no switch between the 2 x 1513+ for ports 3 & 4). Reading the Synology SHA docs, it seems that the network 169.254.0.0 / 255.255.0.0 is used. But it's not clear whether it covers the Heartbeat interface (Bond 2) or the Primary Cluster interface (Bond 1)

Network.png


The firewall is configured as follows
  • Rules are set for "Bond 1" only (nothing set for "All Interfaces", PPPoE, VPN). Note that "Bond 2" does not even appear in the Firewall interface list
  • The configured behavior of the firewall if no rule matches is to deny access.
Firewall.png


Rules
  1. Allow access to the NAS for all devices within the LAN
  2. Allow access to the NAS for devices connected from the router VPN subnetwork (devices that are not in 192.168.0.x)
  3. Synology SHA Cluster rules set by the SHA package: NTP (123), SHA (874, 5405, 5406, 7400-7499)
  4. Allow access (from the internet) to Synology Drive for specific countries
  5. Allow access (from the internet) to the Synology HTTP Proxy (and services behind it) for specific countries

My Concerns
  • Does this firewall setup look safe?
  • I really do not understand Rule "3", which was added by the SHA package:
    • It looks like a "local network" rule to allow communication between the 2 nodes, but it is set as Source IP: All
    • I thought it would have been safer to limit this rule 3 to the local network (192.168.0.*?) or 169.254.0.0 / 255.255.0.0?
    • Wouldn't it be safer to move rule 3 to the bottom?
    • Isn't rule 3 already covered by Rule 1?
I'm a bit afraid of tweaking rule 3 and pushing a bad configuration to the passive node, with the risk of losing access to it or generating a split-brain issue.

Any advice or optimization from your point of view ?

Thanks in advance.
Thanks for your answer. I will try, but I guess the default behavior of the firewall is to deny anything that doesn't match a rule when the corresponding setting is enabled ("if no rules are matched: deny access").
 
Probably as a "make damn sure", I have also added a Deny All rule at the bottom of all firewall rules here....
In the router, you get "Hits" and can see the usefulness of that rule.... As I've done with other experimental rules in the router firewall... (just to see the effectiveness of the rule under test)... I so wish DSM firewalls showed "Hits"!!!
 
I’ve not looked at how Synology HA works.

When years ago configuring Check Point FW-1 in HA clusters it used VRRP and monitored circuits. This was where HA interfaces both had a real IP (one per device interface) on the subnet and then they shared a virtual IP. Using priority weighting either one or the other firewall would be primary if it was broadcasting the better weighting or the only one broadcasting. The monitored interfaces would be used to determine if the other device was offline and then all interfaces would be switched to answer arp requests for the virtual IP. I can’t remember what IP addressing the monitoring used, 224.x.y.z rings a bell.

The HA setup also used a sync connection too. This was direct Ethernet between the devices and maintained the connectivity tables etc.


So:
  1. What does Synology HA use the heartbeat connection for?
  2. Is heartbeat mandatory or a best practice (e.g. reduce latency etc.)?
  3. Is there failover/heartbeat/other HA-specific comms that need to use the data interfaces (your Bond 1)?
I don't see why you need a firewall rule to allow Any to access NTP and HA services. For now, ensure your internet firewall doesn't forward to these services, and then investigate what Synology HA really needs in order to work.
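To make the concern about Rule 3 concrete, here is a small first-match evaluator of the DSM rule set as the original post describes it (LAN allow, VPN allow, the SHA package rule with Source "All", the two geo-restricted rules, default deny). This is an added illustration, not Synology's code: the LAN mask, the WireGuard subnet, the allowed country and the country lookup are placeholders, and the "tightened" variant of Rule 3 limited to the LAN and 169.254.0.0/16 is the change the post asks about, not a documented Synology recommendation.

```python
import ipaddress

# Constructed model of the firewall described in the thread. DSM evaluates rules
# top to bottom, first match wins, and the configured fallback is deny.
LAN = ipaddress.ip_network("192.168.0.0/24")        # assumed: the 192.168.0.x LAN
VPN = ipaddress.ip_network("192.168.99.0/24")       # placeholder for the router's WireGuard subnet
HEARTBEAT = ipaddress.ip_network("169.254.0.0/16")  # range mentioned in the SHA docs
SHA_PORTS = {123, 874, 5405, 5406, *range(7400, 7500)}
ALLOWED_COUNTRIES = {"XX"}                          # placeholder for the geo-allowed countries

# Each rule: (label, predicate over (source address, destination port, source country)).
def rules_as_installed():
    return [
        ("1 LAN allow", lambda src, port, cc: src in LAN),
        ("2 VPN allow", lambda src, port, cc: src in VPN),
        ("3 SHA source=All", lambda src, port, cc: port in SHA_PORTS),
        ("4 Drive geo", lambda src, port, cc: port == 6690 and cc in ALLOWED_COUNTRIES),
        ("5 Proxy geo", lambda src, port, cc: port == 443 and cc in ALLOWED_COUNTRIES),
    ]

# Same rule set, but Rule 3 restricted to the LAN and the link-local heartbeat range.
def rules_tightened():
    r = rules_as_installed()
    r[2] = ("3 SHA LAN/heartbeat",
            lambda src, port, cc: port in SHA_PORTS and (src in LAN or src in HEARTBEAT))
    return r

# Returns ("allow", rule label) or ("deny", "default") for one packet.
def evaluate(rules, src, port, cc=""):
    addr = ipaddress.ip_address(src)
    for label, match in rules:
        if match(addr, port, cc):
            return ("allow", label)
    return ("deny", "default")

# Compare both rule sets over the same packets; returns {description: (installed, tightened)}.
def compare():
    packets = {
        "peer node, heartbeat range, port 5405": ("169.254.10.2", 5405, ""),
        "LAN host, port 874": ("192.168.0.10", 874, ""),
        "internet host, port 5405 (if ever forwarded)": ("203.0.113.7", 5405, "YY"),
        "internet host, 443, allowed country": ("203.0.113.8", 443, "XX"),
        "internet host, 443, other country": ("203.0.113.9", 443, "YY"),
    }
    a, b = rules_as_installed(), rules_tightened()
    return {k: (evaluate(a, *p), evaluate(b, *p)) for k, p in packets.items()}

if __name__ == "__main__":
    for desc, (installed, tightened) in compare().items():
        print(f"{desc:45s} installed={installed}  tightened={tightened}")
```

Note that the internet-host case on port 5405 only matters if the router ever forwards those ports (today it forwards only 443/6690), and the LAN-host case shows that Rule 1 already covers node traffic arriving on Bond 1 addresses.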
 
The firewall rule in place for NTP and HA was automatically added during the SHA installation.
I also have doubts about its usefulness. However, the documentation for the SHA cluster is particularly short.
Right now my internet router does not forward anything other than 443/6690 to the cluster VIP, but I prefer to have a strict firewall setup on the NAS as well.

I feel very few people use SHA, and that's probably why there is not much literature about it.