Hi All,
After reading the advice in the forum from experts about other firewall issues, I wonder if my own firewall rules are finally strict enough in my specific context:
Router configuration (ports opened/nated)
- 443: forwarded to the HA Cluster IP, which runs the Synology HTTP proxy server in front of all hosted web services (DSM included). I use a wildcard certificate; routing to the correct web service is done using the Synology Proxy configuration (e.g. https://dsm.mydomain.com/ -> goes to http://DSM_localIP:5001, https://forum.mydomain.com/ -> http://forum_local_ip:xxxx/ ...)
- 6690: forwarded to the HA Cluster IP, which also runs Synology Drive
- In summary, 443 and 6690 are NATed on the router to the local 192.168.0.x network (the Synology HA Cluster IP has a 192.168.0.xxx IP address)
- I also have a 192.168.yy.xx network used for the WireGuard VPN service provided by the router
- 2 x 1513+ running DSM7:
  - For each 1513+:
    - Ethernet ports 1 & 2 are aggregated as Bond 1 -> Primary Cluster Interface (so in the 192.168.0.xxx network), connected via a switch that supports aggregation
    - Ethernet ports 3 & 4 are aggregated as Bond 2 -> Cluster Heartbeat interface (probably in a private IP range configured by the cluster itself, directly connected between the 2 cluster nodes; there is no switch between the 2 x 1513+ for ports 3 & 4). Reading the Synology SHA docs, it seems that the network 169.254.0.0 / 255.255.0.0 is used, but it is not clear whether it covers the Heartbeat interface (Bond 2) or the Primary Cluster interface (Bond 1)
The firewall is configured as follows
- Rules are set for "Bond 1" only (nothing is set for "All Interfaces", PPPoE or VPN). Note that "Bond 2" does not even appear in the firewall's interface list
- The configured behavior of the firewall if no rule matches is to deny access.
Rules
- Allow access to the NAS to all devices within the LAN
- Allow access to the NAS to devices connected from the Router VPN sub network (devices that are not in 192.168.0.x)
- Synology SHA Cluster rules set by the SHA package: NTP (123), SHA (874, 5405, 5406, 7400-7499)
- Allow access (from internet) to Synology Drive for specific countries
- Allow access (from internet) to Synology HTTP Proxy (and services behind) for specific countries
My Concerns
- Does this firewall setup look safe?
- I really do not understand Rule "3" that was added by the SHA package:
  - It looks like a "local network" rule to allow communication between the 2 nodes, but it is set as Source IP: All
  - I thought it would have been safer to limit this rule 3 to the local network (192.168.0.* ?) or to 169.254.0.0 / 255.255.0.0 ?
  - Wouldn't it be safer to move rule 3 to the bottom?
  - Is rule 3 not already covered by Rule 1?
Any advice or optimization from your point of view?
Thanks in advance.