I would like to know that my firewall is setup correctly and despite doing lots of reading it's always helpful to have a sense check. I know that the firewall is not entirely necessary if your router has a firewall, which mine does - but I'd still like to make sure because I don't fully trust it (it is a ZTE (who!?) router provided by my ISP, Hyperoptic (UK)).
My usage involves:
- local network: file server, DLNA etc
- VPN in to 192.168.5.1
- remote UK use of DS apps like Video Station and DS File
- reverse proxy from my website using port 443 to point to DS apps
--- I am trying to get everyone to use xxx.website.com:443 as the address for all external apps but I'm not sure that's happening (had free DDNS before and I think some were using our static IP) - also not sure if this is an "issue" or not.
- everyone is in the UK, but may go abroad, so want easy ability to change this
- backup via rsync to an offsite DS, which connects to this DS via VPN
The firewall has the following rules
1. destination port 443 / all IP / allow [reverse proxy]
2. all ports / 192.168.5.1 to 192.168.5.10 / allow [VPN]
3. the rule that has all the DSM apps (DSM, DLNA, SSH (22, 7654)) / all IP / allow
4. all ports / local IP-subnet / allow
5. all ports / UK IPs / allow
6. all ports / all IPs / deny
So my questions (/points...) are:
1. Is this sensible/safe given my requirements?
2. Rule 1 - port 443. It is a redirect from my website ("A" records). Should this be restricted to an IP address/the IP of the GoDaddy server?
3. Rule 1 - port 443. If for example someone enters the address into DS Video of xxx.website.com:443 when they are in India, would DS see the location as India or wherever xxx.website.com is hosted (appreciate this is not relevant for the rule currently)?
4. Rule 1 - port 443. Does having this open mean that my NAS is fundamentally "open" and anyone can attempt to connect to it through this port? I think this explains my general ignorance with firewalls. I have this port open at the get-go, so anyone can attempt to log into the DS if they are aware (somehow) that this port is open? But does this matter given that.... ->
5. I have made sure that everyone uses reasonably complex and long passwords, and in most cases 2FA - am I right in assuming that as long as this is followed, the firewall is functionally useless because nobody can get access without logging in in the first place?
6. I have a static IP address and that is what the reverse proxy is fed by - xxx.website.com:443 -> 12.34.456.789. If all remote connections are via the reverse proxy, should I simply be allowing local network, 12.34.456.789, and denying everything else??
Imagine most experts on the forum are bored with questions/posts like this so sorry in advance!
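The post's rules are evaluated top to bottom with the first matching rule deciding, which is how the DSM firewall applies its rule list. The evaluator below is an added example written for this thread, not code from the original post or from Synology; it encodes the six rules exactly as listed and runs a few constructed source addresses against them. The GeoIP table is a constructed stand-in (documentation-range addresses mapped to country labels), the LAN subnet 192.168.1.0/24 is assumed because the post does not give it, and ports 5000/5001 are assumed DSM defaults alongside the 22 and 7654 the post names. Running it shows two things the rule list alone hides: rule 3 allows the DSM/SSH ports from any address before the UK-only rule 5 is ever consulted, so the geo restriction does not apply to those ports, and port 443 is reachable from every source. It also shows a tightened variant where rule 3 is limited to UK sources, so non-UK traffic to SSH/DSM falls through to the final deny. On question 3: a DNS A record only tells the client where to connect, so the address the firewall sees is the client's own, not the web host's.

```python
"""First-match firewall evaluator for the rule set described in the post (constructed example)."""
import ipaddress

# Constructed GeoIP table standing in for DSM's database; addresses come from documentation ranges.
GEO = {"203.0.113.10": "UK", "198.51.100.7": "IN", "192.0.2.44": "US"}

DSM_APP_PORTS = {22, 7654, 5000, 5001}  # 22/7654 from the post; 5000/5001 assumed DSM defaults
LAN_SUBNET = "192.168.1.0/24"           # assumed; the post does not state the LAN range


def ip_in_range(src, lo, hi):
    """True when src lies inside the inclusive address range lo..hi."""
    a = ipaddress.ip_address
    return a(lo) <= a(src) <= a(hi)


def source_matches(source, src):
    """Match a rule's source selector: any, an address range, a CIDR, or a geo country label."""
    kind = source[0]
    if kind == "any":
        return True
    if kind == "range":
        return ip_in_range(src, source[1], source[2])
    if kind == "net":
        return ipaddress.ip_address(src) in ipaddress.ip_network(source[1])
    if kind == "geo":
        return GEO.get(src) == source[1]
    raise ValueError(f"unknown source selector {source!r}")


def evaluate(rules, src, dport):
    """Walk rules top to bottom; the first rule whose ports and source both match decides."""
    for name, ports, source, action in rules:
        if (ports is None or dport in ports) and source_matches(source, src):
            return action, name
    return "nomatch", None  # never reached here because rule 6 matches everything


# The six rules exactly as listed in the post (ports=None means all ports).
RULES_AS_POSTED = [
    ("1 reverse proxy", {443}, ("any",), "allow"),
    ("2 VPN", None, ("range", "192.168.5.1", "192.168.5.10"), "allow"),
    ("3 DSM apps", DSM_APP_PORTS, ("any",), "allow"),
    ("4 LAN", None, ("net", LAN_SUBNET), "allow"),
    ("5 UK", None, ("geo", "UK"), "allow"),
    ("6 deny all", None, ("any",), "deny"),
]

# Same list, but rule 3 admits only UK sources, so non-UK traffic to SSH/DSM reaches the final deny.
RULES_TIGHTENED = [
    ("3 DSM apps (UK)", DSM_APP_PORTS, ("geo", "UK"), "allow") if r[0].startswith("3") else r
    for r in RULES_AS_POSTED
]


def exposure(rules, dport, sources=GEO):
    """Map each sample source address to the (action, rule) that decides traffic to dport."""
    return {src: evaluate(rules, src, dport) for src in sources}


if __name__ == "__main__":
    for dport in (443, 22, 5001, 445):
        print(dport, "as posted: ", exposure(RULES_AS_POSTED, dport))
        print(dport, "tightened: ", exposure(RULES_TIGHTENED, dport))
```

The ordering is the whole point: a broad allow placed above a narrow geo rule makes the narrow rule irrelevant for the ports the broad rule covers, so the question to ask of each allow is "which sources can reach this port before anything below me runs". Passwords and 2FA protect the login once a connection arrives; the firewall decides whether the connection arrives at all, so the two are complementary rather than one making the other useless.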