Firewall setup - is this OK?

NAS
DS920+, DS416slim
I would like to know that my firewall is set up correctly and despite doing lots of reading it's always helpful to have a sense check. I know that the firewall is not entirely necessary if your router has a firewall, which mine does - but I'd still like to make sure because I don't fully trust it (it is a ZTE (who!?) router provided by my ISP, Hyperoptic (UK)).

My usage involves:
- local network: file server, DLNA etc
- VPN in to 192.168.5.1
- remote UK use of DS apps like Video Station and DS File
- reverse proxy from my website using port 443 to point to DS apps
--- I am trying to get everyone to use xxx.website.com:443 as the address for all external apps but I'm not sure that's happening (had free DDNS before and I think some were using our static IP) - also not sure if this is an "issue" or not.
- everyone is in the UK, but may go abroad, so want easy ability to change this
- backup via rsync to an offsite DS, which connects to this DS via VPN

The firewall has the following rules

1. destination port 443 / all IP / allow [reverse proxy]
2. all ports / 192.168.5.1 to 192.168.5.10 / allow [VPN]
3. the rule that has all the DSM apps (DSM, DLNA, SSH (22, 7654)) / all IP / allow
4. all ports / local IP-subnet / allow
5. all ports / UK IPs / allow
6. all ports / all IPs / deny

So my questions (/points...) are:

1. Is this sensible/safe given my requirements!
2. Rule 1 - port 443. It is a redirect from my website ("A" records). Should this be restricted to an IP address/the IP of the godaddy server?
3. Rule 1 - port 443. If for example someone enters the address into DS Video of xxx.website.com:443 when they are in India, would DS see the location as India or the wherever xxx.website.com is hosted (appreciate this is not relevant for the rule currently) ?
4. Rule 1 - port 443. Does having this open mean that my NAS is fundamentally "open" and anyone can attempt to connect to it through this port? I think this explains my general ignorance with firewalls. I have this port open at the get-go, so anyone can attempt to log into the DS if they are aware (somehow) that this port is open? But does this matter given that.... ->
5. I have made sure that everyone uses reasonably complex and long passwords, and in most cases 2FA - am I right in assuming that as long as this is followed, the firewall is functionally useless because nobody can get access without logging in in the first place?
6. I have a static IP address and that is what the reverse proxy is fed by - xxx.website.com:443 -> 12.34.456.789. If all remote connections are via the reverse proxy, should I simply be allowing local network, 12.34.456.789, and denying everything else??

Imagine most experts on the forum are bored with questions/posts like this so sorry in advance!
 
1. All IP ranges globally? That is certainly generous. Isn't this already covered by #5?
2. Why all ports? Designate only what is necessary. This should be the second rule.
3. I would delete this entirely. It is far too broad. Port 22? Never.
4. Why all ports? Designate only what is necessary. This should be the first rule.
5. Why all ports? Designate only what is necessary. Can you further restrict the IP range?
6. Fine.
 
Thanks @Telos - much appreciated. I think I will create a new set of rules from fresh because it will likely be cleaner.

One general question - when creating a firewall rule is it OK to open ports by selecting the corresponding app in "Select from a list of built-in applications" rather than typing all the ports in manually?

1. My domain provider is godaddy but I have no idea where they are based. I kind of assumed they could change where the website is hosted, so I thought I needed this for the reverse proxy??
2. OK
3. I thought this was one that was definitely right!! DSM automatically creates these rules so various apps can run. Are you saying I should incorporate this rule into what I currently have as rules 2, 4 and 5 ? Why no port 22 ?
4. OK
5. I don't think I can restrict this further. At least six external users with dynamic IPs.
6. At least I got one right :ROFLMAO:
 
Right I have redone it all as you suggested (more or less).

I now have:

1. Selected apps (DSM, DLNA/UPNP, Minimserver, CIFS, Video Station, Encrypted terminal (22, 7654)) - local subnet - allow
2. Selected apps (DSM, DLNA/UPNP, Minimserver, CIFS, Video Station) - VPN subnet - allow
3. port 3493 - local desktop only - allow (this is for WinNUT client)
4. port 443 - UK - allow (this is for reverse proxy)
5. VPN server - UK - allow
6. all ports - all IPs - deny

I think this is a lot better!?

Re 1, encrypted terminal, in settings it is defined as 7654 and not 22. Should I remove terminal from here and add just 7654 to rule 3 which is my local desktop?
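As an added illustration (not code from this thread or from Synology), here is a small Python model of the DSM firewall's top-down, first-match evaluation applied to the original six rules and the revised list above. The LAN subnet, the "UK" range, the desktop address and the application port numbers are assumed stand-ins; it shows why the old rule 3 exposed SSH to any source and why the revised list does not.

```python
import ipaddress

# Constructed model: rules are checked top-down and the first match wins
# (assumption about DSM's evaluation order; nothing after a match is consulted).
LOCAL = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN subnet
VPN = ipaddress.ip_network("192.168.5.0/28")     # covers the OP's 192.168.5.1-.10 range
UK = ipaddress.ip_network("203.0.113.0/24")      # stand-in for "UK IPs" (TEST-NET, not real GeoIP)
DESKTOP = ipaddress.ip_network("192.168.1.10/32")  # assumed address of the WinNUT desktop
ANY = ipaddress.ip_network("0.0.0.0/0")

def rule(ports, src, action):
    """ports: set of TCP ports or 'all'; src: ip_network; action: 'allow' or 'deny'."""
    return {"ports": ports, "src": src, "action": action}

# Port numbers below are assumed stand-ins for the named DSM services.
ORIGINAL = [                                     # the six rules from the opening post
    rule({443}, ANY, "allow"),                   # 1 reverse proxy, any source
    rule("all", VPN, "allow"),                   # 2 VPN subnet
    rule({5000, 5001, 1900, 22, 7654}, ANY, "allow"),  # 3 "all DSM apps" incl. SSH, any source
    rule("all", LOCAL, "allow"),                 # 4 LAN
    rule("all", UK, "allow"),                    # 5 UK
    rule("all", ANY, "deny"),                    # 6 default deny
]

REVISED = [                                      # the list after the thread's advice
    rule({5000, 5001, 1900, 445, 7654}, LOCAL, "allow"),  # 1 selected apps, LAN only
    rule({5000, 5001, 1900, 445}, VPN, "allow"),          # 2 selected apps, VPN subnet
    rule({3493}, DESKTOP, "allow"),                       # 3 NUT, one desktop
    rule({443}, UK, "allow"),                             # 4 reverse proxy, UK
    rule({1194}, UK, "allow"),                            # 5 VPN server, UK
    rule("all", ANY, "deny"),                             # 6 default deny
]

def evaluate(rules, src_ip, dst_port):
    """Return (action, rule_number) for the first rule matching this connection."""
    ip = ipaddress.ip_address(src_ip)
    for number, r in enumerate(rules, start=1):
        if ip in r["src"] and (r["ports"] == "all" or dst_port in r["ports"]):
            return r["action"], number
    return "deny", None   # assumed behaviour when no rule matches

def reachable_ports(rules, src_ip, ports):
    """Which of the given ports can a host at src_ip reach under this rule set?"""
    return sorted(p for p in ports if evaluate(rules, src_ip, p)[0] == "allow")
```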
 
Re 1, encrypted terminal, in settings it is defined as 7654 and not 22. Should I remove terminal from here and add just 7654 to rule 3 which is my local desktop?
Do you mean SSH (Secure Shell)? If you aren't using SSH on its default TCP 22 then you don't have to include it.
 
Do you mean SSH (Secure Shell)? If you aren't using SSH on its default TCP 22 then you don't have to include it.

I do mean that, yes. Thanks

Right now I am onto the small issues.

When connecting with the VPN I can see the NAS shared files, but not
a. the rest of the network
b. connect to the internet

Does anyone know which apps/services I should be enabling to allow access to these?
 
DSM automatically creates these rules so various apps can run.
Do not allow this to happen! Disable UPnP in your router... it is a huge security hole. Only permit ports you really need. Synology is overzealous with port forwarding. Disable until you lack a connection that you need.

Generally speaking 1-2 open ports (HTTPS or VPN) is all that is required.

I kind of assumed they could change where the website is hosted, so I thought I needed this for the reverse proxy??
You could likely use HTTPS (443) alone. I'm sure others will have good advice here.
 
Do not allow this to happen! Disable UPnP in your router... it is a huge security hole. Only permit ports you really need. Synology is overzealous with port forwarding. Disable until you lack a connection that you need.

Generally speaking 1-2 open ports (HTTPS or VPN) is all that is required.
Thanks - I have done that. UPnP has been disabled on my router for ages.

I didn't know the automatic adding of ports was a big issue (I will stop doing that now) however another potentially big misunderstanding on my part - I assumed there was a difference between opening ports on your router and opening ports on your DS.

For example on my router I only have three ports open and forwarded to the same port on the NAS: 8001 (DSM), 1194 (VPN), and 443 (reverse proxy). On reflection I probably don't need 8001 open as it now goes through the reverse proxy.

But on the DS I have more ports open for various services like CIFS, DLNA, Video Station etc.

I assume this is what I'm supposed to be doing?

You could likely use HTTPS (443) alone. I'm sure others will have good advice here.

Think I've got this sorted out, cheers.


My main query now is which apps/services I need running (on the rule that gives the VPN subnet access to the network) in order to access the internet and other devices on the network when connected by VPN. Currently I can only see the DS shared folders.
 
