Firewall Setup Question

Currently reading
Firewall Setup Question

Hello,

I have a question about my firewall setup. So far, I've not done anything specific to it. When the router was first plugged in, it asked me to set up a bunch of automatic rules, and I let it do that so I could get through the setup process.

Presently, it looks like this:
1581881623219.png

Some of this, even with my presently basic undestanding, seems a bit generous. I'm also not sure what's happening with that first System Rule (SFTP, Bonjour).

The only thing I can recall doing that struck me as strange was when I turned on automatic updates for the SRM Security Certificate from Let's Encrypt, it required me to open WAN access to the router's admin. I don't really like that, but I want automatic updates to the cert...

Presently:
  1. The default admin user is disabled.
  2. SSH is disabled.
  3. SFTP (should) be disabled.
  4. There is an SD card in the system for Package Manager, but I have not enabled any of the file sharing options for the LAN yet.
  5. 2FA is required for all logins to SRM.
  6. Synology's DDNS service is enabled. (I'm not yet using any SRM or internal network device services when I leave my office, but in future I might. I went ahead and set this up so I could see how it worked. I'm setting up a Raspberry Pi now that might end up having some services running I want to access remotely, and I have a dynamic IP from my ISP, so...)
  7. I use VoIP service.
  8. All firewall settings are auto-generated.
Questions:
  1. I've seen some great threads on here from people who obviously know what they're doing sharing their firewall setups. (Thanks, @fredbert !) Is there some sort of official documentation somewhere I should look at, too? Google has been less than helpful.
  2. Is there anything in the present list of rules I need to delete/disable?
  3. Is there anything I should add?
Thanks!
 
324
124
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
How did you "turn on automatic updates for the SRM Security Certificate from Let's Encrypt"?
 
324
124
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
I don't see anything about turning on automatic updates there. Rather, it's about providing a key which can be provided to a certificate authority. (I think of automatic updates as being renewals that happen without user intervention from time to time to prevent the certificate from expiring.)
 
I don't see anything about turning on automatic updates there. Rather, it's about providing a key which can be provided to a certificate authority. (I think of automatic updates as being renewals that happen without user intervention from time to time to prevent the certificate from expiring.)

Right. The first time I did it, it was just setting it up the the key to talk to the certificate authority and issue me a certificate. That was a couple months ago.

I checked it this weekend, saw that my certificate would be expiring soon, and decided to go ahead and renew. I clicked the renew button, and it popped up a window to get me to turn on automatic certificate renewals. That window was the first time I heard about enabling WAN access to the router. It had me stop the process of automatic renewal activation, and go turn on WAN access, and start the automatic renewal setup again.

EDIT - Photo:

1581890274045.png
 
324
124
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
Ah, got it, thanks - sounds like I need to click Renew at a time when my cert is about to expire to launch the automatic renewal process. (Sorry for hijacking your initial question like this...)

To answer your initial questions - the official documentation is pretty thin, but the Synology firewall works pretty much like any other firewall.

The only thing that looks strange to me in your rules is that the third rule appears identical to the fifth rule, but the third rule says Deny while the fifth rule says Accept. The fifth rule will never be active, because anything it would have accepted would have been denied by the third rule. Apart from that, I don't see anything to delete, and the only reason to add a rule would be to enable something that isn't working; if everything is working, then you're good.

I would suggest going down to the bottom of the firewall screen and clicking the expansion chevrons so that you can see what it does with packets that don't match any of the rules. (That is, the "catch all" section). Those should all be set to "Deny" rather than "Accept". That way, anything that you are not explicitly allowing will be dropped.
 
Last edited:
EDIT (2020 02 16 at 1557 US Central):

Photo
Ah, got it, thanks - sounds like I need to click Renew at a time when my cert is about to expire to launch the automatic renewal process. (Sorry for hijacking your initial question like this...)

No need to apologize. A lot of the informational popups in SRM are bizarrely vague, considering how much detail the settings go into. That automatic renewal thing leaves a lot to be desired. At the moment, after enabling WAN access and "DNS" (which I assume is DDNS, which I have turned on?), I can access my system via web browser using the DDNS address.

I'm not sure if I can turn off port 80 access and just leave it 443. Looking into that.

To answer your initial questions - the official documentation is pretty thin, but the Synology firewall works pretty much like any other firewall.

Oh, good. It's not just me who boggled at the lack of instruction there. :)

The only thing that looks strange to me in your rules is that the third rule appears identical to the fifth rule, but the third rule says Deny while the fifth rule says Accept. The fifth rule will never be active, because anything it would have accepted would have been denied by the third rule.


Poor screenshot on my part. Those are both "encrypted terminal" services.
Deny: includes SFTP and Bonjour (Bonjour is not enabled).
Allow: includes SFTP and NTP.

I think this is because I have NTP enabled for clock sync? It's odd.
Should I change these?

Apart from that, I don't see anything to delete, and the only reason to add a rule would be to enable something that isn't working; if everything is working, then you're good.

I appreciate you taking the time to look at it. It's been at least a decade since I actually tried to configure a firewall. I'm a bit rusty at it.

I would suggest going down to the bottom of the firewall screen and clicking the expansion chevrons so that you can see what it does with packets that don't match any of the rules. (That is, the "catch all" section). Those should all be set to "Deny" rather than "Accept". That way, anything that you are not explicitly allowing will be dropped.

Ugh. I didn't even notice those. I have some vision issues and would really like a high contrast/dark mode for this interface...

See updated screenshot below. Right now WAN-to-LAN traffic for IPv4 and IPv6 are set to allow, and otherwise not-allowed WAN to SRM access is denied.

If I deny WAN-to-LAN traffic, won't that cut my LAN client devices off from the internet?

1581891723812.png
 
324
124
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
No, if you deny WAN-to-LAN traffic, it won't cut your LAN client devices off from the internet.
What it will block is UNSOLICITED connections to them: That is, someone on the internet randomly decides to try to connect to your LAN, they'll be blocked. But the WAN-to-LAN barrier does not block SOLICITED connections: which just means that if you initiate a connection (to a website, to a mail server, etc.), the return traffic will be allowed. (This is how things like Quickconnect and TeamViewer, which SEEM to accept connections from out on the internet, work: They are constantly sending packets to the Quickconnect or TeamViewer server out on the internet, which means that incoming packets from those servers will always get through, even without port forwarding or an explicitly open port.)

There is NO reason to allow incoming packets (from the WAN) to access SRM for NTP - NTP is, if anything, a service provided to devices on your LAN. You would want to permit devices on the LAN to access SRM for that purpose, though, if they are using your router as their time server. And it's not clear to me why you'd want to allow WAN traffic to access SRM for SFTP, either, unless you are (on purpose) running an SFTP server on the router.
 
No, if you deny WAN-to-LAN traffic, it won't cut your LAN client devices off from the internet.
What it will block is UNSOLICITED connections to them: That is, someone on the internet randomly decides to try to connect to your LAN, they'll be blocked. But the WAN-to-LAN barrier does not block SOLICITED connections: which just means that if you initiate a connection (to a website, to a mail server, etc.), the return traffic will be allowed. (This is how things like Quickconnect and TeamViewer, which SEEM to accept connections from out on the internet, work: They are constantly sending packets to the Quickconnect or TeamViewer server out on the internet, which means that incoming packets from those servers will always get through, even without port forwarding or an explicitly open port.)

Good morning. I really appreciate the explanation. My brain was reading WAN-to-LAN as bidirectional, not unidirectional. Obviously, I'm dreadfully out of practice at firewall admin. -_-

There is NO reason to allow incoming packets (from the WAN) to access SRM for NTP - NTP is, if anything, a service provided to devices on your LAN. You would want to permit devices on the LAN to access SRM for that purpose, though, if they are using your router as their time server. And it's not clear to me why you'd want to allow WAN traffic to access SRM for SFTP, either, unless you are (on purpose) running an SFTP server on the router.

I wonder if this is because I have client devices on the LAN set to time sync off NTP servers? Laptops and cell phones, for instance. If I blocked NTP incoming packets, wouldn't client devices on the LAN no longer be able to time sync unless I hardcoded the router's IP into the clients as the timekeeping server? (Which would then create issues for mobile devices when outside my LAN, possibly?)
 
324
124
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
The return packets from clients' NTP requests are coming back to the clients themselves, not to SRM (the router's own operating system). So, in short, no. Blocking NTP packets from reaching SRM just prevents devices from asking your router, "what time is it?"

If you wanted for some reason to block your client devices from obtaining the time from external time servers, you'd block NTP LAN-to-WAN.
 
The return packets from clients' NTP requests are coming back to the clients themselves, not to SRM (the router's own operating system). So, in short, no. Blocking NTP packets from reaching SRM just prevents devices from asking your router, "what time is it?"

If you wanted for some reason to block your client devices from obtaining the time from external time servers, you'd block NTP LAN-to-WAN.

Ah. That makes sense. I'm not sure why that was auto-enabled when I set up the router. (The default settings auto-enable certain router firewall ports when they're asked to do things. I'm guessing I should turn that off, too...)

A couple of other questions:
  1. I assume Bonjour is enabled for Any --> SRM access for things like Bonjour printer and file sharing? Which is odd as I have all file sharing services disabled. Should I turn that off for now, too? (When I need to do cloud printing, I actually email the document to my printer using an email address that bounces it through an HP cloud server. I probably should be using my own router for this because some of those documents are for work, but I'm not sure how to set that up yet.)
  2. Can I safely deny the second row item (non secure HTTP access to the SRM admin)? I don't want to accidentally lock myself out of the admin system.
 
324
124
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
The only reason I can think of for bonjour access to SRM to be enabled is, as you suggest, so that Apple devices on the LAN can find file storage and printer services offered by the router itself.
I'd suggest denying non secure http access from the WAN to SRM, so that connections to the router's admin pages from the internet must be HTTPS. There's less reason to do so for connections from the LAN.
 
The only reason I can think of for bonjour access to SRM to be enabled is, as you suggest, so that Apple devices on the LAN can find file storage and printer services offered by the router itself.

So, I think I'm getting the hang of this. Denying All-->SRM traffic will not tamper with in-LAN Bonjour because in-LAN Bonjour is not trying to access printers/disks hanging off the router?

Does that include wifi printers on the network set up using AirPrint, though?
I guess a better question is, when the source/destination IP is "SRM," what does that mean? Just the router? Anything on the internal network that I have to go through the router to get to?

I'd suggest denying non secure http access from the WAN to SRM, so that connections to the router's admin pages from the internet must be HTTPS. There's less reason to do so for connections from the LAN.

Both of the SRM - HTTP rules--secure and unsecure--are not editable. I think I can change the access ports, but that's it. So I can't deny insecure access.

I actually have to use the router's dynamic DNS host name to get HTTPS to work. The Let's Encrypt certificate is tied to the DDNS host, which I suppose makes sense given that I don't have a static IP. So, accessing it from within the LAN via its in-LAN IP is always HTTP only (and I get a warning about domain/valid certificate mismatch).

I don't see any reason to use the DDNS address from inside the LAN.
 
324
124
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
So, I think I'm getting the hang of this. Denying All-->SRM traffic will not tamper with in-LAN Bonjour because in-LAN Bonjour is not trying to access printers/disks hanging off the router?

CORRECT.

Does that include wifi printers on the network set up using AirPrint, though?
I guess a better question is, when the source/destination IP is "SRM," what does that mean? Just the router? Anything on the internal network that I have to go through the router to get to?

SRM is only services offered by the router, such as the router's VPN server, storage on a USB stick or hard drive connected to the router, or printer reached through the Control Panel / Device / Printer setup on the router. A printer reachable via Airprint requires LAN access to bonjour, not access to SRM.

Both of the SRM - HTTP rules--secure and unsecure--are not editable. I think I can change the access ports, but that's it. So I can't deny insecure access.

Not sure what to say about this.

I actually have to use the router's dynamic DNS host name to get HTTPS to work. The Let's Encrypt certificate is tied to the DDNS host, which I suppose makes sense given that I don't have a static IP. So, accessing it from within the LAN via its in-LAN IP is always HTTP only (and I get a warning about domain/valid certificate mismatch).

If you access ANYTHING using https and a numeric IP address, you'll get an error, as the certificate is tied to the domain name, not the numeric IP address. But you should be able to access the router from within the LAN using its DDNS address, and the port number you've assigned on the router to external access (default being 8001). If you can't, then, as an experiment, try turning off the Safe Access app (by going into Package Center, and selecting Safe Access, and clicking Stop.) Are you then able to access the router via its DDNS name via https?

I don't see any reason to use the DDNS address from inside the LAN.

Only so that your portable devices can access the router at the same URL whether they are trying from within or without your LAN.
 
@akahan ,

I have confirmed I get a properly (HTTPS)-secured page load when I access SRM via the DDNS address. So that works fine. :) I'm the only one who directly accesses the SRM, so I don't mind having to manually type the DDNS address when outside the LAN. I'm honestly happier with not putting the DDNS address in any settings while SRM is open the WAN, in case someone else accesses those settings somehow and sees the address.

For the moment, the only person who would need access to the SRM outside the LAN is me, so I don't mind just manually typing it every time.I

Thanks for all your help.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Top