Just because you can, doesn't mean you should - Security/Firewall advice needed

Hi All,

So basically a couple of weeks ago I decided to try setting up MailPlus Server. It was more technical than I was expecting, and to be honest some of it was a bit over my head, but it all seemed good. Since then I've been a bit concerned about the security implications of having a mail server running on the same box that I keep all my personal data on. Then yesterday I noticed lots of events of failed connections to the mail server and to the NAS, so I decided to secure things up.

I've stopped the mailserver and closed the related ports in my router.
I've disabled all reverse proxy rules that I don't/shouldn't use, i.e. nas.mydomain.com, and instead I'll just stick to something like Tailscale if I need to remotely access the NAS.
Also, I decided to turn on Synology's internal firewall...

So, I'm inexperienced with firewalls and things aren't going well so far...

I've made sure I haven't locked myself out at the top of the rule list.
I've ended the rule list with a deny all rule.
But, when it comes to rules for all the services running in docker I'm having no luck...

For example, Bitwarden. I host this in a Docker container and share it with family members in this country and one other. The URL for accessing the server is something like http://bitwarden.mydomain.com and goes through an nginx reverse proxy. So I started by creating a rule to allow access to nginx. Then I tried creating a firewall rule for Bitwarden's port and allowed access from the 2 countries, but no joy. I then tried the same port but from my laptop's IP, but still no joy. For some reason though, Plex seemed to work. It was really sluggish when I created a rule for the two necessary countries, but things improved when I added another rule allowing access from my subnet.

Could someone tell me where I'm going wrong please?

Any advice on securely running a mail server would be appreciated too. I'm guessing that running it on a separate machine would be better, or is it best to forget it?

Also, this has made me think that I need to set up a good backup solution. Other than having a second, off-site NAS, is it possible to automatically back up to a remote (family member's) PC?

Thanks for any help and advice.
 
Then I tried creating a firewall rule for Bitwarden's port and allowed access from the 2 countries but no joy
Considering BW is running behind RP, how are you exactly trying to configure this in the fw?

or is it best to forget it?
There are a lot of elements (especially from a security standpoint) that go into having a mail server. Unless you really want to harden it well, be prepared to battle with all sorts of things hitting you from the web. Having it on the same box as your data would be a general "no-rule", but that's just me.

Also, this has made me think that I need to set up a good backup solution. Other than having a second, off-site NAS, is it possible to automatically back up to a remote (family member's) PC?
Not really. Guess you could start some sort of service on the PC side that might accept connections and run the backups, or you could just use a 3rd party solution via Docker and try that. Finally, you have the option to push data to a cloud provider, or eventually, run another "nas" on your family member side and transfer data that way.
 
Have you tried using the DSM reverse proxy using a dedicated port, instead of just unique FQDN and TCP 443? I think that the DSM firewall would then work controlling connections to this dedicated port. You wouldn't allow direct Internet access to the dedicated Docker container's port but to the proxied port.

Regarding running MailPlus Server (or Mail Server): do you need to host the primary mail service on your NAS? What I do is use an email service provider which handles mail to and from my main personal domain. But to keep an archive of received mail I have set up forwarding rules to Mail Server at home.

To limit who can connect to Mail Server's SMTP server I have created two firewall rules (this on SRM, but should be doable on DSM):
  1. Allow SMTP requests to NAS from IP range used by email service provider's servers.
  2. Deny SMTP requests from ALL
On SRM I manually manage firewall rules for port forwarding instead of having them automatically created to allow ALL.


Addendum...

Mail servers: running them for others is a thankless task. People are quirky how they manage their data and when it messes up, and it will, then they blame you when access is denied. Message stores can get mangled if you're unlucky. Servers get attacked for spam relays. Domestic broadband IP ranges are usually flagged as suspect for mail services.

Best is to try to offload this to a service provider and you can join the rest of your users in blaming the SP when it goes wrong.
 
Have you tried using the DSM reverse proxy using a dedicated port, instead of just unique FQDN and TCP 443? I think that the DSM firewall would then work controlling connections to this dedicated port.
My thoughts exactly. Same reason I asked how it is configured atm.
 
My thoughts exactly. Same reason I asked how it is configured atm.
You posted while I was writing :)

A pity that reverse proxy access policies only accept explicit IP addresses and ranges. It would be nice if geo-location tags could be used... even if it's possible hide the source IP using VPN services.
 
Considering BW is running behind RP, how are you exactly trying to configure this in the fw?
Hey @Rusty,

Yeah that's what I was trying to get my brain around. As it's being accessed through a RP I created a rule to allow connections to nginx

[screenshot of the firewall rule]

That didn't seem to work so I also created a rule for Bitwarden's port. I can access it through 192.168.1.XX:XXXX but not through the reverse proxy, i.e. bitwarden.mydomain.com

I know I'm missing something basic here lol.

Thanks for your input about mailserver and backup solution, I thought as much.

Cheers (y)
 
That didn't seem to work so I also created a rule for Bitwarden's port. I can access it through 192.168.1.XX:XXXX but not through the reverse proxy, i.e. bitwarden.mydomain.com
That's exactly what @fredbert is saying. You can't use your internal IP address and Docker port for BW to block outside access, because outside access is FQDN and 443, and on top of it you can't use geo-block, but rather a specific IP/range. In any case, protecting it this way will have no effect.

Guessing it works for Plex because you are running Plex on bare metal via Package Center, not Docker?
 
Guessing it works for Plex because you are running Plex on bare metal via Package Center, not Docker?
No, Plex is in Docker, but I don't have a reverse proxy rule for it; instead I have port 32400 open on my router.

Have you tried using the DSM reverse proxy using a dedicated port, instead of just unique FQDN and TCP 443? I think that the DSM firewall would then work controlling connections to this dedicated port. You wouldn't allow direct Internet access to the dedicated Docker container's port but to the proxied port.
Hi @fredbert ,

I will give Synology's RP a try and see if that works.

Best is to try to offload this to a service provider and you can join the rest of your users in blaming the SP when it goes wrong.
Good advice, I thought I'd be better off doing that for now. Thank you (y)
 
No, Plex is in Docker, but I don't have a reverse proxy rule for it; instead I have port 32400 open on my router.
That's different because you are using a separate firewall that has no idea what is happening on the NAS, or any other LAN device. It is just following its rules: change this to that; allow/deny; send out of this interface. But the NAS firewall is mediating connections on the endpoint device: you should really consider Docker containers (and VMs) as separate LAN devices unless you absolutely know that the DSM firewall intercepts all interface traffic.
 
Have you tried using the DSM reverse proxy using a dedicated port, instead of just unique FQDN and TCP 443? I think that the DSM firewall would then work controlling connections to this dedicated port. You wouldn't allow direct Internet access to the dedicated Docker container's port but to the proxied port.
Hey @fredbert,

Thanks for your help but I'm just not getting this. Could you explain what you mean by a dedicated port please. Sorry if I'm being a bit thick here, my brain has gone to mush trying to figure this out.

Thanks
 
So basically a couple of weeks ago I decided to try setting up MailPlus Server. It was more technical than I was expecting, and to be honest some of it was a bit over my head
I would advise you to stop. Despite the issues you raised, without mail server expertise, you are at risk of black-holing your IP (due to spam) and having your ISP block all your mail access (in/out). Setting up a mail server is not for noobies.
 
Assuming the Docker container uses the NAS's IP and you have fixed its port to 32345, then you could create a reverse proxy rule for port 12345 as follows. It would work for any URL to the NAS so long as it uses this port.

[screenshot of the reverse proxy rule]

You would then create the firewall rule against port 12345.
 
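A small first-match rule evaluator, added here as an illustration (it is not from the thread, from DSM or from Synology), with a constructed ruleset that mirrors the advice in this thread: the LAN allowed first so you cannot lock yourself out, SMTP limited to the mail provider's range, a rule on Bitwarden's container port, and deny-all last. It shows why the container-port rule never matches a request that arrives at the reverse proxy on 443, and why a rule on fredbert's dedicated proxied port does; every address and port number below is a placeholder.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str                       # "allow" or "deny"
    name: str                         # why the rule exists
    ports: Optional[set] = None       # None means any destination port
    sources: list = field(default_factory=list)  # empty means any source

def decide(rules, src_ip, dst_port):
    """Return (action, rule name) of the first rule that matches, the way a
    top-to-bottom, first-match firewall list such as DSM's evaluates."""
    ip = ip_address(src_ip)
    for r in rules:
        port_ok = r.ports is None or dst_port in r.ports
        src_ok = not r.sources or any(ip in net for net in r.sources)
        if port_ok and src_ok:
            return r.action, r.name
    return "deny", "implicit deny"   # reached only if no explicit deny-all

# Constructed values (not from the thread): home LAN, the mail provider's
# sending range, a hypothetical fixed container port, and the proxied port.
LAN = ip_network("192.168.1.0/24")
MAIL_PROVIDER = ip_network("203.0.113.0/24")
BW_CONTAINER_PORT = 8443      # hypothetical port fixed on the container
PROXIED_PORT = 12345          # dedicated reverse proxy port as suggested above

RULES = [
    Rule("allow", "LAN first, never lock yourself out", sources=[LAN]),
    Rule("allow", "SMTP only from the mail provider", {25}, [MAIL_PROVIDER]),
    Rule("deny",  "SMTP from everyone else", {25}),
    Rule("allow", "Bitwarden container port", {BW_CONTAINER_PORT}),
    Rule("deny",  "deny all"),
]

def with_proxied_port(rules):
    """The fix: allow the port the reverse proxy listens on, inserted
    before the final deny-all so that it is reached at all."""
    return rules[:-1] + [Rule("allow", "proxied port", {PROXIED_PORT})] + rules[-1:]

if __name__ == "__main__":
    # An outside client reaching bitwarden.mydomain.com hits the proxy on 443,
    # so the container-port rule is never consulted and deny-all wins.
    print(decide(RULES, "198.51.100.7", 443))                     # ('deny', 'deny all')
    print(decide(with_proxied_port(RULES), "198.51.100.7", 12345))  # ('allow', 'proxied port')
    print(decide(RULES, "198.51.100.7", 25))                      # ('deny', 'SMTP from everyone else')
```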
Assuming the Docker container uses the NAS's IP and you have fixed its port to 32345, then you could create a reverse proxy rule for port 12345 as follows. It would work for any URL to the NAS so long as it uses this port.

You would then create the firewall rule against port 12345.
Thanks @fredbert, but just to make sure I'm understanding you right, is this just a workaround? Am I better off not using the internal firewall?

Are you saying that I'd have to do this with all services running in containers that I want to allow access to from outside my network, and that I'd have to add port numbers to all URLs used? In which case I might as well switch back from nginx to Synology's RP?

If so, it would seem to me that keeping the mail server shut down and just sticking with my routers firewall and nginx as before would suffice?

In any case, protecting it this way will have no effect.
Is that what @Rusty meant?

Thanks for your help, and for explaining this to me.
 
In which case I might as well switch back from nginx to Synology's RP?
I completely missed the difference you meant when you said you're using nginx reverse proxy. DSM uses nginx itself. And you probably posted elsewhere saying about running a dockerised nginx reverse proxy. I assumed you meant you are using the built-in reverse proxy.

Is there a reason to use a roll-your-own proxy? When I've proxied my containers it has worked using the built-in proxy, but I'm also using TCP 443, not a unique port. I also use a filtered policy in the firewall (on SRM but likely to work on DSM) that places a set of rules first to filter out specific countries.
 