SRM Firewall order and deny

Hi,

Question 1
I need to create rules for my smart TV's access, but I have difficulty knowing in which order to insert them in the firewall:
Source: TV to WAN : Allowed : Svod
Source: TV to NAS : Allowed (for plex)
Source: TV to LAN: Denied.
The KB indicates:
The SRM firewall applies the rules in a defined order. Once a rule matches, it is applied and the SRM firewall does not look for a match with the remaining rules.

Rule 1 (TV to WAN) only concerns the WAN and does not influence the LAN, so I figure it can be in position 1, 2 or 3, though the position may be important.
Rule 3 is general while rule 2 is an exception carved out of rule 3's denial, so I tell myself position 2 is right. But without conviction...


Question 2 :
I read in several places that it is recommended to put a "deny all" rule at the end. What is the point if we already have the 4 rules set to "deny" at the bottom of the configuration?
[screenshot: firewall.png]

Thanks
 
Firewall rules are processed from top to bottom, with the four hard-coded catch-all rules last. The first matching rule for a connection's protocol, source IP + port, and destination IP + port will result in the rule's action being applied, and then processing stops.

Since you are talking about the SRM router firewall (not a NAS firewall), whether you need rules will depend on whether the connections are even mediated by the router and then its firewall. If the TV is on the LAN then you can't add a firewall rule to deny it accessing other LAN devices. But you can if you have the TV on a different VLAN from the LAN, and if it is separated from them (e.g. the guest VLAN has a setting to permit its clients to access the LAN … which bypasses using the firewall).

Since you are denying all connections (the bottom four rules) then you should have a rule to allow LAN devices, or those you want, out to access the Internet.
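As an added illustration of the first-match processing described in this answer (example code written for this thread, not SRM's own implementation), the script below models a small rule table with per-rule hit counters. It shows that the TV-to-NAS Plex allow must sit above the TV-to-LAN deny, that a TV-to-WAN allow written with an "any" destination must sit below that deny or it shadows it, and that with only the catch-all deny left, a connection nobody explicitly allowed is dropped. The VLAN ranges, addresses and the Plex port are constructed assumptions.

```python
"""First-match firewall evaluation, modelled on the SRM behaviour described
in the thread: rules are checked top to bottom, the first match decides and
processing stops; the catch-all deny is reached only when nothing above
matched.  Added example, not SRM code.  Networks and ports are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    action: str                   # "allow" or "deny"
    proto: str = "any"            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None   # None = any destination port
    hits: int = 0                 # hit counter, like the one SRM shows per rule

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("any", proto)
                and src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))

def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, rule name) for the first matching rule."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            rule.hits += 1
            return rule.action, rule.name
    return "deny", "implicit"     # never reached while a catch-all deny is present

def shadowed(rules):
    """Names of rules that can never fire because an earlier rule already
    covers every connection they would match (simple superset check)."""
    dead = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.proto in ("any", r.proto)
                    and r.src.subnet_of(earlier.src)
                    and r.dst.subnet_of(earlier.dst)
                    and earlier.dport in (None, r.dport)):
                dead.append(r.name)
                break
    return dead

# Constructed topology (assumptions, not the poster's real addresses).
TV_VLAN = ip_network("192.168.40.0/24")   # IoT / smart-TV VLAN
LAN = ip_network("192.168.1.0/24")        # main LAN, where the NAS lives
NAS = ip_network("192.168.1.10/32")
ANY = ip_network("0.0.0.0/0")
PLEX_PORT = 32400                         # assumed Plex server port

def make_policy(order=("plex", "deny_lan", "wan")):
    """Build the TV policy in the given order, with the catch-all deny last."""
    rules = {
        "plex": Rule("TV -> NAS (Plex)", TV_VLAN, NAS, "allow", "tcp", PLEX_PORT),
        "deny_lan": Rule("TV -> LAN", TV_VLAN, LAN, "deny"),
        "wan": Rule("TV -> WAN (streaming)", TV_VLAN, ANY, "allow"),
    }
    return [rules[k] for k in order] + [Rule("catch-all deny", ANY, ANY, "deny")]

if __name__ == "__main__":
    tv, nas, other_lan, internet = "192.168.40.20", "192.168.1.10", "192.168.1.50", "203.0.113.5"
    for order in (("plex", "deny_lan", "wan"), ("deny_lan", "plex", "wan"), ("wan", "plex", "deny_lan")):
        policy = make_policy(order)
        print("order:", " > ".join(order))
        print("  TV -> NAS:32400 ", evaluate(policy, "tcp", tv, nas, PLEX_PORT))
        print("  TV -> NAS:445   ", evaluate(policy, "tcp", tv, nas, 445))
        print("  TV -> LAN host  ", evaluate(policy, "tcp", tv, other_lan, 80))
        print("  TV -> Internet  ", evaluate(policy, "tcp", tv, internet, 443))
        print("  LAN -> TV       ", evaluate(policy, "tcp", other_lan, tv, 80))
        print("  shadowed rules  ", shadowed(policy))
        print("  hit counters    ", {r.name: r.hits for r in policy})
```

Running the script prints the same five test connections under three orderings: the recommended one (exception, then general deny, then WAN allow), the reversed one where the Plex rule is dead, and the WAN-first one where an "any" destination swallows everything. The hit counters make a never-hit rule visible the same way a trailing deny rule with its own counter does in SRM.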
 
Hello and thank you for your answers.
Indeed, I forgot to mention an important element :(. I am on an RT6600ax, which manages VLANs.
My smart TV is on a different VLAN from my main network where my NAS is.
I unchecked the complete VLAN isolation option in SRM.

I think this rule is useless because it is outgoing traffic, so it is already allowed?:
Source: TV to WAN : Allowed : Svod

I would only put these two in this order:
Source: TV to NAS : Allowed (for plex port only)
Source: TV to LAN : Denied.

I did not need to allow my devices to access the Internet despite the 4 rules at the end. But I think they only concern the INBOUND WAN > LAN traffic?
 
OK, so you are already on SRM 1.3.1 with the extra VLAN support.

I think this rule is useless because it is outgoing traffic, so it is already allowed?:
Source: TV to WAN : Allowed : Svod
The easy thing to do is create the rule and enable it... is the access allowed? Now disable the rule... is the access now blocked?

I would only put these two in this order:
Source: TV to NAS : Allowed (for plex port only)
Source: TV to LAN : Denied.
If the NAS is on the LAN then yes you put the rules in that order (exceptions first and then the general action after). But check that the two VLANs don't have other Network permissions to bypass the firewall [I'm only changing to SRM 1.3 and haven't yet had time to look at the interface changes].

I did not need to allow my devices to access the Internet despite the 4 rules at the end. But I think they only concern the INBOUND WAN > LAN traffic?
Maybe; I'd be disappointed if this was true. I've always put specific rules to mediate internal to external connections. I don't think that they should be assumed to be allowed, especially when there are the four explicit catch-all rules for everything else.
 
Great, thank you very much.
No, in this new SRM there is just an option to isolate the VLAN. I have my VLAN 4 with my IoT devices, where you just check the option and it can't communicate with other VLANs anymore.
However, it can still communicate with the Internet. If I want to forbid it, I have to make a rule on the firewall.

I will review all my rules as soon as I can. I currently have a ticket pending with Synology because I have a bug and I can't save my rules anymore. It shows "loading" but the rules don't save. I'm afraid I have to reset my router.
 
I've just got to checking the firewall and have found these two new rules added to the top of my policy...
[screenshot: 1662306177994.png]


These look to allow all access between internal VLANs. Not sure how they evolve when I enable more VLANs and use the isolation options.

Personally, I would have rules covering all the scenarios, which includes having my own deny rules at the end of my policy with, as Jan said, their own hit counters.
 
I had to terminate those rules when I started with multiple VLANs. As the rules state, they allow complete communication in any direction.

With multiple VLANs I had to remove these rules, turn off network isolation for each network (as that setting has higher priority over FW rules), and then create multiple FW rules to block communication between VLANs while making more rules that allow specific client communication.

After all that I had the desired effect of sandboxing communication and allowing only specific traffic from and to certain clients.
 
It doesn't look like there is a way to recreate the two new 'compatibility' rules, should you delete them. They are ALL protocols, but that's not possible to achieve when creating a new rule: you have to select one of the four protocol options. So recreating them will require four rules to cover IPv4/6 and ICMP/TCP+UDP. I wonder whether other protocols are handled by the compatibility rules?

But I agree that these default rules are there to get new and novice firewall users up and running. If you have more complex needs then you’ll have to sit down and work how to implement them. There’s no avoiding reading the guidance and digesting it. That paper I linked to gives a reasonable example about how this works.

I like how rules can now be assigned by interface. So the previous RFC 1918 subnets can be specifically written as LAN sources, which avoids allowing external use of these to pass the firewall.
 
So you're saying if I need to test VLANs, instead of deleting the 2 new rules, just disable (un-check) them so they don't physically go away.....

???

About to start...
That's what I did. No reason to delete them if you can move them and/or turn them off.
 
SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.