Where are Firewall Settings in the FreeNAS 11?

Status
Not open for further replies.

baztardo.snow (Dabbler, joined May 8, 2020, 38 messages) wrote:
This is the output for the FAMP stack:
Code:
steve@freenas:~ % iocage get all FAMP
CONFIG_VERSION:26
allow_chflags:0
allow_mlock:0
allow_mount:0
allow_mount_devfs:0
allow_mount_fusefs:0
allow_mount_nullfs:0
allow_mount_procfs:0
allow_mount_tmpfs:0
allow_mount_zfs:0
allow_quotas:0
allow_raw_sockets:0
allow_set_hostname:1
allow_socket_af:0
allow_sysvipc:0
allow_tun:0
allow_vmm:0
assign_localhost:0
available:readonly
basejail:1
boot:1
bpf:1
children_max:0
comment:none
compression:lz4
compressratio:readonly
coredumpsize:off
count:1
cpuset:off
cputime:off
datasize:off
dedup:off
defaultrouter:auto
defaultrouter6:auto
depends:none
devfs_ruleset:6
dhcp:1
enforce_statfs:2
exec_clean:1
exec_created:/usr/bin/true
exec_fib:0
exec_jail_user:root
exec_poststart:/usr/bin/true
exec_poststop:/usr/bin/true
exec_prestart:/usr/bin/true
exec_prestop:/usr/bin/true
exec_start:/bin/sh /etc/rc
exec_stop:/bin/sh /etc/rc.shutdown
exec_system_jail_user:0
exec_system_user:root
exec_timeout:60
host_domainname:none
host_hostname:FAMP
host_hostuuid:FAMP
host_time:1
hostid:3eabf660-7b10-5344-001b-107b4453001a
hostid_strict_check:0
interfaces:vnet0:bridge0
ip4:new
ip4_addr:none
ip4_saddrsel:1
ip6:new
ip6_addr:none
ip6_saddrsel:1
ip_hostname:0
jail_zfs:0
jail_zfs_dataset:iocage/jails/FAMP/data
jail_zfs_mountpoint:none
last_started:2020-05-18 05:30:43
localhost_ip:none
login_flags:-f root
mac_prefix:107b44
maxproc:off
memorylocked:off
memoryuse:off
mount_devfs:1
mount_fdescfs:1
mount_linprocfs:0
mount_procfs:0
mountpoint:readonly
msgqqueued:off
msgqsize:off
nat:0
nat_backend:ipfw
nat_forwards:none
nat_interface:none
nat_prefix:172.16
nmsgq:off
notes:none
nsem:off
nsemop:off
nshm:off
nthr:off
openfiles:off
origin:readonly
owner:root
pcpu:off
plugin_name:famp
plugin_repository:https://github.com/ix-plugin-hub/iocage-plugin-index.git
priority:99
pseudoterminals:off
quota:none
readbps:off
readiops:off
release:11.3-RELEASE-p9
reservation:none
resolver:/etc/resolv.conf
rlimits:off
rtsold:0
securelevel:2
shmsize:off
stacksize:off
state:up
stop_timeout:30
swapuse:off
sync_state:none
sync_target:none
sync_tgt_zpool:none
sysvmsg:new
sysvsem:new
sysvshm:new
template:0
type:pluginv2
used:readonly
vmemoryuse:off
vnet:1
vnet0_mac:107b44747a75 107b44747a76
vnet1_mac:none
vnet2_mac:none
vnet3_mac:none
vnet_default_interface:auto
vnet_interfaces:none
wallclock:off
writebps:off
writeiops:off
steve@freenas:~ %
 

baztardo.snow (Dabbler, joined May 8, 2020, 38 messages) wrote:
Maybe I need to set up a reverse proxy in its own jail and get it to delegate the internet traffic, that is, after I can figure out why I can't access the internet now ..
Maybe something is messed up in my FreeNAS .. getting this set up has been absolutely painful, and I don't mean the file server (FreeNAS) but everything else I have tried to install or set up: Nextcloud, OnlyOffice, Ubuntu, Docker server, Portainer, RocketChat, Git, and maybe Plex, but I'm losing steam ...

Maybe I have just been unlucky <sigh>
 

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013, 7,776 messages) wrote:
Your FAMP jail does not have an IPv4 address configured. But the Nextcloud one looks good. Can you
  • ping your default gateway (192.168.0.1) from inside the jail
  • ping arbitrary Internet hosts from inside the jail, e.g. 8.8.8.8
If the answer to any of these is "no", then we need to check basic networking and routing. If the answer is "yes", I suspect name resolution.

The setting "/etc/resolv.conf" tells iocage to copy the host's /etc/resolv.conf into the jail at startup. Do you have a valid DNS configuration for the NAS itself?

HTH,
Patrick
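A scripted version of the checks Patrick lists, added here as an example; it is not from the thread and not part of iocage. It runs on the FreeNAS host as root, takes the jail name and the gateway as parameters, and only calls iocage get, iocage exec, ifconfig, ping and host. The first three functions are pure text processing over the key:value lines that iocage get all prints and over a resolv.conf, so they can be tried without a jail. Two caveats drawn from the output above: dhcp:1 together with vnet:1 means iocage leases an address when the jail starts and ip4_addr stays none, so the script also prints what the jail actually holds; and a nameserver on a loopback address (such as the 127.0.0.53 systemd-resolved stub that appears later in the thread) is unusable inside a vnet jail, which has its own network stack, so the resolver check rejects it.

```shell
#!/bin/sh
# Added example (not from the thread): scripted jail connectivity checks.
# Usage on the FreeNAS host, as root:   run_checks FAMP 192.168.0.1
# jail_prop, classify_ip4 and resolv_ok only process text; run_checks drives
# them against a live jail through iocage.

# jail_prop KEY  <iocage-get-all-output  ->  prints the value of KEY.
# iocage prints one "key:value" per line and values may contain ':' themselves
# (interfaces:vnet0:bridge0), so only the first ':' is treated as separator.
jail_prop() {
    awk -F: -v k="$1" '$1 == k { sub(/^[^:]*:/, ""); print; exit }'
}

# classify_ip4 VNET DHCP IP4_ADDR  ->  dhcp | static | none
classify_ip4() {
    vnet=$1 dhcp=$2 ip4=$3
    if [ "$vnet" = 1 ] && [ "$dhcp" = 1 ]; then
        echo dhcp      # leased at start; ip4_addr stays "none" in the config
    elif [ -n "$ip4" ] && [ "$ip4" != none ]; then
        echo static    # e.g. vnet0|192.168.0.50/24
    else
        echo none      # no address at all: nothing in or out can work
    fi
}

# resolv_ok  <resolv.conf  ->  exit 0 if at least one nameserver is listed and
# none of them is a loopback address (a vnet jail has its own loopback, so a
# copied "nameserver 127.0.0.53" stub entry points at nothing).
resolv_ok() {
    awk '$1 == "nameserver" { n++; if ($2 ~ /^127\./) bad++ }
         END { exit !(n > 0 && bad == 0) }'
}

# run_checks JAIL GATEWAY  ->  the live checks, in the order to read them
run_checks() {
    jail=$1 gw=$2
    props=$(iocage get all "$jail")
    mode=$(classify_ip4 "$(printf '%s\n' "$props" | jail_prop vnet)" \
                        "$(printf '%s\n' "$props" | jail_prop dhcp)" \
                        "$(printf '%s\n' "$props" | jail_prop ip4_addr)")
    echo "ip4 configuration: $mode"
    iocage exec "$jail" ifconfig -a inet          # what the jail actually holds
    iocage exec "$jail" ping -c 3 "$gw" >/dev/null \
        && echo "gateway $gw: ok" || echo "gateway $gw: FAIL (vnet/bridge or routing)"
    iocage exec "$jail" ping -c 3 8.8.8.8 >/dev/null \
        && echo "internet: ok" || echo "internet: FAIL (routing or NAT on the router)"
    iocage exec "$jail" cat /etc/resolv.conf | resolv_ok \
        && echo "resolver: ok" || echo "resolver: FAIL (no usable nameserver copied from the host)"
    iocage exec "$jail" host google.com >/dev/null \
        && echo "dns: ok" || echo "dns: FAIL (name resolution, not routing)"
}
```

If the gateway and 8.8.8.8 pings pass but the dns line fails, the problem is what the host's /etc/resolv.conf hands to the jail, which is the case Patrick describes; if the gateway ping fails, the resolver is irrelevant and the bridge/vnet configuration comes first.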
 

baztardo.snow (Dabbler, joined May 8, 2020, 38 messages) wrote:
Uhmm well I have a programming degree, and have used Linux, Windows and Mac for a lot of years, but BSD is still fairly new to me, so there are lots of things I know in the other systems but am just not sure where to find in BSD... I'm not sure if the DNS is set properly in FreeNAS, most DNS stuff I have done is in Windows Server or for my domain..

The pings seem fine:
Code:
root@freenas[/mnt/NAS1/steve]# iocage console nextcloud
Last login: Mon May 18 00:35:29 on pts/4
FreeBSD 11.3-RELEASE-p7 (FreeNAS.amd64) #0 r325575+ca0f1a6ba25(HEAD): Tue Apr 21 20:46:20 UTC 2020

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
root@nextcloud:~ # ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
64 bytes from 192.168.0.1: icmp_seq=0 ttl=64 time=0.607 ms
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=1.969 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=1.280 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=2.082 ms
64 bytes from 192.168.0.1: icmp_seq=4 ttl=64 time=1.914 ms
64 bytes from 192.168.0.1: icmp_seq=5 ttl=64 time=1.573 ms
^C
--- 192.168.0.1 ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.607/1.571/2.082/0.508 ms
root@nextcloud:~ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=56 time=24.128 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=22.136 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=15.886 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=18.442 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 15.886/20.148/24.128/3.196 ms
root@nextcloud:~ #
 

baztardo.snow (Dabbler, joined May 8, 2020, 38 messages) wrote:
I quadruple checked the domain; the DNS and IP are set correctly. I have checked the router port a few times, but even when I try to access by IP instead of FQDN there is still no access. I mean, it worked in the past for my QNAP server ..

The QNAP is down because I stole the drive for the new server lol... otherwise I would test with it ..
Is there a plugin I could install quickly to test? I thought FAMP would be the easiest but it's not connecting ..
 

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013, 7,776 messages) wrote:
Settings --> Network --> Global Configuration - what is your DNS setting? Is this a valid server for your environment? Does it get copied into the jail's /etc/resolv.conf? If yes, you should be able to ping google.com from inside your jail.
 

baztardo.snow (Dabbler, joined May 8, 2020, 38 messages) wrote:
The pings I did earlier are for the Nextcloud jail..

Code:
steve@Xeon:~$ cat /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0
search cogeco.local
 

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013, 7,776 messages) wrote:
I got that. Can you ping google.com from your Nextcloud jail? If yes, your Nextcloud jail can reach the Internet, so I don't quite get why you say you have a problem with that.
 

baztardo.snow (Dabbler, joined May 8, 2020, 38 messages) wrote:
The connection getting out is fine; the connection coming in is a no go ... the problem is getting from outside in, not inside out... if I try to connect through the browser with my FQDN I can't access Nextcloud or the FAMP server, it just sits there and times out, and even when I manually type in the IP I still can't reach it either..
 

baztardo.snow (Dabbler, joined May 8, 2020, 38 messages) wrote:
The jail can access the internet, but it doesn't seem like the internet can access the jail (Nextcloud, FAMP)
 

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013, 7,776 messages) wrote:
Have you tried a packet trace (tcpdump) on the FreeNAS to see if any requests reach the box at all? If not, the problem lies with your router. Probably ... ;)
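The trace Patrick suggests, as an added example that is not from the thread: a tcpdump filter to run on the FreeNAS host while someone outside the LAN loads the FQDN, and an awk verdict over the captured lines that separates "nothing reached the box" (router, ISP or public DNS) from "it reached the box but nothing answered" (jail or service). The interface bridge0 comes from the FAMP jail's interfaces property earlier in the thread; if the jail hangs off another bridge or you are unsure, capture on the physical NIC instead. The jail address 192.168.0.50 and the tcpdump lines the verdict is tried on are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Run capture on the FreeNAS host while a
# browser outside the LAN tries the FQDN, then feed the saved lines to verdict.
# IFACE and the jail address are assumptions for this example.
IFACE=bridge0

# Only TCP SYN / SYN-ACK packets on the web ports: enough to tell whether a
# request arrives and whether anything answers, without the page bodies.
# -n: no reverse DNS (which would stall if resolution is the real problem),
# -l: line-buffered so tee sees each line as it is captured.
capture() {
    tcpdump -n -l -i "$IFACE" \
        'tcp[tcpflags] & tcp-syn != 0 and (port 80 or port 443)' \
        | tee /tmp/inbound.txt
}

# verdict JAIL_IP  <tcpdump-lines  ->  one of
#   nothing-arrived  no SYN to JAIL_IP:80/443 seen: the request never reached
#                    the NAS, so look at the router port forward, the ISP
#                    (CGNAT, blocked ports) or the public DNS record
#   syn-no-reply     SYNs arrive but no SYN-ACK leaves: the jail or the
#                    service inside it is not listening on that address/port
#   handshake-ok     SYN-ACKs go back out: the NAS side works
# Line shape with tcpdump -n:  TIME IP SRC.PORT > DST.PORT: Flags [S], ...
# so $3 is the source, $5 the destination (trailing ':'), $7 the flags.
verdict() {
    awk -v jail="$1" '
        $2 == "IP" && $7 == "[S],"  && $5 ~ ("^" jail "\\.(80|443):$") { syn++ }
        $2 == "IP" && $7 == "[S.]," && $3 ~ ("^" jail "\\.(80|443)$")  { synack++ }
        END {
            if (synack > 0)   print "handshake-ok"
            else if (syn > 0) print "syn-no-reply"
            else              print "nothing-arrived"
        }'
}

# After stopping the capture with ^C:   verdict 192.168.0.50 < /tmp/inbound.txt
```

Run the capture before the outside request is made, not after: a browser that has already given up leaves nothing to see. If the verdict is nothing-arrived while an outbound ping from the jail works, FreeNAS is not the place to keep looking.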
 

baztardo.snow (Dabbler, joined May 8, 2020, 38 messages) wrote:
Ya I was thinking of doing some of that, but I think I need a break from this for now. I do appreciate all the help tho, thank you. Maybe tomorrow will be a better day; these last few weeks with FreeNAS have been rough ..
 

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages) wrote:
Quoting baztardo.snow: "I have been trying to find a good solution to accessing Nextcloud from the Net, but every search ends in your NAS / firewall / bad idea don't do it bla bla bla"
Then you're badly misunderstanding the results of your searches. FreeNAS itself should not be put on the open Internet. Whether jails can safely be put on the 'net depends on how those jails are configured. Nothing about this really has anything to do with the subject of this thread, though. Whatever's going on has nothing to do with a firewall in FreeNAS, because it doesn't have one. If you installed using my script (which I'm assuming you did, since you've logged issues against it), there's no firewall there either. The problem almost certainly lies either in your router or your ISP.
 

baztardo.snow (Dabbler, joined May 8, 2020, 38 messages) wrote:
[quoting danb35's reply above in full]
You're just taking one phrase and using it for whatever context you believe it to be..
I already knew the answer to "Where are Firewall Settings in the FreeNAS 11?", which is none.
I also knew from reading all the countless other posts that this thread would go nowhere. It just so happens that someone asked me something, I answered a post, I replied to said post; isn't that what forums are used for, to communicate information back and forth?

I'm not stupid; I'm very well aware of certain best practices for setting up server clusters and networks, but sometimes this isn't always possible on a home server (money limitations, hardware, etc.) and people just try to do the best they can with what they have and ask others for help to do so. It doesn't mean it's right or good or bad..

But sometimes just trying is how most people learn things..
My ISP and router have worked fine for many years serving content to and from my QNAP over the internet and my local LAN,
but like I said in a previous post I took the drive from it to install in the new server .. so atm it's not available and I don't feel like tearing down this server.. and I don't have any spare drive to put in it
 

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013, 7,776 messages) wrote:
@baztardo.snow But to answer one (implied) question that you probably had: there are no firewall settings in the FreeNAS UI because there is no firewall in FreeNAS unless you manually configure it using FreeBSD features and know-how.

Hence, definitely nothing (!) on FreeNAS is blocking the communication to and from your jail and VM.

If this was obvious for you, let me state it explicitly for others to find. The default configuration of FreeNAS from a network point of view is "everything permitted". You will never have to mess with the FreeBSD firewall because it is disabled.

HTH,
Patrick
 

baztardo.snow (Dabbler, joined May 8, 2020, 38 messages) wrote:
The only point I was making was that I see a lot of people telling others not to use firewalls on FreeNAS, and that it's a bad idea..
I'm just asking why it is a bad idea to set up a firewall... nothing about putting FreeNAS facing the internet.. maybe some would like to secure the FreeNAS on their LAN, to feel more secure. Sure, then you say segmentation, put it on another network; again, not everyone has the money for said expensive hardware..
Also not everyone has the knowledge to create complicated networks..
I use a firewall on my Windows, Mac, etc.. I would think the more things you secure the better, no?
 

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages) wrote:
Quoting baztardo.snow: "why is it a bad idea to set up a firewall."
Because it isn't designed to have one, and it will revert any changes you make when you reboot--as I posted on this very thread about two weeks ago. Whether it's a good idea for the devs to add it to the design is a separate (albeit related) question, but it won't be decided on this thread--as I said in that same post, if you think it should be there, the way to suggest it to the devs is by way of a bug ticket. I don't see any real value in it, and I'd rather the devs use their time on other things (maybe on the 5+-year-old request to add a GUI feature to turn single-disk vdevs into mirrors), but it isn't in any way my decision to make.
Quoting baztardo.snow: "then you say segmentation put it on another network again not everyone has the money for said expensive hardware."
What "said expensive hardware" do you think would be needed for this, and what situation do you envision where a user would have a network complex enough to warrant it, and not be able to afford the allegedly "expensive hardware"?
 

garm (Wizard, joined Aug 19, 2017, 1,556 messages) wrote:
The Web UI uses root credentials.. do not put it on an insecure network.. Segregation of networks is as easy as having a Netgear 5 port managed switch and a VLAN capable router, which most non-consumer/prosumer routers will be able to handle. In a professional setting you need to take way more steps, thus making the firewall even less applicable. The BSD kernel actually handles requests to closed ports by default:

https://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/networking.html#idp49785336

Your issues with Nextcloud should probably be discussed elsewhere, but a hint is that you need a public IP for it to work; most ISPs will put customers behind carrier NAT to save on IPv4 addresses.
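A check for the carrier-NAT point, added here as an example and not from the thread. Whether inbound port forwarding can work at all can be read off the address the router shows on its WAN side: RFC 6598 reserves 100.64.0.0/10 for carrier-grade NAT, so an address in that range means the ISP is translating you and no router port is reachable from the Internet, and an RFC 1918 address there means another NAT device sits in front of the router (double NAT). The addresses fed in below are constructed for the example; read the real one from the router's status page and compare it with what an outside lookup of the FQDN returns. On the closed-ports point: a closed TCP port on FreeBSD answers with a reset, so a browser gets "connection refused" at once; a request that just sits and times out means packets are dropped somewhere or never arrive, which is what Patrick's tcpdump suggestion above tells apart.

```shell
#!/bin/sh
# Added example (not from the thread): classify a router's WAN address to see
# whether port forwarding to the NAS can be reached from the Internet at all.
# Usage:   wan_kind 100.64.12.34    ->   cgnat | private | public

# ip2int A.B.C.D  ->  the address as one integer, so prefix math works in sh
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS  ->  exit 0 when ADDR lies inside NET/BITS
in_cidr() {
    net=${2%/*} bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# wan_kind ADDR ->
#   cgnat    RFC 6598 shared space: the ISP NATs you, inbound cannot work
#   private  RFC 1918: another NAT device sits in front of this router
#   public   forwarding can work; if it still times out, look at the router
#            rules, ISP port blocking, or the NAS side (tcpdump on the host)
wan_kind() {
    if in_cidr "$1" 100.64.0.0/10; then
        echo cgnat
    elif in_cidr "$1" 10.0.0.0/8 || in_cidr "$1" 172.16.0.0/12 \
                                 || in_cidr "$1" 192.168.0.0/16; then
        echo private
    else
        echo public
    fi
}
```

A "public" verdict only says the address class allows forwarding; the same routable address must also be what the FQDN resolves to from outside, otherwise requests go to the wrong place and never show up in a trace on the NAS.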
 

baztardo.snow (Dabbler, joined May 8, 2020, 38 messages) wrote:
[quoting garm's reply above in full]
I have 3 public IPs at my disposal and am currently using two of them on two different routers; if you missed it, I did mention this. I also have an FQDN and a DNS set up for it. It has been a while but I have had all of this working before; this new install of FreeNAS has been giving me problems..
And my FreeNAS is behind a managed switch (2x 10Gb, 8x 1Gb) on one of the 10Gb connections, I mentioned this also .. that is also connected to a router. The second network has my kids and the WiFi access point, which is behind its own router.
 

Kieeps (Dabbler, joined Jun 17, 2018, 30 messages) wrote:
I run a server at Hetzner. I'd love a simple firewall just as Proxmox has, 'cause then I'd be able to scrap Proxmox completely and just install TrueNAS on the bare metal and virtualize a local network for all my containers/VMs.

As of now I run Proxmox with OPNsense and TrueNAS virtualized.

At home this is not a problem since, as everyone above pointed out, it's behind the OPNsense box in my home.
 