Advice needed - how to set firewall rules for a jail?

jjb2018

Dabbler
Joined
Aug 12, 2018
Messages
28
Hi all,

I've been using FreeNAS for some time, mainly as a backup server for my main system. However, over the last couple of weeks I have installed the nextcloud plugin and have been testing it out. At the moment I've got the jail configured for DHCP, and not NAT, so it gets its own IP address on my LAN. I have an internet hostname pointing to my external IP address and have port 443 forwarded through my router to the nextcloud jail's internal IP address. Everything works as expected, and I would like to continue using this long term. I just want to be sure that this nextcloud jail is secured properly, to at least only accept inbound connections to port 443 and block everything else. I know how I would do this in Linux, with UFW, but don't know how to set firewall rules in the FreeNAS jail. Can anybody give me some pointers?

Thanks in advance.

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,458
For the long-term strategy you should rather look at using a hardware firewall such as pfSense between your ISP connection and your LAN.
Besides adding better security, you will be able to expand the use of your FreeNAS box further.

jjb2018

Dabbler
Joined
Aug 12, 2018
Messages
28
Yes, I have been keen to buy / build a pfSense box for some time now. Thought about buying a Netgate SG-1100, but they're a bit expensive for what you get hardware-wise, so I'm more inclined to look into a home-built box with better specs.

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
> For the long-term strategy you should rather look at using a hardware firewall such as pfSense between your ISP connection and your LAN.
> Besides adding better security, you will be able to expand the use of your FreeNAS box further.
I disagree :)

You can set ipfw rules inside a jail just fine. I have never done that in the FreeNAS context, though. We use it in production to provide NAT64 to jails. I sure can help, but not write a ready-made recipe off the top of my head.

But ... if there is no service listening on port X you cannot be attacked via that port. So in general I prefer to enable only that which I want to expose to the world and have other still necessary servers listen to a Unix domain socket or 127.0.0.1 if TCP is required. VNET enables this quite nicely.

Try netstat -na | grep LISTEN inside your jail and you will see all open ports. No service, no need for a firewall. At least not for one of the port filtering kind.
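A ruleset along the lines Patrick describes, as an added example that is not from this thread, FreeNAS or iocage: ipfw rules inside a VNET jail that accept only inbound HTTPS, keep the jail's DHCP lease working, and let the jail initiate its own connections. It assumes the ipfw module is loaded on the host and that the jail's inside interface is called epair0b (override with IF=...); by default it only prints the commands, and applies them when IPFW is set to the real binary.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw rules for a VNET jail that only
# exposes HTTPS. Assumes the ipfw module is loaded on the host and that the
# jail's inside interface is epair0b (override with IF=...). Dry run by
# default: the commands are printed; set IPFW="ipfw -q" to apply them.
IF="${IF:-epair0b}"
IPFW="${IPFW:-echo ipfw -q}"

nextcloud_rules() {
    $IPFW flush

    # Loopback stays open: MariaDB (3306) and php-fpm (9000) only talk to
    # nginx on 127.0.0.1, which is what jjb2018's netstat output shows.
    $IPFW add 100 allow ip from any to any via lo0

    # Packets of connections already accepted by a keep-state rule below.
    $IPFW add 200 check-state

    # The only service offered to the world: HTTPS to this jail.
    $IPFW add 300 allow tcp from any to me 443 in via "$IF" setup keep-state

    # The jail is a DHCP client; lease traffic is sent before "me" has an
    # address, so the stateful outbound rules below would not cover it.
    $IPFW add 400 allow udp from any 68 to any 67 out via "$IF"
    $IPFW add 410 allow udp from any 67 to any 68 in via "$IF"

    # Connections the jail initiates itself (DNS, pkg, Nextcloud app store).
    $IPFW add 500 allow tcp from me to any out via "$IF" setup keep-state
    $IPFW add 510 allow udp from me to any out via "$IF" keep-state

    # Keep ping and unreachable/time-exceeded feedback working; other ICMP
    # falls through to the final deny.
    $IPFW add 600 allow icmp from any to me in via "$IF" icmptypes 3,8,11
    $IPFW add 610 allow icmp from me to any out via "$IF"

    # Everything else, port 80 included even though nginx listens on it, is
    # dropped and logged (logging needs net.inet.ip.fw.verbose=1).
    $IPFW add 65000 deny log ip from any to any
}

nextcloud_rules
```

Review the printed commands first, then run it inside the jail with IPFW="ipfw -q" to load the rules; rule 65000 means anything not listed, including port 80, is dropped.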

jjb2018

Dabbler
Joined
Aug 12, 2018
Messages
28
> I disagree :)
>
> You can set ipfw rules inside a jail just fine. I have never done that in the FreeNAS context, though. We use it in production to provide NAT64 to jails. I sure can help, but not write a ready-made recipe off the top of my head.
>
> But ... if there is no service listening on port X you cannot be attacked via that port. So in general I prefer to enable only that which I want to expose to the world and have other still necessary servers listen to a Unix domain socket or 127.0.0.1 if TCP is required. VNET enables this quite nicely.
>
> Try netstat -na | grep LISTEN inside your jail and you will see all open ports. No service, no need for a firewall. At least not for one of the port filtering kind.

Thanks for this.
Code:
root@nextcloud:~ # netstat -na | grep LISTEN
tcp4       0      0 127.0.0.1.3306         *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.443                  *.*                    LISTEN
tcp4       0      0 127.0.0.1.9000         *.*                    LISTEN
root@nextcloud:~ #

As I suppose I should have expected ... only nginx listening for external incoming connections. I have 2FA enabled on all nextcloud users as well.