I'm thinking about installing a FreeNAS system and so far I've played with it on a virtual machine.
When it comes time to set up a "real" server, is it possible to reduce / minimize / or avoid altogether connecting it to the Internet, but still benefit from NTP, email of system status to the administrator, etc? The purpose would be to gain some security by minimizing exposure. Any pointers would be appreciated.
I'm assuming you are a (home/soho/small business) user and not part of a larger organization with a managed network. (Good to give context with your question.)
I don't know if FreeNAS contains a firewall or if it has been stripped out, if so, I guess you could activate it and set up IP based rules in that firewall. Maybe someone can comment who knows the details.
I think this is best handled in your network - do yourself a favour and set up a pfSense router (or other decent router that offers proper monitoring and control) if you possibly can.
I personally would not trust the consumer grade routers or even worse what the ISP provides for firewall under any circumstances! They are often insecure when purchased (or even worse have a back door in them), they don't generally get patched, they offer little or no way to monitor and control traffic. That's why I have a pfSense running my network. (Open source with a lot of knowledgeable people watching it.)
pfSense handles ALL dhcp, ntp, and dns (any dns/ntp with hardcoded addresses are redirected and handled internally and I get my ntp directly from NRC (Canada) public servers), so it cuts down a lot of messy traffic that could be hiding malicious activity.
My FreeNAS has limited internet connectivity OUTBOUND. I connect to a webserver to suck down backups over SSH, so I have a very specific rule - SSH Destination WebServer / any other non-local addresses/protocols BLOCKED. I also connect for outbound SMTP to send notifications - again a very specific rule only to the allowed SMTP server.
I don't use internet printing, and my tv/media player is insecure so none of these devices have any access to the internet. (These devices often call home and are used by hackers to gain entry to a network.)
If you do decide you want some remote access pfSense can do it the right way with a secure VPN (TLS security, 2048/4096 bit key and a password). Whatever you do
don't use port forwarding or odds are you will get hacked.
There's a lot you can do if you have a decent gateway firewall-and if you don't you're pretty much at the mercy of your devices.
Good luck.... hope this is of some help.