Avoiding internet connection?

Status
Not open for further replies.

twelve12pm

Cadet
Joined
Dec 26, 2017
Messages
8
I'm thinking about installing a FreeNAS system and so far I've played with it on a virtual machine.

When it comes time to set up a "real" server, is it possible to reduce / minimize / or avoid altogether connecting it to the Internet, but still benefit from NTP, email of system status to the administrator, etc? The purpose would be to gain some security by minimizing exposure. Any pointers would be appreciated.
 

Zredwire

Explorer
Joined
Nov 7, 2017
Messages
85
You could avoid connecting it to the internet if you have an onsite NTP and Mail server. If not then (depending on your firewall) you could block it from the internet except the ports needed for NTP and Mail.
 

NASbox

Guru
Joined
May 8, 2012
Messages
650
I'm thinking about installing a FreeNAS system and so far I've played with it on a virtual machine.

When it comes time to set up a "real" server, is it possible to reduce / minimize / or avoid altogether connecting it to the Internet, but still benefit from NTP, email of system status to the administrator, etc? The purpose would be to gain some security by minimizing exposure. Any pointers would be appreciated.

I'm assuming you are a (home/soho/small business) user and not part of a larger organization with a managed network. (Good to give context with your question.)

I don't know if FreeNAS contains a firewall or if it has been stripped out, if so, I guess you could activate it and set up IP based rules in that firewall. Maybe someone can comment who knows the details.

I think this is best handled in your network - do yourself a favour and set up a pfSense router (or other decent router that offers proper monitoring and control) if you possibly can.

I personally would not trust the consumer grade routers or even worse what the ISP provides for firewall under any circumstances! They are often insecure when purchased (or even worse have a back door in them), they don't generally get patched, they offer little or no way to monitor and control traffic. That's why I have a pfSense running my network. (Open source with a lot of knowledgeable people watching it.)

pfSense handles ALL dhcp, ntp, and dns (any dns/ntp with hardcoded addresses are redirected and handled internally and I get my ntp directly from NRC (Canada) public servers), so it cuts down a lot of messy traffic that could be hiding malicious activity.

My FreeNAS has limited internet connectivity OUTBOUND. I connect to a webserver to suck down backups over SSH, so I have a very specific rule - SSH Destination WebServer / any other non-local addresses/protocols BLOCKED. I also connect for outbound SMTP to send notifications - again a very specific rule only to the allowed SMTP server.

I don't use internet printing, and my tv/media player is insecure so none of these devices have any access to the internet. (These devices often call home and are used by hackers to gain entry to a network.)

If you do decide you want some remote access pfSense can do it the right way with a secure VPN (TLS security, 2048/4096 bit key and a password). Whatever you do don't use port forwarding or odds are you will get hacked.

There's a lot you can do if you have a decent gateway firewall, and if you don't you're pretty much at the mercy of your devices.

Good luck.... hope this is of some help.
 

twelve12pm

Cadet
Joined
Dec 26, 2017
Messages
8
I'm assuming you are a (home/soho/small business) user and not part of a larger organization with a managed network. (Good to give context with your question.)

It's a SOHO / Small Business context. I'll be sure to mention that next time.

I don't know if FreeNAS contains a firewall or if it has been stripped out, if so, I guess you could activate it and set up IP based rules in that firewall. Maybe someone can comment who knows the details.

I think this is best handled in your network - do yourself a favour and set up a pfSense router (or other decent router that offers proper monitoring and control) if you possibly can.

I personally would not trust the consumer grade routers or even worse what the ISP provides for firewall under any circumstances! They are often insecure when purchased (or even worse have a back door in them), they don't generally get patched, they offer little or no way to monitor and control traffic. That's why I have a pfSense running my network. (Open source with a lot of knowledgeable people watching it.)

pfSense handles ALL dhcp, ntp, and dns (any dns/ntp with hardcoded addresses are redirected and handled internally and I get my ntp directly from NRC (Canada) public servers), so it cuts down a lot of messy traffic that could be hiding malicious activity.

Thank you for pointing me in the direction of pfSense! That sounds very interesting indeed and I am looking into that. It appeals to me that, like FreeNAS, it is built upon (a customized) FreeBSD. That may make it easier to administer the network (fewer OS-specific details to learn about, etc).

Like you, I do not trust the consumer grade routers. Those tend to come with very little (if any) documentation, so you have little to no idea what they're doing/blocking/etc, and are almost certainly never patched.

My FreeNAS has limited internet connectivity OUTBOUND. I connect to a webserver to suck down backups over SSH, so I have a very specific rule - SSH Destination WebServer / any other non-local addresses/protocols BLOCKED. I also connect for outbound SMTP to send notifications - again a very specific rule only to the allowed SMTP server.

I don't use internet printing, and my tv/media player is insecure so none of these devices have any access to the internet. (These devices often call home and are used by hackers to gain entry to a network.)

If you do decide you want some remote access pfSense can do it the right way with a secure VPN (TLS security, 2048/4096 bit key and a password). Whatever you do don't use port forwarding or odds are you will get hacked.

There's a lot you can do if you have a decent gateway firewall, and if you don't you're pretty much at the mercy of your devices.

Good luck.... hope this is of some help.

It sounds like this setup could work, as the pfSense machine will provide the necessary NTP services, etc.

Thank you for your input!
 

NASbox

Guru
Joined
May 8, 2012
Messages
650
pfSense is enterprise grade, it can do way more than a SOHO user will ever need. Learning curve is a bit tricky but once you have it figured out, it's solid. The developers sell it to enterprise customers, so they have to be on the ball with updates. If you have IoT devices, cameras etc. get a managed switch and keep that crud away from the rest of the network, and if possible totally isolated. If you do need access, VPN into your network.

Good luck.
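The outbound allow-list NASbox describes for the NAS earlier in the thread (SSH only to the backup web server, SMTP only to the one permitted mail server, DNS/NTP redirected to the gateway, everything else blocked) and the IoT isolation from the post above, written out as an added example in raw FreeBSD pf syntax. This is not configuration from the thread and not a pfSense-generated ruleset (pfSense builds the equivalent from its GUI with per-interface rules, aliases and NAT port forwards); the interface names, VLAN number and addresses are constructed placeholders, and the public addresses are from the 203.0.113.0/24 documentation range.

```pf
# Added example (pf.conf fragment), not from the thread or from pfSense.
# Interface names, VLAN id and addresses are constructed placeholders.

lan_if      = "igb1"              # LAN interface: NAS and workstations
iot_if      = "igb1.20"           # VLAN 20 sub-interface: TV, media player, cameras
lan_net     = "192.168.1.0/24"
iot_net     = "192.168.20.0/24"
gw          = "192.168.1.1"       # gateway LAN address; serves DHCP, DNS and NTP
nas         = "192.168.1.10"      # the FreeNAS host
backup_host = "203.0.113.20"      # web server the NAS pulls backups from over SSH
smtp_host   = "203.0.113.25"      # the one SMTP server the NAS may notify through

table <private> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Clients with hard-coded DNS/NTP servers are redirected to the gateway,
# so every lookup and time sync is answered (and visible) locally.
rdr on $lan_if proto { tcp udp } from $lan_net to ! $gw port 53  -> $gw port 53
rdr on $lan_if proto udp         from $lan_net to ! $gw port 123 -> $gw port 123

# NAS egress: every rule is "quick", so the first match wins and
# evaluation stops. Allow the few specific flows, then drop and log the rest.
pass  in quick on $lan_if from $nas to <private>                               # local traffic
pass  in quick on $lan_if proto { tcp udp } from $nas to $gw port { 53 123 }   # DNS/NTP via gateway
pass  in quick on $lan_if proto tcp from $nas to $backup_host port 22          # SSH backup pull
pass  in quick on $lan_if proto tcp from $nas to $smtp_host port { 25 465 587 } # notification mail
block in log quick on $lan_if from $nas to any                                 # anything else

# Other LAN hosts (workstations) keep ordinary outbound access.
pass  in quick on $lan_if from $lan_net to any

# IoT VLAN: DHCP, DNS and NTP from the gateway only; no LAN, no internet.
pass  in quick on $iot_if proto udp from any port 68 to any port 67            # DHCP
pass  in quick on $iot_if proto { tcp udp } from $iot_net to $gw port 53       # DNS
pass  in quick on $iot_if proto udp from $iot_net to $gw port 123              # NTP
block in log quick on $iot_if from $iot_net to any                             # everything else
```

Two points worth checking after loading something like this: the `rdr` rules rewrite the destination before filtering, so the NAS rule that permits DNS/NTP to `$gw` also covers queries the NAS aimed at a hard-coded public server; and because the drop rules log, `tcpdump -n -e -ttt -i pflog0` shows exactly which outbound connection a device attempted that the allow-list did not cover, which is how you find the "calling home" traffic the posts mention.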
 