Best way to implement some basic packet filtering?

Status
Not open for further replies.

Pheran

Patron
Joined
Jul 14, 2015
Messages
280
I'm running FreeNAS 11.1U6 and I need to do some basic packet filtering to restrict access to administrative ports (basically 22, 80/443) to specific IP ranges. I don't see anything in the GUI to accomplish this. Is my best bet to modify some startup script and implement a few pf rules? I know my way around networking, I'm just trying to figure out what the FreeNAS-recommended way to do this is. Thanks!
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
You would not do this on the FreeNAS side, you would do this on your network switch fabric. You won't be able to modify firewall rules in your FreeNAS appliance...or at least, you cannot do so easily and it is not the correct procedure in any case.

Can you not do this on your WAN-facing router?
 

m0nkey_

MVP
Joined
Oct 27, 2015
Messages
2,739
As @DrKK has already stated, you would need to do this externally. You could put a simple firewall appliance in front of it like a low-end Mikrotik, Ubiquiti EdgeRouter Lite or maybe a pfSense SG-1000 firewall.
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
you cannot do so easily and it is not the correct procedure in any case.
Tell that to any security nut. Perimeter security is not effective at mitigating attacks from compromised boxes. Not to mention that there are use cases to filter at the host level. That's one of the reasons VMware NSX is gaining popularity, it implements virtual firewalls/IDS per guest. This is a fairly commonly asked for item on the forums.

While we don't need routing support (except the few lab corner cases) we could benefit from packet filtering and logging.
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
As @DrKK has already stated, you would need to do this externally. You could put a simple firewall appliance in front of it like a low-end Mikrotik, Ubiquiti EdgeRouter Lite or maybe a pfSense SG-1000 firewall.
Unless you're trying to do any advanced filtering or IDS/IPS. Or anything that comes close to 10gb. Those little appliances have their applications but not as a host firewall for high performance storage appliances.
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
I'm running FreeNAS 11.1U6 and I need to do some basic packet filtering to restrict access to administrative ports (basically 22, 80/443) to specific IP ranges. I don't see anything in the GUI to accomplish this. Is my best bet to modify some startup script and implement a few pf rules? I know my way around networking, I'm just trying to figure out what the FreeNAS-recommended way to do this is. Thanks!
You could add a startup script to load pfctl rules as needed.
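
An added example, not part of the post above and not FreeNAS's own code: one way such a startup script could look, assuming the pf kernel module is available on the host. The address ranges and the rules-file path are constructed placeholders; the ports are the ones named in the question.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholder values are marked below.
ADMIN_NETS="192.0.2.0/24 198.51.100.16/28"  # constructed ranges (assumption)
ADMIN_PORTS="22 80 443"                     # admin ports named in the question
RULES="${RULES:-/tmp/pf-admin.conf}"        # hypothetical rules-file path

# Print a ruleset that blocks the admin ports for every source outside the
# allow list and leaves all other traffic (storage protocols) untouched.
build_ruleset() {
    nets="$1"; ports="$2"
    # An empty table would block every admin connection: refuse to emit it.
    set -- $nets
    [ "$#" -gt 0 ] || { echo "refusing empty allow list" >&2; return 1; }
    for n in $nets; do
        echo "$n" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' ||
            { echo "bad network: $n" >&2; return 1; }
    done
    for p in $ports; do
        case "$p" in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] ||
            { echo "bad port: $p" >&2; return 1; }
    done
    printf 'table <admin_nets> const { %s }\n' "$(echo $nets | sed 's/ /, /g')"
    # Local connections to the web UI come from 127.0.0.1, which is not in
    # the table, so loopback is exempted from filtering.
    printf 'set skip on lo0\n'
    # No address family is given, so IPv6 sources are blocked as well.
    printf 'block in quick proto tcp from ! <admin_nets> to any port { %s }\n' \
        "$(echo $ports | sed 's/ /, /g')"
}

apply_ruleset() {
    build_ruleset "$ADMIN_NETS" "$ADMIN_PORTS" > "$RULES.new" || return 1
    kldload -n pf 2>/dev/null            # load pf.ko unless already present
    pfctl -nf "$RULES.new" || return 1   # parse only; keep the old rules on error
    mv "$RULES.new" "$RULES"
    pfctl -f "$RULES" || return 1
    pfctl -e 2>/dev/null || true         # "already enabled" is not a failure
}

# Run as "script apply" from the startup task; sourcing only defines functions.
if [ "${1:-}" = "apply" ]; then apply_ruleset; fi
```

pf passes any packet that no rule matches, so this ruleset changes behaviour only for the listed ports.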
 
Joined
Dec 29, 2014
Messages
1,135
You could add a startup script to load pfctl rules as needed.

I know you were talking about a corner case here, but this sounds a little too familiar. Hey, now that we have a great purpose built storage appliance, let's shoehorn a bunch of other unrelated functions into it. What could possibly go wrong??? :)
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
I know you were talking about a corner case here, but this sounds a little too familiar. Hey, now that we have a great purpose built storage appliance, let's shoehorn a bunch of other unrelated functions into it. What could possibly go wrong??? :)
Honestly I think any network appliance should have some sort of firewall and log. But yes, KISS still holds true.
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
/me boots 5 VMs, starts his Plex jail, checks his cloud VPN, and updates group policy all on his storage server.
 