Firewall config tab/service

Artion

Patron
Joined
Feb 12, 2016
Messages
331
Hi,
it would be cool to have a GUI tab to configure the firewall (pf, ipfw or ipf) so as to be able to use the FreeNAS box as a firewall service. If it isn't possible, could it be done by developing a plugin?

Feature #13600
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
Your nas should never be a firewall. Your firewall needs to be a separate device on your network.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,681
It could be done as a plugin, but it is a terrible idea, because the general nature of the thing would be to fail open, which is totally wrong for a firewall device.
 

Artion

Patron
Joined
Feb 12, 2016
Messages
331
Thank you all for your time and effort. As a newbie I appreciate any advice.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,681
I apologize for the terse cell-phone-authored response. To expand upon that a little, a firewall device is supposed to be designed such that if something goes wrong, it starts dropping traffic rather than allowing it to pass. This probably breaks things, but is a total attention-getter for whoever is responsible for the device.

The problem with FreeNAS is that it is designed for NAS use, and the firewall defaults to open. You can definitely change that, but there is a huge risk. For example, if you create a startup script that executes an "ipfw add 60000 deny all from any to any" and then also adds some specific exceptions out of a script, there's a danger that at some point the mechanism for startup scripts changes, and your scripts don't get executed, and you do what's sometimes referred to as a "pants drop", exposing your bare fanny to the Internet. There's also the possibility that FreeNAS could change from ipfw to ipf, or that the filtering could be removed entirely in the base OS, and your dependence on a particular feature turns into a liability. The usual response is "but I'll check! and make sure!" and I know you believe it, but history suggests that this sort of thing gets missed more often than it is detected, largely because the default is open access, and it is so much harder to notice that too MUCH is open than to notice that everything's broken because the firewall hasn't opened the stuff it was supposed to.

However, I also believe that there's a lot of value in multiple layers of defense. There would definitely be some value to having a subsystem on FreeNAS that could manage a local firewall.
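The failure mode described above (the startup script that installs rule 60000 silently stops running and the host falls back to open) is something a defender can at least detect. The following is an added example, not code from the thread or from FreeNAS: a POSIX sh check that parses `ipfw list` output and exits nonzero when the default-deny rule is absent, so a cron job can raise an alarm. The rule number 60000 comes from the post; both rule listings are constructed samples.

```shell
# Added example (not from the thread): verify that the default-deny rule a
# startup script was supposed to install is actually loaded in ipfw.
# The listing text is passed in as a string so the check runs offline;
# on a live host you would pass "$(ipfw list)".

# Returns 0 when a deny rule numbered RULE covers all traffic, 1 otherwise.
# $1 = text of `ipfw list`, $2 = rule number (default 60000, as in the post).
# ipfw may print the protocol as "ip" or "all", so both are accepted.
default_deny_present() {
    listing=$1
    rule=${2:-60000}
    printf '%s\n' "$listing" | awk -v r="$rule" '
        $1 == r && $2 == "deny" && ($3 == "ip" || $3 == "all") &&
        $4 == "from" && $5 == "any" && $6 == "to" && $7 == "any" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample: the rules the startup script was meant to leave behind.
GOOD_LISTING='00100 allow ip from any to any via lo0
00200 allow tcp from 192.0.2.0/24 to me dst-port 22
60000 deny ip from any to any
65535 allow ip from any to any'

# Constructed sample: the startup hook no longer fires, so only the
# built-in final rule remains and the host is wide open.
BAD_LISTING='65535 allow ip from any to any'

# Wrapper suitable for cron: nonzero exit and a stderr line when open.
check_host() {
    if default_deny_present "$1"; then
        echo "OK: default-deny rule present"
        return 0
    fi
    echo "ALERT: default-deny rule missing; host is failing open" >&2
    return 1
}
```

Running `check_host "$(ipfw list)"` from cron and mailing on nonzero exit turns the "but I'll check!" promise into something that actually fires when the rule disappears.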
 

Artion

Patron
Joined
Feb 12, 2016
Messages
331
Thank you very much for the info. It was very clarifying to me. I didn't know the inside of the firewall on FN. As I understand, building a local firewall jail to be used as a filter for all other jails could be somehow useful, making the jails accessible only through the firewall.
However, thanks again for sharing your knowledge. :)
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,681
There probably isn't a particularly good way that you could make one jail be a firewall for other jails (speaking from a network design perspective). It is a nice idea though. I believe there may be more options when bhyve shows up on FreeNAS 10.
 

Artion

Patron
Joined
Feb 12, 2016
Messages
331
I wasn't aware of bhyve. Thanks. :)
 

Marcet

Contributor
Joined
May 31, 2013
Messages
193
If you want a good firewall, buy a NETGEAR WNDR3700 or WNDR3800 and flash it with OpenWrt.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,681
If you want a good firewall, buy a NETGEAR WNDR3700 or WNDR3800 and flash it with OpenWrt.

Those seem like they'd be particularly unlikely to be good firewalls, especially in the high speed packet filtering department, also especially considering OpenWRT isn't really designed as the type of firewall I was suggesting, which is something that's designed first and foremost as a security appliance.
 

Marcet

Contributor
Joined
May 31, 2013
Messages
193
Those seem like they'd be particularly unlikely to be good firewalls, especially in the high speed packet filtering department, also especially considering OpenWRT isn't really designed as the type of firewall I was suggesting, which is something that's designed first and foremost as a security appliance.
In the context of my home/business, I'm really satisfied. But it's not pro-grade equipment.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,681
In the context of my home/business, I'm really satisfied. But it's not a pro grade equipment.

Yes, but in "the context of [your] home/business" you're probably also not on live IP space but rather behind NAT, which can effectively break the ability of someone out on the Internet to directly access the equipment behind the NAT. This isn't actually a firewall, but since it is probably a baked-in requirement on your network (since your ISP probably only gives you a single IP address), it functions in some ways like a defaults-to-drop firewall.
 

Marcet

Contributor
Joined
May 31, 2013
Messages
193
You're right, I have only one IP. So I deal only with port forwarding.
 

Marcet

Contributor
Joined
May 31, 2013
Messages
193
I just discovered pfSense, which seems to be an excellent solution.
@jgreco: Is that the kind of firewall/router you had in mind?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,681
pfSense is the firewall equivalent of what FreeNAS is in NASland. Do it right and it will serve you exceptionally well. However, there is a bit of a learning curve. When you look at spending money on a "router" device from a company like D-Link or Netgear, one of the things you have to be aware of is that firmware updates for that box might not last more than a year or two before the device is considered "obsolete." That's just one of the reasons something like pfSense is so attractive.
 

Marcet

Contributor
Joined
May 31, 2013
Messages
193
pfSense is the firewall equivalent of what FreeNAS is in NASland. Do it right and it will serve you exceptionally well. However, there is a bit of a learning curve.
If it's at the same level where FreeNAS is, then the learning curve is worth it.
I used to have a Linux box as a router before OpenWrt, so the learning curve won't be so long I suppose ;)

Just saw a video presenting the features of pfSense, and was quite impressed.
I'll go for it in a near future.

When you look at spending money on a "router" device from a company like D-Link or Netgear, one of the things you have to be aware of is that firmware updates for that box might not last more than a year or two before the device is considered "obsolete." That's just one of the reasons something like pfSense is so attractive.
Indeed.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,681
It ought to be easier than the Linux box, though doing complicated stuff with pfSense can still be like beating your head with a brick. But that's true for any competent firewall appliance.
 

Marcet

Contributor
Joined
May 31, 2013
Messages
193
It ought to be easier than the Linux box, though doing complicated stuff with pfSense can still be like beating your head with a brick. But that's true for any competent firewall appliance.
That's true and a proper helmet should do the trick :D
 