Firewall Rules Scale

NicJak

Cadet
Joined
Jun 16, 2020
Messages
9
I would like to allow for remote backups for my family. For this I use wireguard and allow only a previously given IP for every client. For security reasons I would like to only allow all IPs to access TrueNAS on its SMB ports. Except for myself. I would like to allow myself to also access the webGUI.

So I thought of implementing this using firewall rules for the entire wireguard-space that deny all but the SMB ports. And of course the exception of my own access rights.

Question 1
Does this sound like a reasonable approach for remote backups for my family? Or are there flaws/security issues? What would be an alternative, if this is bad?
Question 2
If the approach is reasonable: how does one proceed to implement such firewall rules in TrueNAS Scale? In TrueNAS Core I had a jail with ipfw rules to act accordingly.

Thank you and yours sincerely
NicJak

NicJak

Cadet
Joined
Jun 16, 2020
Messages
9
In case somebody might try to do something similar:

I added a Post-Init Script that I placed in the /root folder. Upon boot the following rules are applied:

iptables -A INPUT -i vpn_server -d <ip-of-TrueNAS> -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -i vpn_server -s <ip-of-my-own-user> -j ACCEPT
iptables -A INPUT -i vpn_server -j DROP
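The same restriction as a complete post-init script, added here as an example (it is not the poster's script and not part of TrueNAS). It puts the rules in a dedicated chain that is flushed and rebuilt on every run, so running it at each boot does not stack duplicate rules, and it inserts the jump at position 1 of INPUT so an accept-all rule added later cannot bypass it. The interface name vpn_server is taken from the post; the tunnel addresses 10.8.0.1 (NAS) and 10.8.0.2 (admin peer) are placeholders, and setting IPT=echo (or passing --dry-run) prints the commands instead of applying them.

```shell
#!/bin/sh
# Example post-init script (not the poster's): restrict a WireGuard interface
# to SMB for all peers plus full access for one admin peer.
# Placeholders: NAS_IP and ADMIN_IP below are constructed sample addresses.
set -eu

WG_IF="${WG_IF:-vpn_server}"
NAS_IP="${NAS_IP:-10.8.0.1}"        # placeholder: TrueNAS address inside the tunnel
ADMIN_IP="${ADMIN_IP:-10.8.0.2}"    # placeholder: your own WireGuard peer address
CHAIN="WG_IN"
IPT="${IPT:-iptables}"              # IPT=echo prints the commands instead of applying them

apply_rules() {
    # Create the chain once; flush it so repeated runs start from a clean state.
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -F "$CHAIN"
    # Hook the chain into INPUT only if the jump is not already present,
    # and put it first so no earlier ACCEPT rule can short-circuit it.
    $IPT -C INPUT -i "$WG_IF" -j "$CHAIN" 2>/dev/null || $IPT -I INPUT 1 -i "$WG_IF" -j "$CHAIN"
    # Replies to connections the NAS itself opened over the tunnel.
    $IPT -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Every family peer: SMB (TCP 445) to the NAS only.
    $IPT -A "$CHAIN" -d "$NAS_IP" -p tcp --dport 445 -j ACCEPT
    # The admin peer: everything (web UI, SSH, ...).
    $IPT -A "$CHAIN" -s "$ADMIN_IP" -j ACCEPT
    # Everything else from the tunnel is dropped; log a rate-limited sample
    # first so blocked attempts show up in the system log.
    $IPT -A "$CHAIN" -m limit --limit 5/min -j LOG --log-prefix "WG_IN drop: "
    $IPT -A "$CHAIN" -j DROP
}

case "${1:-}" in
    --apply)   apply_rules ;;
    --dry-run) IPT=echo; apply_rules ;;
esac
```

Run it as `sh wg-firewall.sh --apply` from the post-init task, or `sh wg-firewall.sh --dry-run` to review the rule list first. The LOG rule is optional; it exists so that a family member hitting the web UI by mistake, or anything else unexpected on the tunnel, leaves a trace in the log rather than failing silently.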

Ixian

Patron
Joined
May 11, 2015
Messages
218
Is there a reason you need to do this on the SCALE server and not an edge device like your firewall?
Joined
Oct 22, 2019
Messages
3,641
> I added a Post-Init Script that I placed in the /root folder.
Whatever you place inside /root, you want to make sure you have backup copies.

This folder lives directly on the boot ("OS") device, and will not be backed up with any replications or backup tasks.

NicJak

Cadet
Joined
Jun 16, 2020
Messages
9
> Is there a reason you need to do this on the SCALE server and not an edge device like your firewall?
I wouldn't know how to implement it there? The only device that supports wireguard and is permanently on in my network is TrueNAS. I assume a firewall outside this device would be futile, as the packets are encrypted when they pass the gateway and thus indistinguishable. And they will probably not pass the gateway a second time as TrueNAS will route it internally. Or do I get something wrong here?

> Whatever you place inside /root, you want to make sure you have backup copies.
>
> This folder lives directly on the boot ("OS") device, and will not be backed up with any replications or backup tasks.
Thank you for the hint! This is indeed a very good remark. :) Luckily I version my scripts there with git and push them to my private repository.