FreeNAS 9.2.0 and IPFW

Status
Not open for further replies.

ChrisUK1978

Dabbler
Joined
Jan 18, 2014
Messages
11
Hi all,

I note with interest that recent FreeNAS builds come with IPFW compiled with the IPFIREWALL_DEFAULT_TO_ALLOW kernel option - this is great news!

I have a local FreeNAS box and an offsite FreeNAS box running in a VM on a commercial backup service (I'll not mention which as I'm discussing vulnerabilities below).

I do regular rsync backups via ssh-tunnel to the offsite backup to keep my data available and secure. As the offsite is running in a VM, the provider does not provide a firewall and expects the VMs to protect themselves.

The backup service is relatively well known for hosting FreeNAS VMs and cannot offer individual customers custom firewall rules. I am noticing a lot of root login attempts. I have ensured only certificate based logins and have disabled password logins, but would like to lock the install further.

The offsite ideally needs all ports closing apart from ssh and http, and the latter two restricting to my local IP addresses so that only I can access them.

I therefore need a firewall running on the offsite FreeNAS box and have tried to get IPFW to co-operate. Thus far a reboot seems to overwrite /etc and /usr/local/etc where I am attempting to modify the configs (I appreciate an upgrade may undo all this - I am prepared to reconfigure on upgrade) - despite mount -uw / before I start.

My questions:

1. Can the default FreeNAS IPFW installation be configured at all?
2. How might I go about configuring for a persistent firewall?

I know people are, quite rightly, advising not to put FreeNAS onto a public facing network, but sometimes it's the only option. I think providing a means to protect the box, and ideally adding a rule engine for the firewall to the GUI, would be a worthy and well-used addition.

Many thanks.

Kind regards,
Chris.
 

Dusan

Guru
Joined
Jan 29, 2013
Messages
1,165
I therefore need a firewall running on the offsite FreeNAS box and have tried to get IPFW to co-operate. Thus far a reboot seems to overwrite /etc and /usr/local/etc where I am attempting to modify the configs (I appreciate an upgrade may undo all this - I am prepared to reconfigure on upgrade) - despite mount -uw / before I start.
/etc is a ramdisk and therefore will be wiped on reboot. /usr/local/etc is a symlink to /etc/local, so the same applies here. You need to edit the files in /conf/base/etc (/conf/base/etc is used to initialize /etc).
2. How might I go about configuring for a persistent firewall?
Either edit the files in /conf/base/etc or create your own firewall script and set it as a Pre Init Script (http://doc.freenas.org/index.php/Init/Shutdown_Scripts) -- this will even survive an upgrade.
 

ChrisUK1978

Dabbler
Joined
Jan 18, 2014
Messages
11
Hi Dusan,

Top tip! Once you work out where to edit, it's surprisingly easy...

Many thanks for taking the time to point me in the right direction - my auth.log is practically empty and my security log is filling up nicely.

Cheers,
Chris.
 

ChrisUK1978

Dabbler
Joined
Jan 18, 2014
Messages
11
/etc is a ramdisk and therefore will be wiped on reboot. /usr/local/etc is a symlink to /etc/local, so the same applies here. You need to edit these fles: /conf/base/etc (/conf/base/etc is used to initialize /etc)

Either edit the files in /conf/base/etc or create your own firewall script and set it as a Pre Init Script (http://doc.freenas.org/index.php/Init/Shutdown_Scripts) -- this will even survive an upgrade.

Just a quick update for others following this approach: it no longer seems to work in FreeNAS 9.2.1.7 - it seems something is overriding the rc.conf setting to leave only the standard permit-all rule (same as firewall_type = OPEN).

Similarly, setting the script as a pre-init script is also overridden, as it runs too early in the process.

Setting the script to POST-INIT seems to work and, as Dusan suggests, should survive a reset.

Cheers,
Chris.
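Putting Dusan's advice (keep the script somewhere that is not the /etc ramdisk and hook it into the init scripts) and Chris's finding (Post Init is the hook that survives in 9.2.1.7) together, here is an added example of what such a script can look like. It is not code from the thread or from the FreeNAS project; the rule numbers, the admin addresses (RFC 5737 documentation ranges standing in for Chris's home IPs) and the assumption that the GUI listens on port 80 are all placeholders to adjust. It uses the stock ipfw command and the policy Chris describes: only ssh and http, only from his own addresses, everything else dropped. Because the kernel is built with IPFIREWALL_DEFAULT_TO_ALLOW, the script ends with an explicit deny below rule 65535, otherwise the default-allow rule would still accept whatever the earlier rules did not match.

```shell
#!/bin/sh
# Added example (not from the thread): an ipfw rule set for an Internet-facing
# FreeNAS box, meant to be saved on a persistent dataset (e.g. a path on the
# pool, not /etc) and registered in the GUI as a Post Init script.
# Assumptions: the admin addresses in ADMIN_NETS (RFC 5737 documentation
# ranges here), the rule numbers, and the ipfw path.
#
# Policy: loopback allowed; the box may open outbound connections; only the
# admin networks may reach ssh (22) and http (80); everything else is dropped
# and logged. The final deny is needed because the kernel is built with
# IPFIREWALL_DEFAULT_TO_ALLOW, so rule 65535 would otherwise accept the rest.

ADMIN_NETS="${ADMIN_NETS:-203.0.113.0/24 198.51.100.7}"   # assumption: your own IPs
IPFW="${IPFW:-/sbin/ipfw}"

# fw_rules prints one rule per line, in the form "ipfw add" expects.
fw_rules() {
    echo "00100 allow ip from any to any via lo0"
    echo "00200 deny ip from any to 127.0.0.0/8"
    echo "00300 deny ip from 127.0.0.0/8 to any"

    # Let return traffic of stateful sessions through before anything else.
    echo "01000 check-state"

    # The box itself may initiate connections (DNS, NTP, updates).
    echo "02000 allow tcp from me to any out setup keep-state"
    echo "02100 allow udp from me to any out keep-state"
    echo "02200 allow icmp from me to any out keep-state"

    # Administrative access (ssh for the rsync tunnel, http for the GUI)
    # only from the listed networks.
    for net in $ADMIN_NETS; do
        echo "03000 allow tcp from $net to me 22 in setup keep-state"
        echo "03100 allow tcp from $net to me 80 in setup keep-state"
    done

    # Keep path-MTU discovery and unreachables working; other inbound ICMP
    # (including echo requests) falls through to the catch-all below.
    echo "04000 allow icmp from any to me icmptypes 3,4,11 in"

    # Catch-all, placed below 65535 so it wins over the default-allow rule.
    echo "65000 deny log ip from any to any"
}

# fw_apply flushes the running set and installs the rules above.
fw_apply() {
    "$IPFW" -q -f flush
    fw_rules | while read -r rule; do
        # word-splitting of $rule is intended: each word is one ipfw token
        "$IPFW" -q add $rule
    done
}

# fw_check returns 0 if the generated set has the shape we expect:
# a catch-all deny last and an ssh rule for every admin network.
fw_check() {
    last=$(fw_rules | tail -n 1)
    [ "$last" = "65000 deny log ip from any to any" ] || return 1
    for net in $ADMIN_NETS; do
        fw_rules | grep -qxF "03000 allow tcp from $net to me 22 in setup keep-state" || return 1
    done
    return 0
}

# Run as "sh ipfw.sh apply" from the Post Init hook; with no argument it only
# prints the rules, which is the safe way to review them first.
case "${1:-print}" in
    apply) fw_apply ;;
    print) fw_rules ;;
esac
```

Before registering it as a Post Init script, run it with `apply` by hand from a session you can afford to lose and confirm from a second session that ssh from an admin address still works and that a connection from elsewhere is refused; a typo in ADMIN_NETS on a remote VM with no console access locks you out. If the GUI is served over https, add a matching rule for port 443.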
 