FreeNAS: Block All IPs apart from chosen ones

Status
Not open for further replies.

miklasz

Dabbler
Joined
Feb 24, 2016
Messages
15
Hi, I am trying to set up some kind of firewall. I was looking at fail2ban, iptables, ipfw and other scripts running it, but I decided to ask the pros, as I experience some problems and don't want to mess too much.

What I need is:

1. FreeNAS accessible from the Internet (I know it's NOT recommended, please read number 2).
2. I need to allow 5 different IPs to access FreeNAS, and all other IPs to be banned completely
- I do run PRIV key login over ssh
- at the moment root can access ssh (but it will probably be changed)
- I do off-site backup between a couple of NAS, and allowing FreeNAS over the Internet (ssh, scp) is just easier

Any ideas how to do it? As easy as possible. Any hints?

Many thanks for any reply! :)

Bartosz
 

miklasz

Dabbler
Joined
Feb 24, 2016
Messages
15
I do use IPsec between networks (if I am in the internal network). I am thinking of pulling my Cisco 2620XM and setting it up as my router/firewall, but I need to work on the fans as they are super loud. I was thinking of an easier way on the FreeNAS itself.

I might just change the public IPs from the main FreeNAS and use VPN to the internal network to access the web interface, and with jails (with public IPs) use fail2ban (as I have some silly brute force ssh from China, Thailand and Russia :) )

But I would like to find out how to set up blocking all IPs for the NAS access and allow only the IPs I want to use. As sometimes it's a pain in the ass to VPN to the internal network just to do a few clicks on the web interface. I use different computers in different places and it would be easier for me to add an IP on the NAS than to set up VPNs for all the computers I use.
Also I use many jails, and setting up fail2ban, for example, on every NAS on a couple of jails would be time consuming :) just looking for the options :D

Thx
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Limit this at the firewall or NAT device level, not the FreeNAS level. There should be a dedicated device between FreeNAS and the internet. This is where your ingress/egress controls should be.
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
But I would like to find out how to set up blocking all IPs for the NAS access and allow only the IPs I want to use. As sometimes it's a pain in the ass to VPN to the internal network just to do a few clicks on the web interface.
IPs can be spoofed so I would not think that is the best method. Sure it may seem like a PITA to VPN, but it is going to be much worse once someone does get in because you find it too much of a pain to take proper measures. Please think it over a bit and don't try to sacrifice security simply for wanting to be bothered with things that you may consider a nuisance...
 

miklasz

Dabbler
Joined
Feb 24, 2016
Messages
15
Yeah, I guess it's a good approach. I actually just changed all to local LAN, so it can be accessible from inside only. All networks are connected over IPsec tunnels, and I can access it from outside by VPN to the main router...

But I have some jails I have to use with public IPs, but I can use fail2ban with them I guess

thx for quick reply
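
One way to check that an allowlist like the one discussed in this thread is actually being enforced, wherever it is applied, is to scan the NAS's sshd log for connections from outside it. This is an added example, not code from any poster; the addresses, log lines and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed allowlist (documentation ranges) standing in for the permitted IPs.
ALLOWED = [ipaddress.ip_network(n) for n in (
    "203.0.113.10/32", "203.0.113.11/32", "198.51.100.0/29",
    "192.0.2.44/32", "2001:db8:5::/64",
)]

# Constructed OpenSSH auth-log lines.
SAMPLE_LOG = """\
Mar  1 02:11:09 nas sshd[811]: Accepted publickey for root from 203.0.113.10 port 50122 ssh2
Mar  1 02:14:37 nas sshd[902]: Failed password for invalid user admin from 192.0.2.200 port 41822 ssh2
Mar  1 02:14:41 nas sshd[902]: Failed password for root from 192.0.2.200 port 41830 ssh2
Mar  1 03:00:02 nas sshd[955]: Accepted publickey for backup from 198.51.100.3 port 60001 ssh2
Mar  1 03:20:45 nas sshd[990]: Accepted publickey for root from 192.0.2.77 port 51515 ssh2
Mar  1 04:02:10 nas sshd[1012]: Invalid user test from 2001:db8:ffff::9 port 40000
"""

# The greedy ".*" makes the LAST " from <ip> port <n>" on the line win, so a
# user name crafted to look like "x from 203.0.113.10 port 1" cannot pose as
# an allowlisted peer.
PATTERN = re.compile(
    r"sshd\[\d+\]: (?P<event>Accepted|Failed|Invalid user)\b.* from "
    r"(?P<ip>[0-9A-Fa-f:.]+) port \d+"
)

def is_allowed(addr):
    """True if addr parses as an IP and falls inside an allowlisted network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable peer: report it rather than trust it
    return any(ip in net for net in ALLOWED)

def audit(log_text):
    """Return {ip: {"accepted": n, "rejected": n}} for sources outside the allowlist."""
    outside = {}
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m or is_allowed(m["ip"]):
            continue
        counts = outside.setdefault(m["ip"], {"accepted": 0, "rejected": 0})
        counts["accepted" if m["event"] == "Accepted" else "rejected"] += 1
    return outside

if __name__ == "__main__":
    for ip, c in sorted(audit(SAMPLE_LOG).items()):
        print(f"{ip}: accepted={c['accepted']} rejected={c['rejected']}")
```

Any entry in the result means the filter in front of sshd let that source reach the service; an entry with `accepted` above zero is a login from an address that should never have connected.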
 