Freenas VM: Safe to forward ports?

boggie1688 (Explorer, joined Jul 9, 2015, 58 messages)
Hi all,
I've been a long time user of Freenas, but a huge newbie. Normally my freenas usage is that of a NAS, however recently I started using it to do other things. One of my new adventures is hosting an online gaming server, online sim racing. However, because Freenas is based on FreeBSD, steamcmd won't run easily in a jail. As a result, I spun up my first virtual machine. It was relatively easy to do, and I got all the game server stuff running. Part of enabling public access to the server requires I forward 3 different ports.
  1. For remote administration of the gaming service
  2. For API call access to the server, allows a return of what map, server settings etc etc
  3. For actual game connection to the server
This is where I get a bit worried. I've also been told that Freenas was designed to be a NAS device, and should never be exposed to the internet. While the freenas box itself isn't exposed to the internet, a VM instance has 3 ports forwarded through my router.

Is this a big no no?

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013, 7,776 messages)
No, it isn't. That's one of the points of running VMs and/or containers (aka jails). To provide particular services.

So exposing your application VM to the Internet at large does not put your FreeNAS at increased risk. You should treat that VM as precisely what it is, though. A host exposed to the Internet; so use strong passwords, apply security updates, set up SSL, ... all the regular things.

HTH,
Patrick

boggie1688 (Explorer, joined Jul 9, 2015, 58 messages)
> No, it isn't. That's one of the points of running VMs and/or containers (aka jails). To provide particular services.
>
> So exposing your application VM to the Internet at large does not put your FreeNAS at increased risk. You should treat that VM as precisely what it is, though. A host exposed to the Internet; so use strong passwords, apply security updates, set up SSL, ... all the regular things.
>
> HTH,
> Patrick

Thanks for the reply Patrick.

I have to admit, I'm not a security expert so I'm not entirely sure how to secure my VM. I'm sad to admit... it's a Win10 instance. In any case, I'll do as you advised, make sure passwords are strong, and that it is up to date.

Thanks again!

Samuel Tai (Never underestimate your own stupidity; Moderator, joined Apr 24, 2020, 5,399 messages)
> No, it isn't. That's one of the points of running VMs and/or containers (aka jails). To provide particular services.
>
> So exposing your application VM to the Internet at large does not put your FreeNAS at increased risk.

I beg to differ. I do IT security professionally. Although bhyve is a relatively safe platform, being safe from many known VM escape techniques due to its obscurity, that doesn't mean it's free from all of them, especially as it hasn't undergone aggressive vulnerability discovery campaigns funded by state actors, unlike ESXi. Even there, best practice is to have separate hosts for internal VMs vs VMs exposed to the Internet, and to use defense in depth where possible.

boggie1688 (Explorer, joined Jul 9, 2015, 58 messages)
> I beg to differ. I do IT security professionally. Although bhyve is a relatively safe platform, being safe from many known VM escape techniques due to its obscurity, that doesn't mean it's free from all of them, especially as it hasn't undergone aggressive vulnerability discovery campaigns funded by state actors, unlike ESXi. Even there, best practice is to have separate hosts for internal VMs vs VMs exposed to the Internet, and to use defense in depth where possible.

Dang ok, back to square one. I was trying to avoid having to setup another computer. But I do have enough hardware laying around. Better safe than sorry I suppose.

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013, 7,776 messages)
Hmmmmm ... escape from a hypervisor is not an easy task with readily available scripts for the proverbial kiddies. And it requires a remote code execution and a privilege escalation attack vector upfront in our scenario.

I run short of a dozen Internet-facing services in jails and VMs but they all go through a single choke point (SSL reverse proxy).

But to the OP: I would never expose anything on Windows to the public. Not that in 2020 I would still claim that Windows is fundamentally less secure, but I simply don't know enough to be sure I do not open any backdoors involuntarily. So if you ever run anything exposed to the net - no matter if on a hypervisor, jail, dedicated machine ... be sure you know enough about the platform and application to know the implications. And if you don't, or if it's some closed-source thingy that you are not even able to assess - then put a tried and true additional level of control and authentication in front of that.

Like Apache Guacamole (I admit, I love that product) for RDP or a VPN like OpenVPN for arbitrary services.

HTH,
Patrick

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013, 7,776 messages)
Followup ...

I also label myself a security professional in the appropriate context. I did and I still do use VLANs and hypervisors and treat these instances like dedicated hardware. Yes, VLAN hopping and hypervisor escape are possible, but in the last 3 decades I never had an incident based on that.
These attack scenarios need a dedicated skilled attack against your, and only your, infrastructure. OTOH I have had (more precisely some of my customers did) successful attacks against weak passwords, outdated unpatched PHP versions, outdated unpatched Wordpress versions ... if you run any of these, you will be owned. Only question is, how fast.

So do not expose anything that might possibly be hacked by a script kiddie. If it is proprietary Windows applications you need to share, put something with strong authentication in front of your server. Be practical. If the Mossad is out to get you, they will.

HTH,
Patrick
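Patrick's point that weak passwords, not hypervisor escapes, are what actually gets exposed hosts owned is something you can watch happen in the logs of the exposed VM. As an added example that is not from this thread or from any FreeNAS/TrueNAS code, here is a small Python detector run over constructed Windows Security logon events: event 4625 is a failed logon, 4624 a successful one, and logon type 10 is RemoteInteractive (RDP), which is what an exposed Win10 admin port would show. The one-line log layout, the sample addresses, the account names and the "internal" LAN prefixes are assumptions made for the example; the event IDs and logon type are the real Windows values.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: Windows Security events flattened to one line each.
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
# The one-line layout is an assumption for this example, not the native
# EVTX/XML format. 203.0.113.5 is a documentation address standing in for a
# source on the Internet; 192.168.1.20 stands in for a LAN host.
SAMPLE_LOG = """\
2020-08-01T12:00:01Z 4625 Source=203.0.113.5 Account=Administrator LogonType=10
2020-08-01T12:00:02Z 4625 Source=203.0.113.5 Account=Administrator LogonType=10
2020-08-01T12:00:03Z 4625 Source=203.0.113.5 Account=admin LogonType=10
2020-08-01T12:00:04Z 4625 Source=203.0.113.5 Account=guest LogonType=10
2020-08-01T12:00:05Z 4625 Source=203.0.113.5 Account=user LogonType=10
2020-08-01T12:00:06Z 4624 Source=203.0.113.5 Account=user LogonType=10
2020-08-01T12:00:30Z 4625 Source=192.168.1.20 Account=boggie LogonType=10
2020-08-01T12:10:00Z 4625 Source=192.168.1.20 Account=boggie LogonType=10
2020-08-01T12:20:00Z 4625 Source=192.168.1.20 Account=boggie LogonType=10
"""

# Assumed home-LAN / VPN prefixes; anything else reached the VM through the
# forwarded port. (ipaddress.is_private is avoided on purpose: it also
# classifies the 203.0.113.0/24 documentation range as private.)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d{4}) Source=(?P<src>\S+) "
    r"Account=(?P<acct>\S+) LogonType=(?P<ltype>\d+)$"
)


def is_internal(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)


def parse_events(text):
    """Parse the flattened lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": m["event"],
            "src": m["src"],
            "acct": m["acct"],
            "ltype": int(m["ltype"]),
        })
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Alert on any source with >= threshold failed logons inside a sliding
    window. A later 4624 from the same source upgrades the alert from
    'attempt' to 'probable compromise'."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> 4625 events still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["event"] == "4625":
            q = recent[src]
            q.append(ev)
            while q and ev["ts"] - q[0]["ts"] > window:
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {
                    "first_seen": q[0]["ts"],
                    "accounts": sorted({e["acct"] for e in q}),
                    "logon_types": sorted({e["ltype"] for e in q}),
                    "from_internet": not is_internal(src),
                    "followed_by_success": False,
                }
        elif ev["event"] == "4624" and src in alerts:
            alerts[src]["followed_by_success"] = True
    return alerts


def main():
    for src, a in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {len(a['accounts'])} accounts tried from "
              f"{a['first_seen']:%H:%M:%S}, internet={a['from_internet']}, "
              f"success after failures={a['followed_by_success']}")


if __name__ == "__main__":
    main()
```

Run as is, it flags only the Internet source: five failures against four different accounts in five seconds (password spraying, not a forgotten password) followed by a success, which is exactly the "weak password, owned fast" case. The LAN user's three failures spread over twenty minutes stay below the threshold. The from_internet flag is what separates the two: if it is ever true for the admin or API port, that port should not have been reachable without the extra authentication layer Patrick describes.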

Samuel Tai (Never underestimate your own stupidity; Moderator, joined Apr 24, 2020, 5,399 messages)
> Dang ok, back to square one. I was trying to avoid having to setup another computer. But I do have enough hardware laying around. Better safe than sorry I suppose.

Why host the hardware yourself? AWS is essentially no- to nominal-cost for low traffic scenarios like yours. Create a VPC and install a Linux VM on it with your application. Then clone it, so you have a master recovery VPC and a working VPC. Then on a regular schedule, save the working to the recovery, and swap roles. If the VM gets compromised, destroy the working VPC; bring the recovery VPC active but offline while you plug the holes; clone the patched VPC to another recovery VPC; and then bring the new working VPC back online.

seanm (Guru, joined Jun 11, 2018, 570 messages)
> Is this a big no no?

What's your threat model? What do you risk losing? Are you a company with lots of personal customer data and liability issues? Then I might worry about hypervisor escapes. Or are you just some guy with movies and pictures on your NAS? In that case I wouldn't sweat it.