IPFW (Firewall) Rule Editor

Would you use a local firewall to FreeNAS if there were a means of adding rules via the WebGUI?


  • Total voters
    14
Status
Not open for further replies.

ChrisUK1978

Dabbler
Joined
Jan 18, 2014
Messages
11
Hi,

I applaud the recent addition of IPFW into the stock FreeNAS build - awesome forward thinking again by the team. Please ensure this functionality remains as I know of a number of backup VM hosts that allow install of FreeNAS as a default set-up option, including the one I use.

I have recently set up IPFW with the help of users in the forum.

A FreeNAS GUI based IPFW firewall rule builder will help many users who have a real need to place the FreeNAS box onto a public facing network (in my case a backup service).

Cheers,
Chris.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
As a general rule, security devices and non-security devices should NEVER be mixed. This is basic good security practice.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
And yet some of us believe that it is a great idea to enforce policy at multiple layers; essentially RAID for firewall rules to protect against the inevitable screwups.
 

ChrisUK1978

Dabbler
Joined
Jan 18, 2014
Messages
11
Hi cyberjock,

I completely agree with your sentiment, and can think of other reasons to not have the firewall in the way.

Where the distro is used commercially and in VM/hosted environments then local security is absolutely necessary. In my case, the host I use almost exclusively offers FreeNAS VMs so there's a good chance of finding FreeNAS installs on his IP block.

Personally, I set firewall rules on the router and locally on the boxes as double redundancy.

Those with less capable routers and multiple boxes would benefit from letting IPFW handle complex rules also.

Just a thought to help others (as I've seen a fair number of posts from others asking about a firewall in FreeNAS) - I'm more than happy with the current state of play.

Cheers,
Chris.
 

warri

Guru
Joined
Jun 6, 2011
Messages
1,193
This feature would not be on my priority list, since usually people use a NAT/router in front of a NAS.
You have a good point about corporate environments, etc. For professional users this might be a plus.

I've just seen a feature request in the bug tracker for this feature. Check out Feature Request #3923 for future updates.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
In many hosting and cloud environments, you will find yourself on multi-tenant IP networks with minimal protection. Sucks but true.
 

Alec Edworthy

Dabbler
Joined
Feb 27, 2014
Messages
19
I would use a firewall if there was a way to easily configure it from the command line. I think that doing it the official FreeBSD way would involve editing config files on the (normally read-only) root filesystem which would then get removed on re-install (you need to edit the rc.conf file and possibly another one to tell it to import additional rules from a separate file). I've found a way of adding my own rules but it's involved me hacking together a script which detects the firewall coming up as part of the normal boot process and then adds my additional lines to it (the additional line at the moment being to block access to ntp).

Alec
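
The approach described in the post above (wait for the firewall to come up during boot, then append a rule blocking NTP), sketched as an added example that is not part of the original post or of FreeNAS. The rule number, retry limits and the `apply` argument are assumptions; how the script gets launched at boot is left to the system.

```shell
#!/bin/sh
# Added example: wait for ipfw to be enabled, then add one NTP-blocking rule.
# All defaults below are assumed values and can be overridden from the environment.
IPFW="${IPFW:-ipfw}"
SYSCTL="${SYSCTL:-sysctl}"
RULE_NUM="${RULE_NUM:-400}"     # must sort before any rule that allows the traffic
MAX_TRIES="${MAX_TRIES:-30}"    # give up after this many polls
SLEEP_SECS="${SLEEP_SECS:-2}"   # delay between polls

# True once the kernel reports the firewall as enabled.
fw_ready() {
    [ "$($SYSCTL -n net.inet.ip.fw.enable 2>/dev/null)" = "1" ]
}

# True if our rule number already exists, so re-running adds no duplicate.
rule_present() {
    $IPFW list "$RULE_NUM" >/dev/null 2>&1
}

# Poll until the firewall is up, then add the rule once.
# Returns 0 if the rule is in place, non-zero on timeout or if the add fails.
ensure_ntp_block() {
    tries=0
    until fw_ready; do
        tries=$((tries + 1))
        [ "$tries" -ge "$MAX_TRIES" ] && return 1
        sleep "$SLEEP_SECS"
    done
    rule_present && return 0
    # Drop inbound NTP (UDP port 123) addressed to this host.
    $IPFW -q add "$RULE_NUM" deny udp from any to me 123 in
}

# Only touch the firewall when explicitly asked to; running the file without
# arguments (or sourcing it) just defines the functions.
if [ "${1:-}" = "apply" ]; then
    ensure_ntp_block
fi
```

Because ipfw stops at the first matching rule, the chosen number has to be lower than any existing rule that would accept the same packets.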
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Yeah.. don't hold your breath on that. The developers have already said that it's not going to happen. It's fairly inappropriate for the expectations of FreeNAS. While I can appreciate your viewpoint Alec Edworthy, I agree and disagree with your reasoning. At the end of the day, the devs make the call though. And they've chosen to say that a firewall is inappropriate for FreeNAS. I agree with their philosophy on why though.

Will this decision mean that some users will not be using FreeNAS? Probably. But, we're not trying to make a one-stop shop for everything out there. And the firewall can be implemented from the command line if you are determined. I believe there's a guide on the forums with step-by-step directions too.
 

Alec Edworthy

Dabbler
Joined
Feb 27, 2014
Messages
19
Don't worry cyberjock, I agree that this is probably out of spec. I was mainly clarifying that the presence of a GUI route isn't essential to me, I'd be happy with a command line route. At some stage I'll see if I can work out a more normal command line route (I think you're right about the threads on this).

Alec
 

david kennedy

Explorer
Joined
Dec 19, 2013
Messages
98
I would also like to see some sort of "firewall" features in FreeNAS.

First, I agree with cyberjock. I am not trying to mix security and non-security on the same device. In my home network I have a dedicated firewall/content filter system.

I'm in the process of moving off Solaris to FreeNAS. On my Solaris system I use "crossbow" to restrict bandwidth to the storage which contains our TV/DVD rips. This effectively prevents our kids from watching them outside their "tv time".

It's just a simple cron job which increases/decreases the bandwidth available to certain IP addresses.

I can probably do the same in FreeNAS to block NFS but wanted to show a potential use case for this.
 