Security tips for home NAS use case

Status
Not open for further replies.

SmallGuy

Guru
Joined
Jun 7, 2013
Messages
560
Mount points are all you need to access your FreeNAS data from a jail.
All data access stays inside FreeNAS; don't bother to set up something more sophisticated, adding complexity and exposure you don't need.
 

joelmusicman

Patron
Joined
Feb 20, 2014
Messages
249
Edit: It looks like I was confused. I reviewed the manual section 10.2.2.2 starting on p. 231, and this is the method I used to link storage between my plugin jails and the NAS itself... did you do something different? I think my confusion was in saying that I "mounted the shares into the jails" which is not entirely accurate; as the manual mentions, this process merely creates pointers to the data on the NAS. If this is the case, I may not need nfs ports open after all... I will test tonight to confirm if closing the nfs-related ports in the plugin jails has an impact on sharing with the NAS.

Yup, that's what I was confused about. I was thinking you had your jails access your NFS shares. Sounds like you're doing it the right way.
 

entyrion

Explorer
Joined
Apr 3, 2014
Messages
52
After checking, I confirmed that nfs ports do not need to be open for sharing to work with the plugin.
 

entyrion

Explorer
Joined
Apr 3, 2014
Messages
52
As an update, I have the firewall up and running on FreeNAS itself. As /etc/ is read-only, I run an ipfw post-init script to set that up. A few additional questions about securing my NAS for ongoing research (and any hints would be appreciated) :)

1. Is "ipfw list" the proper way to check the status of my firewall? I'm assuming that if it returns the rule set, then the firewall is up and running correctly, right?
2. Per the NFS guide at http://www.tldp.org/HOWTO/NFS-HOWTO/security.html I would also like to secure my portmapper, but that guide is old since hosts.deny is deprecated. Does anyone have any advice for a good guide to learn to secure the portmapper using the newer hosts.allow system on FreeNAS?
3. What is a reasonably secure configuration? I'm thinking I would only want local machines to access it.
4. Additionally, since /etc/ is read only, how can I set this up to apply automatically on startup?

Thanks for your advice and thoughts!
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
Hint#1: Don't run FreeNAS with a firewall.. it's untested, even the developers have said you're crazy to think of doing it that way.
Hint#2: Read #1 again and again.. until it sinks in.
Hint#3: Recognize that FreeNAS expects you to have good security for your LAN and stop trying to redesign FreeNAS in ways the developers have even said is idiotic...

No joke.. someone put in a ticket requesting this as a feature in FreeNAS. The developers shot it down and have publicly said that the source code of the software may or may not work, is totally untested, and you should not be trying to use it, rely on it, or even attempt to use it on a box with any data on it of any value.
 

panz

Guru
Joined
May 24, 2013
Messages
556
@entyrion we appreciate your efforts to understand things and try new ways to achieve a goal, but sometimes it's easier and more secure to take a known way...

If you value your data please don't try to force FreeNAS to something it wasn't meant to. Just build a simple and cheap pfSense box (as suggested before).
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
Let me second (or third, or fourth,...) pfSense. pfSense is really one of the best network firewalls out there, and it's really user friendly. Furthermore, it works on pretty much any hardware (even that hardware you wanted to use for FreeNAS but would get yelled at for using), as long as it has two network cards.

I currently use pfSense on my home network. I run a purpose-built Atom-based pfSense box, but I used to use an old Dell workstation (Pentium III-era) with a PCI add-in network card. And unless you have super-fast internet, those old 100Mbps network cards are more than enough. The biggest concern is power consumption, and that's why I went with a purpose-built machine.
 

ewhac

Contributor
Joined
Aug 20, 2013
Messages
177
Let me second (or third, or fourth,...) pfSense.
Fifth.

I have two HP N54L microservers sitting on my desk. One is running FreeNAS 9.1.1; the other is running pfSense 2.1.1. The N54L is almost certainly overkill for a pfSense box, but they can be had for fairly cheap.

If you can bear the cost of a second machine, you really want firewalling to be handled by a separate machine that contains no important data.
 

Wonderjacky

Cadet
Joined
May 16, 2014
Messages
8
Hint#1: Don't run FreeNAS with a firewall.. it's untested, even the developers have said you're crazy to think of doing it that way.
Hint#2: Read #1 again and again.. until it sinks in.
Hint#3: Recognize that FreeNAS expects you to have good security for your LAN and stop trying to redesign FreeNAS in ways the developers have even said is idiotic...

No joke.. someone put in a ticket requesting this as a feature in FreeNAS. The developers shot it down and have publicly said that the source code of the software may or may not work, is totally untested, and you should not be trying to use it, rely on it, or even attempt to use it on a box with any data on it of any value.


Do you mean in a jail too? Or only on FreeNAS itself?
I want to make my FreeNAS an offsite backup server.
The data to back up will be sent via rsync to my FreeNAS server.
I was planning to do it with a dedicated jail that would hold the ssh server and to expose that jail to the internet (sshd port only).
I wanted to use a firewall in that jail to prevent the jail from accessing anything else on my LAN.
If it is not the right solution, how would you do it?

François
 

WhirlwindMonk

Dabbler
Joined
Apr 13, 2013
Messages
15
For pfSense, it seems like most everyone I'm seeing running a home network is buying something at least partially prebuilt. Is it at all cost-effective to build a pfsense system from parts, or is buying a dirt cheap barebones system and slapping a hard drive and stick of ram in it really the best way to go? I assume that if I needed to go really cheap, I could use the leftover gaming hardware I have lying around, but that's kind of power-hungry.
 

panz

Guru
Joined
May 24, 2013
Messages
556
This topic is going to be more appropriate in the pfSense Forum. BTW take a look at my signature for a system that draws only 21 Watts.
 

ric

Contributor
Joined
Dec 22, 2013
Messages
180
Newbie here.. pfsense sounds like a perfect one for me, as it is user-friendly and easier to set up. I have a Cisco ASA 5505 lying around that I would like to set up as firewall/openvpn.

My question is how can I configure pfsense to work with the ASA or is it possible to use pfsense with ASA?

Your input would be greatly appreciated.

Thanks.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
@ric,

You just responded to a thread that is over a year old. So I'm gonna lock the thread. Please take your pfsense questions to the pfsense forums/IRC.

Thanks.
 