Should TrueNAS add a Firewall UI?

Do you want to see a configurable firewall on TrueNAS's UI?

  • Yes, please: 13 votes (44.8%)
  • Not really: 16 votes (55.2%)
  • Total voters: 29
Status
Not open for further replies.

Cyberpower678

Dabbler
Joined
Jul 27, 2020
Messages
37
I've seen this asked literally everywhere but never consolidated in a dev ticket to be voted on.

People have repeatedly asked if it's possible to set up a firewall in Free/TrueNAS, have opened tickets asking for the feature which were shot down due to a lack of votes, and complained that ipfw is not persistent through reboots.

I've decided to open a ticket on this request https://jira.ixsystems.com/browse/NAS-110277.

( Mod edit - New ticket link is here: https://ixsystems.atlassian.net/browse/NAS-110277 )

If you are interested in seeing the developers add a Firewall UI to Free/TrueNAS, please comment and vote on this ticket.
 
Joined
Oct 22, 2019
Messages
3,641
I suppose one argument to make for this "GUI Firewall" is that it could give the user "reassurance" that TrueNAS only makes remote outgoing connections that you explicitly permit, such as email alerts, checking for updates, submitting stats, certain services that require outgoing connections, etc. But then it wouldn't be so much a fully-fledged firewall per se, but rather a summary of what outgoing connections you expect.

The GUI for this page could serve as a convenient "one-stop shop", rather than having to navigate among the different menus throughout the web interface.

Just a mockup example I whipped up:

You click on Network > Outgoing Remote Connections, and are presented with a page that looks like this:
[Image: mock-outgoing-connections-overview.png]
 

ddaenen1

Patron
Joined
Nov 25, 2019
Messages
318
Honestly, when the expectation is that a piece of software becomes a Jack of all Trades, things start going wrong. The examples are numerous. My advice is to stay focussed and become the best at your core business.
 

neptuneIS

Cadet
Joined
Apr 21, 2021
Messages
1
If you want to use TrueNAS as an external backup server, you may install it on a bare metal server in some external datacenter, where you don't have any other system.
In such a setup, having basic pf rules to allow only tunneled / secure traffic and block everything else, or restrict the management interface to some trusted network, is required.
 

hescominsoon

Patron
Joined
Jul 27, 2016
Messages
456
As TrueNAS is not meant to be internet facing... there's no real need for a firewall/firewall GUI.
 

oljas

Cadet
Joined
Oct 8, 2016
Messages
5
If you really need a firewall on the same host that runs TrueNAS, just run it in bhyve! If you are not satisfied with the throughput of a bhyve firewall, just set up a firewall in a jail.
I mean TrueNAS already has everything for network setup - a GUI for physical interfaces and for VLANs; the rest is better done with other great software.
I've used pfSense and later OPNsense in bhyve for years, and have no complaints.
Recently I replaced several of my bhyve firewalls with vnet jails and they are blazing fast. The opnsense-bootstrap script makes it ridiculously easy to set up a PF firewall in a jail with a nice GUI and all the bells and whistles.
 

lxsq

Cadet
Joined
Jul 17, 2020
Messages
1
> As TrueNAS is not meant to be internet facing... there's no real need for a firewall/firewall GUI.

I'd say it is. IPv6 is getting more common, and it does not have a natural NAT firewall. Most consumer routers can only turn the IPv6 "firewall" on or off. Block all ports, or open all ports.
 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,222
> I'd say it is. IPv6 is getting more common, and it does not have a natural NAT firewall. Most consumer routers can only turn the IPv6 "firewall" on or off. Block all ports, or open all ports.

You shouldn't expect a product that's not meant to be exposed [to the internet] to have the proper tools to do so.

Btw, the discussion had been inactive for two years.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Yeah, not sure why a two-year-dead thread was necro'd. But the ticket's there, and the devs have "accepted" it--almost two years ago, it looks like. Apparently "accepting" a suggestion doesn't mean anything's going to happen with it any time soon.
 
Joined
Jun 15, 2022
Messages
674
I'm going to say a firewall is out of scope.
Reasoning:

IBM: Network attached storage (NAS) is a centralized, file server, which allows multiple users to store and share files over a TCP/IP network via Wifi or an Ethernet cable. It is also commonly known as a NAS box, NAS unit, NAS server, or NAS head.


Red Hat: Network-attached storage (NAS) is a file-level storage architecture that makes stored data more accessible to networked devices. NAS is 1 of the 3 main storage architectures—along with storage area networks (SAN) and direct-attached storage (DAS). NAS gives networks a single access point for storage with built-in security, management, and fault tolerant capabilities.

The main differences between NAS and general-purpose server storage lies in the software. NAS software is deployed on a lightweight operating system (OS) that's usually embedded in the hardware. General-purpose servers have full OSs that send and receive thousands of requests every second—a fraction of which may be related to storage—while a NAS box sends and receives only 2 types of requests: data storage and file sharing.
[Image: protocol.png]
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> I'm going to say a firewall is out of scope.

I agree, as I said on the ticket and in several other related threads. But the iX devs have "accepted" the suggestion, whatever that means.
 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,222
> I agree, as I said on the ticket and in several other related threads. But the iX devs have "accepted" the suggestion, whatever that means.

Maybe it's a misclick and they wanted to reject it :tongue:
 

HoneyBadger

actually does care
Administrator
Moderator
iXsystems
Joined
Feb 6, 2014
Messages
5,112
Okay folks, I think this thread has run its course.

If you'd like to voice your support for this feature request, the easiest way is to add a "thumbs up" to the suggestion here:


Thanks.
 