Unable to build FreeNAS with make release.

Status
Not open for further replies.

jpaetzel

Guest
FreeNAS uses ipfw to get around an issue with NFS. It's not just for jails at this point. It's part of system startup.
 

Kingedgar

Dabbler
Joined
Jan 30, 2014
Messages
47
FreeNAS uses ipfw to get around an issue with NFS. It's not just for jails at this point. It's part of system startup.

Thanks for that info. I do have one remaining question. Why have the firewall default to accept instead of having a rule set that allows whatever NFS issue is going on?

Having "options IPFIREWALL_DEFAULT_TO_ACCEPT" ruins any rule set created in a jail because the last rule is always accept any from any to any...

Just my $.02
 

jpaetzel

Guest
So have your last rule be drop any. It's not a huge deal. It's default to accept so a fuck up like accidentally flushing all rules doesn't lock you out.
 

Kingedgar

Dabbler
Joined
Jan 30, 2014
Messages
47
So have your last rule be drop any. It's not a huge deal. It's default to accept so a fuck up like accidentally flushing all rules doesn't lock you out.


Therein lies the issue for me. My last rule is/was drop any, but the last rule that shows up in "ipfw list" is accept all. Oh well. I am trying to build my own FreeNAS version that fixes this issue for me. Right now I have dropped all references to IPFIREWALL in the kernel config and am building it as a module. NFS won't be in use on this machine so I don't see that getting in my way. I guess I'll find out the consequences of this when the build is finished.

Thanks for all you do for FreeNAS and the community, it is VERY MUCH appreciated.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
So have your last rule be drop any. It's not a huge deal. It's default to accept so a fuck up like accidentally flushing all rules doesn't lock you out.

From the NAS point of view, that certainly makes sense.

From a security perspective, it is troubling because any Internet-facing firewall should fail secure; for a catastrophic misconfiguration event (loss of firewall rule file, etc) the default should be to deny traffic. The risk of an administrator not noticing that their firewall isn't in place is very high because "everything works."

We occasionally have users who want to expose FreeNAS to the Internet. I think that's a bad idea regardless, but would note that it would be nice to have some firewall design integrated into the system so that the system automatically generated an appropriate firewall, including limiting the interfaces or network IP ranges that various services were made available to, and failing secure.
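The two points above (an explicit deny rule placed before the kernel's fallback rule 65535, and a ruleset that fails closed instead of silently passing everything) can be checked mechanically. The following is an added example, not code from this thread or from the FreeNAS project: it prints a small fail-closed jail ruleset and parses `ipfw list` output to confirm that an explicit deny-all rule precedes rule 65535. The interface name, the management network and the rule numbers are assumed placeholders; ipfw's rule 65535 being the kernel default rule (allow or deny depending on IPFIREWALL_DEFAULT_TO_ACCEPT) is standard ipfw behaviour.

```shell
#!/bin/sh
# Added example: fail-closed ipfw ruleset for a jail plus a check against
# `ipfw list` output. Not from the thread or the FreeNAS project.

IFACE="${IFACE:-epair0b}"                  # assumed jail interface name
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # constructed management network

# Print (rather than run) the ipfw commands. The explicit deny at 65000 means
# the kernel's rule 65535 is never consulted, so the ruleset behaves the same
# whether the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT or not.
gen_rules() {
    cat <<EOF
ipfw -q flush
ipfw -q add 100 allow ip from any to any via lo0
ipfw -q add 200 check-state
ipfw -q add 300 allow tcp from ${ADMIN_NET} to me 22 in via ${IFACE} setup keep-state
ipfw -q add 400 allow ip from me to any out via ${IFACE} keep-state
ipfw -q add 65000 deny ip from any to any
EOF
}

# Read `ipfw list` output on stdin. Exit 0 only if a "deny ip from any to any"
# rule with a number below 65535 is present; exit 1 otherwise, which means
# traffic that matches nothing else falls through to the kernel default rule.
check_fail_closed() {
    awk '
        $1 < 65535 && $2 == "deny" && $3 == "ip" && $4 == "from" &&
        $5 == "any" && $6 == "to" && $7 == "any" { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Usage (inside the jail, as root):
#   gen_rules            # review the commands, then run them
#   ipfw list | check_fail_closed && echo "fails closed" || echo "falls through to 65535"
```

Running `ipfw list | check_fail_closed` after loading rules is the quick way to catch the situation described in the thread, where the only catch-all rule visible is the kernel's `65535 allow ip from any to any`.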
 

jpaetzel

Guest
Exposing your NAS to the internet is such a bad idea that I'm not going to give you ANY justification to do it in the software.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
I'm in violent agreement with the idea that exposing the NAS to the Internet is a bad idea.

But. Please follow along for a minute so I can make a point.

I am going to assume - possibly incorrectly, though it is irrelevant - that you feel a NAT gateway is protection of some sort. I note in particular that FreeNAS has been made somewhat dependent on network services such as DNS, SMTP, NTP, etc.; this basically ends up as a reason for people to justify giving their FreeNAS limited connectivity to the Internet. Most home networks are not fortunate enough to have lots of infrastructure deployed. In fact, we very strongly encourage NAS users to set up e-mail to handle proactive problem reports from SMART or daily or whatever.

That design decision may eventually have an unintended consequence. In the New World Order of IPv6, NAT is an evil concept. The correct design to deploy a FreeNAS box would be to deploy it on an IPv6 ULA or other unrouted network. For a site with network infrastructure services like DNS, SMTP, NTP, etc., that's all very workable and is parallel to existing deployments using RFC1918 space for private storage and management networks.

However, we will reach a point where IPv6 users need to deploy a NAS, and plop it on their IPv6 /64 that their ISP handed them - possibly without an intermediate firewall.

So here's my point. Regardless of our agreement that exposing the NAS to the Internet is a bad idea, failure to acknowledge and plan for this eventuality, which is going to happen under IPv6, is a bad thing. Even the sharpest admin occasionally makes a mistake, so at some point a FreeNAS box will be exposed to the IPv6 public Internet.

While I do not regard many of the automatically generated self-protecting firewalls as being worth much, I think there's substantial opportunity in the highly controlled FreeNAS appliance environment to automatically generate and deploy a fairly strong firewall.
 

Kingedgar

Dabbler
Joined
Jan 30, 2014
Messages
47
On your point, I agree. The problem lies with the default-to-accept rule: it renders the firewall useless even if there is a deny rule in front of it. IMHO it would be better served to load rules, fix what's broken, and not default to accept everything. Again that is just my opinion, and I see where someone could make a mistake and flush the rules and be locked out. I have come up with a solution that fits me by customizing and building my own version of FreeNAS.

I also apologize for being such a pain in this thread. I am not meaning to be demanding or anything of the sort. I simply want what's best for me and the company I am building a NAS for. FreeNAS is such a great product, there really is no other choice when it comes to free and open source NAS solutions.

I am thankful to all who have stopped in and advised me in this thread, I really really appreciate the help!
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
I wouldn't worry about it. There are multiple facets to most problems. Pretending those issues don't exist is dumb. We can of course disagree on the correct solution, but understanding them requires familiarity, for which discussion is a good familiarizer.

Which is why I spent some time on the NAT/IPv6 issue discussion above.
 

dkran

Dabbler
Joined
Feb 21, 2014
Messages
35
@dkran, are you a perl thumbsbot or something? :)
Damn, they're on to me. *deletes account*

No, but in all honesty this thread covered something I had issues with and gave up, but only really being familiar with Linux building and iptables, I thought it was just me being a noob as to why this doesn't work for me. It was very interesting to see more knowledgeable people cover the topic from start to finish and see it get hashed out. I guess it's still not finished Haha.

I just don't really believe in polluting a thread with "off topic" comments, I want to let the topic stay compact you know? But I want you guys to know I appreciate this and it's helped me understand immensely. Now if I could only get openvpn to run in my jail :-/
 

Kingedgar

Dabbler
Joined
Jan 30, 2014
Messages
47
@dkran, do you have a thread open? I could possibly help, openvpn was the easy part for me.
 