onlineforums
Hi FreeNAS Community!
I understand that, by default, FreeNAS doesn't have a software firewall installed (pf for example). The main argument from my understanding is that FreeNAS is a tool for NAS and one should use a firewall tool for firewall. My concern is that for many the FreeNAS box has to be accessible via the public-facing internet for backup/restoration reasons. So without a firewall, there must be something upstream.
Is a consumer grade router (Asus, Netgear, etc) sufficient? My understanding is that these consumer grade devices, by default, block all inbound traffic except for those that are established. For someone to use FreeNAS within NAT in a consumer router setup, one must do a port forward on the consumer router for the SSH port or whatever mechanism is being used to back up over the internet to the FreeNAS box. Is this sufficient? It is still a point of potential entry, however, isn't that true with a more complex setup as well?
The alternative is something like pfSense, Untangle or a proprietary hardware firewall. However, don't they basically do the exact same thing as a consumer grade firewall (default block all inbound, but open up a particular port to forward to an internal NAT address)? If one doesn't use some of the advanced features (VLAN, VPN, etc) of a more complex upstream firewall, then what is the point of going beyond a consumer router?
Finally, not to get anyone in trouble, but do you have an upstream firewall AND run pf or some other firewall on your FreeNAS box in a jail? :)