Custom Service Start Flags

Status
Not open for further replies.

m.lange

Cadet
Joined
Nov 16, 2018
Messages
2
Hi,

I'm looking for a way to customize service startup parameters in my FreeNAS setup.

But at first let me explain what I'm planning to do:
I want to run my FreeNAS in multiple VLANs and want to reduce the attack surface of the system in the "untrusted" VLANs as far as possible.
Of course this could be done using firewall configuration as DeliveryGuy showed previously [1]. But it seems quite unsupported to do so and adds extra layers that may cause problems sooner or later.

My idea is to let services only listen on the intended interface. For a bunch of services this is supported (more or less) by Service Settings in the Web UI (NFS, SSH, Web UI, SMB, ...).
However, I can't find a way to do so for the SNMP Service.

This might not be a security harm, but a service that isn't listening can't become one and, more importantly, it can't leak information to anyone not intended.

So my Question is:
Is there a way to customize service start arguments (custom <service>_flags argument(s))?

State of my Research:
I've already done some research on this topic. On a plain FreeBSD system I would add/change the snmpd_flags variable in the rc.conf to add the bind IP as a parameter for the snmpd. On FreeNAS the relevant rc.conf is created out of the configuration sqlite DB, so setting the flags in /var/tmp/rc.conf.freenas wouldn't have a persistent effect as it would be overwritten soon.

The rc.conf.local script also seems quite unpromising for my problem, as it seems that the database and the rc.conf.local script need adaptation to fulfill my needs (and the UI of course).
The relevant script lines seem to be 434 - 440 [2]
Code:
_snmp_config()
{
   echo "snmpd_conffile=\"/etc/local/snmpd.conf\""

   local snmpd_loglevel=$(${FREENAS_SQLITE_CMD} ${FREENAS_CONFIG} "SELECT snmp_loglevel FROM services_snmp ORDER BY -id LIMIT 1")
   echo "snmpd_flags=\"-LS${snmpd_loglevel}d\""
}


My Setup:
I'm currently running FreeNAS-11.1-U4 on a 2x Intel XEON X5650 (2.67GHz 12 Cores with 24 Threads) with ~51GB RAM (~47 GB available, said by "grep memory /var/run/dmesg.boot").

Best regards and thank you in advance
Markus Lange

[1] https://forums.freenas.org/index.php?threads/setting-up-a-firewall-on-freenas.19059/
[2] https://github.com/freenas/freenas/blob/master/src/freenas/etc/rc.conf.local
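
Added example (not part of the original post or of FreeNAS): one way to verify the goal described above, that a service such as snmpd listens only on the intended address, by parsing FreeBSD `sockstat -l` output. The function names, the address 192.0.2.10 and the sample output are constructed for illustration; the column layout assumed is USER COMMAND PID FD PROTO LOCAL FOREIGN.

```shell
#!/bin/sh
# Added example: audit `sockstat -l` style output for listeners that are
# bound to an address other than the intended one.

# Print "COMMAND PROTO ADDRESS PORT" for each IP listener read from stdin.
# Unix-domain sockets (no ":port" in the local column) are skipped.
list_listeners() {
    awk '$1 != "USER" && NF >= 6 {
        local_addr = $6
        n = match(local_addr, /:[^:]*$/)   # the port follows the last colon
        if (n == 0) next
        print $2, $5, substr(local_addr, 1, n - 1), substr(local_addr, n + 1)
    }'
}

# Print listeners of service $1 that are NOT bound to address $2.
# Exit status: 0 if every listener matches, 1 if at least one does not.
unintended_binds() {
    list_listeners | awk -v svc="$1" -v want="$2" '
        $1 == svc && $3 != want { print; bad = 1 }
        END { exit bad + 0 }'
}

# Constructed sample output, not captured from a real system.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     snmpd      2101  8  udp4   *:161                 *:*
root     sshd       1650  4  tcp4   192.0.2.10:22         *:*
root     nginx      1720  6  tcp4   192.0.2.10:443        *:*'

# snmpd is bound to the wildcard address here, so it is reported.
printf '%s\n' "$SAMPLE" | unintended_binds snmpd 192.0.2.10 ||
    echo "snmpd is listening outside 192.0.2.10"
```

On a live system the same check would read from `sockstat -4 -6 -l | unintended_binds snmpd 192.0.2.10` instead of the sample.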
 

m.lange

Hi,

thanks for your fast response!

Seems I overlooked the most obvious way to do it :)

Best regards
Markus
 