Security when attempting access from internet

Status
Not open for further replies.

STREBLO

Patron
Joined
Oct 23, 2015
Messages
245
I've been thinking about opening up my network in some way so that I can access my FreeNAS box from the open internet, but obviously this introduces a security risk. I'm thinking about setting up a VPN so that I can access my ownCloud; however, I'm wondering what else I should be doing. What are your recommendations for securing your FreeNAS box? Do you have any recommended references?

I'm also thinking about setting up a dedicated firewall, probably pfSense. Would it be a good idea to do this? I've read people saying that a router is sufficient, but I've also read the opposite, that it may be a good idea to have a firewall that does the job properly. What do you guys do for a firewall if you're accessing your box from the internet?
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
First of all: There are about 1000 posts already in the forum on this precise question, even down to the fact of Owncloud.

Second of all: We tend not to answer these questions very thoroughly; our view is that if you're asking? Then you shouldn't be doing it.

Third of all: I think if you stick with just an OpenVPN access, that you don't have to sweat much more. You can install OpenVPN in a FreeNAS jail (again, several posts in the forum), or use the OpenVPN with pfSense, but to do pfSense right involves the expenditure of several hundred dollars for new equipment.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
to do pfSense right involves the expenditure of several hundred dollars for new equipment
How do you figure? This PC looks entirely adequate, CPU-wise, for $20. Add drive, RAM, and NIC and you're still well under $100, and quite possibly under $50. This one would only need a second NIC; it has the drive and RAM already, and it's $50. Even if you buy new hardware from the pfSense store, with support, it's just $300. Unless your definition of "doing it right" is kind of a special case.

If you're using a VPN for remote access to your LAN, I do tend to think it should be done at the router. pfSense will certainly do that, but so will many consumer-grade routers with third-party firmware like dd-wrt or Tomato.
 

STREBLO

Patron
Joined
Oct 23, 2015
Messages
245
First of all: There are about 1000 posts already in the forum on this precise question, even down to the fact of Owncloud.

Second of all: We tend not to answer these questions very thoroughly; our view is that if you're asking? Then you shouldn't be doing it.

Third of all: I think if you stick with just an OpenVPN access, that you don't have to sweat much more. You can install OpenVPN in a FreeNAS jail (again, several posts in the forum), or use the OpenVPN with pfSense, but to do pfSense right involves the expenditure of several hundred dollars for new equipment.

I'm not asking how to set up ownCloud, I'm asking what people's recommendations are for properly securing a FreeNAS box. There's lots of information out there but it's hard to break through all the noise and find the right way to do it, and I was wondering what other people did to secure themselves. I'm a fairly technical user, familiar and competent with Linux, but I am fairly new to FreeNAS, servers and BSD and just wanted recommendations from that point of view.

Back to the VPN topic: if it's better to use a dedicated box for the VPN, I don't mind buying a small pfSense box, as I wouldn't mind setting up a firewall on it as well.

For the firewall I was thinking of also setting up a subnet or VLAN on the network so that I can separate my server from the rest of the network and firewall it off that way. I'm trying to set it up in a way that I can leave the network as is, because there are other servers and people on the network and I don't want to mess with them as they aren't mine.
 
Joined
Apr 9, 2015
Messages
1,258
The way I did this was the OpenVPN Jail method. Open one port to the jail and enable tls-auth.
 

STREBLO

Patron
Joined
Oct 23, 2015
Messages
245

Deleted47050

Guest
I personally use a dedicated Raspberry Pi running OpenVPN, configured with certificate authentication. I have only opened one UDP port on the router to allow connections to come through, but if you don't have a valid certificate you won't be able to connect.

Having a firewall in the picture won't hurt, of course. Technically you could do all of this on the router, but I like to keep things separate when possible, for no other reason than that if something goes wrong, I only have one service down.
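The jail post above ("open one port to the jail and enable tls-auth") and the Raspberry Pi post ("certificate authentication, one UDP port open") describe the same hardening of an OpenVPN server. The following is an added example, not code from either poster or from the OpenVPN project: it parses two constructed server configs and reports which of the recommended settings are missing. The directive names (tls-auth, remote-cert-tls, verify-client-cert, crl-verify, user/group) are real OpenVPN server directives; the file names ca.crt, ta.key, crl.pem and the 10.8.0.0/24 pool are placeholders.

```python
"""Added example: audit an OpenVPN server config for the settings the thread
recommends (certificate-only clients, tls-auth on one port, dropped privileges).
Not from the original posts or from the OpenVPN project; the two configs are
constructed samples and the file names in them are placeholders."""

# Constructed: the kind of permissive config a quick copy-paste tutorial leaves behind.
WEAK_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
verify-client-cert none
duplicate-cn
"""

# Constructed: the same server with the settings from the two posts applied.
HARDENED_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
tls-auth ta.key 0
remote-cert-tls client
crl-verify crl.pem
user nobody
group nobody
persist-key
persist-tun
"""


def parse_conf(text):
    """Return (directive, args) pairs; lines starting with '#' or ';' are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def audit_openvpn_server(text):
    """Return a list of findings; an empty list means every check passed."""
    entries = parse_conf(text)
    present = {d for d, _ in entries}
    args = dict(entries)  # last occurrence of a directive wins
    findings = []

    # 1. Every client must present a certificate signed by the server's CA.
    no_cert_ok = ("client-cert-not-required" in present
                  or args.get("verify-client-cert", ["require"])[:1] == ["none"])
    if no_cert_ok:
        findings.append("clients may connect without a certificate "
                        "(verify-client-cert none / client-cert-not-required)")

    # 2. tls-auth (HMAC) or tls-crypt (encrypt+HMAC) on the control channel: packets
    #    without the pre-shared key are dropped before any TLS state is created, so
    #    the single open port does not expose the TLS handshake to unauthenticated peers.
    if not present & {"tls-auth", "tls-crypt"}:
        findings.append("no tls-auth/tls-crypt: the TLS handshake is reachable by "
                        "anyone who finds the port")

    # 3. Require the peer certificate to carry client key usage, so a leaked server
    #    certificate cannot be replayed as a client identity.
    if args.get("remote-cert-tls", [None])[:1] != ["client"]:
        findings.append("no 'remote-cert-tls client': peer certificate usage is not checked")

    # 4. Without a CRL a lost laptop's certificate stays valid until it expires.
    if "crl-verify" not in present:
        findings.append("no crl-verify: a lost client certificate cannot be revoked")

    # 5. Drop root after binding the port and opening key material.
    if not {"user", "group"} <= present:
        findings.append("no user/group: the daemon keeps root after startup")

    # 6. duplicate-cn lets one copied certificate be used from many clients unnoticed.
    if "duplicate-cn" in present:
        findings.append("duplicate-cn: a copied client certificate can be used concurrently")

    # 7. The posts open exactly one port; more than one 'port' line means more exposure.
    ports = [a for d, a in entries if d == "port"]
    if len(ports) != 1:
        findings.append("expected exactly one 'port' directive, found %d" % len(ports))

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_openvpn_server(conf)
        print(name, "->", result or "OK")
```

Running it prints six findings for the constructed weak config and "OK" for the hardened one. The audit only reads the config; it does not check that ta.key actually exists or that the CRL is fresh, which are the two things most often forgotten after the initial setup.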
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I've been thinking about opening up my network in some way so that I can access my FreeNAS box from the open internet, but obviously this introduces a security risk. I'm thinking about setting up a VPN so that I can access my ownCloud; however, I'm wondering what else I should be doing. What are your recommendations for securing your FreeNAS box? Do you have any recommended references?

I'm also thinking about setting up a dedicated firewall, probably pfSense. Would it be a good idea to do this? I've read people saying that a router is sufficient, but I've also read the opposite, that it may be a good idea to have a firewall that does the job properly. What do you guys do for a firewall if you're accessing your box from the internet?
All consumer grade routers have an internal firewall, usually set by default to deny all incoming connections (unless users turn on UPnP, which is a horrendous idea). FreeNAS should never be exposed directly to WAN... it's meant to always be firewalled behind the router.

If you have a router that is capable of running DD-WRT or OpenWRT (preferably OpenWRT, as it provides more options for the end user), I would start by setting that up on the router. OpenWRT easily has one of the best iptables implementations (by way of fw3). However, if you choose to go with DD-WRT, copy the following into the commands section and save it as the firewall script:
Code:
# Default policies: the router accepts its own input/output; forwarding is
# denied unless a zone rule below allows it.
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t filter -N delegate_input
iptables -t filter -N delegate_output
iptables -t filter -N delegate_forward
iptables -t filter -N delegate_rate_limit
iptables -t filter -N reject
iptables -t filter -N input_rule
iptables -t filter -N output_rule
iptables -t filter -N forwarding_rule
iptables -t filter -N syn_flood
iptables -t filter -N zone_lan_input
iptables -t filter -N zone_lan_output
iptables -t filter -N zone_lan_forward
iptables -t filter -N zone_lan_src_ACCEPT
iptables -t filter -N zone_lan_dest_ACCEPT
iptables -t filter -N zone_lan_dest_DROP
iptables -t filter -N input_lan_rule
iptables -t filter -N output_lan_rule
iptables -t filter -N forwarding_lan_rule
iptables -t filter -A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
iptables -t filter -A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
iptables -t filter -A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
iptables -t filter -N zone_wan_input
iptables -t filter -N zone_wan_output
iptables -t filter -N zone_wan_forward
iptables -t filter -N zone_wan_src_DROP
iptables -t filter -N zone_wan_dest_ACCEPT
iptables -t filter -N zone_wan_dest_DROP
iptables -t filter -N input_wan_rule
iptables -t filter -N output_wan_rule
iptables -t filter -N forwarding_wan_rule
iptables -t filter -A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
iptables -t filter -A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
iptables -t filter -A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
iptables -t filter -D INPUT -j delegate_input
iptables -t filter -A INPUT -j delegate_input
iptables -t filter -D OUTPUT -j delegate_output
iptables -t filter -A OUTPUT -j delegate_output
iptables -t filter -D FORWARD -j delegate_forward
iptables -t filter -A FORWARD -j delegate_forward
# Loopback, user hook chains, and connection tracking: established/related
# traffic is accepted, invalid state is dropped.
iptables -t filter -A delegate_input -i lo -j ACCEPT
iptables -t filter -A delegate_output -o lo -j ACCEPT
iptables -t filter -A delegate_input -m comment --comment "user chain for input" -j input_rule
iptables -t filter -A delegate_output -m comment --comment "user chain for output" -j output_rule
iptables -t filter -A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
iptables -t filter -A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A delegate_input -m conntrack --ctstate INVALID -j DROP
iptables -t filter -A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A delegate_output -m conntrack --ctstate INVALID -j DROP
iptables -t filter -A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A delegate_forward -m conntrack --ctstate INVALID -j DROP
# SYN flood protection: allow 25 new SYNs/sec with a burst of 50, drop the rest.
iptables -t filter -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
iptables -t filter -A syn_flood -j DROP
iptables -t filter -A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
iptables -t filter -A reject -p tcp -j DROP
iptables -t filter -A reject -j DROP
iptables -t filter -I delegate_forward 1 -i br0 -m state --state NEW -j ACCEPT
# Rate-limit chain for SSH (22), Telnet (23), OpenVPN (1194) and ping. As
# written the four port rules DROP, so nothing reaches those ports at all;
# change DROP to ACCEPT on them to allow 3 new connections per minute
# (burst 3) and log/drop everything beyond that.
iptables -t filter -A delegate_rate_limit -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j DROP
iptables -t filter -A delegate_rate_limit -p tcp --dport 23 -m limit --limit 3/min --limit-burst 3 -j DROP
iptables -t filter -A delegate_rate_limit -p tcp --dport 1194 -m limit --limit 3/min --limit-burst 3 -j DROP
iptables -t filter -A delegate_rate_limit -p udp --dport 1194 -m limit --limit 3/min --limit-burst 3 -j DROP
iptables -t filter -A delegate_rate_limit -p icmp --icmp-type echo-request -m limit --limit 3/sec -j ACCEPT
iptables -t filter -A delegate_rate_limit ! -p icmp -j LOG --log-prefix " Connection dropped "
iptables -t filter -A delegate_rate_limit -p tcp -j DROP
iptables -t filter -A delegate_rate_limit -p udp -j DROP
iptables -t filter -A delegate_rate_limit -j DROP
# Hook the rate-limit chain at the head of delegate_input (the chain is
# named delegate_rate_limit above). These rules match on every interface,
# LAN (br0) included, not just the WAN.
iptables -t filter -I delegate_input -p icmp --icmp-type echo-request -j delegate_rate_limit
iptables -t filter -I delegate_input -p tcp --dport 22 -m state --state NEW -j delegate_rate_limit
iptables -t filter -I delegate_input -p tcp --dport 23 -m state --state NEW -j delegate_rate_limit
iptables -t filter -I delegate_input -p tcp --dport 1194 -m state --state NEW -j delegate_rate_limit
iptables -t filter -I delegate_input -p udp --dport 1194 -m state --state NEW -j delegate_rate_limit
# LAN zone: the LAN may reach the router and be forwarded to the WAN.
iptables -t filter -A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
iptables -t filter -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
iptables -t filter -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
iptables -t filter -A zone_lan_input -j zone_lan_src_ACCEPT
iptables -t filter -A zone_lan_forward -j zone_lan_dest_DROP
iptables -t filter -A zone_lan_output -j zone_lan_dest_ACCEPT
iptables -t filter -D zone_lan_src_ACCEPT -i br0 -j ACCEPT
iptables -t filter -A zone_lan_src_ACCEPT -i br0 -j ACCEPT
iptables -t filter -D zone_lan_dest_ACCEPT -o br0 -j ACCEPT
iptables -t filter -A zone_lan_dest_ACCEPT -o br0 -j ACCEPT
iptables -t filter -D zone_lan_dest_DROP -o br0 -j DROP
iptables -t filter -A zone_lan_dest_DROP -o br0 -j DROP
iptables -t filter -D delegate_input -i br0 -j zone_lan_input
iptables -t filter -A delegate_input -i br0 -j zone_lan_input
iptables -t filter -D delegate_output -o br0 -j zone_lan_output
iptables -t filter -A delegate_output -o br0 -j zone_lan_output
iptables -t filter -D delegate_forward -i br0 -j zone_lan_forward
iptables -t filter -A delegate_forward -i br0 -j zone_lan_forward
# WAN zone: only DNAT (port-forwarded) traffic is accepted from eth1;
# everything else arriving from the WAN is dropped.
iptables -t filter -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
iptables -t filter -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
iptables -t filter -A zone_wan_input -j zone_wan_src_DROP
iptables -t filter -A zone_wan_forward -j zone_wan_dest_DROP
iptables -t filter -A zone_wan_output -j zone_wan_dest_ACCEPT
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1 -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1 -j ACCEPT
iptables -t filter -D zone_wan_src_DROP -i eth1 -j DROP
iptables -t filter -A zone_wan_src_DROP -i eth1 -j DROP
iptables -t filter -D zone_wan_dest_DROP -o eth1 -j DROP
iptables -t filter -A zone_wan_dest_DROP -o eth1 -j DROP
iptables -t filter -D delegate_input -i eth1 -j zone_wan_input
iptables -t filter -A delegate_input -i eth1 -j zone_wan_input
iptables -t filter -D delegate_output -o eth1 -j zone_wan_output
iptables -t filter -A delegate_output -o eth1 -j zone_wan_output
iptables -t filter -D delegate_forward -i eth1 -j zone_wan_forward
iptables -t filter -A delegate_forward -i eth1 -j zone_wan_forward
# NAT table: masquerade LAN traffic leaving on the WAN.
iptables -t nat -N delegate_prerouting
iptables -t nat -N delegate_postrouting
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
iptables -t nat -N zone_lan_postrouting
iptables -t nat -N zone_lan_prerouting
iptables -t nat -N prerouting_lan_rule
iptables -t nat -N postrouting_lan_rule
iptables -t nat -A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
iptables -t nat -A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
iptables -t nat -N zone_wan_postrouting
iptables -t nat -N zone_wan_prerouting
iptables -t nat -N prerouting_wan_rule
iptables -t nat -N postrouting_wan_rule
iptables -t nat -A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
iptables -t nat -A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
iptables -t nat -D PREROUTING -j delegate_prerouting
iptables -t nat -A PREROUTING -j delegate_prerouting
iptables -t nat -D POSTROUTING -j delegate_postrouting
iptables -t nat -A POSTROUTING -j delegate_postrouting
iptables -t nat -A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
iptables -t nat -A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
iptables -t nat -D delegate_prerouting -i br0 -j zone_lan_prerouting
iptables -t nat -A delegate_prerouting -i br0 -j zone_lan_prerouting
iptables -t nat -D delegate_postrouting -o br0 -j zone_lan_postrouting
iptables -t nat -A delegate_postrouting -o br0 -j zone_lan_postrouting
iptables -t nat -A zone_wan_postrouting -j MASQUERADE
iptables -t nat -D delegate_prerouting -i eth1 -j zone_wan_prerouting
iptables -t nat -A delegate_prerouting -i eth1 -j zone_wan_prerouting
iptables -t nat -D delegate_postrouting -o eth1 -j zone_wan_postrouting
iptables -t nat -A delegate_postrouting -o eth1 -j zone_wan_postrouting
iptables -t nat -I delegate_postrouting -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
# MSS clamping on the WAN and a raw-table notrack hook.
iptables -t mangle -N mssfix
iptables -t mangle -N fwmark
iptables -t mangle -D FORWARD -j mssfix
iptables -t mangle -A FORWARD -j mssfix
iptables -t mangle -D PREROUTING -j fwmark
iptables -t mangle -A PREROUTING -j fwmark
iptables -t mangle -D mssfix -p tcp -o eth1 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A mssfix -p tcp -o eth1 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
iptables -t raw -N delegate_notrack
iptables -t raw -D PREROUTING -j delegate_notrack
iptables -t raw -A PREROUTING -j delegate_notrack

  • This is the default firewall from OpenWRT with rate limiting applied to ports 22 (SSH), 23 (Telnet), and 1194 (OpenVPN), set to drop. While it's not recommended to use default ports for sensitive connections, if you choose to do so, change the rule to accept.
The reason you're looking for access will determine the best course of action. If you simply need to SSH in to check or do things via the command line, a multi-hop SSH tunnel would be best. I wrote a wiki on how to do so, which can be accessed here.

If you're looking to have access to your shares, then an SSL VPN would be best. I wrote a tutorial on how to configure OpenVPN on OpenWRT, which can be accessed here. The wiki can also be used to set up OpenVPN on any *nix OS, with only the commands needing slight modification to match whatever flavor you're working on.

pfSense, Sophos UTM, and others are firewall OSes requiring their own hardware, and while you could buy hardware for $100 or less, if you're going to go with a firewall OS for a router, you literally get what you pay for. If all you require is remote access to your FreeNAS box, then it's going a bit overboard to build your own router. This isn't to say you shouldn't build your own router, but to first determine what it is you're looking to do and what would you gain by going with a home built router.
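The bullet after the script says the port rules are rate-limited and "set to drop", and that you should change them to accept if you really want those ports reachable. As an added example that is not part of the original post, the following simulates the netfilter limit match (a token bucket that starts with --limit-burst tokens and refills at --limit; when no token is available the rule does not match and the packet falls to the next rule) over a constructed sequence of new-connection arrival times, so you can see what "-m limit --limit 3/min --limit-burst 3" passes with ACCEPT versus the posted DROP. The arrival times and the chain walk are assumptions of the simulation, not captured traffic.

```python
"""Added example: simulate the netfilter 'limit' match from the rate-limit chain
(-m limit --limit 3/min --limit-burst 3) to see what it lets through.
Not from the original post; the arrival times below are constructed."""
from fractions import Fraction


class LimitMatch:
    """Token bucket as the limit match behaves: starts with `burst` tokens, refills
    at `per_minute`/60 tokens per second, and spends one token per matched packet.
    Exact arithmetic (Fraction) so the refill boundaries are not blurred by floats."""

    def __init__(self, per_minute, burst):
        self.capacity = Fraction(burst)
        self.tokens = Fraction(burst)
        self.rate = Fraction(per_minute, 60)  # tokens per second
        self.last = Fraction(0)

    def matches(self, now):
        now = Fraction(now)
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def walk_rate_limit_chain(arrival_seconds, limit_target):
    """Walk each new-connection packet (e.g. a SYN to port 22) through the
    delegate_rate_limit chain: limit rule -> LOG -> DROP.
    limit_target is "DROP" (as posted) or "ACCEPT" (the change the post suggests).
    Returns one verdict per packet, in arrival order."""
    limit = LimitMatch(per_minute=3, burst=3)
    verdicts = []
    for t in arrival_seconds:
        if limit.matches(t):
            verdicts.append(limit_target)  # the limit rule matched and its target fired
        else:
            verdicts.append("LOG+DROP")    # fell through to the LOG and DROP rules
    return verdicts


def accepted_count(arrival_seconds, limit_target):
    """How many of the attempts actually reach the service."""
    return walk_rate_limit_chain(arrival_seconds, limit_target).count("ACCEPT")


# Constructed: five attempts one second apart, then one more 30 s after the first.
BURST_THEN_PAUSE = [0, 1, 2, 3, 4, 30]
# Constructed: a brute-force client trying once per second for 100 seconds.
ONE_PER_SECOND = list(range(100))

if __name__ == "__main__":
    for target in ("DROP", "ACCEPT"):
        print(target, walk_rate_limit_chain(BURST_THEN_PAUSE, target))
        print(target, "accepted out of 100 in 100 s:",
              accepted_count(ONE_PER_SECOND, target))
```

With the rules as posted (DROP) every attempt is dropped, the only difference being that the first three per minute are dropped silently and the rest are logged first. With ACCEPT, the first three attempts get in, the next two are logged and dropped, and the attempt at 30 s gets in because one token has refilled (3/min is one token every 20 s); a once-per-second brute force lands only 7 connections in 100 s. Since the rules are inserted at the head of delegate_input with no interface match, the same budget applies to SSH from the LAN.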
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I happened to have one of these lying around and it's now a pfSense appliance. It handles my 3 home networks (guest, personal, testing) very well. The 10/100 NICs might be an issue if the local monopoly ISP ever provides service equivalent to a developed country's.

Firebox x500
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I happened to have one of these lying around and it's now a pfSense appliance. It handles my 3 home networks (guest, personal, testing) very well. The 10/100 NICs might be an issue if the local monopoly ISP ever provides service equivalent to a developed country's.

Firebox x500
With 10/100 you'll get a maximum speed of 12.5 MB/s (less than the read/write speed of a 10x DVD), which is a substantial issue on a home network, especially one with a NAS device. Out of curiosity, what consumer router did you have prior to setting up the x500? From looking at the specs, you'd be better off sticking with a consumer router for a few reasons:
  • Wattage and Heat: it runs at 32.1 W, which is over 300% more than even the best consumer grade routers on the market (my WRT1900ac runs ~9.8 W). To provide a comparison, the quad core i7 4710 in my Alienware that's OC'd to 3.5 GHz runs at 47 W (only 32% more than the SL6C8).
  • Speed: The SL6C8 is a single core 1.2 GHz processor and RAM is 256 MB in a single DIMM (unsure of RAM clock speed).
For around $60 more, you could buy a consumer grade router capable of running DD-WRT/OpenWRT, with 1 Gbit connections, a dual core processor, and far less wattage use. You'll also more than likely gain modern security features the SL6C8 lacks (the SL6C8 is obsolete and reached its end of life years ago).
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
With 10/100 you'll get a maximum speed of 12.5 MB/s (less than the read/write speed of a 10x DVD), which is a substantial issue on a home network, especially one with a NAS device. Out of curiosity, what consumer router did you have prior to setting up the x500? From looking at the specs, you'd be better off sticking with a consumer router for a few reasons:
  • Wattage and Heat: it runs at 32.1 W, which is over 300% more than even the best consumer grade routers on the market (my WRT1900ac runs ~9.8 W). To provide a comparison, the quad core i7 4710 in my Alienware that's OC'd to 3.5 GHz runs at 47 W (only 32% more than the SL6C8).
  • Speed: The SL6C8 is a single core 1.2 GHz processor and RAM is 256 MB in a single DIMM (unsure of RAM clock speed).
For around $60 more, you could buy a consumer grade router capable of running DD-WRT/OpenWRT, with 1 Gbit connections, a dual core processor, and far less wattage use. You'll also more than likely gain modern security features the SL6C8 lacks (the SL6C8 is obsolete and reached its end of life years ago).
I installed pfSense on it (EOL not an issue), it was free, I connect gigabit switches to the firewall's ports, internet maxes out at 50 Mbps. Oh, and I did DD-WRT on a cheap consumer wireless router thingy once. I think I'm good for a while. :)
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I installed pfSense on it (EOL not an issue), it was free, I connect gigabit switches to the firewall's ports, internet maxes out at 50 Mbps. Oh, and I did DD-WRT on a cheap consumer wireless router thingy once. I think I'm good for a while. :)
It doesn't matter if you connected gigabit switches to the 10/100 ports on the x500, as it will only run at a maximum of 100 Mbit/s (12.5 MB/s).

I could be misunderstanding, and you may mean all local traffic is routed through different switches that are gigabit and only traffic going to WAN is routed through the x500. If that's the case, then you're fine. However, if local traffic is being routed through the x500, that traffic, regardless of any gigabit connections upstream, can only transmit at a maximum of 100 Mbit/s (a bottleneck effect, basically).
 