I've been thinking about opening up my network in some way so that I can access my FreeNAS box from the open internet, but obviously this introduces a security risk. I'm thinking about setting up a VPN so that I can access my ownCloud; however, I'm wondering what else I should be doing. What are your recommendations for securing your FreeNAS box? Do you have any recommended references?
I'm also thinking about setting up a dedicated firewall, probably pfSense; would it be a good idea to do this? I've read people saying that a router is sufficient, but I've also read the opposite, and that it may be a good idea to have a firewall that does the job properly. What do you guys do for a firewall if you're accessing your box from the internet?
All consumer grade routers have an internal firewall, usually set by default to deny all incoming connections (unless users turn on UPnP, which is a horrendous idea). FreeNAS should never be exposed directly to WAN... it's meant to always be firewalled behind the router.
If you have a router that is capable of running DD-WRT or OpenWRT (preferably OpenWRT, as it provides more options for the end user), I would start by setting that up on the router. OpenWRT easily has one of the best iptables implementations (by way of fw3); however, if you choose to go with DD-WRT, copy the following into the commands section and save it as the firewall script:
Code:
# DD-WRT firewall script: the OpenWRT/fw3 default zone layout (lan = br0, wan = eth1)
# plus a rate-limit chain for SSH, Telnet and OpenVPN. Every "-D ... / -A ..." pair
# deletes any earlier copy of a rule before adding it, so the script can be re-run
# without stacking duplicates. Adjust br0/eth1 if your interface names differ.

# --- filter table: default policies (FORWARD is DROP unless a zone rule allows it) ---
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP

# --- filter table: chain skeleton ---
iptables -t filter -N delegate_input
iptables -t filter -N delegate_output
iptables -t filter -N delegate_forward
iptables -t filter -N delegate_rate_limit
iptables -t filter -N reject
iptables -t filter -N input_rule
iptables -t filter -N output_rule
iptables -t filter -N forwarding_rule
iptables -t filter -N syn_flood
iptables -t filter -N zone_lan_input
iptables -t filter -N zone_lan_output
iptables -t filter -N zone_lan_forward
iptables -t filter -N zone_lan_src_ACCEPT
iptables -t filter -N zone_lan_dest_ACCEPT
iptables -t filter -N zone_lan_dest_DROP
iptables -t filter -N input_lan_rule
iptables -t filter -N output_lan_rule
iptables -t filter -N forwarding_lan_rule
iptables -t filter -A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
iptables -t filter -A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
iptables -t filter -A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
iptables -t filter -N zone_wan_input
iptables -t filter -N zone_wan_output
iptables -t filter -N zone_wan_forward
iptables -t filter -N zone_wan_src_DROP
iptables -t filter -N zone_wan_dest_ACCEPT
iptables -t filter -N zone_wan_dest_DROP
iptables -t filter -N input_wan_rule
iptables -t filter -N output_wan_rule
iptables -t filter -N forwarding_wan_rule
iptables -t filter -A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
iptables -t filter -A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
iptables -t filter -A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule

# --- hook the delegate chains into the built-in chains ---
iptables -t filter -D INPUT -j delegate_input
iptables -t filter -A INPUT -j delegate_input
iptables -t filter -D OUTPUT -j delegate_output
iptables -t filter -A OUTPUT -j delegate_output
iptables -t filter -D FORWARD -j delegate_forward
iptables -t filter -A FORWARD -j delegate_forward

# --- loopback, user hook chains, connection tracking ---
iptables -t filter -A delegate_input -i lo -j ACCEPT
iptables -t filter -A delegate_output -o lo -j ACCEPT
iptables -t filter -A delegate_input -m comment --comment "user chain for input" -j input_rule
iptables -t filter -A delegate_output -m comment --comment "user chain for output" -j output_rule
iptables -t filter -A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
iptables -t filter -A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A delegate_input -m conntrack --ctstate INVALID -j DROP
iptables -t filter -A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A delegate_output -m conntrack --ctstate INVALID -j DROP
iptables -t filter -A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A delegate_forward -m conntrack --ctstate INVALID -j DROP

# --- SYN flood protection: above 25 SYN/s (burst 50) new SYNs are dropped ---
iptables -t filter -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
iptables -t filter -A syn_flood -j DROP
iptables -t filter -A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
iptables -t filter -A reject -p tcp -j DROP
iptables -t filter -A reject -j DROP

# LAN may open new forwarded connections
iptables -t filter -I delegate_forward 1 -i br0 -m state --state NEW -j ACCEPT

# --- rate-limit chain for SSH (22), Telnet (23) and OpenVPN (1194) ---
# The first 3 new connections per minute per port match the limit rule below and are
# DROPped as posted; change that DROP to ACCEPT if you do run the service on its
# default port. Anything beyond the limit does not match, falls through to the LOG
# rule, and is then dropped. Pings are accepted at 3/sec and dropped beyond that.
iptables -t filter -A delegate_rate_limit -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j DROP
iptables -t filter -A delegate_rate_limit -p tcp --dport 23 -m limit --limit 3/min --limit-burst 3 -j DROP
iptables -t filter -A delegate_rate_limit -p tcp --dport 1194 -m limit --limit 3/min --limit-burst 3 -j DROP
iptables -t filter -A delegate_rate_limit -p udp --dport 1194 -m limit --limit 3/min --limit-burst 3 -j DROP
iptables -t filter -A delegate_rate_limit -p ICMP --icmp-type echo-request -m limit --limit 3/sec -j ACCEPT
iptables -t filter -A delegate_rate_limit ! -p ICMP -j LOG --log-prefix " Connection dropped "
iptables -t filter -A delegate_rate_limit -p tcp -j DROP
iptables -t filter -A delegate_rate_limit -p udp -j DROP
iptables -t filter -A delegate_rate_limit -j DROP
# These are inserted at the head of delegate_input, ahead of the loopback and
# ESTABLISHED rules, and match on every interface (LAN included). The jump target
# must be the chain created above, delegate_rate_limit; a jump to a chain that does
# not exist makes iptables reject the rule.
iptables -t filter -I delegate_input -p ICMP --icmp-type echo-request -j delegate_rate_limit
iptables -t filter -I delegate_input -p tcp --dport 22 -m state --state NEW -j delegate_rate_limit
iptables -t filter -I delegate_input -p tcp --dport 23 -m state --state NEW -j delegate_rate_limit
iptables -t filter -I delegate_input -p tcp --dport 1194 -m state --state NEW -j delegate_rate_limit
iptables -t filter -I delegate_input -p udp --dport 1194 -m state --state NEW -j delegate_rate_limit

# --- lan zone (br0): accept input from LAN, forward LAN -> WAN ---
iptables -t filter -A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
iptables -t filter -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
iptables -t filter -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
iptables -t filter -A zone_lan_input -j zone_lan_src_ACCEPT
iptables -t filter -A zone_lan_forward -j zone_lan_dest_DROP
iptables -t filter -A zone_lan_output -j zone_lan_dest_ACCEPT
iptables -t filter -D zone_lan_src_ACCEPT -i br0 -j ACCEPT
iptables -t filter -A zone_lan_src_ACCEPT -i br0 -j ACCEPT
iptables -t filter -D zone_lan_dest_ACCEPT -o br0 -j ACCEPT
iptables -t filter -A zone_lan_dest_ACCEPT -o br0 -j ACCEPT
iptables -t filter -D zone_lan_dest_DROP -o br0 -j DROP
iptables -t filter -A zone_lan_dest_DROP -o br0 -j DROP
iptables -t filter -D delegate_input -i br0 -j zone_lan_input
iptables -t filter -A delegate_input -i br0 -j zone_lan_input
iptables -t filter -D delegate_output -o br0 -j zone_lan_output
iptables -t filter -A delegate_output -o br0 -j zone_lan_output
iptables -t filter -D delegate_forward -i br0 -j zone_lan_forward
iptables -t filter -A delegate_forward -i br0 -j zone_lan_forward

# --- wan zone (eth1): unsolicited input from WAN is dropped, only DNAT'd traffic passes ---
iptables -t filter -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
iptables -t filter -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
iptables -t filter -A zone_wan_input -j zone_wan_src_DROP
iptables -t filter -A zone_wan_forward -j zone_wan_dest_DROP
iptables -t filter -A zone_wan_output -j zone_wan_dest_ACCEPT
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1 -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1 -j ACCEPT
iptables -t filter -D zone_wan_src_DROP -i eth1 -j DROP
iptables -t filter -A zone_wan_src_DROP -i eth1 -j DROP
iptables -t filter -D zone_wan_dest_DROP -o eth1 -j DROP
iptables -t filter -A zone_wan_dest_DROP -o eth1 -j DROP
iptables -t filter -D delegate_input -i eth1 -j zone_wan_input
iptables -t filter -A delegate_input -i eth1 -j zone_wan_input
iptables -t filter -D delegate_output -o eth1 -j zone_wan_output
iptables -t filter -A delegate_output -o eth1 -j zone_wan_output
iptables -t filter -D delegate_forward -i eth1 -j zone_wan_forward
iptables -t filter -A delegate_forward -i eth1 -j zone_wan_forward

# --- nat table: masquerade LAN traffic leaving on WAN ---
iptables -t nat -N delegate_prerouting
iptables -t nat -N delegate_postrouting
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
iptables -t nat -N zone_lan_postrouting
iptables -t nat -N zone_lan_prerouting
iptables -t nat -N prerouting_lan_rule
iptables -t nat -N postrouting_lan_rule
iptables -t nat -A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
iptables -t nat -A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
iptables -t nat -N zone_wan_postrouting
iptables -t nat -N zone_wan_prerouting
iptables -t nat -N prerouting_wan_rule
iptables -t nat -N postrouting_wan_rule
iptables -t nat -A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
iptables -t nat -A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
iptables -t nat -D PREROUTING -j delegate_prerouting
iptables -t nat -A PREROUTING -j delegate_prerouting
iptables -t nat -D POSTROUTING -j delegate_postrouting
iptables -t nat -A POSTROUTING -j delegate_postrouting
iptables -t nat -A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
iptables -t nat -A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
iptables -t nat -D delegate_prerouting -i br0 -j zone_lan_prerouting
iptables -t nat -A delegate_prerouting -i br0 -j zone_lan_prerouting
iptables -t nat -D delegate_postrouting -o br0 -j zone_lan_postrouting
iptables -t nat -A delegate_postrouting -o br0 -j zone_lan_postrouting
iptables -t nat -A zone_wan_postrouting -j MASQUERADE
iptables -t nat -D delegate_prerouting -i eth1 -j zone_wan_prerouting
iptables -t nat -A delegate_prerouting -i eth1 -j zone_wan_prerouting
iptables -t nat -D delegate_postrouting -o eth1 -j zone_wan_postrouting
iptables -t nat -A delegate_postrouting -o eth1 -j zone_wan_postrouting
# DD-WRT helpers: get_wanface prints the WAN interface, nvram holds the WAN address
iptables -t nat -I delegate_postrouting -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`

# --- mangle table: clamp TCP MSS to path MTU on the WAN side ---
iptables -t mangle -N mssfix
iptables -t mangle -N fwmark
iptables -t mangle -D FORWARD -j mssfix
iptables -t mangle -A FORWARD -j mssfix
iptables -t mangle -D PREROUTING -j fwmark
iptables -t mangle -A PREROUTING -j fwmark
iptables -t mangle -D mssfix -p tcp -o eth1 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A mssfix -p tcp -o eth1 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu

# --- raw table: hook for connections that should bypass tracking ---
iptables -t raw -N delegate_notrack
iptables -t raw -D PREROUTING -j delegate_notrack
iptables -t raw -A PREROUTING -j delegate_notrack
- This is the default firewall from OpenWRT with rate limiting applied to ports 22 (SSH), 23 (Telnet), and 1194 (OpenVPN), set to drop. While it's not recommended to use default ports for sensitive connections, if you choose to do so, change the rule to accept.
The reason you're looking for access will determine the best course of action. If you simply need to SSH in to check or do things via the command line, a Multi-Hop SSH Tunnel would be best. I wrote a wiki on how to do so, which can be accessed here.
If you're looking to have access to your shares, then an SSL VPN would be best. I wrote a tutorial on how to configure OpenVPN on OpenWRT, which can be accessed here. The wiki can also be used to set up OpenVPN on any *nix OS, with only the commands needing slight modification to match whatever flavor you're working on.
pfSense, Sophos UTM, and others are firewall OSes requiring their own hardware, and while you could buy hardware for $100 or less, if you're going to go with a firewall OS for a router, you literally get what you pay for. If all you require is remote access to your FreeNAS box, then it's going a bit overboard to build your own router. This isn't to say you shouldn't build your own router, but first determine what it is you're looking to do and what you would gain by going with a home-built router.
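A firewall script of the size posted above is easy to break with a single typo, and iptables only reports an unknown chain when the script actually runs on the router, which with DD-WRT means after a reboot or a firewall restart, possibly locking you out or silently leaving a rule missing. The following is an added example (not code from the thread or from DD-WRT/OpenWRT) that checks such a script offline before you paste it into the Commands box: it walks the script in order and reports every rule that appends to, or jumps to (`-j`), a chain that is neither built in nor created earlier with `-N` in the same table, and it lists what the rate-limit chain does per port so you can confirm the DROP/ACCEPT choice the post describes. The sample script inside it is constructed for the demonstration and deliberately contains one misspelled jump (`rate_limit` where only `delegate_rate_limit` exists) and one jump into a nat chain that is never created.

```python
"""Offline sanity check for an iptables firewall script of the DD-WRT/fw3 style.

Added example, not the forum poster's code. SAMPLE_SCRIPT is a constructed
excerpt with two deliberate chain-reference defects.
"""
import shlex

# Chains every table provides itself; they never need a -N.
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
# Verdicts and target extensions: a -j to one of these is not a user chain.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "NFLOG", "ULOG",
                   "MASQUERADE", "SNAT", "DNAT", "REDIRECT", "TCPMSS", "MARK",
                   "CONNMARK", "NOTRACK", "TTL"}


def parse_rules(script):
    """Reduce each `iptables ...` line to the fields the checks need.
    The table defaults to filter when -t is absent, exactly as iptables does."""
    rules = []
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quote: not a line we can interpret
            continue
        if not argv or argv[0] != "iptables":
            continue
        rule = {"line": lineno, "table": "filter", "op": None, "chain": None,
                "proto": None, "dport": None, "target": None}
        i = 1
        while i < len(argv):
            opt = argv[i]
            val = argv[i + 1] if i + 1 < len(argv) else None
            if opt == "-t":
                rule["table"] = val
            elif opt in ("-N", "-A", "-I", "-D", "-P", "-F", "-X"):
                rule["op"], rule["chain"] = opt, val
            elif opt == "-p":
                rule["proto"] = val.lower() if val else None
            elif opt == "--dport":
                rule["dport"] = val
            elif opt == "-j":
                rule["target"] = val
            else:
                i += 1  # an option we do not model: skip just the option itself
                continue
            i += 2      # consumed the option and its value
        rules.append(rule)
    return rules


def _known(defined, table, chain):
    return chain in BUILTIN_CHAINS or (table, chain) in defined


def lint(script):
    """Return (line, message) pairs for chain references iptables would reject.
    Processing is in script order, so a chain used before its -N is flagged too."""
    findings = []
    defined = set()  # (table, chain) pairs created so far with -N
    for r in parse_rules(script):
        table = r["table"]
        if r["op"] == "-N":
            defined.add((table, r["chain"]))
            continue
        if r["op"] in ("-A", "-I", "-D") and not _known(defined, table, r["chain"]):
            findings.append((r["line"],
                             f"rule added to undefined chain {r['chain']!r} in table {table}"))
        target = r["target"]
        if target and target not in BUILTIN_TARGETS and not _known(defined, table, target):
            findings.append((r["line"],
                             f"jump to undefined chain {target!r} in table {table}"))
    return findings


def port_rules(script, chain):
    """List (proto, dport, target) for each port-matching rule in `chain`,
    i.e. what the rate-limit chain decides per service."""
    return [(r["proto"], r["dport"], r["target"])
            for r in parse_rules(script)
            if r["chain"] == chain and r["op"] in ("-A", "-I") and r["dport"]]


# Constructed excerpt; lines 9 and 10 each reference a chain that does not exist.
SAMPLE_SCRIPT = """\
iptables -t filter -P INPUT ACCEPT
iptables -t filter -N delegate_input
iptables -t filter -N delegate_rate_limit
iptables -t filter -A INPUT -j delegate_input
iptables -t filter -A delegate_input -i lo -j ACCEPT
iptables -t filter -A delegate_rate_limit -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j DROP
iptables -t filter -A delegate_rate_limit -p udp --dport 1194 -m limit --limit 3/min --limit-burst 3 -j DROP
iptables -t filter -A delegate_rate_limit -j DROP
iptables -t filter -I delegate_input -p tcp --dport 22 -m state --state NEW -j rate_limit
iptables -t nat -A POSTROUTING -j delegate_postrouting
"""

if __name__ == "__main__":
    for line, msg in lint(SAMPLE_SCRIPT):
        print(f"line {line}: {msg}")
    for proto, port, target in port_rules(SAMPLE_SCRIPT, "delegate_rate_limit"):
        print(f"delegate_rate_limit: {proto}/{port} -> {target}")
```

To check your own script, read the file into a string and pass it to `lint()`; an empty result means every `-A`/`-I`/`-D` and `-j` names a chain that exists in its table at that point. The check is purely textual, so it cannot tell you whether a rule's match is sensible, only whether the chain plumbing holds together.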