Setting up a Firewall on FreeNAS

Status
Not open for further replies.

DeliveryGuy

Dabbler
Joined
Dec 6, 2011
Messages
35
The recent NTP reflection incident I was a victim of woke me up to the need for securing my FreeNAS boxes from outside connections. Luckily, FreeNAS 9.2.1.2 comes shipped with the kernel extension for pf, so getting it working is pretty easy.
DISCLAIMER – I AM NOT A SECURITY EXPERT, FOLLOW THIS GUIDE AT YOUR OWN RISK

Get the basics done

1. Mount the filesystem so we can make some changes.
su
enter your root password
mount -uw /
2. Figure out what interfaces you have active so we can add them to the firewall rules.
ifconfig
Your output should look something like this:
re0: flags=8943<up,broadcast,running,promisc,simplex,multicast> metric 0 mtu 1500
options=82099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
ether f4:6d:04:db:21:ba
inet 192.168.0.10 netmask 0xffffff00 broadcast 192.168.0.255
inet6 xxxx::xxxx:xxxx:xxxx:xxxx%re0 prefixlen 64 scopeid 0x6
inet xxx.xxx.xxx.xxx netmask 0xfffffff8 broadcast 50.241.46.71
nd6 options=23<performnud,accept_rtadv,auto_linklocal>
media: Ethernet autoselect (1000baseT )
status: active
ipfw0: flags=8801<up,simplex,multicast> metric 0 mtu 65536
nd6 options=9<performnud,ifdisabled>
lo0: flags=8049<up,loopback,running,multicast> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<performnud,auto_linklocal>
bridge0: flags=8843<up,broadcast,running,simplex,multicast> metric 0 mtu 1500
ether 02:df:7f:1c:ff:00
nd6 options=1
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: epair0a flags=143<learning,discover,autoedge,autoptp>
ifmaxaddr 0 port 12 priority 128 path cost 2000
member: re0 flags=143<learning,discover,autoedge,autoptp>
ifmaxaddr 0 port 6 priority 128 path cost 20000
epair0a: flags=8943<up,broadcast,running,promisc,simplex,multicast> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:09:09:00:0c:0a
nd6 options=1
media: Ethernet 10Gbase-T (10Gbase-T )
status: active
tun0: flags=8051<up,pointopoint,running,multicast> metric 0 mtu 1500
options=80000<LINKSTATE>
inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
nd6 options=1
Opened by PID 17528
What we want to note are all the interface names. Mine are re0, ipfw0, lo0, bridge0, epair0a and tun0.
Create the firewall rules

3. Create the pf.conf file and edit it to your needs. We are going to put it on our data drive so future FreeNAS upgrades don’t wipe it out. Adjust the path to match your setup.
mkdir /mnt/Files/hacks
vi /mnt/Files/hacks/pf.conf
Side note: vi has lots of commands, but we only need to know a few: x deletes the character under the cursor, i enters insert mode, Esc exits insert mode, and :wq saves and quits.
Here are the rules I am running.
#change this to match your primary ethernet interface, re0 or em0 are common, but there are others
ext_if="re0"
vpn_if="tun0"
table <bruteforce> persist
#These are all of the other interfaces we discovered in step 2
set skip on lo0
set skip on bridge0
set skip on ipfw0
set skip on epair0a
set skip on tun0
set block-policy return
scrub in all
#change xxx.xxx.xxx.xxx to the external IP of your FreeNAS box
nat on $ext_if from 10.8.0.0/24 to any -> xxx.xxx.xxx.xxx
#Lock it down
block in all
block out all
#Allow VPN traffic
pass on $vpn_if keep state
block quick from <bruteforce>
#Allow traffic in for ssh
pass in on $ext_if proto tcp from any to any port 22 flags S/SA keep state (max-src-conn 10, max-src-conn-rate 5/5, overload <bruteforce> flush global)
#Allow traffic in for web - delete or comment out if you don't want web traffic
pass in on $ext_if proto tcp from any to any port 80 flags S/SA keep state
pass in on $ext_if proto tcp from any to any port 443 flags S/SA keep state
#Allow traffic in for OpenVPN
pass in on $ext_if proto udp from any to any port 1194 keep state label "openvpn"
#Allow LAN traffic to connect to FreeNAS - change xxx.xxx.xxx.0 to match your network, i.e. 192.168.0.0 or 10.0.0.0
pass in on $ext_if from xxx.xxx.xxx.0/24 to any keep state
#Allow traffic out from the LAN
pass out on $ext_if from any to any keep state
Enable the Firewall

4. Edit /etc/rc.conf and add the following.
vi /etc/rc.conf
pf_enable="YES"
pf_rules="/mnt/Files/hacks/pf.conf"
gateway_enable="YES"

5. Start up the firewall and see if it works
service pf start
You should get this as your output:
Enabling pf
No ALTQ support in kernel
ALTQ related functions disabled
Now check to make sure it is working:
service pf status
Your output should be something like this:
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:04:55 Debug: Urgent
State Table Total Rate
current entries 29
searches 1040038 3525.6/s
inserts 95 0.3/s
removals 109 0.4/s
Counters
match 1093 3.7/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 22 0.1/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
6. Start IP Forwarding without restarting your server
sysctl net.inet.ip.forwarding=1
Make your changes stick

7. Add your rc.conf changes to /conf/base/etc/rc.conf
vi /conf/base/etc/rc.conf
pf_enable="YES"
pf_rules="/mnt/Files/hacks/pf.conf"
gateway_enable="YES"

Clean Up

8. Make the filesystem read only again
mount -ur /
Final Thoughts

An added benefit of setting up a firewall this way is that it will let you route to other computers on your LAN over your VPN. Hope you all enjoy this and let me know how things work out for you.
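Added example, not part of the original post: a small pre-flight check for the ruleset above. It cross-checks the interface names from step 2 against the "set skip on" lines and the ext_if macro (an interface that is neither skipped nor the external interface falls silently under "block in all" / "block out all"), and flags any xxx.xxx.xxx.xxx placeholder left in the file. It assumes the post's layout (one "set skip on <if>" per line, ext_if="..." macro); the ifconfig and pf.conf samples are constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. On a real box replace the two
# constructed samples below with "$(ifconfig)" and "$(cat /mnt/Files/hacks/pf.conf)".

IFCONFIG_SAMPLE='re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.0.10 netmask 0xffffff00 broadcast 192.168.0.255
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500'

# Constructed ruleset: epair0a (the jail side of bridge0) is deliberately missing
# from the skip list, and the NAT placeholder has not been filled in.
PF_SAMPLE='ext_if="re0"
vpn_if="tun0"
set skip on lo0
set skip on bridge0
set skip on ipfw0
set skip on tun0
block in all
nat on $ext_if from 10.8.0.0/24 to any -> xxx.xxx.xxx.xxx'

# Interface names: first word of the unindented "name: flags=..." lines.
ifaces_from_ifconfig() { awk '/^[a-z0-9]+: flags=/ { sub(":", "", $1); print $1 }'; }

# Interfaces pf.conf either skips entirely or filters on through $ext_if.
ifaces_from_pf() {
    awk '/^set skip on / { print $4 }
         /^ext_if=/ { sub(/^ext_if=/, ""); gsub(/[^A-Za-z0-9]/, ""); print }'
}

# Print each interface ifconfig shows that pf.conf neither skips nor filters on.
unhandled_ifaces() {
    pf_ifs=$(printf '%s\n' "$2" | ifaces_from_pf)
    printf '%s\n' "$1" | ifaces_from_ifconfig | while read -r ifn; do
        printf '%s\n' "$pf_ifs" | grep -qxF "$ifn" || printf '%s\n' "$ifn"
    done
}

# Print (with line numbers) rules still carrying the post's xxx.xxx.xxx.xxx
# placeholders; pfctl cannot parse those as hosts and will refuse the file.
unfilled_placeholders() { printf '%s\n' "$1" | grep -n 'xxx\.xxx'; }

echo "Interfaces present but not covered by pf.conf:"
unhandled_ifaces "$IFCONFIG_SAMPLE" "$PF_SAMPLE"
echo "Rules still carrying placeholders:"
unfilled_placeholders "$PF_SAMPLE" || echo "(none)"
```

Once the script reports nothing, let pf itself parse the file without loading it with `pfctl -nf /mnt/Files/hacks/pf.conf` before running `service pf start`.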
 

Makaveli6103

Contributor
Joined
Mar 18, 2012
Messages
104
After enabling pf I got a syntax error on the pf.conf file. I ran a status and it says it is running, and I don't see anything abnormal. Any idea why this happened? I pretty much copied and pasted your pf.conf file and modified it to my settings.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,681
To anyone reading this thread:

FreeNAS is NOT DESIGNED to be exposed to the Internet.

The developers say so. The manual says so. Best security practices say so. Etc.

If you are finding yourself "exposed" to NTP reflection attacks, the correct mitigation is to NOT expose your NAS to the Internet.

I am certainly an advocate of host firewalling, but the potential failure modes here are sufficiently bad that anything on a NAS that is directly reachable from the Internet should be considered to be at grave risk.

DO NOT DO THIS AS MITIGATION FOR NTP DDOS ATTACKS. DO NOT DO THIS AS PRIMARY PROTECTION OF YOUR NAS FROM THE INTERNET.

However, you are certainly encouraged to use this along with a proper separate firewall device, to create a strong belt-and-suspenders solution for protecting FreeNAS.
 

DeliveryGuy

Dabbler
Joined
Dec 6, 2011
Messages
35
Well, this is the hacking area of the forum. By definition, threads in this area are about doing things the developers didn't intend. Just saying.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,681
Regardless, when suggesting things far outside of accepted practices, it is good to remember that this forum includes a search feature and someone searching on the word "firewall" might fail to notice that this is posted in "hacking."

Therefore a warning label should not be considered an optional accessory.
 

HoneyBadger

actually does care
Administrator
Moderator
iXsystems
Joined
Feb 6, 2014
Messages
5,110
But the other threads in here are things like:

"Install this transcoder in a jail"
"Managing your daily email reports"
"Making FC target mode work with CAMCTL"

Not:

"Here's how to do something that is incredibly bad security practice"
 

DeliveryGuy

Dabbler
Joined
Dec 6, 2011
Messages
35
I kind of thought DISCLAIMER – I AM NOT A SECURITY EXPERT, FOLLOW THIS GUIDE AT YOUR OWN RISK was a warning label.

As for HoneyBadger...the thread isn't...expose your FreeNAS box to the internet...it's a great idea!!!!! If pf had a gui I'm pretty sure you wouldn't be calling it a bad security practice to use.
 

HoneyBadger

actually does care
Administrator
Moderator
iXsystems
Joined
Feb 6, 2014
Messages
5,110
If pf had a gui I'm pretty sure you wouldn't be calling it a bad security practice to use.

Nope, in fact pfSense is a great firewall/router distribution ... to be installed on its own hardware as the public-facing endpoint. I wouldn't suggest someone try to install pfSense and then enable filesharing on that either.

And there's nothing wrong with adding a pf-based firewall to FreeNAS if you need to limit internal connections or are worried about an insider threat, but the original reason for this blog post was "exposed to NTP reflection" - as jgreco said, the solution is not "enable a pf-based firewall", it's "get your NAS off the Internet." Problem solved, no hacking required.
 