-
Important Announcement for the TrueNAS Community.
The TrueNAS Community has now been moved. This forum will now become READ-ONLY for historical purposes. Please feel free to join us on the new TrueNAS Community Forums
- Status
SweetAndLow
Sweet'NASty
- Joined
- Nov 6, 2013
- Messages
- 6,421
You can restrict nfs connecting to a specific ip if you want in the nfs settings.
Fab Sidoli
Contributor
- Joined
- May 15, 2019
- Messages
- 114
Wanted to follow up on this thread.
I think having options for FW settings would be great. I think more and more people are using FreeNAS in productions - a sign of how popular it is - but the lack of a FW is a bit disappointing.
I have just been trying to configure a FW only to find that my settings get nuked on reboot.
Is there a way of setting up a FW and have it stick on reboots?
I think having options for FW settings would be great. I think more and more people are using FreeNAS in productions - a sign of how popular it is - but the lack of a FW is a bit disappointing.
I have just been trying to configure a FW only to find that my settings get nuked on reboot.
Is there a way of setting up a FW and have it stick on reboots?
danb35
Hall of Famer
- Joined
- Aug 16, 2011
- Messages
- 15,504
Yes, put it on a different device than the FreeNAS box. It doesn't act as a firewall, and isn't intended to. If you think it should, feel free to submit a feature request (the "report a bug" link at the top of the page).
Fab Sidoli
Contributor
- Joined
- May 15, 2019
- Messages
- 114
Not entirely helpful, but I don't understand why you feel it can't act as a firewall as well?
SweetAndLow
Sweet'NASty
- Joined
- Nov 6, 2013
- Messages
- 6,421
Because its a NAS. Firewall is something completely different on your network. It's not good to mix and match this stuff.
danb35
Hall of Famer
- Joined
- Aug 16, 2011
- Messages
- 15,504
If what you're asking for is ever going to happen, it's going to be the devs who implement it. The way you ask them to do something is to submit a bug. "Not what I wanted to hear" is not the same as "not helpful."
Why it can't right now is because it isn't designed to, and (as you've already found) any work you do behind the scenes is undone the next time you reboot. But there's certainly no reason the devs can't incorporate this feature; the question is whether they should, and even more importantly whether they will. And what I think on those questions is pretty much irrelevant.
Fab Sidoli
Contributor
- Joined
- May 15, 2019
- Messages
- 114
As a user of their system, I happen to believe that what you think isn't irrelevant, but I understand the point you are trying to make.
baztardo.snow
Dabbler
- Joined
- May 8, 2020
- Messages
- 38
I have been trying to find a good solution to accessing Nextcloud form the Net, but evry search ends in your Nas / Firewall / bad idea dont do it bla bla bla is nt BSD suppose to be The most desirable server (according to some) look in The the Plug IN section a LOT of those plug ins require an internet connection to be Useful Kind if hard to have a Mine craft server to play whit people when it isnt hooked up to the internet the when people ask on how to harden the system your told dont do that just seam odd to me,
Paying 3k for a server to jsut be NAS and never serve any thing else other then files on a local network doesn't seam like a good investment.. There has to be some happy medium might as well just go back to using my QNAP and reinstall my server whit some thing that can be and act as a fortified server..
Or can some one give an more suitable solution to getting every to work and get along ..
Paying 3k for a server to jsut be NAS and never serve any thing else other then files on a local network doesn't seam like a good investment.. There has to be some happy medium might as well just go back to using my QNAP and reinstall my server whit some thing that can be and act as a fortified server..
Or can some one give an more suitable solution to getting every to work and get along ..
baztardo.snow
Dabbler
- Joined
- May 8, 2020
- Messages
- 38
I think Im starting to understand why I see so many people using FreeNas in a VM..
- Joined
- Nov 25, 2013
- Messages
- 7,776
I run Minecraft and a ton of other stuff on my FreeNAS and this is precisely what it is supposed to do. Just the firewall is on my router connected to my DSL line - why would I want to put it on my NAS? Doesn't every Internet line require a router? The very recommendable products by Ubiquiti Networks are well below 100$/€.
But to come back to the original task at hand - of course you can run a simple packet filter on the FreeNAS. Just put your configuration in a shell script and configure that as a startup task. This way it will survive a reboot.
Or if you wnat to get fancy, configure a VM, bridged to the designated external interface and install OpenSense in there. And use a bridge connected to the desginated internal interface to connect your LAN, the FreeNAS box itself and the internal interface of the firewall VM. Perfectly possible but you will need to know your way around networking fundamentals and a bit of FreeBSD ... no ready-made recipe, yet.
I used to run my DNS and DHCP server on my NAS, but eventually switched that to an Edgerouter X by the aforementioned company, because I rather frequently toy with my NAS but don't want to interrupt service for the rest of the family ...
Kind regards,
Patrick
But to come back to the original task at hand - of course you can run a simple packet filter on the FreeNAS. Just put your configuration in a shell script and configure that as a startup task. This way it will survive a reboot.
Or if you wnat to get fancy, configure a VM, bridged to the designated external interface and install OpenSense in there. And use a bridge connected to the desginated internal interface to connect your LAN, the FreeNAS box itself and the internal interface of the firewall VM. Perfectly possible but you will need to know your way around networking fundamentals and a bit of FreeBSD ... no ready-made recipe, yet.
I used to run my DNS and DHCP server on my NAS, but eventually switched that to an Edgerouter X by the aforementioned company, because I rather frequently toy with my NAS but don't want to interrupt service for the rest of the family ...
Kind regards,
Patrick
baztardo.snow
Dabbler
- Joined
- May 8, 2020
- Messages
- 38
I was thinking of getting an Edgerouter X and I have a good Router two of then Actually each one to a different IP and one having a WIFI access point, and a smart gigabit switch whit a few 10 Gb port and one to my NAS Server.
I have spent the last month Researching on how I want To set my server and Network up..
Hardware Firewall is'nt my issue but when i see people saying DONT harden your NAS seam odd Ok i get the statement to not use a Firewall server on your NAS ok .. fine I get that... IT's same as setting up a server cluster Domain, LAPAD, DataBase Etc .. but for a home Lab having 5 Server just is nt feasible for me ,,
I have jsut spent the last few days trying to get access to nextcloud and install it whit mounts to the Nas but install the jail on SSD for speed set every thing up HTTPS ect ... then find out after I cant even Reach it from the Internet even after setting every thing up for it ..
Its just SO Frustrating <sigh>
I have spent the last month Researching on how I want To set my server and Network up..
Hardware Firewall is'nt my issue but when i see people saying DONT harden your NAS seam odd Ok i get the statement to not use a Firewall server on your NAS ok .. fine I get that... IT's same as setting up a server cluster Domain, LAPAD, DataBase Etc .. but for a home Lab having 5 Server just is nt feasible for me ,,
I have jsut spent the last few days trying to get access to nextcloud and install it whit mounts to the Nas but install the jail on SSD for speed set every thing up HTTPS ect ... then find out after I cant even Reach it from the Internet even after setting every thing up for it ..
Its just SO Frustrating <sigh>
baztardo.snow
Dabbler
- Joined
- May 8, 2020
- Messages
- 38
I even Tested the FAMP stack in the Plug in section NO go from the internet.. some thing is blocking the connection even whit the router DMZ to that IP address..
I still use Firewalls on most of my devices that can be set up to use natively I believe redundant firewalls is good secure practice .
I still use Firewalls on most of my devices that can be set up to use natively I believe redundant firewalls is good secure practice .
- Joined
- Nov 25, 2013
- Messages
- 7,776
Nextcloud runs just fine on FreeNAS. And there's nothing to specifically "harden" in a typical home setup. I just forward port 443 to my SSL reverse proxy (Apache & dehydrated) which then forwards the requests to the various jails and VMs.
Why do you need an additional firewall on your NAS - you should definitely only open single ports/applications to the Internet.
Patrick
Why do you need an additional firewall on your NAS - you should definitely only open single ports/applications to the Internet.
Patrick
baztardo.snow
Dabbler
- Joined
- May 8, 2020
- Messages
- 38
Oh I don't think I need it, I just think it odd that some are so against having a firewall on FreeNas maybe some see it as a false sense of security Liability reasons, and I only have the ports needed 80 and 443 I set it to DMZ just to test access to The FAMP stack because Nextcloud just will not Connect to the internet ... not sure why and neither will The FAMP Stack some thing is blocking access..
and when I say firewall I dont mean server .. just plain old firewall protection
and when I say firewall I dont mean server .. just plain old firewall protection
- Joined
- Nov 25, 2013
- Messages
- 7,776
Is this inside a jail? Please post the output of
Probably opening a new thread will be a good idea ;)
iocage get all <jailname>.Probably opening a new thread will be a good idea ;)
baztardo.snow
Dabbler
- Joined
- May 8, 2020
- Messages
- 38
Yes its inside a Jail this is the output for Nextcloud and Freenas Version: 11.3-U2.1
Code:
steve@freenas:~ % iocage get all nextcloud CONFIG_VERSION:26 allow_chflags:0 allow_mlock:0 allow_mount:0 allow_mount_devfs:0 allow_mount_fusefs:0 allow_mount_nullfs:0 allow_mount_procfs:0 allow_mount_tmpfs:0 allow_mount_zfs:0 allow_quotas:0 allow_raw_sockets:0 allow_set_hostname:1 allow_socket_af:0 allow_sysvipc:0 allow_tun:0 allow_vmm:0 assign_localhost:0 available:readonly basejail:0 boot:1 bpf:0 children_max:0 cloned_release:11.3-RELEASE comment:none compression:lz4 compressratio:readonly coredumpsize:off count:1 cpuset:off cputime:off datasize:off dedup:off defaultrouter:192.168.0.1 defaultrouter6:auto depends:none devfs_ruleset:5 dhcp:0 enforce_statfs:2 exec_clean:1 exec_created:/usr/bin/true exec_fib:0 exec_jail_user:root exec_poststart:/usr/bin/true exec_poststop:/usr/bin/true exec_prestart:/usr/bin/true exec_prestop:/usr/bin/true exec_start:/bin/sh /etc/rc exec_stop:/bin/sh /etc/rc.shutdown exec_system_jail_user:0 exec_system_user:root exec_timeout:60 host_domainname:none host_hostname:nextcloud host_hostuuid:nextcloud host_time:1 hostid:3eabf660-7b10-5344-001b-107b4453001a hostid_strict_check:0 interfaces:vnet0:bridge0 ip4:new ip4_addr:vnet0|192.168.0.101/24 ip4_saddrsel:1 ip6:new ip6_addr:none ip6_saddrsel:1 ip_hostname:0 jail_zfs:0 jail_zfs_dataset:iocage/jails/nextcloud/data jail_zfs_mountpoint:none last_started:2020-05-18 04:27:10 localhost_ip:none login_flags:-f root mac_prefix:107b44 maxproc:off memorylocked:off memoryuse:off mount_devfs:1 mount_fdescfs:1 mount_linprocfs:0 mount_procfs:0 mountpoint:readonly msgqqueued:off msgqsize:off nat:0 nat_backend:ipfw nat_forwards:none nat_interface:none nat_prefix:172.16 nmsgq:off notes:none nsem:off nsemop:off nshm:off nthr:off openfiles:off origin:readonly owner:root pcpu:off plugin_name:none plugin_repository:none priority:99 pseudoterminals:off quota:none readbps:off readiops:off release:11.3-RELEASE-p9 reservation:none resolver:/etc/resolv.conf rlimits:off rtsold:0 securelevel:2 shmsize:off stacksize:off state:up stop_timeout:30 swapuse:off sync_state:none sync_target:none sync_tgt_zpool:none sysvmsg:new sysvsem:new sysvshm:new template:0 type:jail used:readonly vmemoryuse:off vnet:1 vnet0_mac:107b44bab581 107b44bab582 vnet1_mac:none vnet2_mac:none vnet3_mac:none vnet_default_interface:auto vnet_interfaces:none wallclock:off writebps:off writeiops:off
- Status
Similar threads
- Locked
