How to Set up Firewall on Synology NAS (and why you probably do not need one)

Captions
All right, how's it going, Neil. So today we're going to be going over a tutorial I really should have done a long time ago, because I've been asked a ton of times for it, and it's actually caused a lot of confusion and caused people to actually kind of get locked out of their NASes in some cases. And so we're going to go over how to set this up and get it right so you're good, and that is going to be how to use the firewall on your Synology NAS.

Before we even get started on this I need to give one disclaimer: the majority of users actually don't even need to set up a firewall. You do not need to set up a firewall on your Synology NAS. That's because in most people's home networking, and even most businesses' networking, your firewall should be your actual router, and so having the Synology also have a firewall is a nice-to-have but is not strictly necessary. Though, especially if you have a cheap consumer router, the Synology has a much better ability to kind of customize the exact rules and who's able to access what, and so in that case it can be very useful.

So this tutorial is going to be basically starting off with what is a firewall and how does it work, and then going on to the basic firewall rules that I would set up for most people, and how to set them up pretty easily so you're also not going to be locking yourself out.

So first off, what is a firewall? A firewall in networking is essentially a block: all connections have to go through the firewall before actually getting to the end. So say you have an SMB server; that is where you can easily hook up your Synology and see it via macOS Finder or Windows File Explorer. That packet goes over port 445, so that connection goes over port 445.

So whenever your computer goes and clicks connect to the Synology via macOS Finder, it is going to send a request on port 445 to the Synology that says, hey, I want to connect to you. But before we get to any of the internal packages of the Synology, first it's got to pass through the firewall, and that firewall is going to go through a list of rules. It's got a list of rules that we're going to set up, and it's going to look at every single one of these rules (I'll explain it more once we've actually got it set up), and it is going to find the first one that matches, and whatever the first one that matches is, it is going to listen to that, either block or allow. And that is how a firewall works: it allows you to say what can and cannot connect into the network.

And so Synology's firewall is a package that most Linux administrators, and anybody who's really ever followed a tutorial online on how to set something up for a service on, like, an AWS instance or DigitalOcean, will probably already be familiar with, and that is ufw, or Uncomplicated Firewall. It's very easy to set up, and it's even easier through Control Panel, where you can really see it all laid out.

I will say there is one difference between the firewall on Synology and what you would find on a higher-end router that really has an advanced firewall, and that is that the Synology is always allowed to receive packets that it has requested. And that is a good thing, because it makes it a lot simpler, but that is just one difference, and that is how the vast majority of people probably want to do it anyway. The one thing you cannot do with this firewall is specifically block internet access to certain things, and so you can't do things like block all web access from the Synology. You can't do that kind of thing; that's not what this setup is even really able to do. I'm sure you could SSH in and figure it out, but that is not how this is designed, and that's a good thing.

And so to explain this for people who don't know a ton about firewalls, it's pretty simple, and we're going to talk about it just on my computer, since it's easier to explain like that. So say on my computer I had a firewall rule that said I never want to have any incoming traffic on port 80, no matter what. So if I had a firewall rule that did that and I went to Google, I would be able to have outgoing traffic, so I'd be able to send a request to www.google.com on port 80, which is the web HTTP port. Then Google is going to send me an acknowledgment, some packet, whatever the website is; it's going to return that. But if I had a firewall that did not allow return traffic, my computer would say nope, even though I requested that, I'm not allowed to have any traffic on port 80, and block it. That's not what you want. Instead, what the vast majority of firewalls do, and your Synology does as well by default, is allow established traffic. So that is exactly what you want, because you want to be able to say, okay, I don't want anybody to come in on port 80, but if I go out to port 80 I want to be able to get that back. And so that's really what the firewall is doing: it's keeping this massive list of all these different packets that it has sent out, and every packet that comes back in it checks against that list. If it's in reference to one of the packets that has already gone out, so it's basically a reply from a web server you reached out to, it's going to say great, you are fine, and if it's not it's going to go into the other rules. I just wanted to explain that really quickly because it's a little bit more advanced; it helps people kind of understand how firewalls work, but that is really out of the scope of this, because this is a very simple firewall to set up and we're going to be going over the basics here.

All right, so now let's go over how to actually set up a firewall on a Synology NAS, and it's very easy. I'm in the DSM 7.2 beta, which is pretty much the same, except now QuickConnect listens to firewall rules. So in previous versions of DSM, QuickConnect actually kind of bypassed those firewall rules and was always allowed in; now you can actually use firewall rules with QuickConnect, which is great.

So to set up a firewall you just go into Control Panel, Security, and Firewall. And now what a lot of people do is they will hit Enable Firewall and they're like, great, my firewall is enabled. This does absolutely nothing. That's because the default profile is blank, and so the way that the default firewall works right out of the box in Synology is it says, okay, there's nothing in here. And so then if we look down here, this is the All Interfaces tab, so when we say "if no rules in All Interfaces are matched, rules in each interface will be matched", okay, so no rules were matched over here, so now we need to go into the specific interface, and for me that'd be coming in on LAN 3. Well, there's nothing coming in on LAN 3; there are no firewall rules on LAN 3. All right, nothing's been matched: allow access. So by default this is allowing all access, the exact same thing as if you had no firewall whatsoever.

But what we're going to want to do is we're really going to set up everything in the All Interfaces tab. If you have a special VLAN over here, say you have a specific security camera VLAN and you only want traffic on that security camera VLAN coming in via the specific ports and they can't access anything else, you could actually create rules on these specific LANs over here and set them up like that, or you could always do it based off of subnets. But instead we're going to keep it easy here, and we're just going to do everything on All Interfaces, and you can manage all those rules on All Interfaces just based off of those subnets. We can actually leave the profile name as default.

And let's actually set up a real firewall. So on a real firewall, the last rule you should have is block everything, because normally what you want to be able to do on a firewall is you want to say, first I want to allow a bunch of stuff, and then anything that has not been explicitly allowed I want to block, and that is generally how you'll see a setup.

Now this is one place where you can lock yourself out of your network and you may have to do a soft reset. A soft reset resets the firewall rules, so if you ever do accidentally lock yourself out you can do that. But I'm going to create some rules here that are going to make sure you never lock yourself out and don't disrupt any local services. So the firewall I'm going to set up here is really going to be designed to block external access on specific ports. So what I'm going to do here is I'm just going to set it up where anything on the local networks is allowed in, and anything not on the local networks is blocked. And that is a great place to start, because you want everybody on your local network to have access to all the services on the NAS, and you should be really controlling that by, if you don't want somebody to be able to do something on a local network at all, you probably should just block the service entirely. Now if you are a little bit more advanced and you do have a bunch of networks set up and you know your stuff, you can really customize this down to exactly what people can and cannot do, but this is just going to be a great place for people to start that is not going to get in your way. That's really the goal of this: to not get in your way, because everything on the Synology really has authentication on it anyway, and so you don't need to worry too, too much about this. This is really just additive security.

And so I'm going to set this up where the three RFC 1918 networks, those are your local networks, there's the 10.anything, the 192.168.anything, the 172.16.anything, those three networks I'm going to set up here where essentially they are allowed in. And so your router should be giving out IP addresses on one of those three addresses anyway, and those three addresses do not route on the internet, so you know that those connections had to have come from in the network, or come from a VPN that's into the network, but that's the only place that those could have come from, because they cannot be routed just on the internet. And so we're going to go ahead and set those up, and we're going to set them up with Allow. So we're going to hit Create, we're going to allow all ports, and for our specific IP address we're first going to do the 10.anything subnet, so it's 10.0.0.0 with a subnet mask of 255.0.0.0. So for people who are not super familiar with networking, this is one of those private networks, and essentially the subnet mask means that any digit after the 10 can be varied and it's all on the network. I'm planning on doing a full explanation of IP subnets or anything like that, but anybody will be able to enter these three rules in and start working. And we're going to select that and hit Allow. I'm going to repeat for the next two rules, for the other two RFC 1918s: the next one is going to be 192.168.0.0, and it's going to be 255.255.0.0, and Allow again. Now the last one I'm always going to have to look up, because I never remember what this last 12 is, and it is this guy right here, 255.240. Subnet masks are complicated; they're a lot easier when they just end in 255 or zero, so I tend to stick to those networks, but the 172.16 has always gotten me because of that. So we're just going to add that in here. Okay, so right here, these are the first three rules you should have. If you know more about networking and you know what your specific subnet is, you can specifically add just yours or anything like that, but anybody without any knowledge of networking should be able to add these three rules and be safe, and say that your local network should be on one of these three, or you've got bigger problems.

Now all we've done is add allows, so as we said earlier, because we've not had a block anywhere there, it's just going to allow everything. What we want to do now is we want to have a catch-all block, and this is one where you can start actually locking out services, and so you may run into things no longer happening, specifically on the internet. Because we've got these three rules up here, you know everything will route locally, so all of your local connections will work, but remote connections will not once we add this rule, just letting you know. So what we're going to do now is we're going to say all ports, all IP addresses, Deny. And so now the way this reads is we're going to go down from the top. You always start with firewall rules at the top and you stop whenever one of them matches. So any time I've got a local connection coming in, so my subnet is 10.30.0.0, which is within 10.0.0.0 255.0.0.0, that guy right there is going to be allowed, so any of my local connections will be allowed on any ports and any protocols. But now say I'm on my phone outside and my IP address is 132.45.whatever; it is going to look down through these first three rules and say, hey, that's not contained in any of those. Well, the fourth one says anything, anything, anything, deny. And so now any connections outside of your home's network, even if you have port forwarding enabled, will be blocked.

One thing I would highly recommend doing is, before ever hitting Apply, always look at these rules right here. You can drag them, and so you want to make sure that the deny is always at the bottom and that these three rules are always at the top, unless you know what you're doing and you know what your subnet is. So now we can hit OK and hit Apply. Now we have zero remote access to this device.

But let's say we want to be able to access something on this, that is totally normal, we want to be able to access something outside of our home's network. Well, let's say we want to be able to access DSM and Synology Drive ShareSync, two easy ports to add in there, but we know we're never going to be accessing from outside the country, so we're only going to do it for the United States. We can go ahead and add that in here. So we're just going to say Create new firewall rule, and this is where we're going to start selecting our specific applications, because we don't want to open up something like SMB to the United States unnecessarily. And so, by the way, this in and of itself is not going to make that happen; you still need to open up the ports on your router. But here we can go ahead and select our list of built-in applications, and we're going to do the two DSM ones right here, 5000 and 5001 (and if you change those, it will also be changed there), and we're also going to scroll down to port 6690 for Synology Drive Server. So there we go, we have set all of these guys up, and now we can say, hey, the applications I want to be able to access, all of those are really designed to be on the internet, so they should be safe, but just in case let's also limit the source IP to only the United States. So that is using Location, and we can just search, and you can select which parts you like; if it's just mainland United States, and, like, I guess the states, you can choose that. Now, no, these are not perfect. Obviously an attacker could VPN in, and so some of these rules may be blocked by VPN carriers, so it's not perfect. This should not be your sole security, but it's nice to start with something like this, because the more restrictive you are with all of your rules, generally the safer you'll be. And so now we've said, okay, we're going to allow DSM as well as Synology Drive Server, and these can be any applications you care about; you can also add in your WebDAV, anything you really are using or wanting to use. You can then select your location; you can be as restrictive or non-restrictive as possible. You generally want to set it up as allow rather than block. You can only select, I think, 30 countries, because there is a performance implication on this. And then we're going to say Allow.

Now by default it has added it to the bottom of the list, which means that rule is useless: any rules below this all/all deny are never going to hit, because they're going to get stopped by this. So now we want to drag it up. We're actually going to want to drag it up to below the three allow rules right here, due to performance reasons: there are a lot of possible IP addresses within the United States, and so there is a slight overhead that every single packet has to take, and so by having it below these three we'll actually give you overall better performance, because the majority of connections you're going to have are on the local network, which are way faster to look up than looking at these. It's ancillary, but can have a legitimate performance impact, especially if you start having more and more complicated rules. And so now with this firewall rule, if we have those ports open on a router, our NAS is going to start accepting packets on those ports from IP addresses that match the United States of America, and now we can hit OK. And so that right there is probably the easiest setup I would have for people.

I will also highly recommend disabling firewall notifications. I would just disable that, because it's really annoying and you should be manually adding in your firewall rules, because you know what it is, especially with our setup here where we've allowed local access through the firewall, and so that way you really don't have to worry about it. And so you really should be very cautious and think about, okay, I now want somebody to be able to access this outside of my local network; let's go ahead and do the steps to have this. Now if somebody comes in via VPN Server, that is not going to be the case: they're actually going to get a local IP address, and so it's going to circumvent these rules.

Another thing I did want to mention before closing out this video. One, Docker loves to break these rules. Docker has a special networking that kind of circumvents these rules, and so you will find times where, even if you've got it set up on the firewall over here, Docker may say nah, I'm going to take that. So Docker is allowed to break these rules in some cases, so just be wary of that. Don't think just because you've set it up on here means you're golden; you should double check that for every single Docker container you expose, because Docker actually gets to circumvent ufw sometimes. There's a few subs you can do for that; I'm not gonna go into it, but just be wary of that.

And then two, I want to talk about the fact that your router is actually doing this for you the entire time. It is always checking and only allowing packets in that you have allowed in by default, so port forwarding is essentially you telling your router, hey, allow this through the firewall and specifically to the actual address. Very expensive routers that are very advanced actually require you to do both: they require you to not only set up port forwarding but also set it up on the firewall. Those are really annoying, because, well, they should at least make a default rule, but technically on very advanced firewalls you have to do both, because port forwarding just says whenever you get a packet, send it here, whereas the firewall may block it as well. And so for the most part you probably don't need to do this, but you may have a router that does Universal Plug and Play, or you accidentally open up something that you didn't really intend, and so that's where this can be really nice, because this forces you to understand what you're opening up. Another thing is, very few routers actually allow you to geoblock like this and actually select what services are allowed from what IP addresses, and so that can be very nice to do as well. And so having the firewall is always a good setup, especially the way we've set it up here, where we are very specific about what is allowed in and what is allowed out, and by having all of the local networks allowed in by default, it means you're not going to get a headache on, hey, this is not working, why is this not working?

But one thing I will close out this video on: always, always be cautious before saying OK, because you can lock yourself out of your NAS. It's not where you have to format the thing, but you can lock yourself out of a NAS and have to do a soft reset on it, which can mess up some of your configurations and things like that. So always, before you hit Apply, check it. You will also get a notification that, hey, this might lock you out, sometimes, but generally always just be cautious before hitting OK, because I've done it before when tinkering around and had to do a soft reset because I was running through and just messing around, and it has happened before. All right, well, that's gonna be it for this tutorial. Go and leave any other tutorials you'd like me to be making in the comments below, and if you want to hire me for a project, I've got a link for that in the description below. Have a good one. Bye. [Music]
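Added example, not part of the video or of SpaceRex's material: a small Python model of the first-match rule evaluation the tutorial describes (walk the list from the top, stop at the first match, allow when nothing matches), used to check the three rule orderings that come up in the video: the intended one (RFC 1918 allows, then the remote-app allow, then deny-all), the one the UI produces when a new rule lands below the deny, and the lockout case where the deny sits above the local allows. The `Rule`/`evaluate`/`lockout_check` names, the sample addresses, and the rule fields are all assumptions made for this example; the United-States geolocation restriction is not modelled (it needs a GeoIP database), so the remote-app rule is treated as "any source". The `ipaddress` module also answers the 172.16.0.0/12 mask question (255.240.0.0) without looking it up.

```python
"""Added example (not from the video): first-match firewall evaluation used to
sanity-check DSM-style rule ordering before hitting Apply.

Assumptions made here: the Rule fields and function names are invented for
this example; sample IPs are constructed; the US-only GeoIP restriction on
the remote-access rule is omitted and modelled as 'any source'.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# The three RFC 1918 ranges from the tutorial, in CIDR form.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    ports: Optional[frozenset] = None  # None means all ports
    sources: tuple = ()                # CIDR strings; empty means all IPs

    def matches(self, src_ip: str, port: int) -> bool:
        if self.ports is not None and port not in self.ports:
            return False
        if self.sources:
            ip = ip_address(src_ip)
            return any(ip in ip_network(cidr) for cidr in self.sources)
        return True


def evaluate(rules, src_ip: str, port: int) -> str:
    """Walk the list top to bottom; the first matching rule decides.
    With no match the connection is allowed, which is why an empty
    profile behaves exactly like having no firewall at all."""
    for rule in rules:
        if rule.matches(src_ip, port):
            return rule.action
    return "allow"


def netmask(cidr: str) -> str:
    """Dotted mask for a CIDR, e.g. the 255.240.0.0 of 172.16.0.0/12."""
    return str(ip_network(cidr).netmask)


def lockout_check(rules, admin_ip: str, mgmt_ports=(5000, 5001, 22)) -> list:
    """Management ports on which the admin's own address would be denied.
    Run this before Apply to catch a deny that landed above the local allows."""
    return [p for p in mgmt_ports if evaluate(rules, admin_ip, p) != "allow"]


LOCAL_ALLOW = [Rule("allow", None, (cidr,)) for cidr in RFC1918]
DENY_ALL = Rule("deny")
# DSM on 5000/5001 plus Synology Drive Server on 6690 (the video's ports).
# The United-States-only source restriction is omitted here (assumption).
REMOTE_APPS = Rule("allow", frozenset({5000, 5001, 6690}))

# Rule order the tutorial ends with: local allows, remote apps, deny everything.
CORRECT_ORDER = LOCAL_ALLOW + [REMOTE_APPS, DENY_ALL]
# Order the UI produces by default when a rule is added: below the deny.
NEW_RULE_BELOW_DENY = LOCAL_ALLOW + [DENY_ALL, REMOTE_APPS]
# Mistake that locks an admin out: deny dragged above the local allows.
DENY_ON_TOP = [DENY_ALL] + LOCAL_ALLOW + [REMOTE_APPS]


if __name__ == "__main__":
    for name, rules in [("correct", CORRECT_ORDER),
                        ("new rule below deny", NEW_RULE_BELOW_DENY),
                        ("deny on top", DENY_ON_TOP)]:
        print(f"{name:20s}",
              "LAN SMB:", evaluate(rules, "10.30.0.5", 445),
              "WAN SMB:", evaluate(rules, "132.45.1.1", 445),
              "WAN DSM:", evaluate(rules, "132.45.1.1", 5001),
              "lockout:", lockout_check(rules, "10.30.0.5"))
    print("172.16.0.0/12 mask:", netmask("172.16.0.0/12"))
```

Running it shows the three outcomes side by side: the correct order allows everything from the LAN, denies SMB from the WAN address and allows only the DSM/Drive ports from it; with the new rule below the deny the DSM ports are denied from the WAN too; and with the deny on top `lockout_check` reports every management port for the admin's LAN address, which is the situation that ends in a soft reset.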
Info
Channel: SpaceRex
Views: 18,917
Id: eCTjLTJcogQ
Length: 20min 20sec (1220 seconds)
Published: Thu Jun 01 2023