Example of OMV's firewall


    • Example of OMV's firewall

      This is an example to show people how to use OMV's firewall. I have not included all services or limited sources as much as I could have. I am simply putting this out to give people an example of a firewall that will work and keep enough opened so the main functions of OMV are not hampered (updates, upgrades, etc.). I will probably update this later but many should find this helpful.

      At first you should set up these 3 rules...
      Link to pictures of thread where firewall rules are:
      Help setting up firewall (iptables)

      Rule 1

      [IMG:http://img51.imageshack.us/img51/1120/dga1.jpg]

      Rule 2

      [IMG:http://imagizer.imageshack.us/v2/xq90/10/mpbk.jpg]

      Rule 3

      [IMG:http://img856.imageshack.us/img856/7484/789w.jpg]

      The next 2 rules you should add would be port 22 for ssh and port 443 ( or port 80, depends on if you are using http or https) for access to OMV's web-gui.

      Here is an example of some rules...

      [IMG:http://img62.imageshack.us/img62/9479/u9tx.jpg]


      The last rule you want to enter is your drop or reject everything else rule. Once you do this, ports not in the rules will be blocked, so it is important that port 22 is open at the minimum. You can turn off iptables via port 22 if you made some error. I use REJECT instead of DROP as my OMV is already behind a firewall and I want a minimum response if I ping my OMV. Ser Erris and I discussed this in a way older post. Hopefully this will help many of you to be able to use the web-gui firewall in OMV. This just adds a little more security if you are opening up ports to OMV. I think it is best to eventually get a VPN service working. I only have a port for VPN and Plex open, so 2 ports, on my server but can access everything via the VPN.

      PS- There may be some rules that you do not need all the time. Say you want port 21 open just temporarily for FTP. When you want to use FTP, have the rule be ACCEPT. When you don't want to use a specific rule, edit it and change the ACCEPT to REJECT, then save and apply. That will close down the port when you are not using it.

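The rule order described in this post, written out as plain iptables commands so it can be read without the screenshots. This is an added example, not OMV's generated script and not code from the thread; the LAN subnet, the OMV address, the web-gui port and the choice of REJECT are assumptions you would replace with your own. The port 21 line shows the "flip ACCEPT to REJECT when not in use" trick from the PS, and it has to sit above the final catch-all rule to have any effect.

```shell
#!/bin/sh
# Added example (not OMV's generated script and not from the thread): the
# rule order described in the post as plain iptables commands.
# LAN, OMV_IP, WEBGUI_PORT, FTP_ACTION and LAST_RULE are assumptions.
LAN="192.168.1.0/24"    # assumed home LAN; use your own subnet
OMV_IP="192.168.1.10"   # constructed address of the OMV box
WEBGUI_PORT="443"       # 80 if the web-gui is served over plain http
FTP_ACTION="REJECT"     # flip to ACCEPT only while you need port 21
LAST_RULE="REJECT"      # REJECT answers the sender, DROP stays silent

# Print the rules in order, one iptables invocation per line:
#  1. related/established traffic (needed for updates and upgrades)
#  2. loopback
#  3. ping from the LAN
#  then ssh and the web-gui from the LAN, the toggled FTP rule,
#  and finally the "everything else" rule.
omv_rules() {
    cat <<EOF
iptables -t filter -F
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -s $LAN -d $OMV_IP -j ACCEPT
iptables -A INPUT -p tcp -s $LAN -d $OMV_IP --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s $LAN -d $OMV_IP --dport $WEBGUI_PORT -j ACCEPT
iptables -A INPUT -p tcp -s $LAN -d $OMV_IP --dport 21 -j $FTP_ACTION
iptables -A INPUT -j $LAST_RULE
EOF
}

# Run with --apply (as root) to load the rules; without it, just show them.
if [ "$1" = "--apply" ]; then
    omv_rules | sh -e
else
    omv_rules
fi
```

Review the printed list before using --apply: if the ssh line were missing or limited to the wrong subnet, the final REJECT would lock you out, which is exactly why the post says port 22 must be open at the minimum.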

    • Re: Example of OMV's firewall

      Some more info on passive ports and FTP.

      You need to set up connection tracking for passive FTP to work correctly.

      /etc/modprobe.d/options.conf

      options nf_conntrack_ftp ports=21,13000

      (where 13000 would be the passive port you are using. Usually with passive ports you set up a range. I tried using 13000-13010 but it did not work. I found that you can enter multiple ports like this: nf_conntrack_ftp ports=21,13000,13001,13002 but it seems there should be a way to enter a range. Whatever ports you choose for your passive ports need to be entered in the proftpd.conf via the plugin settings. If the nf_conntrack_ftp is working correctly you do not need to open the passive ports on the firewall. The firewall will handle traffic to those ports.)


      Then add this line to the file /etc/modules

      nf_conntrack_ftp

      Then you have to reboot.
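Since the module option takes a comma-separated list rather than a range like 13000-13010, a short script can expand the range for you and write the two files from this post. This is an added example, not part of the post; the passive-port range and the --install switch are assumptions, and the install step only appends when the entries are not already present so it does not clobber other modprobe options.

```shell
#!/bin/sh
# Added example (not from the thread): build the comma-separated port list
# nf_conntrack_ftp expects from a passive-port range.  The range values
# are assumptions; they must match the passive ports set in proftpd.conf.
PASV_FIRST=13000
PASV_LAST=13010

# conntrack_ftp_ports FIRST LAST -> "21,FIRST,FIRST+1,...,LAST"
conntrack_ftp_ports() {
    list=21
    i=$1
    while [ "$i" -le "$2" ]; do
        list="$list,$i"
        i=$((i + 1))
    done
    echo "$list"
}

# The line that belongs in /etc/modprobe.d/options.conf
modprobe_line() {
    echo "options nf_conntrack_ftp ports=$(conntrack_ftp_ports "$1" "$2")"
}

# --install (as root) writes both files from the post; otherwise only print.
if [ "$1" = "--install" ]; then
    conf=/etc/modprobe.d/options.conf
    grep -qs '^options nf_conntrack_ftp' "$conf" \
        || modprobe_line "$PASV_FIRST" "$PASV_LAST" >> "$conf"
    grep -qsx nf_conntrack_ftp /etc/modules \
        || echo nf_conntrack_ftp >> /etc/modules
    echo "reboot for the module to load with these options"
else
    modprobe_line "$PASV_FIRST" "$PASV_LAST"
fi
```

Running it without --install prints the options line so you can compare it against what is in proftpd.conf before touching anything; the firewall rules themselves stay as in the first post, since the helper module makes the passive connections RELATED and the first rule admits them.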
    • Re: Example of OMV's firewall

      Many of you may not know what this means... 192.168.1.0/24 (could be 10.0.0.0/24 too, examples are with most common home network setups)

      In the examples above this will limit the source of a packet to your LAN. So if a packet's source is a remote connection to a destination port in question, it would be dropped, or rejected, depending on your final rule.
    • Re: Example of OMV's firewall

      Hi,

      First of all, since this is my first post, thank you for creating such an awesome NAS distro. I have been running a small home server now for a couple of years (Win 7, Ubuntu LTS and FreeNAS) but OMV is by far the most stable (for me at least) and easiest to set up that I have tried so far.

      Now to my question: in your example what is 192.168.0.1/24 called? My router is running OpenWRT and it seems like my LAN Active IPv4-Routes Target is 192.168.0.0/24. Is that the one I should use (the IP of the router is 192.168.0.254)? Similarly, what is the destination IP, the IP of your OMV box or? Also what are the two first rules in your example?
    • Re: Example of OMV's firewall

      Rocket, everyplace I used 192.168.1.0/24 you will want to use 192.168.0.0/24. The destination shown in the above rules is the IP of my OMV. So you will want to replace that with your OMV's IP. The first rule deals with connection tracking for related and established connections. The 2nd rule allows lo traffic. If you look at the comments you will see. These first 2 rules are needed so you will be able to upgrade your OMV and other things. The 3rd rule will let you ping it, otherwise you would get no response.

      Read this and it will help you to understand subnets and the amount of hosts you can have on a subnet. The /24 at the end denotes a 255.255.255.0 subnet mask. It tells you how many hosts you can have on your subnet.

      Read:

      iplocation.net/tools/netmask.php
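The /24 notation from this exchange, worked through in POSIX sh arithmetic: prefix to netmask, usable host count, the network a given address belongs to, and whether an address sits inside a block. This is an added example and not from the thread; it uses the 192.168.0.0/24 network and router address 192.168.0.254 from the question, and it also shows that 192.168.0.1/24 and 192.168.0.0/24 name the same block, which is what the question was really asking.

```shell
#!/bin/sh
# Added example (not from the thread): CIDR helpers in plain POSIX sh.
# Uses the 192.168.0.0/24 network and 192.168.0.254 router from the question.

# dotted quad -> 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# /N -> netmask as a 32-bit integer (all ones shifted left by 32-N bits)
prefix_to_mask() {
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# /24 -> 255.255.255.0
cidr_to_netmask() { int_to_ip "$(prefix_to_mask "$1")"; }

# /24 -> 254 (the network and broadcast addresses are not usable hosts)
usable_hosts() { echo $(( (1 << (32 - $1)) - 2 )); }

# network_of ADDR/PREFIX -> NETWORK/PREFIX, e.g. 192.168.0.1/24 -> 192.168.0.0/24
network_of() {
    addr=${1%/*}; pfx=${1#*/}
    echo "$(int_to_ip $(( $(ip_to_int "$addr") & $(prefix_to_mask "$pfx") )))/$pfx"
}

# in_subnet ADDR NETWORK/PREFIX -> exit status 0 if ADDR is inside the block
in_subnet() {
    net=${2%/*}; pfx=${2#*/}
    mask=$(prefix_to_mask "$pfx")
    [ "$(( $(ip_to_int "$1") & mask ))" -eq "$(( $(ip_to_int "$net") & mask ))" ]
}

# Demonstration on the values from the question
echo "/24 netmask:        $(cidr_to_netmask 24)"
echo "/24 usable hosts:   $(usable_hosts 24)"
echo "192.168.0.1/24 is:  $(network_of 192.168.0.1/24)"
if in_subnet 192.168.0.254 192.168.0.0/24; then
    echo "router 192.168.0.254 is inside 192.168.0.0/24 (a LAN source rule matches it)"
fi
if ! in_subnet 203.0.113.7 192.168.0.0/24; then
    echo "203.0.113.7 is outside (constructed remote address; it hits the final rule)"
fi
```

The in_subnet check is the same comparison iptables performs for a `-s 192.168.0.0/24` source match: mask both addresses and compare, so any source outside the LAN falls through to the final drop or reject rule.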
    • Re: Example of OMV's firewall

      Hi again,

      Thanks tekkbebe, I played around a bit with the source settings and I was able to set it up just like I wanted, i.e. restrict everything to my LAN except the DAAP server, which I enjoy listening to while on the go...

      Do you have any other security tips?
    • Re: Example of OMV's firewall

      Hi!
      This is also my first post. Great thanks and excellent job to all that have made this possible!
      I have successfully set up OMV in an Iomega Home Media Network Hard Drive CE, after my HD drive died, which I have replaced with a new one.
      However, I am having trouble setting up FTP, as I don't manage to get write access for an ftp user to a specific ftp folder not shared in samba/nfs.
      Perhaps it's the firewall??
      So I have tried with the first rule, but on commit I get the following error:

      Error #4000:
      exception 'OMVException' with message 'Failed to execute command 'sudo /etc/network/if-pre-up.d/iptables 2>&1': FATAL: Module ip_tables not found.
      iptables v1.4.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
      Perhaps iptables or your kernel needs to be upgraded.
      FATAL: Module ip_tables not found.
      iptables v1.4.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
      Perhaps iptables or your kernel needs to be upgraded.' in /var/www/openmediavault/module/network.inc:167
      Stack trace:
      ...


      Not sure what to do.
      Help appreciated.
      Thanks
    • Re: Example of OMV's firewall

      There it goes:

      $ cat /etc/network/if-pre-up.d/iptables
      #!/bin/sh
      # ifpreup hook script for iptables
      # Generated by OpenMediaVault

      iptables -t filter -F
      iptables -A INPUT -p all -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED

      seems the rule has been inserted? or it was already there?

      I don't have trouble accessing the NAS, pinging, etc. Still troubleshooting FTP (it seems mainly rights, and the order of user/folder creation). It seems that if passive connections are still open, I can't open a new session (I get a weird message in FileZilla, saying that an ftp session can't be established to an SFTP, but I haven't activated SFTP...). Passive is working.
    • Re: Example of OMV's firewall

      FTP is working.

      But FW isn't. I've upgraded from 0.3.0.20 to 0.3.10 and still the same error:

      Error #4000:
      exception 'OMVException' with message 'Failed to execute command 'sudo /etc/network/if-pre-up.d/iptables 2>&1': FATAL: Module ip_tables not found.
      iptables v1.4.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
      Perhaps iptables or your kernel needs to be upgraded.
      FATAL: Module ip_tables not found.
      iptables v1.4.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
      Perhaps iptables or your kernel needs to be upgraded.' in /var/www/openmediavault/module/network.inc:154
      Stack trace:
      #0 [internal function]: OMVNetworkModule->updateIptables(Array)
      #1 /usr/share/php/openmediavault/notify.inc(123): call_user_func_array(Array, Array)
      #2 /var/www/openmediavault/rpc/iptables.inc(163): OMVNotifyDispatcher->notify(8, 'org.openmediava...', Array)
      #3 [internal function]: IptablesRpc->setRules(Array)
      #4 /usr/share/php/openmediavault/rpc.inc(262): call_user_func_array(Array, Array)
      #5 /usr/share/php/openmediavault/rpc.inc(98): OMVRpc::exec('Iptables', 'setRules', Array)
      #6 /var/www/openmediavault/rpc.php(44): OMVJsonRpcServer->handle()
      #7 {main


      I'm not familiar with the FW of Linux...
    • Re: Example of OMV's firewall

      got it from one of your posts:

      root@NAS:~# cat /etc/apt/sources.list
      # deb ftp.debian.org/debian squeeze main

      deb ftp.debian.org/debian squeeze main non-free contrib
      deb-src ftp.debian.org/debian squeeze main non-free contrib

      deb security.debian.org/ squeeze/updates main contrib non-free
      deb-src security.debian.org/ squeeze/updates main contrib non-free

      deb ftp.debian.org/debian squeeze-updates main contrib non-free
      deb-src ftp.debian.org/debian squeeze-updates main contrib non-free
    • Re: Example of OMV's firewall

      I see this from your other post. If you are going to install packages from repos of other distros I can't help you. Why don't you just install .5? There are plugins for many of the things you want that won't break your system. You waste time in my life with this mess.

      Got it working on 0.3.10
      Now I have to upgrade to 0.4.x. Uninstalled the plugins, but I don't see uninstall for omv.sh.
      There is a problem with some of the packages of mint that prevents the upgrade:
      Err http://debian.linuxmint.com testing/non-free armel Packages
      404 Not Found
      Fetched 25.8 kB in 2s (12.8 kB/s)
      W: Failed to fetch http://debian.linuxmint.com/latest/mult ... ackages.gz 404 Not Found
      W: Failed to fetch http://debian.linuxmint.com/latest/mult ... ackages.gz 404 Not Found
      E: Some index files failed to download, they have been ignored, or old ones used instead.
    • Re: Example of OMV's firewall

      Hi,
      thanks for the tip. Uninstalled all plugins, installed 0.4.38 (only had to manually install xmlstarlet). System clean.
      Same issue with FW.
      So then perhaps it's the kernel? I'm using an Iomega Home Media Network HD-CE. Says kernel: 2.6.31.14 hmnhdce+v5, running on ARM.
      But NVM, if it's the only thing not working, I can live with that and manage it in the router, as the FTP persistence works.
      Great job with OMV, far better than the IOMEGA stock.