FTP sessions from foreign IPs

    • OMV 4.x
    • 220.132.255.239
      CHTD, Chunghwa Telecom Co.,Ltd.
      Taipei, Taiwan, 100

      119.177.160.27
      China Unicom Shandong Province Network
      No.21,Jin-Rong Street
      Beijing,100033
      P.R.China

      You exposed the service to the touch of the world; various strange things will touch it. Limit the IP range using a firewall or hide FTP behind NAT. Unless you have to expose the service to the world, take into account that different bs will try to connect. If your car is standing on the street, anyone who wants to pass by can simply touch it and check if the doors are closed or can be opened.


    • The question is: do you need to have FTP publicly available to the whole world? If not, block all IPs and allow only those that belong to you and need access to FTP. Same for other services you have running in OMV!
      If something does not have to be available from outside your LAN, block access to it. If you need to have access to your OMV from somewhere outside your LAN, maybe think of ZeroTier or a VPN.

      I have already published firewall rules in this forum. If you're interested, you can search. But nobody was interested in it ...
      And of course, always make sure that the software is up-to-date and that there is no anonymous access to services.

      Your car is publicly available. Anyone can touch it. No law prohibits this. For this, put it in a private guarded garage!!!
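      An added example (not from this thread or from OMV itself) of the two things the advice above boils down to: checking which FTP sessions came from outside your own address ranges, and the allowlist firewall rules that would have stopped them. The log lines are constructed in ProFTPD's style, the allowed networks and the passive port range are assumptions, and the iptables commands are only generated as strings, not applied.

```python
import ipaddress
import re

# Assumed allowlist: the home LAN plus one fixed remote address. Adjust to your own.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "203.0.113.7/32")]

# Constructed ProFTPD-style log lines; the two foreign addresses are the ones quoted in the thread.
SAMPLE_LOG = """\
2023-01-10 08:12:01 omv proftpd[2101] omv (192.168.1.23[192.168.1.23]): FTP session opened.
2023-01-10 08:13:44 omv proftpd[2108] omv (220.132.255.239[220.132.255.239]): FTP session opened.
2023-01-10 08:15:02 omv proftpd[2115] omv (203.0.113.7[203.0.113.7]): FTP session opened.
2023-01-10 08:16:19 omv proftpd[2120] omv (119.177.160.27[119.177.160.27]): FTP session opened.
2023-01-10 08:16:20 omv proftpd[2120] omv (119.177.160.27[119.177.160.27]): FTP session closed.
"""

# Matches "(remotehost[remoteip]): FTP session opened" and captures the IP.
SESSION_RE = re.compile(r"\(([^\[\s]+)\[(\d{1,3}(?:\.\d{1,3}){3})\]\): FTP session opened")


def is_allowed(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def foreign_sessions(log_text: str) -> list:
    """Source IPs of opened FTP sessions that fall outside the allowlist, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if m and not is_allowed(m.group(2)):
            hits.append(m.group(2))
    return hits


def allowlist_rules(ftp_port: int = 21, passive: tuple = (49152, 65534)) -> list:
    """iptables commands (strings, not executed) that admit only the allowlist to the FTP
    control port and the passive data range and drop everyone else. The passive range is an
    assumption and must match the server's configured PassivePorts."""
    lo, hi = passive
    rules = []
    for net in ALLOWED_NETWORKS:
        rules.append(f"iptables -A INPUT -p tcp -s {net} --dport {ftp_port} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p tcp -s {net} --dport {lo}:{hi} -j ACCEPT")
    rules.append(f"iptables -A INPUT -p tcp --dport {ftp_port} -j DROP")
    rules.append(f"iptables -A INPUT -p tcp --dport {lo}:{hi} -j DROP")
    return rules


if __name__ == "__main__":
    for ip in foreign_sessions(SAMPLE_LOG):
        print("foreign FTP session from", ip)
    print("\n".join(allowlist_rules()))
```

The ACCEPT rules must sit before any catch-all DROP in the INPUT chain, and the ESTABLISHED/RELATED rule still lets the server's own replies through.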
    • JohnStiles wrote:

      I have already published firewall rules in this forum. If you're interested, you can search.
      I didn't find your post straightaway. There are several threads related to this topic.

      JohnStiles wrote:

      But nobody was interested in it ...
      I would not assume that nobody is interested in it. Firewall rules are generally a very complex issue and only few users are familiar with it.


      Look at your spoiler from the other thread:
      ;( ;( ;( ;( ;( ;( ;( ;( ;( ;( ;( ;( ;(
      *filter
      # Drop TCP packets with impossible or scan-typical flag combinations
      -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
      -A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
      -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
      -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
      -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
      -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
      -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
      -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
      -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
      -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DROP
      -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
      # Drop IP fragments and packets conntrack cannot classify
      -A INPUT -f -j DROP
      -A INPUT -m state --state INVALID -j DROP
      # (duplicates of the FIN,SYN and SYN,RST rules above)
      -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
      -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
      # A new TCP connection must start with a plain SYN
      -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
      # Allow loopback, explicitly block 8080 and 3389, allow the router on the LAN interface
      -A INPUT -i lo -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 8080 -j DROP
      -A INPUT -p udp -m udp --dport 8080 -j DROP
      -A INPUT -p tcp -m tcp --dport 3389 -j DROP
      -A INPUT -s 192.168.1.1/32 -i enx001e0630caa8 -j ACCEPT
      # Loopback addresses arriving on other interfaces (lo itself was already accepted above)
      -A INPUT -d 127.0.0.0/8 -j DROP
      -A INPUT -s 127.0.0.0/8 -i lo -j DROP
      # Replies to connections this host opened; everything else inbound is dropped
      -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -j DROP
      # Outbound: established traffic, loopback, DNS to 9.9.9.9, HTTP/HTTPS/FTP control, the LAN
      -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A OUTPUT -o lo -j ACCEPT
      -A OUTPUT -d 127.0.0.0/8 -j DROP
      -A OUTPUT -d 9.9.9.9/32 -p udp -j ACCEPT
      -A OUTPUT -d 9.9.9.9/32 -p tcp -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -m tcp -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -m tcp -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW -m tcp -j ACCEPT
      -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
      # Outbound ICMP: echo requests freely, anything else rate-limited to 1/sec, rest dropped
      -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
      -A OUTPUT -p icmp -m icmp --icmp-type any -m limit --limit 1/sec -j ACCEPT
      -A OUTPUT -p icmp -m icmp --icmp-type any -j DROP
      -A OUTPUT -j DROP
      COMMIT
      ;( ;( ;( ;( ;( ;( ;( ;( ;( ;( ;( ;( ;( ;(
      OMV 3.0.99 (Gray style)
      ASRock Rack C2550D4I C0-stepping - 16GB ECC - 6x WD RED 3TB (ZFS 2x3 Striped RaidZ1)- Fractal Design Node 304
    • cabrio_leo wrote:

      Firewall rules are generally a very complex issue and only few users are familiar with it.
      Yes and no. A few simple rules for the average user at home I would rather not call complicated. And no matter what fw or operating system. We are not building here a set of rules for a large complex network where the level of threats is high.
      I am always sad when so few people use a firewall. It is not about any complicated rule sets but rather a simple in / out control policy and awareness of what the user's computer or network is doing. If soho routers did not have NAT then the situation would be absurd with the number of publicly available services without people being aware of what their computer is doing.
      Of course, I advise against doing copy / paste without knowing at least to a minimum what the rules do. Because you can block or open something that you did not plan.
      Unfortunately, a very large number of guides on the web are also now quite outdated and often introduce more errors into the user's thought process.

      In my opinion, a firewall should be treated like a door with locks and this is how the user should think about it. But even in the Linux world there is such a narrative that a firewall is not especially needed for a novice user. And thus you don't develop habits of using and learning it.