Example of OMV's firewall

  • This is an example to show people how to use OMV's firewall. I have not included all services or limited sources as much as I could have. I am simply putting this out to give people an example of a firewall that will work and keep enough opened so the main functions of OMV are not hampered (updates, upgrades, etc.). I will probably update this later but many should find this helpful.


    At first you should set up these 3 rules....
    Link to pictures of thread where firewall rules are:
    Help setting up firewall (iptables)


    Rule 1



    Rule 2



    Rule 3



    The next 2 rules you should add would be port 22 for ssh and port 443 ( or port 80, depends on if you are using http or https) for access to OMV's web-gui.


    Here is an example of some rules...




    The last rule you want to enter is your drop or reject everything else rule. Once you do this, ports not in the rules will be blocked, so it is important that port 22 is open at the minimum. You can turn off iptables via port 22 if you made some error. I use REJECT instead of DROP as my OMV is already behind a firewall and I want a minimum response if I ping my OMV. Ser Erris and I discussed this in a much older post. Hopefully this will help many of you to be able to use the web-gui firewall in OMV. This just adds a little more security if you are opening up ports to OMV. I think it is best to eventually get a VPN service working. I only have a port for VPN and Plex open, so 2 ports, on my server but can access everything via the VPN.


    PS- There may be some rules that you do not need all the time. Say you want port 21 open just temporarily for FTP. When you want to use FTP have the rule be ACCEPT. When you don't want to use a specific rule, edit it and change the ACCEPT to REJECT, then save and apply. That will close down the port when you are not using it.
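    The ruleset the post above describes, written out as plain iptables commands so the order is visible. This is an added example, not the script OMV generates (the web-gui rewrites /etc/network/if-pre-up.d/iptables every time you apply, so anything applied by hand is replaced then). The LAN is the post's 192.168.1.0/24; the OMV address 192.168.1.10, OpenVPN on 1194/udp and Plex on 32400/tcp are assumptions for the "vpn and plex" ports. It runs in dry-run mode by default and only prints the commands; --apply executes them after a sanity check. Two points worth keeping in mind: rules are matched top to bottom, so the REJECT must be the last rule, and REJECT answers with an ICMP error while DROP stays silent.

```shell
#!/bin/sh
# Added example, not the OMV-generated hook script: the ruleset described in
# the post as explicit iptables commands. LAN is taken from the post; OMV_IP
# and the two public ports are assumed values, adjust them to your network.
LAN=192.168.1.0/24
OMV_IP=192.168.1.10
LAN_PORTS="22 443"                 # ssh and the web-gui, reachable from the LAN only
WAN_PORTS="udp:1194 tcp:32400"     # assumed: OpenVPN and Plex, forwarded by the router

# Dry-run by default: print each command instead of running it, so the list
# can be reviewed before it is applied (a wrong final rule locks you out).
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

firewall_rules() {
    # Start from an empty INPUT chain, like OMV's "iptables -t filter -F".
    run -t filter -F INPUT
    # Rule 1: replies to connections the box opened (apt, DNS, NTP) and
    # helper-tracked RELATED connections such as passive FTP data.
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Rule 2: loopback, needed by local services talking to each other.
    run -A INPUT -i lo -j ACCEPT
    # Rule 3: echo requests, so the box still answers ping.
    run -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # LAN-only services: source limited to the subnet, destination to OMV.
    for p in $LAN_PORTS; do
        run -A INPUT -s "$LAN" -d "$OMV_IP" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Services exposed to the internet, any source.
    for spec in $WAN_PORTS; do
        run -A INPUT -d "$OMV_IP" -p "${spec%%:*}" --dport "${spec#*:}" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Final rule: everything else is rejected. Must stay last; rules above
    # it are evaluated first, rules below it would never be reached.
    run -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# Sanity check on the generated list: the last rule must be REJECT or DROP
# and an ssh ACCEPT must exist above it, otherwise remote access is gone.
check_rules() {
    saved=$DRY_RUN
    DRY_RUN=1
    rules=$(firewall_rules)
    DRY_RUN=$saved
    last=$(printf '%s\n' "$rules" | tail -n 1)
    case "$last" in
        *"-j REJECT"*|*"-j DROP"*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$rules" | grep -q -- '--dport 22 .*-j ACCEPT'
}

if [ "${1:-}" = "--apply" ]; then
    check_rules && DRY_RUN=0 && firewall_rules
else
    firewall_rules
fi
```

    Run it with no arguments to see the list, compare it with what you entered in the web-gui, and only then apply (as root). If you use the GUI, enter the same rules there in the same order; this script is only a readable mirror of them.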

  • Some more info. on passive ports and ftp.


    You need to set up connection tracking for passive FTP to work correctly.


    /etc/modprobe.d/options.conf


    options nf_conntrack_ftp ports=21,13000


    (where 13000 would be the passive port you are using. Usually with passive ports you set up a range. I tried using 13000-13010 but it did not work. I found that you can enter multiple ports like this: nf_conntrack_ftp ports=21,13000,13001,13002, but it seems there should be a way to enter a range. Whatever ports you choose for your passive ports need to be entered in the proftpd.conf via the plugin settings. If the nf_conntrack_ftp is working correctly you do not need to open the passive ports on the firewall. The firewall will handle traffic to those ports.)



    Then add this line in this file /etc/modules


    nf_conntrack_ftp


    Then you have to reboot.
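    An added example (not from the post above) of what the FTP helper actually does, and why the passive range needs no ACCEPT rule of its own. The helper watches the control connection and reads the data port out of each "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply, then marks the incoming data connection RELATED so rule 1 admits it. The module's ports= option names the control ports to inspect (a list of at most 8 values, which is why a 13000-13010 range is not accepted); the data ports are never listed anywhere, they are learned from the replies. The passive range 13000-13010 is an assumed PassivePorts setting for proftpd.conf and the sample reply is constructed. One caveat: on kernels 4.7 and later the helper is no longer attached automatically, so the raw-table CT rule printed below is required there; on the 2.6/3.x kernels in this thread, loading the module is enough.

```shell
#!/bin/sh
# Added example, not from the thread: how nf_conntrack_ftp learns passive data
# ports, plus the commands that wire the helper up. PASV_MIN/PASV_MAX are
# assumed to match "PassivePorts 13000 13010" in proftpd.conf.
PASV_MIN=13000
PASV_MAX=13010

# Decode the data port from a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# reply, the same field the helper reads on the control connection:
# port = p1*256 + p2.
pasv_port() {
    printf '%s\n' "$1" \
      | sed -n 's/.*(\([0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*\)).*/\1/p' \
      | awk -F, '{ print $5 * 256 + $6 }'
}

# A data port outside the configured range means the server is not using the
# PassivePorts you entered in the plugin (wrong file, or setting not applied).
in_pasv_range() {
    [ "$1" -ge "$PASV_MIN" ] && [ "$1" -le "$PASV_MAX" ]
}

# Commands to enable the helper. ports= lists the control ports to inspect
# (max 8 entries, no ranges); data ports are not listed. The raw-table CT
# rule attaches the helper explicitly, required on kernels 4.7+ and harmless
# to skip on older ones. The last line is rule 1 from the post, repeated so
# this list stands on its own.
ftp_helper_rules() {
    printf '%s\n' "modprobe nf_conntrack_ftp ports=21"
    printf '%s\n' "iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp"
    printf '%s\n' "iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT"
    printf '%s\n' "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Constructed sample: a server at 192.168.1.10 announcing data port 13000
# (50*256 + 200).
SAMPLE_REPLY='227 Entering Passive Mode (192,168,1,10,50,200).'

# Self-check: decode the sample and confirm it sits inside the range.
check_sample() {
    port=$(pasv_port "$SAMPLE_REPLY")
    in_pasv_range "$port" && printf 'data port %s inside %s-%s\n' "$port" "$PASV_MIN" "$PASV_MAX"
}

check_sample
ftp_helper_rules
```

    To see the helper at work on a live box, start a passive transfer and look at /proc/net/nf_conntrack (or conntrack -L): the control connection carries the helper name and the data connection appears as an expectation before the client even connects to it.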

  • Many of you may not know what this means... 192.168.1.0/24 (could be 10.0.0.0/24 too, examples are with most common home network setups)


    In the examples above this will limit the source of a packet to your LAN. So if a packet's source is a remote connection to a destination port in question, it would be dropped, or rejected, depending on your final rule.

  • Hi,


    First of all, since this is my first post, thank you for creating such an awesome NAS distro. I have been running a small home server now for a couple of years (Win 7, Ubuntu LTS and FreeNAS) but OMV is by far the most stable (for me at least) and easiest to set up that I have tried so far.


    Now to my question, in your example what is 192.168.0.1/24 called? My router is running OpenWRT and it seems like my LAN Active IPv4-Routes Target is 192.168.0.0/24. Is that the one I should use (the ip of the router is 192.168.0.254). Similarly, what is the destination IP, the IP of your OMV box or? Also what are the two first rules in your example?

  • Rocket, everyplace I used 192.168.1.0/24 you will want to use 192.168.0.0/24. The destination shown in the above rules is the IP of my OMV. So you will want to replace that with your OMV's IP. The first rule deals with connection tracking for related and established connections. The 2nd rule allows lo traffic. If you look at the comments you will see. These first 2 rules are needed so you will be able to upgrade your OMV and other things. The 3rd rule will let you ping it, otherwise you would get no response.


    Read this and it will help you to understand subnets and the amount of hosts you can have on a subnet. The /24 at the end denotes a 255.255.255.0 subnet mask. It tells you how many hosts you can have on your subnet.


    Read:


    http://www.iplocation.net/tools/netmask.php
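    As an added example (not part of the posts above) of what the firewall does with a source like 192.168.1.0/24: the prefix length becomes a mask, the mask is applied to the address in the rule, and a packet matches when its source address masked the same way gives the same network. This is also why 192.168.0.1/24 and 192.168.0.0/24 are the same rule; iptables keeps only the network part. Plain POSIX sh and awk, nothing is applied to a firewall.

```shell
#!/bin/sh
# Added example, not from the thread: the CIDR arithmetic behind a source
# such as 192.168.1.0/24. All inputs are dotted quads with a /prefix.

# dotted quad -> unsigned 32-bit integer (printed exactly, no %g rounding)
ip2int() {
    printf '%s\n' "$1" | awk -F. '{ printf "%.0f\n", (($1*256+$2)*256+$3)*256+$4 }'
}

# Network address of "addr/prefix", i.e. what the firewall actually stores:
# the host bits are cleared by dividing by 2^(32-prefix) and multiplying back.
network_of() {
    case $1 in */*) ;; *) set -- "$1/32" ;; esac
    addr=${1%/*}
    prefix=${1#*/}
    awk -v a="$(ip2int "$addr")" -v p="$prefix" 'BEGIN {
        b = 2^(32-p)
        n = int(a/b) * b
        printf "%d.%d.%d.%d/%d\n", int(n/16777216)%256, int(n/65536)%256, int(n/256)%256, n%256, p
    }'
}

# prefix length -> dotted mask (24 -> 255.255.255.0), derived the same way
prefix2mask() {
    m=$(network_of "255.255.255.255/$1")
    printf '%s\n' "${m%/*}"
}

# Usable hosts in a subnet: all addresses minus network and broadcast.
host_count() {
    awk -v p="$1" 'BEGIN { print 2^(32-p) - 2 }'
}

# Would a packet from address $2 match a rule whose source is $1 (addr/prefix)?
# Same test the kernel does: mask both sides, compare the network part.
source_matches() {
    [ "$(network_of "$1")" = "$(network_of "$2/${1#*/}")" ]
}

# Demo with the addresses from the thread.
for rule in 192.168.1.0/24 192.168.0.1/24; do
    printf '%s is stored as %s (mask %s, %s hosts)\n' \
        "$rule" "$(network_of "$rule")" "$(prefix2mask "${rule#*/}")" "$(host_count "${rule#*/}")"
done
for src in 192.168.1.77 10.0.0.5; do
    if source_matches 192.168.1.0/24 "$src"; then
        echo "$src: matches -s 192.168.1.0/24, rule applies"
    else
        echo "$src: no match, falls through to the final REJECT"
    fi
done
```

    The second loop is the point of the whole source field: a packet from 10.0.0.5 does not match a rule with -s 192.168.1.0/24, so it never reaches that ACCEPT and ends up at the final REJECT.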

  • Hi again,


    Thanks tekkbebe, I played around a bit with the source settings and I was able to set it up just like I wanted, i.e. restrict everything to my LAN except the DAAP server, which I enjoy listening to while on the go...


    Do you have any other security tips?

  • Hi!
    This is also my first post. Great thanks and excellent job to all that have made this possible!
    I have successfully set up OMV in an Iomega Home Media Network Hard Drive CE, after my HD drive died, which I have replaced with a new one.
    However, I am having trouble setting up FTP, as I don't manage to get write access for an ftp user to a specific ftp folder not shared in samba/nfs.
    Perhaps it's the firewall??
    So I have tried with the first rule, but on commit I get the following error:


    Error #4000:
    exception 'OMVException' with message 'Failed to execute command 'sudo /etc/network/if-pre-up.d/iptables 2>&1': FATAL: Module ip_tables not found.
    iptables v1.4.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    FATAL: Module ip_tables not found.
    iptables v1.4.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.' in /var/www/openmediavault/module/network.inc:167
    Stack trace:
    ...


    Not sure what to do.
    Help appreciated.
    Thanks

  • Thanks for the quick response!
    Yes, that is what I typed...
    I have applied those changes to options.conf and modules, and rebooted.
    The rule is there, and the button to "commit" is greyed, so I guess it's applied?
    Created second rule, hit "commit", the first one wasn't applied.
    Same error
    Weird

  • There it goes:


    $ cat /etc/network/if-pre-up.d/iptables
    #!/bin/sh
    # ifpreup hook script for iptables
    # Generated by OpenMediaVault


    iptables -t filter -F
    iptables -A INPUT -p all -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED


    seems the rule has been inserted? or it was already there?


    I don't have trouble accessing the NAS, pinging, etc. Still troubleshooting FTP (it seems mainly rights, and the order of user/folder creation). It seems that if passive connections are still open, I can't open a new session (I get a weird message in FileZilla, saying that an FTP session can't be established to an SFTP, but I haven't activated SFTP...). Passive is working.

  • FTP is working.


    But the FW isn't. I've upgraded from 0.3.0.20 to 0.3.10 and still get the same error:



    I'm not familiar with the FW of Linux...

  • got it from one of your posts:


    root@NAS:~# cat /etc/apt/sources.list
    # deb http://ftp.debian.org/debian squeeze main


    deb http://ftp.debian.org/debian squeeze main non-free contrib
    deb-src http://ftp.debian.org/debian squeeze main non-free contrib


    deb http://security.debian.org/ squeeze/updates main contrib non-free
    deb-src http://security.debian.org/ squeeze/updates main contrib non-free


    deb http://ftp.debian.org/debian squeeze-updates main contrib non-free
    deb-src http://ftp.debian.org/debian squeeze-updates main contrib non-free

  • I see this from your other post. If you are going to install packages from repos of other distros I can't help you. Why don't you just install .5. There are plugins for many of the things you want that won't break your system. You waste time in my life with this mess.


  • Hi
    thanks for the tip. Uninstalled all plugins, installed 0.4.38 (only had to manually install xmlstarlet). System clean.
    Same issue with FW.
    Which means it's perhaps the kernel? I'm using an Iomega Home Media Network HD-CE. Says kernel: 2.6.31.14 hmnhdce+v5, running on ARM.
    But NVM, if its the only thing not working, I can live with that and manage in the router as the FTP persistence works.
    Great job with OMV, far better than the IOMEGA stock.
