how to turn off some omv default configuration rules

  • Hello,


    I want to turn off some services configured by default by omv:


    1- automatic upgrade

    2- why is php enabled by default?

    3- firewalld, I prefer to use iptables.

    BTW, here, some ports are open (5355/tcp open llmnr, 35725/tcp open unknown, 42893/tcp open unknown, 46649/tcp open unknown, 46731/tcp open unknown)

    The graphical interface under the firewall tab gives no information about the default rules.


    Thank you for information.


    F.P.

  • automatic upgrade

    OMV doesn't automatically upgrade. It does download the updates daily. It is up to you to install them from the Updates tab.


    why is php enabled by default?

    Is this a serious question? OMV's backend is written in php. Hard to work if php isn't enabled.


    firewalld, I prefer to use iptables.

    OMV's firewall tab uses iptables already.

    BTW, here, some ports are open (5355/tcp open llmnr, 35725/tcp open unknown, 42893/tcp open unknown, 46649/tcp open unknown, 46731/tcp open unknown)

    These aren't ports from OMV services.


    The graphical interface under the firewall tab gives no information about the default rules.

    There are no default rules.

    omv 5.6.6 usul | 64 bit | 5.11 proxmox kernel | omvextrasorg 5.6.1
    omv-extras.org plugins source code and issue tracker - github


    Please read this before posting a question.
    Please don't PM for support... Too many PMs!

  • # systemctl list-unit-files | grep iptables


    answer= none

    So the firewall is useless?

    "useless" is the wrong description! It's not preventing to lock any communication and leaves it to the knowledgeable user to apply the desired walls. As the main purpose of OMV is sharing data inside a private home network, default "walls" would hurt more than do good.

    omv 5.6.5-1 (usul) on RPi4/4GB with Kernel 5.10.x and WittyPi 3 V2 RTC HAT

    2x 6TB HDD formatted with ext4 in Icy Box IB-RD3662-C31 / hardware supported RAID1

    For Read/Write performance of SMB shares hosted on this hardware see forum here

  • "useless" is the wrong description! It's not preventing to lock any communication and leaves it to the knowledgeable user to apply the desired walls. As the main purpose of OMV is sharing data inside a private home network, default "walls" would hurt more than do good.

    As the private network has an access to the internet, it is useful to control the traffic on network interfaces.

  • Access to the internet is absolutely no issue.

    The risk comes when access from the internet is enabled.

    Only persons having the know-how for securing a computer for this scenario should attempt this as it involves creation of proper firewall rules.


  • Probably because it doesn't have iptables in its name. https://github.com/openmediava…tables/10firewall.sls#L51

    Yes. I found something:

    /etc/iptables/openmediavault-firewall.sh


    That's what I was searching for: a script which could annihilate all attempts to build a firewall using the Debian default one (nftables/iptables). Reading that script you can see:

    start)
    ;;

    It does nothing when starting and:

    stop)
        iptables -t filter -F INPUT
        iptables -t filter -F OUTPUT
        iptables -P INPUT ACCEPT
        iptables -P OUTPUT ACCEPT
        ip6tables -t filter -F INPUT
        ip6tables -t filter -F OUTPUT
        ip6tables -P INPUT ACCEPT
        ip6tables -P OUTPUT ACCEPT
    ;;


    It flushes all tables when stopping and changes them to default accept anything from anywhere...


    So, for me:

    systemctl mask openmediavault-firewall.service


    And use my own iptables scripts to protect my machine (like others on my network!)

    F.P.
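
An added example (not part of the original posts and not OMV's own code): a small shell check that reads `iptables -S` output and lists the chains left with policy ACCEPT and no rules, which is the state the quoted stop) branch produces for INPUT and OUTPUT. The helper name open_chains and both sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example, not OMV code. open_chains is a hypothetical helper name.
# Reads `iptables -S` / `ip6tables -S` output on stdin and prints the chains
# (default: INPUT OUTPUT) that have policy ACCEPT and no rules at all.
open_chains() {
    awk -v want="${1:-INPUT OUTPUT}" '
        $1 == "-P" { policy[$2] = $3 }   # chain default policy
        $1 == "-A" { rules[$2]++ }       # count rules appended to each chain
        END {
            n = split(want, order, " ")
            for (i = 1; i <= n; i++) {
                c = order[i]
                if (policy[c] == "ACCEPT" && rules[c] == 0)
                    out = out (out == "" ? "" : " ") c
            }
            print out
        }
    '
}

# Constructed sample: filter table as the stop) branch leaves it.
sample_after_stop() {
    cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
EOF
}

# Constructed sample: INPUT filtered by a hand-written rule set.
sample_filtered() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

printf 'after stop: %s\n' "$(sample_after_stop | open_chains)"
printf 'filtered:   %s\n' "$(sample_filtered | open_chains)"
# Live check (as root): iptables -S | open_chains; ip6tables -S | open_chains
```

Pass a chain list as the first argument, for example `open_chains "INPUT OUTPUT FORWARD"`, to include FORWARD, which the quoted script does not touch.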

  • Access to the internet is absolutely no issue.

    The risk comes when access from the internet is enabled.

    Thank you so much and happy new year! I learnt something today: I can't get the Covid if I don't go outside and invite nobody in my home.

    Only persons having the know-how for securing a computer for this scenario should attempt this as it involves creation of proper firewall rules.

    You maybe think that if someone asks for a tool, this fellow might know how to use the tool.... No?

  • Well the first 2 questions didn't lead to confidence

