If you're like me and want to harden your OMV instance while not losing functionality, I have some tips for you.
General rules of thumb to get started:
-Rules will be geared towards ingress/inward/inbound/input traffic, since egress/outward/outbound/output traffic is coming from your NAS, which you already trusted enough to put on your network.
-Because some protocols have back-and-forth handshakes that involve "ephemeral ports", there will be some near-identical rules with minor tweaks. Both rules have to be in your list. Example: if the connection initiates on source port 443 and your NAS randomly decides it likes ephemeral port 52525 to handle it, then the traffic may circumvent your one allow rule.
-Some basic knowledge of CIDR IP addressing is very helpful, so study up. 0.0.0.0/0 means "anything". We will use this instead of leaving blanks in some rules, because it isn't always clear whether the service is talking to 127.0.0.1 (loopback) or to your device's IP (192.168.0.x). Firewalls generally face the device IP and not the loopback, so if you leave it blank you can lock out some services. 192.168.0.1/24 means all IP addresses from 192.168.0.1 to 192.168.0.255. Change according to your network.
-We will be using "Drop" instead of "Reject", because it's best practice in I.T. "Drop" means the person on the other end isn't even sure whether they hit an endpoint/server/etc.; "Reject" will let them know for sure they did.
-Firewall rules are evaluated "top down", so use the navigation arrows at the top to prioritize them. You don't want your "lock everything out" rule at the top, because then it won't even let you in!
-Before you get into the weeds, create rules so you don't lock yourself out of the web interface. Keep these two at the top of the list as you go.
Examples (a blank port field in the OMV form means "any"):
Direction | Action | Source | Source Port | Destination | Dest Port | Protocol | Function
INPUT | ACCEPT | 0.0.0.0/0 | any | 0.0.0.0/0 | 443 | TCP | Allows HTTPS connection to OMV.
INPUT | ACCEPT | 0.0.0.0/0 | any | 0.0.0.0/0 | 80 | TCP | Allows HTTP connection to OMV.
=============================================================================================================================
Create the following to deny all inbound traffic and put it at the bottom of your list:
Direction | Action | Source | Source Port | Destination | Dest Port | Protocol | Function
INPUT | DROP | 0.0.0.0/0 | any | any | any | ALL | Stops the flow of traffic from any source.
Create the following to allow SSH from the home network:
Direction | Action | Source | Source Port | Destination | Dest Port | Protocol | Function
INPUT | ALLOW | 192.168.0.1/24 | any | any | 22 | TCP | Allows SSH and SSH2 connections.
Create the following to allow PING from the home network:
Direction | Action | Source | Source Port | Destination | Dest Port | Protocol | Function
INPUT | ALLOW | 192.168.0.1/24 | n/a | any | n/a | ICMP | Allows ping responses to be received.
Create the following to allow SMB/SAFT from the home network:
Direction | Action | Source | Source Port | Destination | Dest Port | Protocol | Function
INPUT | ALLOW | 192.168.0.1/24 | any | any | 445 | TCP | Allows SMB/CIFS connections.
INPUT | ALLOW | 192.168.0.1/24 | any | any | 487 | TCP | Allows SAFT connections.
Create the following to allow DLNA from the home network:
Direction | Action | Source | Source Port | Destination | Dest Port | Protocol | Function
INPUT | ALLOW | 192.168.0.1/24 | any | any | 8200 | TCP | Allows DLNA connections.
Create the following to allow NTP (for time syncing):
Direction | Action | Source | Source Port | Destination | Dest Port | Protocol | Function
INPUT | ALLOW | 0.0.0.0/0 | any | 0.0.0.0/0 | 123 | UDP | Allows NTP connections to OMV's port 123.
INPUT | ALLOW | 0.0.0.0/0 | 123 | 0.0.0.0/0 | any | UDP | Allows NTP connections to OMV from an outside source using port 123.
*NTP is Network Time Protocol and is CRITICAL for services and features talking to each other. If your time sync is more than 5 minutes off, then nothing will work.
Create the following to allow SMTP (for notifications):
Direction | Action | Source | Source Port | Destination | Dest Port | Protocol | Function
INPUT | ALLOW | 0.0.0.0/0 | any | 0.0.0.0/0 | 25 | TCP | Allows SMTP connections to OMV port 25 (TCP).
INPUT | ALLOW | 0.0.0.0/0 | any | 0.0.0.0/0 | 25 | UDP | Allows SMTP connections to OMV port 25 (UDP).
INPUT | ALLOW | 0.0.0.0/0 | 25 | 0.0.0.0/0 | any | TCP | Allows SMTP connections to OMV from a source using port 25 (TCP).
INPUT | ALLOW | 0.0.0.0/0 | 25 | 0.0.0.0/0 | any | UDP | Allows SMTP connections to OMV from a source using port 25 (UDP).
INPUT | ALLOW | 0.0.0.0/0 | 587 | 0.0.0.0/0 | any | TCP | Allows an email service (such as Gmail) to connect to OMV.
INPUT | ALLOW | 0.0.0.0/0 | 587 | 0.0.0.0/0 | any | UDP | Allows an email service (such as Gmail) to connect to OMV.
*The four rules involving destination and source port 25 are for the loopback mail server (127.0.0.1:25 and [127.0.0.1]:25) to spin up to prepare the email. Source port 587 is for the email provider (e.g. Gmail) to be able to request the information and send it. A mixture of UDP and TCP is necessary, as these protocols alter depending on which information is being exchanged.
Create the following to allow HTTP (for updates):
Direction | Action | Source | Source Port | Destination | Dest Port | Protocol | Function
INPUT | ALLOW | 0.0.0.0/0 | any | 0.0.0.0/0 | 80 | TCP | Allows HTTP connections.
INPUT | ALLOW | 0.0.0.0/0 | 80 | 0.0.0.0/0 | any | TCP | Allows HTTP connections.
*Some services update over HTTP only, so it's unavoidable. You need this one.
Create the following to allow HTTPS (for NGINX and secure updates):
Direction | Action | Source | Source Port | Destination | Dest Port | Protocol | Function
INPUT | ALLOW | 0.0.0.0/0 | any | 0.0.0.0/0 | 443 | TCP | Allows HTTPS connections.
INPUT | ALLOW | 0.0.0.0/0 | 443 | 0.0.0.0/0 | any | TCP | Allows HTTPS connections.
*NGINX is vital on your computer, as a lot of background processes will use HTTPS. NGINX is a web server that your NAS can spin up for mass exchanges. This rule also supports secure server updates.
Create the following to allow DNS (for website resolution):
Direction | Action | Source | Source Port | Destination | Dest Port | Protocol | Function
INPUT | ALLOW | 0.0.0.0/0 | any | 0.0.0.0/0 | 53 | UDP | Allows DNS connections to OMV's port 53.
INPUT | ALLOW | 0.0.0.0/0 | 53 | 0.0.0.0/0 | any | UDP | Allows DNS connections to OMV from an outside source using port 53.
*DNS is vital, because everything on your NAS will attempt to find a website. If you use notifications it may try to resolve smtp.google.com, or if you have ClamAV it may try to find the ClamAV domain to update its signatures. You NEED this.
Create the following to allow uPnP (for local network discovery):
Direction | Action | Source | Source Port | Destination | Dest Port | Protocol | Function
INPUT | ALLOW | 192.168.0.1/24 | any | any | 1900 | UDP | Allows uPnP connection to OMV port 1900 (UDP).
*uPnP is vital, because certain services like SMB/CIFS and DLNA need to discover each other for proper access.
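The "top down, first match wins" rule of thumb and the paired ephemeral-port rules above are easy to get wrong without feedback, so here is an added example, not code from the post or from OMV, that models how iptables (which the OMV firewall page drives) walks the INPUT chain over the rule list built in this post. The LAN range, rule order and sample packets are constructed from the tables above; `evaluate` returns the verdict and the index of the rule that decided it, and `lockout_check` flags a deny-all rule that is not last or that would cut off the HTTPS web interface.

```python
"""Added example: first-match evaluator for the INPUT rule list in this post.
Not OMV's code; the rules and packets below are constructed from the post."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "ACCEPT" or "DROP" (the post's ALLOW is ACCEPT in the OMV form)
    source: str = "0.0.0.0/0"    # CIDR; 0.0.0.0/0 = any address
    sport: Optional[int] = None  # None = blank port field = any port
    dest: str = "0.0.0.0/0"
    dport: Optional[int] = None
    proto: str = "ALL"           # "TCP", "UDP", "ICMP" or "ALL"
    note: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: Optional[int] = None  # ICMP carries no ports
    dport: Optional[int] = None


def _in_net(addr: str, cidr: str) -> bool:
    # strict=False: the post writes 192.168.0.1/24; iptables masks the host
    # bits and treats it as 192.168.0.0/24, so this evaluator does the same.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ALL" and rule.proto != pkt.proto:
        return False
    if not _in_net(pkt.src, rule.source) or not _in_net(pkt.dst, rule.dest):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top down, first match wins; returns (verdict, index of the deciding rule).
    With no match the chain policy decides. OMV leaves INPUT at ACCEPT, which
    is why the post insists on an explicit deny-all DROP rule in last place."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "ACCEPT", None


def lockout_check(rules: List[Rule]) -> List[str]:
    """Flag the ordering mistakes the post warns about."""
    problems = []
    web_ui = Packet("192.168.0.20", "192.168.0.10", "TCP", sport=52525, dport=443)
    verdict, idx = evaluate(rules, web_ui)
    if verdict != "ACCEPT":
        problems.append(f"HTTPS to the web UI hits DROP rule {idx}: you would lock yourself out")
    deny_all = [i for i, r in enumerate(rules)
                if r.action == "DROP" and r.proto == "ALL" and r.sport is None
                and r.dport is None and r.source == "0.0.0.0/0" and r.dest == "0.0.0.0/0"]
    if not deny_all:
        problems.append("no deny-all DROP rule: unmatched traffic falls through to the ACCEPT policy")
    elif deny_all[0] != len(rules) - 1:
        below = len(rules) - 1 - deny_all[0]
        problems.append(f"deny-all DROP sits at position {deny_all[0]}; {below} rule(s) below it can never match")
    return problems


LAN = "192.168.0.1/24"  # the post's home network; change to yours
RULES = [  # same order the post recommends: web UI first, deny-all last
    Rule("ACCEPT", dport=443, proto="TCP", note="HTTPS to the OMV web UI, keep at top"),
    Rule("ACCEPT", dport=80, proto="TCP", note="HTTP to the OMV web UI, keep at top"),
    Rule("ACCEPT", source=LAN, dport=22, proto="TCP", note="SSH from home network"),
    Rule("ACCEPT", source=LAN, proto="ICMP", note="ping from home network"),
    Rule("ACCEPT", source=LAN, dport=445, proto="TCP", note="SMB/CIFS from home network"),
    Rule("ACCEPT", dport=123, proto="UDP", note="NTP to OMV's port 123"),
    Rule("ACCEPT", sport=123, proto="UDP", note="NTP reply from a server's port 123 to an ephemeral port"),
    Rule("ACCEPT", dport=53, proto="UDP", note="DNS to OMV's port 53"),
    Rule("ACCEPT", sport=53, proto="UDP", note="DNS reply from port 53 to an ephemeral port"),
    Rule("DROP", note="deny everything else; must stay last"),
]

if __name__ == "__main__":
    samples = {
        "SSH from LAN": Packet("192.168.0.20", "192.168.0.10", "TCP", 52525, 22),
        "SSH from outside": Packet("203.0.113.5", "192.168.0.10", "TCP", 52525, 22),
        "NTP reply to ephemeral port": Packet("203.0.113.9", "192.168.0.10", "UDP", 123, 52525),
    }
    for name, pkt in samples.items():
        print(f"{name:28s} -> {evaluate(RULES, pkt)}")
    print("deny-all moved to the top:", lockout_check([RULES[-1]] + RULES[:-1]))
```

Removing the `sport=123` rule and re-running the NTP reply packet shows why the post keeps both halves of each pair: the reply from the server's port 123 lands on an ephemeral port, so the `dport=123` rule alone never matches it and the deny-all rule wins.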
After the above are input, and the Deny All rule is at the bottom, you'll have a pretty secure box! Only vital traffic is allowed, and you can create new rules as you go for additional plugins and services. I find that when most people "break" something with the OMV firewall, they forgot the DNS, NTP, or HTTP rules. Read your syslogs, people!
P.S. If your SMB share is only reachable by IP address instead of hostname after you put up a firewall, you can do one of two things:
A) Edit your "hosts" file to add a record that force-resolves the hostname to the IP address. *Make sure your antivirus won't overwrite your change ~cough~ Bitdefender ~cough~
OR
B) Add an "A record" in your router or DNS server to resolve the hostname to the IP address.
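"Read your syslogs" is the right advice, and the forgotten DNS/NTP/HTTP rules leave a recognisable trace: the NAS's own query goes out, and the answer coming back from port 53, 123 or 80 is what gets dropped. The added example below is not from the post or from OMV; it assumes you have placed a LOG rule with the hypothetical prefix "OMV-DROP:" directly above the deny-all DROP rule, so that everything about to be dropped is written to syslog in the kernel's netfilter log layout. The log lines are constructed for the example, not captured from a real box.

```python
"""Added example: triage netfilter LOG lines for the 'forgotten reply rule' symptom.
Not OMV's code; assumes a LOG rule (prefix "OMV-DROP:") sits just above deny-all."""
import re
from collections import Counter
from typing import Dict, List, Optional

LOG_PREFIX = "OMV-DROP:"  # hypothetical prefix configured on the LOG rule
FIELD_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"   # ICMP lines carry no ports
)

# Reply traffic for the services the post says people forget. A dropped reply
# arrives FROM the well-known port, so the cure is the post's "Source Port N" rule.
KNOWN_REPLIES = {
    ("UDP", 53): "DNS reply",
    ("UDP", 123): "NTP reply",
    ("TCP", 80): "HTTP reply",
    ("TCP", 443): "HTTPS reply",
}

SAMPLE_LOG = [  # constructed lines in the kernel's netfilter log layout
    "Jan  5 10:14:02 omv kernel: OMV-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.168.0.1 DST=192.168.0.10 LEN=89 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=41234 LEN=69",
    "Jan  5 10:14:03 omv kernel: OMV-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.168.0.1 DST=192.168.0.10 LEN=91 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=41235 LEN=71",
    "Jan  5 10:14:04 omv kernel: OMV-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.9 DST=192.168.0.10 LEN=76 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=123 DPT=48823 LEN=56",
    "Jan  5 10:14:05 omv kernel: OMV-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.77 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=55001 DPT=22 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan  5 10:14:05 omv kernel: OMV-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.77 DST=192.168.0.10 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=61234 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
    "Jan  5 10:14:06 omv sshd[1234]: Accepted publickey for admin from 192.168.0.20 port 50022 ssh2",
]


def parse_drop_line(line: str) -> Optional[Dict[str, object]]:
    """Return the 5-tuple fields of one LOG line, or None for unrelated syslog lines."""
    if LOG_PREFIX not in line:
        return None
    m = FIELD_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {"src": d["src"], "dst": d["dst"], "proto": d["proto"],
            "spt": int(d["spt"]) if d["spt"] else None,
            "dpt": int(d["dpt"]) if d["dpt"] else None}


def diagnose(lines: List[str]) -> Dict[str, List[str]]:
    """Split dropped packets into 'our own replies' (a missing rule) and
    'unsolicited inbound' (the deny-all rule doing its job)."""
    replies: Counter = Counter()
    inbound: Counter = Counter()
    for line in lines:
        pkt = parse_drop_line(line)
        if pkt is None:
            continue
        key = (pkt["proto"], pkt["spt"])
        if key in KNOWN_REPLIES:
            replies[key] += 1
        else:
            inbound[(pkt["proto"], pkt["dpt"], pkt["src"])] += 1
    missing = [
        f"{n} dropped {KNOWN_REPLIES[k]} packet(s) from port {k[1]}/{k[0]}: add the 'Source Port {k[1]}' rule"
        for k, n in replies.most_common()
    ]
    blocked = [
        f"{n} unsolicited {proto} packet(s) from {src} to port {dpt if dpt is not None else 'n/a'}: dropped as intended"
        for (proto, dpt, src), n in inbound.most_common()
    ]
    return {"missing_reply_rules": missing, "blocked_inbound": blocked}


if __name__ == "__main__":
    for section, findings in diagnose(SAMPLE_LOG).items():
        print(section)
        for f in findings:
            print("  -", f)
```

The split matters for reading the output: a dropped packet whose source port is 53 or 123 is the NAS's own lookup failing and means a rule is missing, whereas a dropped SYN to port 22 or an ICMP echo from an outside address is exactly what the deny-all rule is there for and needs no new rule.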