NOTE!!! NEWLY UPDATED!!!

 

This YouTube video tutorial describes how the Synology DSM Firewall and Auto-Block mechanisms work with each other, and how to figure out what's happening when things don't work as expected. It is a practical look at a real setup in operation.

In the video…
-2 places for rules:
  #1 - Control Panel > Security > Firewall  #Set actual firewall rules (this is the MAIN firewall engine)
  #2 - Control Panel > Security > Account  #Set “AutoBlock” (allow/block lists) and #attempts/WithinMinutes

  …I think #2 relates only to SSH logins, not other ports, etc.
-Notes:
  -Rules apply AT TIME OF ATTACHMENT, so if a client is already attached, changes do not take effect until its NEXT attachment/login!
  -The most restrictive rule applies… in these cases anyway (as tested by fj)…
    -If #1 has a deny, and #2 has an allow, it is DENIED
    -If #1 has an allow BELOW a deny rule, it is BLOCKED/DENIED (order is important)
    -If #1 has an allow, and #2 has an entry in the AUTO-BLOCK, it is DENIED
    -If #2 has entries in both the AUTO-BLOCK (ALLOW) and (BLOCK) lists, it is BLOCKED
      (…thus, if you add an “allow” to #2, be sure to REMOVE it from the “block” list!)
-For #1…
  -ORDER of entries is important (higher lines are processed before lower lines)
  -The “All Interfaces” section gets priority (if there is no rule in here, THEN the rule for “EACH” interface is looked at)
  -It seems like the rule gets applied AT LOGIN (e.g. for SSL), so if you change it while a session is connected, it keeps allowing until the next SSH login
   …soooo REBOOT after a change if you want to FORCE everyone to re-attach and have the firewall rules applied
   …also, for TESTING, you can get thrown off if you’re not aware of this!!!
-For #2…
  -#1 takes precedence over #2 (so if you ALLOW in #2, but block in #1, it is BLOCKED)

  …so you can ALLOW in the auto-block area, but the #1 firewall rules still apply (e.g. if port 22 is blocked, then you still can’t access)
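
The precedence described in these notes, written out as a small Python model. This is an example added here, not Synology's code and not something shown in the video. The function names, the config layout, the `no_match` fallback and the sample addresses are all assumptions made for illustration.

```python
import ipaddress

def first_match(rules, ip, port):
    """Return the action of the first (topmost) rule matching ip and port, else None."""
    addr = ipaddress.ip_address(ip)
    for network, rule_port, action in rules:
        if addr in ipaddress.ip_network(network) and rule_port in ("any", port):
            return action
    return None

def in_list(ip, entries):
    """True if ip falls inside any address or subnet in an auto-block list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry) for entry in entries)

def decide(cfg, ip, port):
    """Verdict for a NEW login; sessions that are already attached are not re-checked."""
    # #1 Firewall: "All Interfaces" rules first, per-interface rules only if none matched.
    action = first_match(cfg["all_interfaces"], ip, port)
    if action is None:
        action = first_match(cfg["per_interface"], ip, port)
    if action is None:
        action = cfg["no_match"]        # assumption: fallback when no rule matches
    if action == "deny":
        return "DENIED by firewall"     # #1 wins even if #2 has the IP on its allow list
    # #2 Auto-block: a block-list entry wins even if the IP is also on the allow list,
    # so the allow list is deliberately never consulted here.
    if in_list(ip, cfg["block_list"]):
        return "DENIED by auto-block"
    return "ALLOWED"

# Constructed sample configuration (documentation address ranges, not real hosts).
CFG = {
    "all_interfaces": [
        ("203.0.113.0/24", 22, "deny"),
        ("203.0.113.7/32", 22, "allow"),   # never reached: it sits below the deny
        ("198.51.100.0/24", 22, "allow"),
    ],
    "per_interface": [("192.0.2.0/24", "any", "allow")],
    "no_match": "deny",
    "allow_list": ["203.0.113.7", "198.51.100.9"],
    "block_list": ["198.51.100.9"],
}

if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9", "198.51.100.20", "192.0.2.5", "10.0.0.1"):
        print(ip, "->", decide(CFG, ip, 22))
```

Walking a test address through a model like this before logging in helps tell a rule-order problem apart from a stale block-list entry.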
