Freds Tips and Tricks

"Tech Solutions... so you don't feel like you are living in the stone age!"

NOTE!!! NEWLY UPDATED!!!

 

This YouTube video tutorial describes how the Synology DSM Firewall and Auto-Block mechanisms work with each other, and how to figure out whats happening when things don’t work as expected. Practical look at a real setup in operation.

In the video…
-2 places for rules:
  #1-CP> Security> Firewall  #Set actual firewall rules (This is MAIN firewall engine)
  #2-CP> Security> Account #Set “AutoBlock”(allow/block lists) and #attempts/WithinMinutes

SEE FULL TEXT BELOW…

NOTE!!! NEWLY UPDATED!!!

 

This YouTube video tutorial describes how the Synology DSM Firewall and Auto-Block mechanisms work with each other, and how to figure out whats happening when things don’t work as expected. Practical look at a real setup in operation.

In the video…
-2 places for rules:
  #1-CP> Security> Firewall  #Set actual firewall rules (This is MAIN firewall engine)
  #2-CP> Security> Account #Set “AutoBlock”(allow/block lists) and #attempts/WithinMinutes

  …i think #2 is only relating to SSH logins, not other ports, etc
-Notes:
  -Rules apply AT TIME OF ATTACHMENT, so if already attached, changes not til NEXT attachment/login!
  -Most restrictive applies… in these cases anyways (as tested by fj)…
    -If #1 has a deny, and #2 has allow, it is DENIED
    -If #1 has an allow BELOW a deny rule, it is BLOCKED/DENIED (order is important)
    -If #1 has an allow, and #2 has entry in the AUTO-BLOCK, it is DENIED
    -If #2 has entries in both AUTO-BLOCK(ALLOW) AND (BLOCK) list, it is BLOCKED
      (…thus, if you add an “allow” to #2, be sure to REMOVE them from the “block” list!)
-For #1… 
  -ORDER of entries is important (higher processed before lower lines)
  -The “All Interfaces” gets priority (if no rule in here, THEN “EACH” interface rule is looked at
  -It seems like the rule gets applied AT LOGIN (eg for SSL), so if you change while accessed, it keeps allowing til next SSH login
   …soooo REBOOT after a change if you want to FORCE everyone to re-attach, and have firewall rules applied
   …also, for TESTING, you can get thrown off, if you’re not aware of this!!!
-For #2…
  -#1 take precedence over #2 (so if you ALLOW in #2, but block in #1, it is BLOCKED) 

  …so you can ALLOW in the auto-block area, but still #1 firewall rules apply (eg if port 22 is blocked, then still can’t access) 

Share this post

Share on facebook
Share on twitter
Share on print
Share on email

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.