Synology firewall enhancement


Postby jbouwh » Fri Oct 07, 2011 6:36 pm

Recently I configured IPv6 using the IPv6 tunnel. This works fine.
I found out there are no firewall rules set for the tun interface.
When I examine the result of the firewall tool, I see that only rules for device eth0 are generated.

My feature request would be the possibility to specify the network adapter (or all adapters) when configuring a firewall rule. Extra adapters would be:
- IPv6 tunnel adapter(s)
- Wireless LAN adapter (if installed)
- PPPoE adapter?
DS109 DSM 4.0-2219 (WD10EACS, 1000GB GP)

Re: Synology firewall enhancement

Postby jbouwh » Wed Oct 26, 2011 12:53 pm

Is there anyone who can confirm this problem? The latest update to DSM 3.2 build 1944 did not solve this issue.

Re: Synology firewall enhancement

Postby jbouwh » Thu Dec 01, 2011 4:25 pm

Again, in DSM 3.2 build 1955 this issue is not solved.
Is there anyone using the IPv6 tunnel functionality?
It would be of great importance to also have a working firewall. Now every port is open!
:roll: :roll: :roll: :roll: :roll: :roll: :roll: :roll: :roll: :roll:

Re: Synology firewall enhancement

Postby Fit » Sun Dec 11, 2011 9:48 am

I am not using the IPv6 tunnel, but I agree with your request. Security is very important to me on these boxes, and it should be for anyone. A network connection without firewall is unacceptable these days.


Furthermore, it is an utterly basic functionality to be able to choose on which network interface you open up a port.

+ 1 vote... times 1000!!!
DS207+ DSM 3.1-1613 | 2 x WD5000AAKS (500GB) | RAID1
DS207+ DSM 3.0-1354 | 2 x ST31000528AS (1TB) | RAID1
DS109j DSM 4.0-2198 | HDS725050KLA360 (500GB) | Basic
DS209+II DSM 4.0-2198 | 2 x ST31500341AS (1,5TB) | RAID1
DS209+II DSM 4.0-2198 | ST31500341AS (1,5TB) + WD5000AAKS (500GB) | 2 x basic
DS211j DSM 4.0-2228 | 2 x ST3320820AS (320GB) | RAID1
DS111 DSM 4.2-3211 | WD150ADFS (150GB) | Basic
2 x APC Back-UPS CS 500

Re: Synology firewall enhancement

Postby thunderbird » Sun Dec 11, 2011 12:22 pm

It's also not possible to specify firewall rules for VPN connections. A VPN connection can access any port on the NAS and on the LAN. It must be possible to specify which ports on the NAS and LAN can be accessed. Come on Synology, VPN has been available for quite a while now and still your firewall is not supporting it?!?
I even sent you a support request and there was no reaction to it. I would expect more!

Re: Synology firewall enhancement

Postby jbouwh » Wed Apr 18, 2012 11:08 pm

Still no progress on the firewall functionality in DSM 4.0-2219 :(.
Recently tried the DHCP server. Port UDP 67 needs to be opened for all IPs. There is no predefined 'DHCP server' in the list.
It would be nice to add this port as well.

Re: Synology firewall enhancement

Postby GoGoGo » Thu Jun 07, 2012 7:28 pm

Hi,

IPv6 firewall configuration must be enhanced. As of now (DSM 4.0), I can't access any service via IPv6.
Please add an "IPv6 source address" section in the firewall configuration panel.

In the current firewall configuration panel, there's a "Source IP" section. This section allows one to restrict the rule to a host or subnet. Unfortunately, it's IPv4 only! Any rule with a host or subnet set isn't declared in the IPv6 firewall. With a "block everything by default" policy, the service is blocked over IPv6.

The result is seen in this example:
Code:
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
modprobe: chdir(2.6.32.12): No such file or directory
modprobe: chdir(2.6.32.12): No such file or directory
ACCEPT     tcp  --  192.168.2.0/24       anywhere            multiport dports afpovertcp,5006
ACCEPT     udp  --  192.168.2.0/24       anywhere            udp dpt:5353
ACCEPT     icmp --  192.168.0.0/16       anywhere           
ACCEPT     tcp  --  192.168.0.0/16       anywhere            multiport dports ftp,55536:55539,sunrpc,nfs,892,ssh
ACCEPT     udp  --  192.168.0.0/16       anywhere            multiport dports syslog,5353,snmp,sunrpc,nfs,892
ACCEPT     tcp  --  anywhere             anywhere            multiport dports 7111,6690,6881,5006,https,http,smtp,imap,5111,5000
ACCEPT     udp  --  anywhere             anywhere            udp dpt:6881
DROP       all  --  anywhere             anywhere           


ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all      anywhere             anywhere            state RELATED,ESTABLISHED
modprobe: chdir(2.6.32.12): No such file or directory
modprobe: chdir(2.6.32.12): No such file or directory
ACCEPT     tcp      anywhere             anywhere            multiport dports 7111,6690,6881,5006,https,http,smtp,imap,5111,5000
ACCEPT     udp      anywhere             anywhere            udp dpt:6881
ACCEPT     icmpv6    anywhere             anywhere           
DROP       all      anywhere             anywhere

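Added example, not part of the original posts: a Python check that compares the two `-L` listings above and returns the services that IPv4 accepts only from restricted sources and that have no ACCEPT rule in the IPv6 chain, so the final DROP catches them over IPv6. The listings are constructed from the post's output; the function names are assumptions of this example.

```python
import re

# Constructed sample: INPUT chain rules taken from the `-L` listings in the post above.
IPTABLES_L = """\
Chain INPUT (policy ACCEPT)
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.2.0/24       anywhere            multiport dports afpovertcp,5006
ACCEPT     udp  --  192.168.2.0/24       anywhere            udp dpt:5353
ACCEPT     icmp --  192.168.0.0/16       anywhere
ACCEPT     tcp  --  192.168.0.0/16       anywhere            multiport dports ftp,55536:55539,sunrpc,nfs,892,ssh
ACCEPT     udp  --  192.168.0.0/16       anywhere            multiport dports syslog,5353,snmp,sunrpc,nfs,892
ACCEPT     tcp  --  anywhere             anywhere            multiport dports 7111,6690,6881,5006,https,http,smtp,imap,5111,5000
ACCEPT     udp  --  anywhere             anywhere            udp dpt:6881
DROP       all  --  anywhere             anywhere
"""
IP6TABLES_L = """\
Chain INPUT (policy ACCEPT)
ACCEPT     all      anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp      anywhere             anywhere            multiport dports 7111,6690,6881,5006,https,http,smtp,imap,5111,5000
ACCEPT     udp      anywhere             anywhere            udp dpt:6881
ACCEPT     icmpv6    anywhere             anywhere
DROP       all      anywhere             anywhere
"""


def accepted_ports(listing, chain="INPUT"):
    """Return {(proto, port): {sources}} for the ACCEPT rules of one chain."""
    ports, current = {}, None
    for line in listing.splitlines():
        # The IPv4 listing prints "--" in the opt column, the IPv6 one leaves it blank.
        tok = [t for t in line.split() if t != "--"]
        if tok[:1] == ["Chain"] and len(tok) > 1:
            current = tok[1]
        elif current == chain and len(tok) >= 4 and tok[0] == "ACCEPT":
            # Ports appear as "multiport dports a,b", "dpt:a" or "dpts:a:b".
            for spec in re.findall(r"(?:dports |dpts?:)(\S+)", " ".join(tok[4:])):
                for name in spec.split(","):
                    ports.setdefault((tok[1], name), set()).add(tok[2])
    return ports


def missing_from_ipv6(v4_listing, v6_listing):
    """Services restricted by source in IPv4 that have no IPv6 ACCEPT rule."""
    v4, v6 = accepted_ports(v4_listing), accepted_ports(v6_listing)
    return sorted(key for key, sources in v4.items()
                  if "anywhere" not in sources and key not in v6)
```

On the sample this returns 13 protocol/port pairs, including `tcp/ssh`, `tcp/nfs` and `udp/5353`; `tcp/5006` is not reported because an unrestricted rule also exists for it in both listings.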
Re: Synology firewall enhancement

Postby jbouwh » Thu Jun 07, 2012 10:59 pm

For IPv6 the command ip6tables is available.

ip6tables -L gives me the following output:
Code:
nas> ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere            state RELATED,ESTABLISHED
modprobe: chdir(2.6.32.12): No such file or directory
modprobe: chdir(2.6.32.12): No such file or directory
ACCEPT     tcp      anywhere             anywhere            multiport dports 6881,http,5000
ACCEPT     udp      anywhere             anywhere            udp dpt:bootps
ACCEPT     icmpv6    anywhere             anywhere
DROP       all      anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


It should not be so difficult to add an IPv6 firewall tab including the IPv6 tunnel interface, LAN interface and PPPoE as a wrapper around ip6tables.

What I can see is that the IPv6 firewall is working, but only for the fixed LAN connections and PPPoE, not for IPv6 tunnels.

The following command shows that only eth0 is configured.

Code:
nas> ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
modprobe: chdir(2.6.32.12): No such file or directory
modprobe: chdir(2.6.32.12): No such file or directory
-A INPUT -i eth0 -p tcp -m multiport --dports 6881,80,5000 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i eth0 -p icmpv6 -j ACCEPT
-A INPUT -i eth0 -j DROP



Using ifconfig you can list the active interfaces, including the IPv6 tunnel I configured (IP numbers are changed).

Code:
nas> ifconfig
eth0      Link encap:Ethernet  HWaddr 00:11:32:04:9A:DD
          inet addr:192.168.1.200  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fd8b:3362:769e:84e5::2:0/64 Scope:Global
          inet6 addr: fe80::211:32ff:fe04:9add/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5933247 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12898284 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532
          RX bytes:855927752 (816.2 MiB)  TX bytes:4236525358 (3.9 GiB)
          Interrupt:11

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:52357 errors:0 dropped:0 overruns:0 frame:0
          TX packets:52357 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:181379142 (172.9 MiB)  TX bytes:181379142 (172.9 MiB)

tun       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet6 addr: 2001:5c0:1234:::1234/128 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1280  Metric:1
          RX packets:58 errors:0 dropped:0 overruns:0 frame:0
          TX packets:46 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:6693 (6.5 KiB)  TX bytes:5980 (5.8 KiB)

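Added example, not part of the original posts: a Python check that reads `ip6tables -S` output and the interface names from `ifconfig`, and returns the interfaces whose unmatched inbound packets fall through to the ACCEPT policy because no catch-all DROP covers them. The sample text is constructed from the output in the post above; the function names and the choice to skip `lo` are assumptions of this example.

```python
# Constructed sample: the `ip6tables -S` output from the post above.
IP6TABLES_S = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
modprobe: chdir(2.6.32.12): No such file or directory
-A INPUT -i eth0 -p tcp -m multiport --dports 6881,80,5000 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i eth0 -p icmpv6 -j ACCEPT
-A INPUT -i eth0 -j DROP
"""
# Constructed sample: stanza lines as printed by `ifconfig` in the post.
IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:11:32:04:9A:DD
          inet addr:192.168.1.200  Bcast:192.168.1.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
tun       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1280  Metric:1
"""


def interface_names(ifconfig_text):
    """Interface names are the unindented first word of each ifconfig stanza."""
    return [l.split()[0] for l in ifconfig_text.splitlines() if l and not l[0].isspace()]


def unfiltered_interfaces(rules, interfaces, chain="INPUT", ignore=("lo",)):
    """Interfaces whose unmatched inbound packets reach an ACCEPT chain policy."""
    policy, patterns = "ACCEPT", []
    for line in rules.splitlines():
        tok = line.split()
        if tok[:2] == ["-P", chain] and len(tok) == 3:
            policy = tok[2]
        elif tok[:2] == ["-A", chain] and "-j" in tok:
            j = tok.index("-j")
            if tok[j + 1:j + 2] not in (["DROP"], ["REJECT"]):
                continue
            if j == 2:                       # no match criteria: every interface
                patterns.append("+")
            elif j == 4 and tok[2] == "-i":  # only "-i NAME": that interface
                patterns.append(tok[3])
    if policy != "ACCEPT":
        return []

    def covered(name):
        # iptables treats a trailing "+" in -i as a prefix wildcard ("eth+").
        return any(name.startswith(p[:-1]) if p.endswith("+") else name == p for p in patterns)

    return [n for n in interfaces if n not in ignore and not covered(n)]
```

For the rules and interfaces in the post, `unfiltered_interfaces(IP6TABLES_S, interface_names(IFCONFIG))` returns `['tun']`, matching the observation that only eth0 is filtered.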
