A couple of Firewall questions

Topics pertaining to SRM usage, usability and management
Forum rules
1) This is a user forum for Synology users to share experience/help out each other: if you need direct assistance from the Synology technical support team, please use the following form:

https://account.synology.com/support/su ... p?lang=enu

2) To avoid putting users' DiskStation at risk, please don't paste links to any patches provided by our Support team as we will systematically remove them. Our Support team will provide the correct patch for your DiskStation model.
I'm New!
I'm New!
Posts: 1
Joined: Tue May 08, 2018 3:43 am

A couple of Firewall questions

Unread post by TamaraB » Wed May 16, 2018 11:02 pm


I am totally new to Synology. I am setting up an RT2600AC router, and have a couple of questions related to the firewall. I have one server on the localnet doing SMTP and IMAPS with ports 25 and 993 port forwarded. I have also activated Synology VPN services, and noticed proper firewall entries allowing ports 1194, 443, 500, 4500, and 1701 access to the VPN server.

In my firewall I begin with some Geo-Block deny lines, then some security related deny lines, then the VPN-generated allow lines which I modified to allow only U.S. source IPs to access. The final default for the firewall (checked at the bottom of the page) is “Deny”. Note: there is NO allow entry for the port-forwarded e-mail server, which works without one. This gave me some concern, as in my experience, this should have failed. No explicit allow for the mail server told me that possibly the RT2600 was not applying the firewall rules to the port forwarded machine, or VPN? Horrors!!

The documentation and discussions on this topic is unclear. Some sugesting that port-forwarding bypasses the firewall. So, I tested. From outside I tested to the mail server, Ok. Now, I put in a firewall rule explicitly denying access to the IP address I was testing from. Wonderful!! The deny entry blocked my access.

So, it appears that the firewall rules are indeed applied to port-forwarded localnet machines. It also seems that a port-forwarded machine is automatically added to the “allow” list even though it does not show up in the firewall properties page. And it is added before the final “deny” default.

My first question — is what I believe happening as to service order accurate??

My second question: I now want to Geo-filter access to the Mail server, allowing only U.S. based IPs access. Not having an allow entry for the server, and having the port-forwarding mechinism assign control access means what? I do not know? Can I put an explicit allow from U.S. only in the firewall? Will that over-ride the “ALL” allow the port-forwarding system seems to have assigned?

The SRM put explicit allow entries into the firewall (which I happily edited) when it set up the VPN. Why did it not do the same when I set up port forwarding? What are the ramifications of that? The documentation is poor on the specifics on how this exactly all works.

Finally — Is there a listing of the CLI commands relevent to firewall? I can find no documentation on the CLI at all. where is it?


Posts: 1157
Joined: Tue Jul 26, 2016 10:47 am

Re: A couple of Firewall questions

Unread post by Babylonia » Thu May 17, 2018 5:07 pm

For explanation and examples see:
https://forum.synology.com/enu/viewtopi ... 29#p452529

And the difference described here if checkmarks are changed:
https://forum.synology.com/enu/viewtopi ... 29#p452543
RT1900ac / DS213j / DS415+ / DS218+ (at different locations).

Post Reply

Return to “Installation and Configuration”