QuFirewall and container Station

plainlytbrown
New here
Posts: 2
Joined: Mon Jul 19, 2021 1:25 am

QuFirewall and container Station

Post by plainlytbrown »

Hello Everyone,

I have recently decided to buy a QNAP after using Synology for a long time. Needless to say, there are some differences between the two. Currently I have a TS-977XU-RP, definitely overkill for my current needs, but I plan to utilize it better in the future.

Currently my issue is with the firewall and Container Station. I spun up Bitwarden on Container Station. I don't use Bitwarden's SSL with Let's Encrypt. Instead I have a Pi cluster running an Nginx server with Pi-hole, PiVPN, fail2ban etc. I use the Pi as my single entry point for anything I have internet facing. When I ran Bitwarden on Synology I set up a rule where only port 1234 (not the real port I use) could talk to my Pi cluster. Simple enough on the Synology: have a blanket deny-all rule at the bottom, and allow port 1234 to only talk to IP 192.168.1.111 (again, not the real IP of the cluster).

When I do this with QNAP's QuFirewall it still allows me to ping port 1234, and even typing 192.168.1.111:1234 into my browser allows me to pull up Bitwarden. Of course I can't log in, because Bitwarden will only allow login over SSL with a valid certificate. When running the container, port 8080 is the internal port used by Bitwarden, and I change that to an obscure port and expose it. What I don't understand is why QuFirewall won't block access to that port except from the IP I have listed. I tried all three levels of firewall profiles. I feel like I'm missing something really simple.

Thanks
Moogle Stiltzkin
Guru
Posts: 11445
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: QuFirewall and container Station

Post by Moogle Stiltzkin »

NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
plainlytbrown
New here
Posts: 2
Joined: Mon Jul 19, 2021 1:25 am

Re: QuFirewall and container Station

Post by plainlytbrown »

Moogle, thanks for the links. I had reviewed the how-to from QNAP before posting, but that didn't seem to help, while the Reddit post suggests that if I have a dedicated firewall I shouldn't need to use QNAP's. I do have a dedicated firewall, and VLANs set up where only trusted devices have access to my main LAN, but I still prefer to follow best practices and only allow access to my devices from the IPs or other devices I choose.

I noticed that one of the preset rules QNAP sets is the Application rule; when I look at it, it shows my container networks and allows all. I have disabled that firewall rule and moved it below the deny-all rule, hoping that would fix my issue, but for some reason I cannot block the desired port.

Currently the only ports I allow access to are 443 and 445, for the QNAP UI and SMB. I tested by taking 445 off, and I could not access SMB over my network. I know the firewall is working, just not for the containers.
googleg
Getting the hang of things
Posts: 90
Joined: Sun Mar 14, 2010 2:20 pm

Re: QuFirewall and container Station

Post by googleg »

I share your disappointment. It's a shame QuFirewall is not capable of dealing properly with the firewall rules automatically created by Container Station. I think it boils down to how Docker inserts its own rules into the iptables configuration.

I believe this can be fixed manually via CLI. I'll try to take a look...
googleg
Getting the hang of things
Posts: 90
Joined: Sun Mar 14, 2010 2:20 pm

Re: QuFirewall and container Station

Post by googleg »

Quick update... I was able to control the damage by disabling the "Application" rule in QuFirewall and by manually creating the rules below on the NAS via SSH:

Code:

# "-I" inserts at the top of DOCKER-USER, so the last command typed ends up first.
# Evaluation order is therefore: the three RETURNs, then ESTABLISHED,RELATED, then DROP.
sudo iptables -I DOCKER-USER -s 0.0.0.0/0 -j DROP                                                 # catch-all drop (0.0.0.0/0 = any source)
sudo iptables -I DOCKER-USER -s 0.0.0.0/0 -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN   # keep replies to already-permitted connections
sudo iptables -I DOCKER-USER -s 192.168.1.0/24 -j RETURN   # LAN
sudo iptables -I DOCKER-USER -s 172.29.8.0/22 -j RETURN    # Docker network (containers talking to each other)
sudo iptables -I DOCKER-USER -s 172.16.1.0/24 -j RETURN    # VPN network
I explicitly authorize 192.168.1.0/24 (my LAN), 172.29.8.0/22 (the Docker network, so that containers can talk to each other) and 172.16.1.0/24 (my VPN network); all the rest is dropped.

Now I need to find a solution so that this change is permanent and survives a reboot; I will probably add it to the autorun.sh script.
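The script below is an added example, not code from any post in this thread. It turns the DOCKER-USER approach above into something that can be run from autorun.sh and narrows it to the goal of the original question: only one trusted host may open connections to the port Container Station published for the container. The reason QuFirewall never blocked that port is that Docker DNATs published ports in PREROUTING and then evaluates them in FORWARD, where it jumps to DOCKER-USER before its own DOCKER chain; host-level INPUT rules such as QuFirewall's never see a packet destined for a container. One consequence matters for the rules: by the time a packet reaches DOCKER-USER its destination port has already been rewritten to the container's internal port (8080 in the question), so matching the published port needs the conntrack `--ctorigdstport` match rather than `--dport`. The source address, published port, bridge subnet and interface name are hypothetical defaults that must be adjusted; `build_docker_user_rules` only prints the commands and needs no root, `apply` installs them and must run as root on the NAS.

```shell
#!/bin/sh
# Added example (not from the thread): restrict a Docker-published port on a QNAP NAS
# to one trusted source host using the DOCKER-USER chain.
#
# Docker evaluates DOCKER-USER in FORWARD before its own DOCKER chain, after the
# PREROUTING DNAT has already rewritten the destination port to the container's
# internal port. QuFirewall's INPUT rules never see this traffic.
#
# All values below are hypothetical defaults; override them via the environment.
set -eu

TRUSTED_SRC="${TRUSTED_SRC:-192.168.1.111}"   # the reverse proxy that is allowed in
PUB_PORT="${PUB_PORT:-1234}"                  # host port published by Container Station
DOCKER_NETS="${DOCKER_NETS:-172.29.8.0/22}"   # container bridge subnet(s), space separated
LAN_IF="${LAN_IF:-eth0}"                      # NAS interface the trusted host arrives on
IPT="${IPT:-iptables}"

# Emit the rules in evaluation order (-A onto a chain the caller has flushed).
# Pure function: it prints commands and touches nothing, so it can be inspected or tested.
build_docker_user_rules() {
  src="$1"; port="$2"; nets="$3"; ifc="$4"
  # 1. Replies belonging to connections already permitted (includes container egress replies).
  echo "$IPT -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"
  # 2. Container-originated traffic: inter-container and outbound to the internet.
  for net in $nets; do
    echo "$IPT -A DOCKER-USER -s $net -j RETURN"
  done
  # 3. The trusted host may open new connections to the published port. --dport would
  #    now hold the container port, so match the port the client originally dialled.
  echo "$IPT -A DOCKER-USER -i $ifc -s $src -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL -j RETURN"
  # 4. Anyone else hitting that published port: rate-limited log, then drop.
  echo "$IPT -A DOCKER-USER -i $ifc -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL -m limit --limit 6/min -j LOG --log-prefix 'DOCKER-USER drop: '"
  echo "$IPT -A DOCKER-USER -i $ifc -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL -j DROP"
  # 5. Hand everything else back to Docker's chains (this is Docker's own default rule).
  echo "$IPT -A DOCKER-USER -j RETURN"
}

# Idempotent install: create the chain if Docker has not yet, flush it, append the
# rules. Docker adds the FORWARD -> DOCKER-USER jump itself and does not flush the
# chain when it restarts, so this can run from autorun.sh and again later without
# stacking duplicate rules.
apply_docker_user_rules() {
  "$IPT" -N DOCKER-USER 2>/dev/null || true
  "$IPT" -F DOCKER-USER
  build_docker_user_rules "$TRUSTED_SRC" "$PUB_PORT" "$DOCKER_NETS" "$LAN_IF" | sh -e
}

# Number of rules that would be installed; handy as a sanity check before applying.
rule_count() {
  build_docker_user_rules "$@" | wc -l | tr -d ' '
}

case "${1:-print}" in
  apply) apply_docker_user_rules ;;
  print) build_docker_user_rules "$TRUSTED_SRC" "$PUB_PORT" "$DOCKER_NETS" "$LAN_IF" ;;
esac
```

Run it with no argument to review the rules, then `TRUSTED_SRC=... PUB_PORT=... sh restrict-container.sh apply` as root, and confirm with `iptables -L DOCKER-USER -n -v --line-numbers` that the allow rule sits above the DROP. Test from a second, untrusted LAN host with `nc -vz <nas-ip> <published-port>`: it should hang or be refused while the trusted host still connects. Two caveats: the `-i` match assumes the trusted host arrives on `LAN_IF`; a proxy on another VLAN or interface needs that value changed. And the rules only guard the one published port; removing the `--ctorigdstport` match from the LOG and DROP lines turns this into a default-deny for every container port reachable from that interface, closer to the blanket approach in the post above.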