Hello Everyone,
I have recently decided to buy a Qnap after using Synology for a long time. Needless to say there are some differences between the two. Currently I have a TS-977XU-RP, definitely overkill for my current needs, but I plan to utilize it better in the future.
Currently my issue is with the firewall and Container Station. I spun up Bitwarden in Container Station. I don't use Bitwarden's SSL with Let's Encrypt. Instead I have a Pi cluster running an Nginx server with Pi-hole, PiVPN, fail2ban etc. I use the Pi as my single entry point for anything I have internet facing. When I ran Bitwarden on Synology I set up a rule where only port 1234 (not the real port I use) could talk to my Pi cluster. Simple enough on the Synology: have a blanket deny-all rule at the bottom, and allow port 1234 to only talk to IP 192.168.1.111 (again, not the real IP of the cluster).
When I do this with Qnap's QuFirewall it still allows me to ping port 1234, and even typing 192.168.1.111:1234 into my browser allows me to pull up Bitwarden. Of course I can't log in because Bitwarden will only allow login over SSL with a valid certificate. When running the container, port 8080 is the internal port used by Bitwarden, and I change that to an obscure port and expose it. What I don't understand is why QuFirewall won't block access to that port except from the IP I have listed. I tried all three levels of firewall profiles. I feel like I'm missing something really simple.
Thanks
QuFirewall and container Station
- New here
- Posts: 2
- Joined: Mon Jul 19, 2021 1:25 am
- Moogle Stiltzkin
- Guru
- Posts: 11445
- Joined: Thu Dec 04, 2008 12:21 am
- Location: Around the world....
Re: QuFirewall and container Station
https://www.qnap.com/en-us/how-to/tutor ... qufirewall
https://www.reddit.com/r/qnap/comments/ ... to_access/
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1
Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)
Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
- New here
- Posts: 2
- Joined: Mon Jul 19, 2021 1:25 am
Re: QuFirewall and container Station
Moogle, thanks for the links. I had reviewed the how-to from Qnap before the post, but that didn't seem to help. While the Reddit post suggests that if I have a dedicated firewall I shouldn't need to use Qnap's, and I do have a dedicated firewall and VLANs set up where only trusted devices have access to my main LAN, I still prefer to try and use best practices and only allow access to my devices from IPs or other devices I deem trusted.
I notice that one of the preset rules that Qnap sets is the Application rule; when I look at that it shows my container networks and allows all. I have disabled that firewall rule and moved it below the deny-all rule, hoping that would fix my issue, but for some reason I cannot block the desired port.
Currently the only ports I allow access to are 443 and 445, for the Qnap UI and SMB. I tested and took 445 off, and I could not access SMB over my network. I know that the firewall is working, just not for the containers.
- Getting the hang of things
- Posts: 90
- Joined: Sun Mar 14, 2010 2:20 pm
Re: QuFirewall and container Station
I share your disappointment. It's a shame QuFirewall is not capable of dealing properly with firewall rules automatically created by Container Station. I think it boils down to how Docker inserts its own rules into the iptables configuration.
I believe this can be fixed manually via CLI. I'll try to take a look...
- Getting the hang of things
- Posts: 90
- Joined: Sun Mar 14, 2010 2:20 pm
Re: QuFirewall and container Station
Quick update... I was able to control the damage by disabling the "Application" rule in QuFirewall and by manually creating the rules below on the NAS via SSH:
I explicitly authorize 192.168.1.0/24 (my LAN), 172.29.8.0/22 (the Docker network, so that containers can talk to each other) and 172.16.1.0/24 (my VPN network); all the rest is dropped.
Now I need to find a solution so that this change is permanent and survives reboot, will probably add it to the autorun.sh script.
# Each -I inserts at the top of DOCKER-USER, so the chain is evaluated in the
# reverse of the order typed here: VPN, Docker and LAN sources RETURN first,
# then established/related connections, and finally everything else is dropped.
sudo iptables -I DOCKER-USER -s 0.0.0.0/0 -j DROP
sudo iptables -I DOCKER-USER -s 0.0.0.0/0 -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
sudo iptables -I DOCKER-USER -s 192.168.1.0/24 -j RETURN
sudo iptables -I DOCKER-USER -s 172.29.8.0/22 -j RETURN
sudo iptables -I DOCKER-USER -s 172.16.1.0/24 -j RETURN
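An added example, not code from anyone in this thread, from QNAP or from Docker, that does what the original post asked for (one published port reachable from one trusted host only) in the same DOCKER-USER chain the post above uses, and that can be re-run from autorun.sh without stacking duplicate rules. It assumes the thread's placeholder values (trusted host 192.168.1.111, published port 1234, Docker network 172.29.8.0/22); the autorun.sh location on QTS is not asserted. The point it adds over the rules above: host firewall rules on INPUT never see traffic to a published port, because Docker DNATs it in nat/PREROUTING and forwards it, and by the time the packet reaches FORWARD/DOCKER-USER its destination port is already the container's internal one (8080 in the thread), so `--dport 1234` would not match there either; the conntrack match on the connection's original destination port does.

```shell
#!/bin/sh
# Added example for the thread above; not code from the posters, QNAP or Docker.
# Restrict one Container Station published port to a single trusted host via the
# DOCKER-USER chain, which Docker consults first in its FORWARD rules and leaves
# alone when it rewrites the rest of the table.
# Assumed (hypothetical) values reuse the thread's placeholders.
set -eu

TRUSTED_HOST="${TRUSTED_HOST:-192.168.1.111}"
PUBLISHED_PORT="${PUBLISHED_PORT:-1234}"
DOCKER_NET="${DOCKER_NET:-172.29.8.0/22}"

# Emit the chain contents top to bottom. Flushing and then appending with -A keeps
# the listed order equal to the evaluation order (stacked -I lines run in reverse),
# and re-running the script is safe because the flush discards the previous copy.
#
# Port matching: Docker DNATs the published port to the container's own port in
# nat/PREROUTING, before FORWARD and DOCKER-USER run, so "--dport $PUBLISHED_PORT"
# would never match here. Matching the connection's original destination port via
# the conntrack match works regardless of what the container listens on.
docker_user_rules() {
    cat <<EOF
iptables -N DOCKER-USER 2>/dev/null || true
iptables -F DOCKER-USER
iptables -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
iptables -A DOCKER-USER -s $DOCKER_NET -j RETURN
iptables -A DOCKER-USER -s $TRUSTED_HOST -p tcp -m conntrack --ctorigdstport $PUBLISHED_PORT --ctdir ORIGINAL -j RETURN
iptables -A DOCKER-USER -j DROP
EOF
}

# Apply when running as root with iptables present (the autorun.sh case);
# otherwise just print the rules so they can be reviewed on any machine.
apply_docker_user_rules() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        docker_user_rules | sh -e
    else
        echo "# not root or iptables not found; rules that would be applied:" >&2
        docker_user_rules
    fi
}

# Post-apply check: iptables -C exits 0 only if an identical rule is in the chain.
check_trusted_rule() {
    iptables -C DOCKER-USER -s "$TRUSTED_HOST" -p tcp -m conntrack \
        --ctorigdstport "$PUBLISHED_PORT" --ctdir ORIGINAL -j RETURN
}

case "${1:-print}" in
    apply) apply_docker_user_rules && check_trusted_rule ;;
    *)     docker_user_rules ;;
esac
```

Run it as `sh restrict-port.sh apply` from autorun.sh (the name is an assumption) after Container Station has started, then from a host other than the trusted one confirm that `nc -vz <NAS IP> 1234` no longer connects while the trusted host still can. The closing DROP mirrors the post above and also blocks LAN access to every other published port; add one more `-s <host> ... --ctorigdstport <port> -j RETURN` line per allowed pair before it, or change the last line to `-j RETURN` if only this one port should be restricted. The `-s $DOCKER_NET -j RETURN` line lets containers reach each other and the internet; tighten it with `-d $DOCKER_NET` if containers should not initiate connections to the LAN.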