QFirewall + VPN on router

Gael82
New here
Posts: 8
Joined: Sun Sep 18, 2022 4:53 pm

QFirewall + VPN on router

Post by Gael82 »

(posting here as I can't see a more suitable place but feel free to move elsewhere)

Hi all
After the painful / costly experience of Deadbolt I took serious setups to secure my NAS.

I already deactivated UPnP and port-sharing on the router. Then I set up a VPN on the router using OpenVPN and managed to connect to my TS-253A from the outside. So far so good.

But then I thought of adding a firewall - I therefore activated QFirewall with the basic settings. Doing so seems to block any connection from the outside, even with the VPN.

So I have several questions:
- is the firewall a useful addition given the above security steps ?
- if so how to configure the firewall to allow remote connections to the NAS using the VPN ?

Thanks a lot !

Gaël
dolbyman
Guru
Posts: 35253
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QFirewall + VPN on router

Post by dolbyman »

Get rid of the firewall.. no need (and QNAP's firewall is bad at best anyways)
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: QFirewall + VPN on router

Post by Moogle Stiltzkin »

How to Make QNAP NAS Secure
https://www.youtube.com/watch?v=fL2qGwRUq38

Secure Your QNAP NAS Immediately From Latest Wave of Attacks
https://www.servethehome.com/secure-you ... f-attacks/

QNAP Secure Hosting: Is it Even Possible?
https://www.youtube.com/watch?v=Moe2YtUnUtI


check these that explain.

and no, qufirewall shouldn't be a primary means to protect u from the internet. use a solid router firewall like pfsense (or opnsense). and don't expose your nas online by port forwarding and using upnp.

remote access is still possible but only do it if you truly need it. and only by means of VPN, usually by setting up a vpn server on the router. either openvpn or wireguard. but whenever doing remote access capability, u need to be that much more diligent in updating EVERYTHING regularly (client devices, router, NAS, etc.... if u can't do this, then u better not do remote at all), and to maintain as clean a network as possible (this means not to browse dodgy sites, download pirated stuff with possible malware, etc)
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
Gael82
New here
Posts: 8
Joined: Sun Sep 18, 2022 4:53 pm

Re: QFirewall + VPN on router

Post by Gael82 »

Thanks both - looks like the VPN is a good option then.
Is there a legal way to test whether the NAS is exposed on the outside ?
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: QFirewall + VPN on router

Post by Moogle Stiltzkin »

https://www.shodan.io/explore/search?query=tags%3Anas

just shows u how many people are inappropriately exposing their qts admin ui to the web X_X: it's crazy

and it's not limited to qnap either. the problem is the users. they do stuff they shouldn't be doing, then cry and whine about it when they get hit :roll:

yes we can blame some things on the brand of our nas, to some extent they are responsible for them (why didn't u disclose the bug earlier once known? why did it take so long to patch? why are u making the software code so insecure?). but some of the responsibility also falls on the users as well (why did u expose your nas online? why don't u regularly update your client devices? why do u not keep backups? why did u go visit those adult sites and download pirated stuff possibly riddled with malware? when was the last time u scanned for virus/malware?), something often conveniently ignored :S


anyway using pfsense firewall as an example. the default setting is secure (just add a password). in that state, you are not exposed. still recommended to update though, even routers need patching every so often.

it's when u modify settings beyond that, like port forwarding (especially ports u shouldn't), doing other improper settings like enabling upnp, or incorrect settings that allow stuff to get through your firewall :?
Last edited by Moogle Stiltzkin on Thu Nov 24, 2022 5:02 am, edited 1 time in total.
dolbyman
Guru
Posts: 35253
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QFirewall + VPN on router

Post by dolbyman »

currently 200k+ exposed QNAP systems out there .. the next malware wave will come and tears and anger will flow once more
exposed_QNAP_Nov2022.jpg