Firewall rules for Synology DSM

Dear community,

I am running a node on a Synology NAS. Besides the firewall and NAT of my router, there is the Synology-internal firewall.

What I want (and what is relatively common) is to open my NAS to the internet for country-wide IPs but not worldwide. What you do in that case is open all desired ports per IP and/or per country (Synology provides a lookup service that categorizes the country the IP request comes from and grants or blocks access).
At the end of the open-port list you set an entry of “block all”, since the firewall rules are checked in the listed order and, as soon as one rule matches, no further firewall check is performed.

I now see trouble with the Storj node. Of course I have the TCP service port 28967 open incoming from any country. The node works fine, until a node update is performed. After that the node is down. I think this is because the satellites cannot synchronize time or make any contact with the node. The satellites do not seem to operate via TCP or via 28967.

In the Synology forum we already had the discussion, but with no final result. It is said there that besides the TCP 28967 port, the UDP ports should be open for the satellite IPs (such as 104.198.14.52, 35.236.124.230, 35.205.31.184, etc.). And since the satellites communicate on a random port every time they make contact, all ports should be open to those specific IPs.

So far so good.

My trouble now: this does not seem to work very stably. I am wondering what to do when the satellites change IP or a new satellite emerges?
Can anyone help me find the correct firewall settings for my Synology NAS without exposing the whole NAS to the world? Is there even a possibility to run a node AND a country-based IP filter at the same time?

This seems to be a NAS question and not StorJ related?

What port on your NAS do you want to open? This is more important. The only INCOMING port that you need to have open, and have a NAT rule for, will be 28967.

Your node needs to accept incoming traffic from customers. You need to allow all IPs to connect to your node's port, not just the satellites.

Ps. I edited the topic title to replace für with for to not dissuade people who don’t speak German from the topic, since your post is in English anyway. :wink:

I have of course the TCP 28967 port open for every IP. As I wrote, the node works fine, just until an update is performed and certain communication with the satellites is needed. That is where the error occurs.
I attached a screenshot of the Synology DSM firewall rules. As said, they are checked in order from top to bottom. As soon as a rule fits, checking is over.

Usually I thought it is okay when I grant all IPs coming in on the TCP 28967 port. So ALL communication of node-related stuff is granted (“zulassen”).

After that I can deny (“verweigern”) all other IPs. This is how the firewall is usually set up in a Synology DSM.
Now in the Synology forum we found out that the satellites need to synchronize time stamps etc. and they do it over a random port via UDP. So as you see in the picture, I also added those to be granted. Firewall and node worked fine, but again only until an update.

Maybe I am overlooking something here. Maybe it is just not possible to open your NAS to the world and close it to the world at the same time… :slight_smile:
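The ordering semantics described at the top of the thread (rules checked top to bottom, first match wins, “block all” at the end) and the rule table in the reply above (TCP 28967 from anywhere, UDP on any port from the listed satellite IPs, then deny everything else) can be modelled in a few lines. The following Python is an added example, not code from the thread, from Synology or from Storj. The rule table mirrors the poster's description; the only real addresses are the three satellite IPs quoted in the thread, used purely as sample sources; the other packet sources are constructed TEST-NET addresses, and the `default` parameter is an assumption standing in for the DSM “if no rule matches” setting. The satellite behaviour (UDP, random ports) is taken as the thread states it, not verified here.

```python
"""First-match firewall evaluation as described for the Synology DSM firewall.

Added example (not from the thread, Synology or Storj). Rule table mirrors the
poster's description; packet sources other than the three satellite IPs quoted
in the thread are constructed TEST-NET addresses.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = None  # wildcard for protocol, destination port or source


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" (zulassen) or "deny" (verweigern)
    proto: Optional[str] = ANY  # "tcp", "udp" or ANY
    port: Optional[int] = ANY   # destination port or ANY
    src: Optional[str] = ANY    # host or CIDR string, or ANY
    label: str = ""

    def matches(self, proto: str, port: int, src_ip: str) -> bool:
        if self.proto is not ANY and self.proto != proto:
            return False
        if self.port is not ANY and self.port != port:
            return False
        if self.src is not ANY and ip_address(src_ip) not in ip_network(self.src, strict=False):
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` would already match self."""
        if self.proto is not ANY and self.proto != other.proto:
            return False
        if self.port is not ANY and self.port != other.port:
            return False
        if self.src is not ANY:
            if other.src is ANY:
                return False
            if not ip_network(other.src, strict=False).subnet_of(ip_network(self.src, strict=False)):
                return False
        return True


def evaluate(rules: List[Rule], proto: str, port: int, src_ip: str,
             default: str = "deny") -> Tuple[str, str]:
    """Return (action, label) of the first rule that matches; DSM stops at the first hit.

    `default` is an assumption modelling the DSM "if no rule matches" setting; the
    poster's table ends with an explicit deny-all, so it only matters if that line is missing.
    """
    for rule in rules:
        if rule.matches(proto, port, src_ip):
            return rule.action, rule.label
    return default, "<no rule matched>"


def shadowed(rules: List[Rule]) -> List[str]:
    """Labels of rules that can never fire because an earlier rule already covers them."""
    return [rule.label for i, rule in enumerate(rules)
            if any(earlier.covers(rule) for earlier in rules[:i])]


SATELLITES = ["104.198.14.52", "35.236.124.230", "35.205.31.184"]  # quoted in the thread


def poster_rules() -> List[Rule]:
    """The rule table as the thread describes it, in DSM top-to-bottom order."""
    rules = [Rule("allow", "tcp", 28967, ANY, "node port from anywhere")]
    rules += [Rule("allow", "udp", ANY, ip, f"udp any port from satellite {ip}") for ip in SATELLITES]
    rules.append(Rule("deny", ANY, ANY, ANY, "deny everything else"))
    return rules


def demo() -> Dict[Tuple[str, int, str], Tuple[str, str]]:
    rules = poster_rules()
    samples = [
        ("tcp", 28967, "203.0.113.7"),    # constructed customer address reaching the node port
        ("udp", 41000, "104.198.14.52"),  # listed satellite on a random UDP port
        ("udp", 41000, "198.51.100.9"),   # constructed: a satellite address not in the list
        ("tcp", 5000, "203.0.113.7"),     # DSM web UI port from the internet
    ]
    return {s: evaluate(rules, *s) for s in samples}


if __name__ == "__main__":
    for (proto, port, src), (action, label) in demo().items():
        print(f"{proto}/{port} from {src:15} -> {action:5} ({label})")
    # Moving the deny-all line to the top shadows every rule below it.
    rules = poster_rules()
    print("shadowed when deny-all is first:", shadowed([rules[-1]] + rules[:-1]))
```

Running it shows the two points the thread turns on: a satellite address that is not in the list (the “new satellite” worry) falls through to the deny-all line, and DSM's own web port stays closed to the internet even though the node port is open to everyone. The `shadowed` check is the audit you want before saving a rule table: if the deny-all entry is anywhere but last, every rule beneath it is dead.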

I am sure to be assured you have a safe private NAS, and meanwhile an open storage node requires a separate machine in a DMZ…

I answer my own post as follows. It is possible to realize a closed firewall in the DSM of the Synology and meanwhile have it open for the Storj node.

The solution was found in the German Synology forum under
https://www.synology-forum.de/showthread.html?92657-Storj-Speicher-vermieten/page43&p=866990&viewfull=1#post866990

To be honest, I don’t see the point of leaving the firewall of the Synology turned on if your LAN is behind a NAT router. It only makes sense if there are people in your LAN you don’t trust.

Let’s call it a second line of defense. Most customers get equipped with a cheap router by the internet provider. There is always a chance of a security issue.

Another reason might be this: most router types do not support a lookup table of country-specific IPs. The Synology DSM does. It knows where the IP that wants to gain access to the NAS originates. As you know, there are several countries well known for hacker attacks. I surely can see in my firewall logs what country those are from…