Allow my NAS to go only to one place?



  • G'afternoon to all you lovers of the greatest firewall in the world  ;D

    Could I ask a question, because I am stuck  :-[

    I have a Synology NAS on which Sabnzbd is installed (usenet). As the NAS also contains private information, I want to keep some control over what kind of 'phone home' and other kinds of connections this machine is making. So ideally I want to block any outbound connections to anywhere from the NAS, except for the connection that Sabnzbd makes to the usenet provider I use.

    So it worked for a while:

    • On the LAN-interface I add a rule to allow out to the usenet provider (I used an Alias, type 'hosts', and added the domain name in there. The corresponding table for this alias showed the correct IP, so this worked).
    • The next LAN-rule was then to block all outgoing access from the NAS.
    • So given rules are processed top-down: yes, you may go to the usenet provider (rule1) but nowhere else (rule2).

    However, after some hours this stops, and the logs show that the NAS wants to go to 192.168.1.1:53 UDP. I take it this does have to do with the usenet process, but what is happening here I don't understand. The Alias table is still filled with the right usenet-provider-IP, so it should know where it is going.

    I looked into the DNS Forwarder service, and added a 'host override' for the usenet provider with its IP address, but for sure that was a stupid idea as this doesn't change anything  :P

    Would anybody be willing to tell me what I am doing wrong/how I can achieve what I want? I'm in your debt for that  ;D

    Thank you in advance,

    Bye,

    EDIT: I forgot: I also used the Packet Capture to see if the IP address was correct; it was; Sabnzbd only wants to connect to the IP address in the Alias table (that pfSense derived itself). I just ran it again: now, from the NAS, the packet capture only shows the same DNS requests to port 53, and then 'UDP port unreachable'.


  • LAYER 8 Global Moderator

    so application wants to go to www.somewhere.com – how do you think that application is going to look up what IP that is if you do not allow dns (udp/tcp 53)?

    before your deny all rule, allow this host to talk to your pfsense IP on tcp/udp 53 -- then it can ask pfsense hey what's the ip address of www.something.com..  Once it has the IP, it will try and go there.  Then pfsense will look in the rules to see if that IP is in your allow alias; if not then it would be blocked.

    But your application is never even going to try to go where it wants to go if it can not find the IP address for it.  Your other option if you really don't want the box to even lookup stuff would be to create a host file on the machine that resolves the FQDN (fully qualified domain name) it is trying to look up to access your usenet provider.

    It's great you created a record on pfsense to resolve something via override - but you're not even allowing your client to ask pfsense what that is if you do not allow udp/tcp 53 to pfsense.
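    The rule order described above, written out as the pf ruleset equivalent of the three LAN rules (an added example, not from the thread or from pfSense itself; the NAS address 192.168.1.50, the interface name igb1, the provider hostname news.example.net and the NNTP ports 119/563 are assumed, while 192.168.1.1 is the pfSense LAN address seen in the log):

```pf
# Added example: pf equivalent of the three LAN rules discussed in the thread.
# Assumed values: NAS address, LAN interface, provider hostname and NNTP ports.
lan_if  = "igb1"
nas     = "192.168.1.50"      # the Synology NAS (assumed)
pfs_lan = "192.168.1.1"       # pfSense LAN address, as seen in the firewall log

# Hostname alias: pf resolves the name when the ruleset loads; on pfSense the
# filterdns process keeps the table refreshed if the provider's address changes.
table <usenet_provider> { news.example.net }

# Rule 1: let the NAS ask pfSense's DNS forwarder/resolver for names.
# Without this the NAS never learns the provider's IP, so rule 2 never matches.
pass in quick on $lan_if proto { tcp udp } from $nas to $pfs_lan port 53

# Rule 2: let Sabnzbd reach the provider (NNTP and NNTPS; adjust to your ports).
pass in quick on $lan_if proto tcp from $nas to <usenet_provider> port { 119 563 }

# Rule 3: everything else from the NAS is dropped and logged.
block in log quick on $lan_if from $nas to any
```

    After loading, the firewall log should show the NAS's port 53 traffic matching rule 1 instead of the block rule.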



  • @johnpoz:

    so application wants to go to www.somewhere.com – how do you think that application is going to look up what IP that is if you do not allow dns (udp/tcp 53)?

    before your deny all rule, allow this host to talk to your pfsense IP on tcp/udp 53 -- then it can ask pfsense hey what's the ip address of www.something.com..  Once it has the IP, it will try and go there.  Then pfsense will look in the rules to see if that IP is in your allow alias; if not then it would be blocked.

    But your application is never even going to try to go where it wants to go if it can not find the IP address for it.  Your other option if you really don't want the box to even lookup stuff would be to create a host file on the machine that resolves the FQDN (fully qualified domain name) it is trying to look up to access your usenet provider.

    It's great you created a record on pfsense to resolve something via override - but you're not even allowing your client to ask pfsense what that is if you do not allow udp/tcp 53 to pfsense.

    You, sir, thank you very much for this help  ;D

    What you write makes perfect sense, and I feel - once again  :P - a noob for not having thought about this myself.

    So, thank you again, I will try it out immediately but I have no doubt this will work  :D

