[Help] I cannot get Firewall working on TOS 6 F4-424 pro

Topics related to system security only
User avatar
EriChan
TM Support
Posts: 196
Joined: 06 Jan 2026, 12:27
United States of America

Re: [Help] I cannot get Firewall working on TOS 6 F4-424 pro

Post by EriChan »

jwhitejr wrote: 25 Apr 2026, 06:32
Thanks for providing the detailed screenshots and feedback. We completely understand your concerns, the current configuration logic indeed seems unintuitive.

1. The Issue: Stateless vs Stateful
In your commonly used ufw, the firewall is typically "stateful," automatically tracking ESTABLISHED connections. That is: if you actively initiate an outbound request (such as pinging Google or checking for updates), the firewall will automatically allow the corresponding response packets.
In the existing logic of the TOS firewall, it currently operates in stateless mode. When you set "Incoming: All - Deny":
  • It not only blocks external attacks.
  • It also indiscriminately blocks response packets to requests you initiated.
  • Since the IPs for CDN (system updates), DNS, and NTP services are dynamic or widely distributed, once Deny All is enabled, your NAS essentially becomes a "local area network island".
2. Why Do Tailscale and Docker Stop Working?
Your rules currently only allow the physical LAN segment (192.168.4.0/22), but:
  • Tailscale uses a virtual subnet (typically 100.64.0.0/10) and relies on UDP handshakes.
  • Docker containers communicate through bridge networks (such as 172.17.0.0/16).
Faced with Deny All, these virtual traffic flows are dropped immediately upon reaching the network interface because they don't match your physical LAN rules.

Recommended Optimization Strategy

To balance security and usability, it's recommended that you adjust your firewall approach, moving from "full IP blocking" to "critical port protection":

Option A: Change "Deny All" to "Deny Specific Sensitive Ports" (Recommended)
Remove the Deny All Incoming at the end and instead deny common high-risk ports for All IPs. This can both prevent external scanning and infiltration, and won't affect internet connections actively initiated by your NAS (such as system updates).

Option B: Manually Complete the "Return Path"
If you insist on using Deny All, you must add the following rules above it:
  • Allow Tailscale: 100.64.0.0 / 255.192.0.0 (please adjust according to your actual situation)
  • Allow Docker: 172.17.0.0 / 255.255.0.0 (please adjust according to your actual situation)
  • Allow DNS Responses: UDP 53 (from All IP)
Your feedback is very valuable. We have communicated this issue as a high-priority requirement to the product team to prevent similar situations from occurring.
User avatar
nikolasalexander1
Posts: 3
Joined: 26 Jun 2026, 08:25
United States of America

Re: [Help] I cannot get Firewall working on TOS 6 F4-424 pro

Post by nikolasalexander1 »

When applying a "deny all" rule at the end, you need to explicitly allow established and related connections first, otherwise returning traffic from internet requests gets blocked. For Tailscale, make sure you have allowed the specific UDP ports (like 41641) and the Tailscale subnet interface before the final drop rule.
Post Reply

Return to “Security”