Firewall and NTP issue

Tell us your most wanted new features, or recommendation.
Revamp
Posts: 31
Joined: 27 Aug 2023, 21:37

Firewall and NTP issue

Post by Revamp »

Hello All,

I need NTP to run normally. I find that when I log on, the NAS is sometimes an hour out, or even 6 hours out after a week of uptime.

I have set up two Firewall rules, these to isolate my NAS from the internet and to allow external access for the time sync function (NTP).

Isolation mode off..
NTP service not running (that is server service not enabled and not required).

1. First rule.. Set internal LAN access only..
Allow all protocols and an INTERNAL LAN IP RANGE (range inclusive of the NAS IP) which is just outside my DHCP reservation pool, as I have set a manual static IP for the No1 RJ45 interface. This works fine...

2. Second rule.. NTP..
Allow all IPs (as I don't know or can't find the IP listing that is static enough for the Europe NTP), set UDP protocol only, allow 1 port of "123" only.

The above rule 2 should allow the unit to remain isolated but allow traffic from whatever IP for UDP on port 123 for the basic NTP function once you hit the time update button. (Not to be confused with the NTP service, which I believe is to allow the NAS to be the NTP sync server for other devices on the LAN; I don't need this.)

This fails but only after a long time out, which takes longer than normal to fail so I believe it is trying.

So I don't know if I am doing something wrong with the rules here or my question for the TM staff is..

Have you changed the standard port number for the NTP function to a different port number?

Any direction much appreciated..

Revamp
F4-423 (24/08/2023)
20GB
2 x M.2 SSD NVMe 500GB 970 EVO Plus
(1 For TOS5 Boot and Apps - 1 For Hyper Cache) with a custom fabricated heatsink (L shaped) to cover both
4 x 1TB IronWolf in TRAID
TOS 5.1.67 + @current
TOS Language - English
TMzethar
TerraMaster Team
Posts: 1280
Joined: 27 Oct 2020, 16:43

Re: Firewall and NTP issue

Post by TMzethar »

Hi, there can only be one scope "allow" rule. When you set "Allow", the non-allowed parts will be blocked.
To contact our team, please send email to following addresses, remember to replace (at) with @:
Technical team: support(at)terra-master.com (for technical support)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
Revamp
Posts: 31
Joined: 27 Aug 2023, 21:37

Re: Firewall and NTP issue

Post by Revamp »

@TMzethar

Hi, thanks for your response..

So the answer would be to find several NTP IP ranges to include in the original first rule for time syncing?

Is the above correct or not?

TIA..

Revamp..
TMzethar
TerraMaster Team
Posts: 1280
Joined: 27 Oct 2020, 16:43

Re: Firewall and NTP issue

Post by TMzethar »

Yes. But there may be difficulties in setting up this, and you can also consider using the 'prohibit' rule to disable unnecessary ranges.
Revamp
Posts: 31
Joined: 27 Aug 2023, 21:37

Re: Firewall and NTP issue

Post by Revamp »

@TMzethar

Morning, I'm a little confused..

Deny: this requires lots of knowledge on IP ranges and ports that you need to know to do this. Surely it is better to deny all and set allow (much safer for a noobie like me). This is the logic I have implemented.

As there are not any examples given and limited documentation on your firewall, even after searching, is the Firewall on by default or off by default? Some systems deny (block all) and you have to allow, but other systems allow all and you have to block. Which way is it with your system? In other words, can you confirm which way TOS5's Firewall works out of the box (without any rules written in it)?

If you have any decent documentation and examples on how best to implement TOS5's Firewall rules I would much appreciate it.

TIA for your answers on this.
Revamp
TMwuu
TerraMaster Team
Posts: 142
Joined: 13 Jun 2022, 16:57

Re: Firewall and NTP issue

Post by TMwuu »

@Revamp
For related instructions, you can check this link: https://help.terra-master.com/TOS5/view ... g/Security
Revamp
Posts: 31
Joined: 27 Aug 2023, 21:37

Re: Firewall and NTP issue

Post by Revamp »

@TMwuu

Hello,

Thank you for your pointer and listed page post.

However, as I have already said in my previous post, I have read this limited instructional page and it does not help!

The firewall has limited entry capability and does not state anywhere that you can only have one allow rule!

Logic dictates that it is fully open, but that is bad to assume because you can have a special config set to allow administration and necessary core services to run (punch holes) while blocking all else. Who knows what you have configured.

So the default action is that we have to deny everything, but that's not the case, is it?

When I isolate the system from the internet time slips very badly on my F4 423..

Ok seeing that you are not going to answer properly, any of my previous questions.

Can you please tell me how to setup the firewall to allow and accept an NTP pool while only allowing a select list of private IP address to access the unit?

So say..

LAN only.... (31 IP addresses)
Allow:
Protocol: UDP, TCP, ICMP.
Ports: ALL
IP: 192.168.1.99, 192.168.1.130

This has the effect of locking out everything except the small IP range as above.

NTP...
Allow:
Protocol: UDP
Ports: 123
IP: 0.europe.pool.ntp.org

So how do we implement the above, as it is a host name for a pool of fluctuating IPs and we can only have 1 allow rule?

I would love to have a PM on this if you can't say it on an open forum.

TIA

Revamp.
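A way to check the NTP half of the rule set above from the client side, as an added example that is not part of this thread or of TOS: a small SNTP probe that resolves the pool name to the addresses it currently returns, sends one client request on UDP/123 to each, and reports the clock offset and round-trip delay. A timeout on every address means the request or its reply is not getting through the firewall, while a sane offset means the rule works. It assumes a host with Python 3 and DNS resolution on the same rule set; `make_reply` fabricates a server reply only so the parser can be exercised offline.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)

def ntp_to_unix(secs: int, frac: int) -> float:
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)

def unix_to_ntp(t: float) -> bytes:
    secs = int(t)
    return struct.pack("!2I", secs + NTP_EPOCH_OFFSET, int((t - secs) * (1 << 32)))

def build_request(t1: float) -> bytes:
    # 48-byte client packet: LI=0, VN=4, Mode=3, zeros, then the transmit timestamp
    return struct.pack("!B39x", 0x23) + unix_to_ntp(t1)

def make_reply(server_time: float, stratum: int = 2) -> bytes:
    # Constructed Mode-4 server reply for offline testing: receive and transmit = server_time
    header = bytes([0x24, stratum, 6, 0xEC]) + b"\0" * 12  # poll, precision, root delay/disp, ref id
    return header + b"\0" * 16 + unix_to_ntp(server_time) * 2  # reference/originate left zero

def parse_reply(packet: bytes, t1: float, t4: float) -> dict:
    """Offset and round-trip delay per RFC 5905 (t1/t4 client send/receive, t2/t3 server)."""
    if len(packet) < 48 or packet[0] & 0x07 != 4:
        raise ValueError("not an NTP server reply")
    if packet[0] >> 6 == 3 or packet[1] == 0:
        raise ValueError("server unsynchronised (LI=3 or stratum 0 / kiss-o'-death)")
    ts = struct.unpack("!8I", packet[16:48])  # reference, originate, receive, transmit
    t2, t3 = ntp_to_unix(ts[4], ts[5]), ntp_to_unix(ts[6], ts[7])
    return {"stratum": packet[1], "offset": ((t2 - t1) + (t3 - t4)) / 2,
            "delay": (t4 - t1) - (t3 - t2)}

def probe(host: str, timeout: float = 3.0) -> list:
    """Query each IPv4 address the pool name currently resolves to; a timeout on every
    address means the UDP/123 request or its reply is not getting through the firewall."""
    results = []
    for ip in sorted({a[4][0] for a in socket.getaddrinfo(host, 123, socket.AF_INET, socket.SOCK_DGRAM)}):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            t1 = time.time()
            try:
                s.sendto(build_request(t1), (ip, 123))
                data, _ = s.recvfrom(512)
                results.append((ip, parse_reply(data, t1, time.time())))
            except (OSError, ValueError) as e:  # OSError covers socket.timeout
                results.append((ip, f"failed: {e}"))
    return results
```

Run `probe("0.europe.pool.ntp.org")` a few times and the changing address list shows why a single static IP allow rule cannot pin the pool down.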
titanrx8
Posts: 222
Joined: 17 Jul 2020, 06:17

Re: Firewall and NTP issue

Post by titanrx8 »

@TMwuu
Revamp wrote: 29 Sep 2023, 20:17
Not sure if this will work for you but before TM created security isolation mode I wrote many firewall rules like yours above. Try turning off security isolation mode and just writing your own firewall rules. Ntp probably has a block of a range of IP addresses that you can look up and write rules for a few of them.
Revamp
Posts: 31
Joined: 27 Aug 2023, 21:37

Re: Firewall and NTP issue

Post by Revamp »

@titanrx8

Hi, thank you for your input and suggestion..

I think that's the way I will have to go; I have looked this up on Opensource.com. If you are not comfortable with openly sharing, would it be possible with a PM to provide a copy of your script, if you still have the code to hand?

I could configure it to suit and it would save me a royal headache and lots of time, as I am soak testing this unit at the moment, so there is no data on the drives and will not be until I am happy with its configuration and testing. Because there is no verbose detailed information, instructions or examples, so far I have bricked the unit 4 times and had to rebuild it testing different rules and orders to get a feel of how TM's (GUI) FW works.

I'm constructing my new internal network with 3 VLANs (Personal - IoT - Guest on pfSense with specific logging) but until all the hardware is in place, I want to protect the unit from an internal attack via other users' devices punching from inside the paper bag, so to speak. Having a large fibre pipe in the country is like a honeypot for our friends and their devices... :D I don't feel comfortable or confident using the guest facility on my router either.

If you feel uncomfortable sharing any script or setup as a head start then I totally understand.. No worries..

And again thanks for your response.

TIA
Revamp
titanrx8
Posts: 222
Joined: 17 Jul 2020, 06:17

Re: Firewall and NTP issue

Post by titanrx8 »

Revamp wrote: 01 Oct 2023, 19:25
I would certainly share it if I still had it. Sorry. I added a hardware firewall to my network 2 years ago and subsequent TOS updates have blown away my rules. I do remember that because of my VPN the rules were pretty simple. First I allowed all local IP addresses so I wouldn't lock myself out. Then I added a block to all non-local traffic. Then I selectively added IPs that I would allow. Since I don't run apps on the NAS units I only needed a few specific external sites, i.e. my cloud backup service, NTP, VPN service.

Once all that was sorted I added reserved IPs for secure local devices, i.e. PCs that were always behind the secure firewall, and the firewall was enforcing specific white lists for the device. Then all the non-secure local devices like IP cameras were blocked from local communication with the NAS servers.

It wasn't that difficult and needed only about 6 rules and worked well. What I disliked and caused me to add the network firewall was that the TOS firewall rules were executed later in the boot cycle and the TOS machines were doing outbound calls before the firewall rules were in force. This wouldn't be an issue if you leave the TOS systems powered up 100% but I run daily power cycles on the TOS units and felt that the outbound calls presented a greater risk than I would tolerate.