TOS 5.1 - Firewall

gimatech
Posts: 8
Joined: 13 Mar 2024, 06:23
France

TOS 5.1 - Firewall

Post by gimatech »

Hello,
I can't understand how the firewall works...
I am trying to setup Cloud Sync with my OneDrive account.
If I don't add any firewall rules everything works and synchronizes well.
If I add a single rule to only allow inbound connections from my local network 192.168.0.1 / 255.255.255.0, I still have access to my NAS, but no synchronization is possible with my OneDrive account... it is like outbound connections have been forbidden too! (I didn't activate the isolated mode, by the way.)
So how do I configure the firewall to access my NAS from my local network AND allow it to connect to the OneDrive account for synchronization?
Thanks for the help!
TMzethar
TerraMaster Team
Posts: 1223
Joined: 27 Oct 2020, 16:43

Re: TOS 5.1 - Firewall

Post by TMzethar »

In TOS5, when you set an allow rule, it will automatically disable other parts outside the allowed range.
You can try to confirm the IP address you need to connect to the cloud disk server and add an "allow" rule to allow connections to the cloud disk.
To contact our team, please send an email to the following addresses, and remember to replace (at) with @:
Technical team: support(at)terra-master.com (for technical support)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
gimatech
Posts: 8
Joined: 13 Mar 2024, 06:23
France

Re: TOS 5.1 - Firewall

Post by gimatech »

Thank you for your answer but as far as I know, the NAS is the client trying to connect somewhere on the internet (the OneDrive server)…
It is an outbound connection, and should not be blocked, as the firewall settings are for inbound connections only in the application.
And I can’t have the "IP address" of OneDrive… at best a domain name.
TMzethar
TerraMaster Team
Posts: 1223
Joined: 27 Oct 2020, 16:43

Re: TOS 5.1 - Firewall

Post by TMzethar »

What you said may be suitable for some usage scenarios.
Depending on the type of service and usage scenario, the server sometimes needs to be able to access the client to establish a connection.
gimatech
Posts: 8
Joined: 13 Mar 2024, 06:23
France

Re: TOS 5.1 - Firewall

Post by gimatech »

Let’s say you are right.
The client initiates a connection to the server… and the server initiates a new connection back to the client (I am pretty sure, as I am in the business, that’s not the case here). I need to open a port (probably not the 443) to allow the server to connect… and to whitelist its IP.
I can’t find any information about the port to open, so which one please?
I am quite sure that the outbound traffic is also blocked!

Or, please just tell me how to do the configuration I need, without having the IP of OneDrive, to allow this synchronization without having all the inbound connections open?

In addition, what is the difference between my config (only one rule allowing my private network) and the isolated mode?
Gremlin
Posts: 460
Joined: 02 Dec 2022, 22:31
Great Britain

Re: TOS 5.1 - Firewall

Post by Gremlin »

gimatech wrote: 13 Mar 2024, 22:51 as I am in the business
In that case, you should look at 'iptables' in the CLI. That will show you exactly how TM has set things up. (For clarity 'iptables -S' and 'iptables -L'). Frankly I don't see much point in 'firewalling' the NAS if it is open to LAN anyway. (Attacks are quite likely to come through local devices.) A good firewall on the LAN to protect that - and turn off UPnP on your router. :D Belt and braces is all very well but, as here, it can lead to all sorts of complexity when the designers and users have different ideology. Just my 2 cents.
F5-221 5.1.123, 8GB System Partition on 3 x 4TB Traid; 3TB EXT4
F2-221 TOS6 (Beta), 8GB System Partition on 2 x 6TB in Traid. (Latest Update 11/04/24)
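
An added example (not from the thread or from TerraMaster) of what to look for in the `iptables -S` output mentioned above: on Linux netfilter, replies to the NAS's own outbound connections arrive on the INPUT chain, so a default-drop INPUT chain with only a source-address allow rule and no ESTABLISHED accept also breaks outbound sync. The two sample rulesets are constructed for illustration and are an assumption about how such a configuration could look, not a dump of the rules TOS generates.

```shell
#!/bin/sh
# Audit `iptables -S` output (read on stdin) for the INPUT chain.
# Prints one verdict:
#   stateful        an ESTABLISHED accept precedes any catch-all drop
#   stateless-drop  unmatched packets are dropped and replies are not exempted
#   open            no drop policy and no catch-all drop rule
audit_input_chain() {
    awk '
    # Default policy line, e.g. "-P INPUT DROP"
    $1 == "-P" && $2 == "INPUT" { policy = $3 }
    $1 == "-A" && $2 == "INPUT" {
        # Reply packets are admitted only by a state/conntrack ACCEPT rule
        # that is evaluated before a catch-all DROP or REJECT.
        if (!catchall && $0 ~ /(--ctstate|--state) [A-Z,]*ESTABLISHED/ && $0 ~ /-j ACCEPT/)
            stateful = 1
        # An unconditional DROP/REJECT rule behaves like a drop policy.
        if ($0 ~ /^-A INPUT -j (DROP|REJECT)/) catchall = 1
    }
    END {
        if (stateful) print "stateful"
        else if (policy == "DROP" || catchall) print "stateless-drop"
        else print "open"
    }'
}

# Constructed sample: one "allow LAN" rule on a default-drop INPUT chain.
# Return traffic from an internet server matches no rule and is dropped.
SAMPLE_LAN_ONLY='-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT'

# Constructed sample: same policy, plus a stateful accept for reply packets.
SAMPLE_STATEFUL='-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT'

printf '%s\n' "$SAMPLE_LAN_ONLY" | audit_input_chain
printf '%s\n' "$SAMPLE_STATEFUL" | audit_input_chain
```

On the NAS itself the function would be fed real output with `iptables -S | audit_input_chain` (root required); a `stateless-drop` verdict is consistent with the symptom described in the first post.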
gimatech
Posts: 8
Joined: 13 Mar 2024, 06:23
France

Re: TOS 5.1 - Firewall

Post by gimatech »

Ok to go lower level using the cli if not possible using the user interface…
But in my opinion as this is a retail application, it is not normal to have to do it this way.
Even Windows has a complete UI to manage inbound and outbound rules of its firewall separately and with granularity…
Gremlin
Posts: 460
Joined: 02 Dec 2022, 22:31
Great Britain

Re: TOS 5.1 - Firewall

Post by Gremlin »

I wasn't suggesting using the cli for creation of firewall rules in this case. Just so that you can see how TM are using it.
gimatech
Posts: 8
Joined: 13 Mar 2024, 06:23
France

Re: TOS 5.1 - Firewall

Post by gimatech »

I am sorry if I misunderstood your point.
TMzethar
TerraMaster Team
Posts: 1223
Joined: 27 Oct 2020, 16:43

Re: TOS 5.1 - Firewall

Post by TMzethar »

gimatech wrote: 14 Mar 2024, 00:01
The firewall used by TOS does not distinguish between entry and exit stations.
Your firewall configuration is consistent with the firewall rules automatically created by the security isolation mode.
We are currently unable to provide information regarding the port and server IP for OneDrive.