Firewall for NAS

[jmichael]

Hello,

I'm using a QNAP 870 Pro. I need to allow non-local FTPS access to the device. The firewall interface provided in the NAS won't do this: the QNAP interface only seems to offer all-or-none per-IP range. So, to allow an IP range FTPS, I have to allow SSH and the web interface too. That's too risky, as I came to understand in another thread (and thanks again for the help there).

So, is there a recommended firewall solution?

• Even just a real iptables implementation would work I think.
• I don't think NAT/SPI or VPN is really necessary here (but maybe I'm wrong).
• Ideally we could handle 500 Mbps+.
• I know I can ssh to the device and use iptables, but I've gotten burned with this device as some changes made at the prompt revert when the device is rebooted -- it seems to load a system image from flash?
• The ZyWall 110 reviewed on SmallNetBuilder seems like it would do the job, but I'd rather not pay $350 if it can be helped. Our needs here are really simple.

Any thoughts would be sincerely appreciated.

 

[sinshiva]

Hello,

I hope I've posted this in the right place, if not I apologize.

I'm using a QNAP 870 Pro. I need to allow non-local FTPS access to the device. The firewall interface provided in the NAS won't do this: the QNAP interface only seems to offer all-or-none per-IP range. So, to allow an IP range FTPS, I have to allow SSH and the web interface too. That's too risky, as I came to understand in another thread (and thanks again for the help there).

So, is there a recommended firewall solution?

• Even just a real iptables implementation would work I think.
• I don't think NAT/SPI or VPN is really necessary here (but maybe I'm wrong).
• Ideally we could handle 500 Mbps+.
• I know I can ssh to the device and use iptables, but I've gotten burned with this device as some changes made at the prompt revert when the device is rebooted -- it seems to load a system image from flash?
• The ZyWall 110 reviewed on SmallNetBuilder seems like it would do the job, but I'd rather not pay $350 if it can be helped. Our needs here are really simple.

Any thoughts would be sincerely appreciated.

properly firewalling (half) gigabit doesn't come cheap. lesser firewalls such as soho routers require bypassing certain firewall features a la nat acceleration simply to achieve higher nat performance. you're probably on the right path with the firewall you linked unless somebody comes up with a better alternative.

 

[jmichael]

Thanks v. much sinshiva. Since I don't quite know what I'm doing, I appreciate the confirmation that at least this would be a reasonable option. I did hope that there was some sort of very simple, inexpensive firewall with high-throughput, but I guess (usually) you get what you pay for.

I'm temped to just go for the ZyWall which seems like a safe choice anyway. I realize it is inexpensive relative to the true enterprise grade devices (which easily cost $thousands)... just trying not to waste other people's money .

 

[thiggins]

What are you expecting the firewall to do? How are you connecting the QNAP to the internet?

 

[jmichael]

How are you connecting the QNAP to the internet?

It is connected via 10Gb ethernet with a routable IP. Nothing on our network is assigned private IPs.

I know the above goes against everything you (and others) so kindly taught me previously. So, I'm now using the QNAP iptables interface to limit access to the IPs in our netblock and enterprise VPN (this means that anyone accessing the box has been authenticated somewhere, with enforced antivirus policy, etc).

What are you expecting the firewall to do?

I need to expose some services (at least FTPS) more broadly. But, the QNAP firewall interface doesn't allow much granularity. As a concrete example, I need to allow access for some colleagues at a research station in Tanzania. I can allow their IP range, but not on a service-by-service basis. So, I cannot give FTP access without also exposing the QTS web interface and SSH, which I'm not willing to do. (I also suppose passive FTP will require some sort of stateful firewall, but nothing too complex.)

 

[thiggins]

But you must have something between the NAS and your ISP connection? I would apply port filtering there.

It sounds like you are just looking for basic service (port) access control and not UTM features.

No consumer or small-biz level router I know of has 10GbE.

 

[jmichael]

Thanks very much for your response.

But you must have something between the NAS and your ISP connection? I would apply port filtering there.

No, not that we control. From our point of view it is a direct connection. It's a big enterprise, and wouldn't be feasible to work at the gateway.

It sounds like you are just looking for basic service (port) access control and not UTM features.

Yes, though I couldn't find a firewall that would do only that. If the wisdom is that UTM is needed in this scenario, then the expense would be justified (my initial guess was that it isn't). Thus, the ZyWal seems a bit overkill, but was the least expensive device I could find that might not be a noticeable bottleneck (plus the review on this site, which I trust implicitly, seemed generally favorable).

No consumer or small-biz level router I know of has 10GbE.

Sorry, that's the LAN speed, but the port on the NAS is 1Gb. In practice the device maxes out about 90 MBps (700 Mbps) for encrypted transfers anyway (and that seems to be a CPU constraint).

 

[jmichael]

It does seem like something like the EdgeRouter Lite (reviewed on SmallNetBuilder) might do the job, and only costs about $90. if I understand correctly, it's a high-throughput router with a basic (not UTM)) firewall.

Any thoughts would be sincerely appreciated. I'm a bit afraid of the setup with this one as it seems there are many opportunities to get it wrong, but saving $300 (vs the ZyWall 110) would be nice.

 

[thiggins]

Actually, that's a good idea. But to reach its full flexibility you may need to use its command line interface.

They have added more features to the GUI since the review. Check the EdgeRouter Pro review for a more accurate look at current GUI capability.