- There is a bug in the firewall of the DSM when using multiple ports at the same time (LAN1 and LAN2).
- Instead of using a different CHAIN for the 2 network ports they both share the INPUT chain, which means you cannot allow a certain port on the IP of LAN1 but block it on LAN2 (different IP).
- On top of that, if you set the firewall to "If no rules are matched Deny Access" on LAN1, the "DROP ALL" rule is INSERTED before the rules from LAN2, resulting in all the rules for LAN2 being useless since traffic is already dropped before it reaches them.
- I suggest this is solved by giving LAN1 and LAN2 their own chain; that way you can set specific ports for specific IPs (if you have different IPs for LAN1 and LAN2) and it would also be possible to properly use the drop all.
- Clarification: I want all my web/public services running on an external IP on LAN1, thus blocking SSH etc. on that port, and on LAN2 a different external IP is used for backend services like SSH etc.
- The above creates a security risk, since if you want the rules for LAN2 to be properly working you will have to set LAN1 to "allow everything if no rules match", which will again be inserted before the rules from LAN2, basically setting the whole system wide open.
- For now I'm using a BOND on LAN1&2, but this is just a temporary solution to minimise the security risk.
- Please have this fixed as soon as possible.
- Thank you
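To make the ordering problem above concrete, here is a small model of iptables first-match evaluation (added here as an example; it is not part of the original post or of DSM). It builds the shared-INPUT layout described in the report, the "allow everything if no rules match" workaround, and the suggested per-interface chains, then runs the same four probe packets through each. Interface names (eth0/eth1), the two addresses (203.0.113.10 and 203.0.113.20) and the chain names LAN1_IN/LAN2_IN are constructed for the example.

```python
"""Model of iptables first-match evaluation, used to show why a shared INPUT
chain breaks per-interface rules and how per-interface chains fix it.
Interface names, IPs, ports and chain names below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

LAN1_IP = "203.0.113.10"   # constructed: eth0, public web services
LAN2_IP = "203.0.113.20"   # constructed: eth1, backend services (SSH)


@dataclass(frozen=True)
class Packet:
    iface: str    # ingress interface, e.g. "eth0"
    dst: str      # destination IP
    dport: int    # destination TCP port


@dataclass(frozen=True)
class Rule:
    target: str                   # "ACCEPT", "DROP" or a user-defined chain
    iface: Optional[str] = None   # -i <iface>,  None = any interface
    dst: Optional[str] = None     # -d <ip>,     None = any address
    dport: Optional[int] = None   # --dport <n>, None = any port

    def matches(self, pkt: Packet) -> bool:
        return ((self.iface is None or self.iface == pkt.iface)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


Chains = Dict[str, List[Rule]]


def evaluate(chains: Chains, pkt: Packet, chain: str = "INPUT",
             policy: Optional[str] = "ACCEPT") -> Optional[str]:
    """Walk a chain top to bottom; the first matching terminal rule wins.
    A jump into a user chain that matches nothing behaves like RETURN."""
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        verdict = evaluate(chains, pkt, rule.target, policy=None)
        if verdict is not None:
            return verdict
    return policy   # built-in chain: its policy; user chain: None (RETURN)


def shared_input(deny_unmatched: bool = True) -> Chains:
    """Layout from the report: both ports' rules live in INPUT, and LAN1's
    "deny if no rule matched" catch-all is inserted ahead of LAN2's rules."""
    rules = [Rule("ACCEPT", dst=LAN1_IP, dport=80),
             Rule("ACCEPT", dst=LAN1_IP, dport=443)]
    if deny_unmatched:
        rules.append(Rule("DROP"))                  # interface-agnostic catch-all
    rules.append(Rule("ACCEPT", dst=LAN2_IP, dport=22))   # shadowed by the DROP
    return {"INPUT": rules}


def per_interface() -> Chains:
    """Suggested layout: INPUT only dispatches on ingress interface; each
    interface chain carries its own rules and its own catch-all."""
    return {
        "INPUT": [Rule("LAN1_IN", iface="eth0"), Rule("LAN2_IN", iface="eth1")],
        "LAN1_IN": [Rule("ACCEPT", dport=80), Rule("ACCEPT", dport=443), Rule("DROP")],
        "LAN2_IN": [Rule("ACCEPT", dport=22), Rule("DROP")],
    }


def as_iptables(chains: Chains) -> List[str]:
    """Render the model as iptables commands (for reading, not executed here)."""
    cmds = [f"iptables -N {name}" for name in chains if name != "INPUT"]
    for name, rules in chains.items():
        for r in rules:
            parts = [f"iptables -A {name}"]
            if r.iface:
                parts.append(f"-i {r.iface}")
            if r.dst:
                parts.append(f"-d {r.dst}")
            if r.dport:
                parts.append(f"-p tcp --dport {r.dport}")
            parts.append(f"-j {r.target}")
            cmds.append(" ".join(parts))
    return cmds


# Constructed probes: web and SSH arriving on each interface.
PROBES = [
    Packet("eth0", LAN1_IP, 80),   # public web on LAN1: want ACCEPT
    Packet("eth0", LAN1_IP, 22),   # SSH on LAN1:        want DROP
    Packet("eth1", LAN2_IP, 22),   # SSH on LAN2:        want ACCEPT
    Packet("eth1", LAN2_IP, 80),   # web on LAN2:        want DROP
]


def verdicts(chains: Chains) -> List[str]:
    return [evaluate(chains, p) for p in PROBES]


if __name__ == "__main__":
    print("shared INPUT, deny unmatched:  ", verdicts(shared_input()))
    print("shared INPUT, allow unmatched: ", verdicts(shared_input(False)))
    print("per-interface chains:          ", verdicts(per_interface()))
    print("\n".join(as_iptables(per_interface())))
```

The first run shows LAN2's SSH rule never being reached (all four verdicts after the web rule are DROP), the second shows the workaround leaving SSH open on LAN1 as well, and the third shows that dispatching on `-i` into a per-interface chain gives each port its own catch-all without shadowing the other's rules.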
Posted by a guest, Apr 10th, 2012