How to enable the Software Firewall on a Synology DS 713+ running DSM 5.0-4458 or later

 
FYI: As of June 18, 2014, the latest DSM version on a Synology DS713+ is DSM 5.0-4493 Update 1.

The reason for this implementation is to have a successful firewall solution that protects our SHASS Synology users who have an MIT Kerberos username and password and access files from a machine in the MIT 18 IP range (or via MIT's VPN).

With your Synology running DSM 5.0-4458 or later, you can set the Synology's firewall to allow access to MIT users in the 18.0.0.0/8 address block but deny access to everyone else.

How to do this:
  
1) Log into the web management tool via port 5000 or 5001.
2) Go to Control Panel -> "Security" -> Select the "Firewall" Tab
3) Click Create.  The "Create Firewall Rules" window will come up
4) Ports -> All
5) Source IP -> Subnet
6) IP Address: 18.0.0.0
7) Subnet Mask: 255.0.0.0
8) Action -> Allow
9) Click OK
10) Click on the "Save" button right under the tabs. If you forget to save like I often do, and try to leave the page or close the window, the Synology will tell you "Changes are not saved. Are you sure you want to leave?" Click on "No" and make sure you save the setting. If you don't, you'll need to go back and recreate the setting all over again, then actually save.

IMPORTANT: To confirm that the setting is saved, you should see a line with the new firewall setting allowing in all traffic from the MIT 18.0.0.0 IPv4 range and the "Save" button should be grayed out and no longer click-able. If the "Save" button is clickable it means you didn't save yet. Remember to save after each change.
  

To make your Synology even more secure, you can (and should if possible) restrict the access even further:

  1. Wired connections from their building(s): 18.##.0.0, where ## is the specific subnet number for the building.
  2. Secure Wireless connections: 18.189.0.0
  3. VPN connections: 18.101.0.0 & 18.100.0.0

 

Now that we’ve allowed anyone from MIT to access the server it is time to deny access to everyone else.
  
1) At the bottom of the Control Panel -> Firewall window there should be a line that starts with "If no rules are matched"
2) Click on "Deny access".
3) Again, remember to save.  Fortunately if you attempt to navigate away or close the window without saving, it will let you know again that changes are not saved. If it helps, get in the habit of just clicking on the "Save" button whenever you make any change.
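
To sanity-check the policy before relying on it, here is an added example (not part of the original page): a small offline model of the rule list built in the steps above, where the first matching rule wins and otherwise the "If no rules are matched" action applies. The first-match ordering and the 255.255.0.0 masks on the narrower subnets are assumptions, and the sample source addresses are constructed.

```python
import ipaddress

# Rule exactly as entered in the steps above: (source IP, subnet mask, action).
BROAD_POLICY = [("18.0.0.0", "255.0.0.0", "allow")]

# Narrower variant. The page lists only the network addresses; the
# 255.255.0.0 masks are an assumption made for this example.
NARROW_POLICY = [
    ("18.189.0.0", "255.255.0.0", "allow"),  # secure wireless
    ("18.101.0.0", "255.255.0.0", "allow"),  # VPN
    ("18.100.0.0", "255.255.0.0", "allow"),  # VPN
]

DEFAULT_ACTION = "deny"  # "If no rules are matched" -> "Deny access"


def compile_rules(rules):
    """Turn (address, mask, action) tuples into (network, action) pairs."""
    compiled = []
    for address, mask, action in rules:
        # strict=True raises ValueError when the address has host bits set
        # for the given mask (e.g. 18.1.2.3 with 255.0.0.0), a common typo.
        network = ipaddress.ip_network(f"{address}/{mask}", strict=True)
        compiled.append((network, action))
    return compiled


def decide(source_ip, rules, default=DEFAULT_ACTION):
    """Return the action for source_ip: first match wins, else the default."""
    ip = ipaddress.ip_address(source_ip)
    for network, action in compile_rules(rules):
        # An IPv6 source can never match an IPv4 rule, so in this model
        # it always falls through to the default action.
        if ip.version == network.version and ip in network:
            return action
    return default


if __name__ == "__main__":
    # Constructed sample source addresses, not taken from any real host.
    samples = ["18.9.22.69", "18.189.4.10", "18.101.7.1",
               "192.0.2.55", "2001:db8::1"]
    for src in samples:
        print(f"{src:15} broad={decide(src, BROAD_POLICY):5} "
              f"narrow={decide(src, NARROW_POLICY)}")
```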
  

LAN 1 and LAN 2
   
If you've connected both Ethernet connections of your Synology to the Internet, you will need to apply these settings to the firewall settings of EACH Ethernet LAN card. At the tab level, on the far right side, you'll see a pull-down menu. Select LAN 1 or LAN 2 to configure the appropriate Ethernet card setting.
 
