11.3 hosts.allow wipes on reboot

Not a bug.

Feel free to create a new Suggestion ticket so it can be upvoted by community.

This isn't just an enterprise-level "application". Consumers do not always have the luxury of owning/affording/managing another system. Regardless, this is a bug, and should be addressed.

Prescribing how users use the system is beyond the scope of this bug.

> We strongly believe the NAS is not the right place to set up security measures, but in your own firewall.

A firewall is only going to be aware of the brute force attempts on itself, most will not be able to inspect Layer7 to tell you that someone is failing to connect to a downstream host repeatedly because of bad auth.

If allowing SSH inbound fail2ban or a hostlist of some kind is a great idea regardless of the destination hosts role. Ideally sure there would be a bastion host exposed to the internet that isn't the FreeNAS box. Someone could also set up an IDS/IPS on a span port but that's far beyond the scope of a SOHO user. 

For enterprise i agree, but most home firewalls (mine included) don't have this kind of feature sets.

Curious why proftpd requires it to be turned off, would it just require no proftpd items?

Thanks for the clarification.

We strongly believe the NAS is not the right place to set up security measures, but in your own firewall.

That said, we could transform this into a Suggestion for adding official support for Allow/Deny Hosts in the UI/API, but I dont really see it gaining much traction myself.