Please enable configuration and management of a host firewall in TrueNAS. Users wish to have the flexibility to use the IP packet filter functionality in FreeBSD to configure host security policy at the network level. Users' use cases differ, and for many users the ability to specify with some granularity who may talk to the NAS holding sensitive data, via the management interface or exposed services, will make TrueNAS a better fit in some environments than it can be today.
For my use case, I wish to restrict access to the administrative interface of TrueNAS (443/tcp) to a given privileged VLAN or to a series of locked-down jumphosts. I wish to allow access to exposed storage services from only select LAN user subnets. I wish to expose other services on TrueNAS to other network clients, but to be more specific about the allowed sources that can communicate with those services, and to enable advanced features such as scrubbing traffic from some sources or rate limiting connections. Currently, implementing access control through each service's own access control list configuration is error prone and inconsistent. In many environments, the most suitable configuration for this is achieved with IP access control lists.
Some users suggest that the best way to secure a NAS is not to host it on the internet. This goes without saying. Even devices on private, internal networks are subject to attack from malicious inside users and from attackers who have gained access to the network and move laterally to find and then exfiltrate or encrypt data on other internal devices. Others have suggested that the role of a firewall is different from the role of a NAS and therefore a packet filter need not be configured on a NAS. This is an illogical argument given that nearly all types of devices running a commonplace operating system today expose a packet filter regardless of their role. The lack of this feature in TrueNAS is unexpected and leaves a gap for many.
FreeBSD provides both ipfw and PF firewalls out of the box. On TrueNAS a default ipfw policy is already loaded (a single allow-all rule), while pfctl -sr prints no PF rules:
uname -a
FreeBSD nas 12.2-RELEASE-p9 FreeBSD 12.2-RELEASE-p9 2ee62d665f0(HEAD) TRUENAS amd64
sudo ipfw show
65535 468808050 442458652382 allow ip from any to any
sudo pfctl -sr
It would be helpful to have an interface in the management UI to manage the ruleset for one of these packet filters. The default ipfw policy is already present and operational. Users who do not benefit from this can continue to run the defaults, and other users could then use this feature as needed.
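As an added example of what the requested feature would have to express, here is a PF ruleset (pf.conf) implementing the policy described above: management UI reachable only from a privileged VLAN and a pair of jumphosts, storage services reachable only from selected user subnets, fragment scrubbing, and a per-source connection-rate limit on the UI. This is illustrative code written for this page, not a ruleset shipped by TrueNAS or iXsystems; the interface name, addresses and service ports are assumptions and must be replaced before use.

```pf
# Added example (not from the original request): a PF ruleset for the
# policy described above. Interface name, addresses and service ports are
# assumptions; replace them with your own before loading.

ext_if        = "vmx0"                  # assumed NIC carrying all traffic
mgmt_ports    = "{ 443 }"               # TrueNAS web UI; add 22 if SSH is enabled
storage_ports = "{ 445, 2049, 3260 }"   # assumed: SMB, NFSv4, iSCSI (NFSv3 also needs rpcbind/mountd)

# Sources allowed to reach the management UI: privileged VLAN plus jumphosts
table <mgmt_admins> const { 10.0.10.0/24, 10.0.99.11, 10.0.99.12 }
# LAN user subnets allowed to reach storage services
table <storage_clients> const { 10.0.20.0/24, 10.0.21.0/24 }
# Filled at runtime by the overload rule below; persists across ruleset reloads
table <bruteforce> persist

set skip on lo0
set block-policy drop

# Reassemble fragments before the stack or any rule sees them
scrub in on $ext_if all fragment reassemble

# Default deny inbound; the NAS itself (AD, DNS, NTP, updates) may talk out
block in log on $ext_if all
pass out on $ext_if all keep state

# Sources that tripped the connection-rate limit are dropped before anything else
block in quick on $ext_if from <bruteforce> to any

# Management: admins only, and at most 10 new connections per 5 seconds from
# one source; offenders are added to <bruteforce> and lose their existing state
pass in quick on $ext_if proto tcp from <mgmt_admins> to ($ext_if) \
    port $mgmt_ports flags S/SA keep state \
    (max-src-conn-rate 10/5, overload <bruteforce> flush global)

# Storage: only the listed user subnets
pass in on $ext_if proto tcp from <storage_clients> to ($ext_if) \
    port $storage_ports flags S/SA keep state

# Let clients and monitoring ping the NAS
pass in on $ext_if inet proto icmp from <storage_clients> to ($ext_if) \
    icmp-type echoreq keep state
```

Before loading, put the subnet you are administering from into <mgmt_admins>, otherwise the default-deny rule locks you out of the very UI the request is about. Parse without loading with `pfctl -nf pf.conf`, then enable and load with `pfctl -ef pf.conf`; `pfctl -sr` (the command that printed nothing above) should now list the rules, and `pfctl -t bruteforce -T show` reveals any source that hit the rate limit. The existing allow-all ipfw rule does not interfere: when both filters are loaded each one gets to drop the packet, so PF's block stands. Since PF is not managed by the TrueNAS UI, the operator is responsible for reloading the ruleset after a reboot or upgrade, which is exactly the gap this request asks to close.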
Activity
Kris Moore
July 18, 2024 at 5:55 PM
Thank you for submitting this feature request! To better accommodate and gauge community interest for future versions of TrueNAS we have moved the submission process to our TrueNAS Community Forums. If this feature is still important and relevant for consideration, please refer to the links below on how to submit it for community voting and TrueNAS roadmap review.