Forum Discussion
Jaap_van_Ekris
Jun 10, 2012 (Aspirant)
Is the firewall on the ReadyNAS far below acceptable level?
Hi All,
I'm installing a ReadyNAS Pro 6, that will have "some" connections to the outside world. Given that this essentially is a Linux box, and SSH access is possible, I figured it had some decent firewalling on board. Since company policies dictate that every file server should protect its own assets through several layers (firewalling being a mandatory one), the ReadyNAS would be a decent solution.
To my surprise I found out that the iptables implementation is done in an extremely bad manner. The following options are completely missing in the iptables options:
- -m state --state RELATED,ESTABLISHED
- -m limit --limit 1/min
- -m mac --mac-source
- -j LOG
Basically you end up statelessly filtering IP numbers and ports without any intelligent limits or state, and with no way of logging exceptions. This is far below the acceptable level for a system that is on an internal network, and outright unacceptable for a system that has any open port to the internet.
Is there any way to enable these options (AFAIK, these are kernel-compiled options, and I'm not in the business of correcting major errors of suppliers by rebuilding the darn thing)? I mean, there are other people using these things for FTP, WordPress, etc., also openly connected to the internet. I can't believe I am the only one dealing with this issue?
Jaap
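As an added example that is not part of the original post or of NETGEAR's firmware: a small POSIX shell script that reports which of the four listed extensions (the state, limit and mac matches and the LOG target) the running kernel actually exposes, using the extension lists that x_tables kernels publish under /proc/net, and that prints the kind of default-deny, stateful, rate-limited, logging INPUT chain the post is asking for. The 192.0.2.0/24 admin network, the MAC address and the overridable file paths are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from NETGEAR. Reports which of the
# four extensions the post lists are absent from the running kernel, and prints the
# stateful, rate-limited, logging ruleset the post is asking for.

# x_tables kernels list the available match and target extensions here (the files
# appear once the ip_tables module is loaded). Overridable for testing.
MATCHES_FILE="${MATCHES_FILE:-/proc/net/ip_tables_matches}"
TARGETS_FILE="${TARGETS_FILE:-/proc/net/ip_tables_targets}"

# missing_features MATCHES_FILE TARGETS_FILE
# Prints each required extension that is absent, one per line ("match:NAME" or
# "target:NAME"). Returns 0 when nothing is missing, 1 otherwise.
missing_features() {
    matches=$1; targets=$2; rc=0
    for m in state limit mac; do
        grep -qx "$m" "$matches" 2>/dev/null || { echo "match:$m"; rc=1; }
    done
    grep -qx LOG "$targets" 2>/dev/null || { echo "target:LOG"; rc=1; }
    return $rc
}

# print_ruleset ADMIN_CIDR ADMIN_MAC
# Default-deny INPUT chain for a NAS that exposes only SSH, and only to one admin
# network / workstation. The CIDR and MAC passed in are constructed placeholders.
print_ruleset() {
    admin_net=$1; admin_mac=$2
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections the NAS opened, plus related ones (e.g. FTP data channel)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# New SSH sessions: admin subnet only, same-segment MAC check, max 3 new per minute
iptables -A INPUT -p tcp --dport 22 -s $admin_net -m mac --mac-source $admin_mac -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
# Log what is about to be dropped, rate-limited so a flood cannot fill syslog
iptables -A INPUT -m limit --limit 1/min -j LOG --log-prefix "NAS-DROP: "
iptables -A INPUT -j DROP
EOF
}

if [ "${1:-}" = "--check" ]; then
    missing_features "$MATCHES_FILE" "$TARGETS_FILE" && echo "all four extensions present"
fi
```

Run it with `--check` on the NAS to see which of the four extensions the kernel lacks; `print_ruleset 192.0.2.0/24 00:11:22:33:44:55` prints the ruleset that only works once all four are present.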
11 Replies
- mdgm-ntgr (NETGEAR Employee, Retired): There's a strong chance you'll find a similar situation with another supplier. Best thing with your unusual requirements would probably be to build and manage your own system.