Rootmanual:freenas: Skillnad mellan sidversioner
Knase (diskussion | bidrag) (Add example firewall configuration) |
Knase (diskussion | bidrag) (add description for enabling pf firewall) |
||
Rad 58: | Rad 58: | ||
== Firewall == |
== Firewall == |
||
Setup pf on the FreeNAS box |
Setup pf on the FreeNAS box: |
||
pf is installed by default so all we need to do is create a configuration and enable it. |
|||
To enable, open /etc/rc.conf with some editor (vi) and add the following at the end: |
|||
pf_enable="YES" |
|||
pf_rules="<absolute path to your pf.conf with rules>" |
|||
gateway_enable="YES |
|||
pf.conf example: |
pf.conf example: |
||
Rad 82: | Rad 89: | ||
#Allow traffic out |
#Allow traffic out |
||
pass out on $ext_if from any to any keep state |
pass out on $ext_if from any to any keep state |
||
End with starting the service: |
|||
service pf start |
Versionen från 27 januari 2017 kl. 16.27
Useful documentation
After installing FreeNAS the User Guide documentation for the current version is available in the "Guide" tab.
Setting up a FreeNAS box
Go through the installation process. After the install make sure that you have the correct address assigned to the box. If not you could use the console menus to set it or drop to a shell.
Using the shell:
ifconfig
Lists all the interfaces and note the interface you want to use
ifconfig <interface> inet <IPv4 address/subnetmask> add
Sets the IPv4 for the interface you want to use
ifconfig <interface> inet <IPv4 address> -alias
If you by accident set a address to the wrong interface
route add default <gateway address>
Sets the default gatway
service nginx restart
Nginx needs to be restarted since it does not serve on the correct address.
Go to System/Advanced:
Enable Console Menu = false
Certficates & syslog server
Make sure that you start by using https, for this you need to have a valid certificate. You could if there for the moment are no signed certificate for the machine, generate a self-signed certificate.
To enable https and set syslog server, go to System/General:
Certificate = your certificate Protocol = HTTPS WebGUI HTTP -> HTTPS redirect = yes Syslog server = <Logserver with FQDN>
Kerberos
Generate a kerberos keytab on a machine that is inside the kerberos realm for your new machine and export it.
NIS
Setup NIS settings: Directory/NIS
NIS domain = lysator NIS servers = nis.lysator.liu.se,ns-slave.lysator.liu.se Secure mode = yes Enable = yes
And save.
NFS
Setup the default nfs server settings: Service/nfs
Number of Servers = 6 Serve UDP = yes Enable NFSv4 = yes support > 16 groups = yes Log mountd = yes Log rpc.statd & rpc.lockd = yes
Firewall
Setup pf on the FreeNAS box:
pf is installed by default so all we need to do is create a configuration and enable it.
To enable, open /etc/rc.conf with some editor (vi) and add the following at the end:
pf_enable="YES" pf_rules="<absolute path to your pf.conf with rules>" gateway_enable="YES
pf.conf example:
#External interface ext_if="<interface name of external interface>" table <bruteforce> persist set skip on lo0 set block-policy return scrub in all block in all block out all block quick from <bruteforce> #Allow from management HTTP/HTTPS only pass in on $ext_if proto tcp from <management host> to any port 80 flags S/SA keep state pass in on $ext_if proto tcp from <management host> to any port 443 flags S/SA keep state #Allow internal traffic pass in on $ext_if from 130.236.254.0/24 to any keep state pass in on $ext_if from 2001:6b0:17:f0a0::0/64 to any keep state #Allow ssh from management only block in on $ext_if proto tcp from 130.236.254.0/24 to any port { ssh } block in on $ext_if proto tcp from 2001:6b0:17:f0a0::0/64 to any port { ssh } pass in on $ext_if proto tcp from <management host> to any port { ssh } #Allow traffic out pass out on $ext_if from any to any keep state
End with starting the service:
service pf start