Firewall
A firewall is a common network security feature. It functions as a virtual barrier that inspects and handles network traffic from external sources (e.g., the Internet) according to a defined rule set.
Depending on the rule set, a firewall will allow or deny access. By controlling which applications and services are permitted access, SRM firewall can keep your network secure from potential cyber threats.
Create firewall rules
Before SRM firewall rules can monitor network traffic effectively, you must define a firewall rule set. A rule set consists of one or more firewall rules used to regulate network traffic. SRM firewall rules are defined using the following parameters:
- Name: Names are used to identify each firewall rule.
- Protocol: There are several standard protocols used to exchange information. TCP and UDP are used to exchange information between systems. ICMP is mainly used to relay error and query messages. If you are unsure of which protocol to specify, you can specify all protocols.
- IP: The IP addresses where the network traffic originates (source IP) or is destined (destination IP). They can be on the local network hosted by the Synology Router or on the Internet.
- Network interface: Network interfaces are mediums connecting your Synology Router with local networks or the Internet; they can be divided into source interfaces and destination interfaces.
- Port: Ports are where the network traffic comes out of or enters a device; they can be divided into source ports and destination ports.
- Action: Action determines what SRM firewall does when any network traffic matches conditions specified by port number, source IP, and network interface.
- Hit: It shows the number of times a firewall rule is triggered.
If you have network administrative permissions, make sure you know each user's network needs to ensure that users can successfully access their necessary applications and services. If you do not have the required permissions, consult your network administrator to avoid any firewall issues.
To create a firewall rule:
- Go to Network Center > Security > Firewall.
- Click Create.
- In the Name section, enter a name for the firewall rule.
- In the Protocol section, select the protocol of the traffic regulated by this firewall rule.
- In the Source section, select one of the following:
  - Network Interface:
    - All: Apply this firewall rule to all network interfaces.
    - Internet: Apply this firewall rule to the Internet interface.
    - LAN: Apply this firewall rule to network interfaces of specific local networks (LANs). After clicking Select, you can choose your target local networks.
  - IP Address:
    - All: Apply this firewall rule to all source IP addresses.
    - Specific IP: Apply this firewall rule to specific source IP addresses. After clicking Select, you can specify an IP address, subnet, or IP range.
    - Region: Apply this firewall rule to network traffic from specific areas. After clicking Select, you can specify up to 15 locations.
  - Ports: Apply this firewall rule to all or specified ports.
- In the Destination section, select one of the following:
  - Network Interface:
    - All: Apply this firewall rule to all network interfaces.
    - Internet: Apply this firewall rule to the Internet interface.
    - LAN: Apply this firewall rule to network interfaces of specific local networks (LANs). After clicking Select, you can choose your target local networks.
  - IP Address:
    - All: Apply this firewall rule to all destination IP addresses.
    - SRM: Apply this firewall rule to the Synology Router only, and network traffic to its hosted local network will not be affected.
    - Specific IP: Apply this firewall rule to specific destination IP addresses. After clicking Select, you can specify an IP address, subnet, or IP range.
    - Region: Apply this firewall rule to network traffic destined for specific areas. After clicking Select, you can specify up to 15 countries.
  - Ports: Apply this firewall rule to all or specified ports or to selected applications.
- In the Action section, select either of the following:
  - Allow: Allow the network traffic that matches all the specified conditions.
  - Deny: Block the network traffic that matches all the specified conditions.
- Click OK to finish the setup.
- Click Save to save this rule.
To set up firewall notifications:
You can also set up notifications for when SRM firewall denies access.
- Click on Settings.
- Make sure the Enable firewall notifications box is checked.
- Click OK to save your changes.
Once you have enabled the setting above, a message will pop up whenever an application or service is blocked by your firewall rules.
Note:
- You can create up to 128 firewall rules.
- Firewall rules only apply to the following types of network traffic:
  - Traffic between the Internet and a local network
  - Traffic between local networks
- Network traffic within the same local network or between the wired and wireless connections is not subject to firewall rules.
- If a private port in a port forwarding rule coincides with the destination port in a firewall rule or UPnP client list rule, these rules will be prioritized for enforcement in the following order: firewall rules > port forwarding rules > UPnP client list rules.
- If you want to set up a firewall rule to target certain traffic guided by port forwarding, please specify the destination port in the firewall rule as the same as the private port in the port forwarding rule.
Modify SRM firewall policies
To reorder firewall rules:
SRM firewall enforces rules according to a set order. If several rules conflict with each other, the rule placed higher on the list takes precedence.
- Go to Network Center > Security > Firewall.
- Select an existing rule.
- Change its position by dragging and dropping.
- Click Save to apply your changes.
To edit default firewall rules:
You can strengthen the firewall around your Synology Router and client devices with default firewall rules. Default rules are applied to allow or block network traffic that does not match any created rule.
- Go to Network Center > Security > Firewall.
- At the bottom of the page, adjust the default policies to suit your needs:
  - If IPv4 WAN-to-SRM traffic matches no rules: Allow or deny incoming IPv4 traffic destined for the SRM management interface.
  - If IPv4 WAN-to-LAN traffic matches no rules: Allow or deny incoming IPv4 traffic destined for subordinate devices of the Synology Router.
  - If IPv6 WAN-to-SRM traffic matches no rules: Allow or deny incoming IPv6 traffic destined for the SRM management interface.
  - If IPv6 WAN-to-LAN traffic matches no rules: Allow or deny incoming IPv6 traffic destined for subordinate devices of the Synology Router.
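The following is an added example, not Synology code: a simplified Python model of the behavior described above, where the highest matching rule decides, the default policy handles unmatched traffic, and a broad rule placed higher can make a narrower rule below it unreachable. The names Rule, evaluate, shadowed and sample_rules are hypothetical, and the addresses are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    protocol: str             # "tcp", "udp", "icmp" or "all"
    source: str               # CIDR; "0.0.0.0/0" stands for "All"
    dest_port: Optional[int]  # None stands for all ports
    action: str               # "allow" or "deny"
    hits: int = 0             # plays the role of the Hit column

    def matches(self, proto, src_ip, dport):
        return (self.protocol in ("all", proto)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)
                and self.dest_port in (None, dport))

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return (self.protocol in ("all", other.protocol)
                and ipaddress.ip_network(other.source).subnet_of(
                    ipaddress.ip_network(self.source))
                and self.dest_port in (None, other.dest_port))

def evaluate(rules, default_action, proto, src_ip, dport):
    """The first matching rule from the top decides; otherwise the default policy."""
    for rule in rules:
        if rule.matches(proto, src_ip, dport):
            rule.hits += 1
            return rule.action, rule.name
    return default_action, "default"

def shadowed(rules):
    """Names of rules that can never fire because a higher rule covers them."""
    return [low.name for i, low in enumerate(rules)
            if any(high.covers(low) for high in rules[:i])]

def sample_rules():
    # Constructed rule set using documentation address ranges.
    return [Rule("allow-admin-ssh", "tcp", "203.0.113.0/24", 22, "allow"),
            Rule("deny-all-ssh", "tcp", "0.0.0.0/0", 22, "deny")]

if __name__ == "__main__":
    rules = sample_rules()
    print(evaluate(rules, "deny", "tcp", "203.0.113.10", 22))   # admin range
    print(evaluate(rules, "deny", "tcp", "198.51.100.7", 22))   # everyone else
    print(evaluate(rules, "deny", "tcp", "198.51.100.7", 443))  # no rule matches
    print("shadowed if reversed:", shadowed(list(reversed(rules))))
```

A rule reported by shadowed() that also shows a Hit count of zero over time is a candidate for reordering or removal.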