

Postby ldkraemer » 01 Jul 2012 04:16

[HOWTO] - NAS4Free IPFW RULES for SSH & SFTP to your NAS4Free Server

NAS4Free Current Version - Embedded

What is a Computer Network?

If you simply connect your four computers at home together via Ethernet, you have what is called a LAN (Local Area Network).
If everything is within walking distance, it's usually called a LAN, however many machines are connected to it, and whatever
you've built the network out of. If your LAN has a Wifi Router and you are using Laptops, Phones, or Desktops with Wifi
capability, then you also have WLAN (Wireless Local Area Network).

The other end of the spectrum is a WAN (Wide Area Network). If you have one computer in Lahore, Pakistan, one in Birmingham,
UK and one in Santiago, Chile, and you manage to connect them, it's a WAN (Wide Area Network).

If you would like to know more see this site for more details:

What is the `Internet'?

The Internet is a "WAN" which spans the entire globe: it is the largest computer network in existence. The phrase `internetworking'
refers to connecting separate networks to build a larger one, hence `The Internet' is the connection of a whole pile of subnetworks.

So, now we look at the above items and ask ourselves: What is the Internet's size, physical details, and protocols?

The size is already established: it's global.

The physical details are varied however: each little sub-network is connected differently, with a different layout and physical nature.
Attempts to map it in a useful way have generally met with abject failure.

The protocols spoken by each link are also often different: all of the "link-level protocols" are used, and many more.

How Does The Internet Work?

The question then arises: how come every node on the Internet can talk to the others, if they all use different link-level protocols to
talk to each other?

The answer is fairly simple: we need another protocol which controls how stuff flows through the network. The link-level protocol describes
how to get from one node to another if they're connected directly: the `network protocol' tells us how to get from one point in the network
to any other, going through other links if necessary.

For the Internet, the network protocol is the Internet Protocol (version 4), or `IP'. It's not the only protocol out there (Apple's AppleTalk,
Novell's IPX, Digital's DECNet and Microsoft's NetBEUI being others) but it's the most widely adopted. There's a newer version of IP called
IPv6, but it's still not common.

So, to send a message from one side of the globe to another, your computer writes a bit of Internet Protocol, sends it to your modem,
which uses some modem link-level protocol to send it to the modem it's dialed up to, which is probably plugged into a terminal server
(basically a big box of modems), which sends it to a node inside the ISP's network, which sends it out usually to a bigger node, which
sends it to the next node... and so on. A node which connects two or more networks is called a `router': it will have one "interface"
for each network.

Groups of IP Addresses: Network Masks

There is one last detail: there is a standard notation for groups of IP addresses, sometimes called a `network address'. Just like a phone
number can be broken up into an area prefix and the rest, we can divide an IP address into a network prefix and the rest.

It used to be that people would talk about `the 1.2.3 network', meaning all 256 addresses from to Or if that wasn't a
big enough network, they might talk about the `1.2 network' which meant all addresses from to

We usually don't write ` -'. Instead, we shorten it to `'. This weird `/16' notation (it's called a `netmask')
requires a little explanation.

Each number between the dots in an IP address is actually 8 binary digits (00000000 to 11111111): we write them in decimal form to make
it more readable for humans. The `/16' means that the first 16 binary digits is the network address, in other words, the `1.2.' part is the
network (remember: each number between the dots represents 8 binary digits). This means any IP address beginning with `1.2.' is part of the
network: `' and `' are, and `' is not.

To make life easier, we usually use networks ending in `/8', `/16' and `/24'. For example, `' is a big network containing any
address from to (over 16 million addresses!). is smaller, containing only IP addresses from to is smaller still, containing addresses to

To make things confusing, there is another way of writing netmasks. We can write them like IP addresses:

Finally, it's worth noting that the very highest IP address in any network is reserved as the `broadcast address', which can be used to send
a message to everyone on the network at once.

Here is a table of network masks:

Code: Select all

       Short   Full                    Maximum        Comment
       Form    Form                   #Machines

       /8      /             16,777,215      Used to be called an `A-class'
       /16     /               65,535      Used to be called a `B-class'
       /17     /             32,767
       /18     /             16,383
       /19     /              8,191
       /20     /              4,095
       /21     /              2,047
       /22     /              1,023
       /23     /                511
       /24     /                255      Used to be called a `C-class'
       /25     /              127
       /26     /               63
       /27     /               31
       /28     /               15
       /29     /                7
       /30     /                3
       /31     /                2
       /32     /                1

As an example, an address specified as{128,35-55,89} or {128,35-55,89}
will match the following IP addresses:, to,


To properly setup CIFS, FTP, SSH, and NFS refer to the Setup Guide, Sections 2 & 6 at:

I decided to setup my NAS4Free services in an orderly fashion, and I started with NFS. Once NFS was working I setup SSH, FTP, and CIFS/SMB.
I tested each as I enabled the service, and after I FORWARDED my Router Port 22, I kept an eye on the Diagnostics | Log files so I knew
what was happening with my server. I also scanned my Ports after turning on each service so I knew what Ports were OPEN on my NAS4Free Server.


Now, realizing that your NAS4Free ports must have access to the Internet before anyone from the outside can access your NAS4Free Server,
we can DELAY Forwarding any Router Ports until the NAS4Free Setup and Configuration is complete. The NAS4Free Ports will be “OPEN” to
any LOCAL Computer that is connected to our Local Area Network (LAN), but not the WAN because your Router Port must be MANUALLY FORWARDED allowing Server access via WAN.

There is one thing you need to understand about setting up your router. If your Client Software is accessing your neighbor's NAS4Free Server
sitting behind your neighbor's router on the WAN, ONLY your neighbor needs to FORWARD his router's Port 22 to his NAS4Free Server for you
to be able to access it via ssh. Your router doesn't need Port 22, or any others, FORWARDED. So, with your Router Ports CLOSED, you are
now ready to setup your NAS4Free Server with some computer connected to your Local Area Network.

For more detailed information on the Port Number Usage see: http://www.iana.org/assignments/port-numbers


So, what does a typical LAN look like? The following photo shows what my present LAN contains. We should have covered in some
detail all the items in the photo except for the External IP Addresses. The External IP Address is the IP address returned by http://www.whatismyip.com
These IP Addresses will be used in your IPFW (IP FireWall Rules)

Notice that my Galaxy Tablet ( can connect to my server on my LAN, and likewise it can connect to my neighbor's
OPEN Linksys Router, and access my NAS4Free Server. This makes it nice for testing my IPFW Rules. All of the network devices
attached to my Router will be in the range of 200 thru 250 ( –


At this point you are ready to use a Computer on your LAN to test your NFS Service. When that is working properly, you may want to start with
CIFS/SMB or SSH. CIFS/SMB was easily setup by using my Galaxy Tablet with Android FTP (AndFTP) and worked well on my LAN. You won't
be able to use CIFS/SMB from the WAN as most ISP Providers have those Ports automatically Blocked to reduce SPAM and Security concerns.

So, you should now have tested, and setup your Services from your LAN and the last step is to FORWARD your Router External Port 22 to
Internal Port 22 to allow you access to your NAS4Free Server from the WAN. BE VERY CAREFUL, because as soon as you do this your
system will be attacked, and Port 22 will receive numerous attempts to gain entry. You should be using a DSA Key and not have Password
Authentication ENABLED.

Here is a listing of the IP addresses that immediately started probing my system, trying to gain access.

As you can see they needed to be immediately blocked, and I initially started adding each IP address to the Network|Hosts Host access control list.

Unauthorized Login Attempts:

If your ssh Diagnostics|Log show multiple login attempts by &, you can “DENY” their access by adding their
IP address to /etc/hosts.allow (hosts.deny is deprecated). By adding these IP addresses to NAS4Free you will actually be inserting the specific
IP Address in /etc/hosts.allow as DENY.

Network | Hosts

Code: Select all

#ftpd : xxx.xxx.xxx.xxx : deny
#sshd : .example.com : deny
#in.tftpd : xxx.xxx.xxx.xxx : deny
#bsnmpd : xxx.xxx.xxx.xxx : deny
sshd : : deny
sshd : : deny
sshd : : deny
sshd : : deny
ALL : ALL : allow

But, as you can also see, this listing grew day by day, and I soon figured out there had to be a better way to BLOCK all the unwanted IP Addresses,
while still allowing myself, and my specific IP Addresses NAS4Free access while BLOCKING all others.


If you have searched the old FreeNAS forum for an answer to your IPFW Rule Problems you have found the following typical answers:
1. You can use the firewall to limit access, see WebGUI|Network|Firewall|Rule|Add
2. See ipfw manual.
3. FreeBSD Handbook > Chapter 31 Firewalls > 31.6 IPFW

Now, while these typical answers didn't help me define my IPFW Rules, or help me with any of my problems, it did help me understand
that the IPFW Manual is written for the underlying system, and the Network | Firewall Rules is just a User GUI allowing easy setup of
the Rules, once you have an understanding of the system.

Once I had printed out that section of the manual, and read it over about 50 times, and tried to define some rules to test my system,
I did brute force my way through the process and got a functional system.

So, let's see what we can do to assist you to get through the painful process.........


When you install NAS4Free, there are three Rules that are already defined, but not ENABLED. Let's have a look at these rules as shown below.

I have ENABLED the SYSTEM FIREWALL, and also ENABLED the first RULE shown here as (100). Notice that Rules (200) & (300) have not been
ENABLED and they are grey, while the ENABLED Rule is WHITE. Now, the actual IPFW Rules that are stored for the NAS4Free System are located
at /etc/rc.firew~uxrules and these rules are explained in the IPFW Manual. WHEW! Now we are making progress, and we have a clue as to
where these rules are stored on our NAS4Free System, and the IPFW Manual explains the Rules.

The choices for Protocol are UDP, TCP, ICMP, and ALL. SSH typically uses TCP.
The Choices for Direction are IN, OUT, and ANY. SSH typically uses IN.
You can also “Log packets that are handled by this rule to syslog”.

So, we need to add a Rule to BLOCK all of the ssh access as shown below. Notice that this rule is ENABLED, and a duplicate of the rule (200)
which was one of our pre-defined rules. This is OK for the time being. This Rule allows us to BLOCK ALL SSH access to our NAS4Free Server.
But, this situation isn't exactly what we want to end up with because we don't have access to our own Server.



While defining your Rules, you never want to end up defining a rule as shown below because you will never have access to your NAS4Free SYSTEM.
If you make this mistake you can use the NAS4Free Console to restore the system to DEFAULT, then reload your saved Configuration.



The Ordering of your IPFW Rules is very important, as the rules are evaluated First to Last, and the First Matching rule applies.

..more rules
..more rules


To allow us WAN access to our own NAS4Free Server we will add the Rule shown below. Remember that I am jumping in on my neighbor's Linksys
Router that has an External IP address of: and we will be accessing our NAS4Free Server via Port 22 with SSH. So, we just need
to make the appropriate entries in the ALLOW Rule.

At this point we can toggle rule (400) ON/OFF and try to access the NAS4Free Server via my Galaxy Android Tablet with AndFTP. DISABLING Rule (400)
BLOCKS access, and ENABLING Rule (400) ALLOWS me WAN Access. So, now we just need to add another ALLOW Rule for LAN Access.



To allow us LAN access to our own NAS4Free Server we will add the ALLOW Rule shown below. This Rule is a bit different and needs some explanation.
As you can see the rule uses the Network Addressing Scheme, and allows lots of flexibility in defining who on my LAN can have access.

The IP Address is specified as{200,203-206} which will match the following IP addresses:, to I could just as easily have skipped around selecting exactly the IPs I wanted
such as{200,202-204,207}

At this point we can toggle rule (500) ON/OFF, and try to access the NAS4Free Server via my Galaxy Android Tablet with AndFTP.
DISABLING Rule (500) BLOCKS access, and ENABLING Rule (500) ALLOWS me LAN Access.

At this point we have ALLOW Rules for LAN, WLAN, and WAN. Rules (600) and (700) haven't been discussed, but are just other folks that
I have given access to my NAS4Free Server. You shouldn't have any trouble figuring out these rules.


My complete IPFW Rule listing is shown below.


I've added one more DENY Rule showing one way to DENY Access to a Block of IP Addresses. You may not want to use it, or have another
method of doing the same sort of Group Blocking.


And with this information it pretty well wraps up what I know about the IPFW Rules. If you have suggestions and/or other ideas that need to be
incorporated please add that feedback and it will make the tutorial better.


There is one other small detail that you may need to help you access your NAS4Free Server from the WAN. Since you can't log into the WebGUI,
and change settings while you are on the road, you may find times when you really need to be able to modify your Rules, or access your Server.

If you are using SSH to connect to your NAS4Free Server you can access the WebGUI by doing SSH tunneling from your Linux Box:

Code: Select all

    ssh -v -p 22 -L 8888:localhost:443 username@your.NAS4FreeorRouter.IP.address

Then open your Linux Box's web browser, and type this address:

Code: Select all


and you are at the WebGUI Login screen.

Unfortunately, I couldn't get this to work if I was forwarding an External Router Port of 51001 to Internal Router Port 22, without adding another
IPFW Rule. By adding my IP to the Firewall Rules I was able to access the system remotely.


So, now I can access my NAS4Free Server by using the new External Port with:

Code: Select all

ssh -v -p 51001 -L 8888:localhost:443 username@your.NAS4FreeorRouter.IP.address

Then open your Linux Box's web browser, and type this address:

Code: Select all


and you are at the WebGUI Login screen.

Last edited by ldkraemer on 18 Aug 2015 13:16, edited 7 times in total.
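As an added example (not code from the original post and not NAS4Free's own firewall code), here is a small Python dry-run of the two things the post relies on: rules are evaluated in ascending number and the first match decides, and a source may be written in ipfw's last-octet list notation `base/len{a,b-c,...}` as in the LAN rule above. The rule numbers, the documentation-range addresses (203.0.113.7 standing in for the neighbour's WAN address, 198.51.100.0/24 for the LAN) and the sample packets are constructed for this example; only the subset of ipfw syntax shown is handled, and the final default rule is assumed to deny unless told otherwise. Running a ruleset through it before loading it is one way to catch the lock-out mistake described above.

```python
"""Dry-run evaluator for a small ipfw-style SSH ruleset.

Added example, not NAS4Free code. Rules are checked in ascending number and
the FIRST match decides; a source may use ipfw's list notation
base/len{a,b-c,...} (listed values of the last octet inside that block).
Only this subset of ipfw syntax is supported:

    <num> allow|deny tcp|udp|ip from <addr> to <addr> [dst-port N] [in|out]

Rule numbers, addresses and packets below are constructed for the example.
"""
import ipaddress
import re

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny)\s+(?P<proto>tcp|udp|ip)\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+dst-port\s+(?P<port>\d+))?(?:\s+(?P<dir>in|out))?$")
LIST_RE = re.compile(r"([\d.]+(?:/\d+)?)\{([\d,\-]+)\}")


class AddrSpec:
    """'any', a host, a CIDR block, or base/len{list} (len must be >= 24)."""

    def __init__(self, text):
        self.net, self.octets = None, None
        if text == "any":
            return
        m = LIST_RE.fullmatch(text)
        if not m:
            self.net = ipaddress.ip_network(text, strict=False)
            return
        self.net = ipaddress.ip_network(m.group(1), strict=False)
        if self.net.prefixlen < 24:
            raise ValueError(f"{text}: list notation needs a /24 or longer prefix")
        self.octets = set()
        for item in m.group(2).split(","):
            lo, _, hi = item.partition("-")
            lo, hi = int(lo), int(hi) if hi else int(lo)
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"{text}: bad last-octet entry {item}")
            self.octets.update(range(lo, hi + 1))

    def matches(self, ip):
        if self.net is None:          # 'any'
            return True
        addr = ipaddress.ip_address(ip)
        if addr not in self.net:
            return False
        return self.octets is None or (int(addr) & 0xFF) in self.octets


class Rule:
    def __init__(self, line):
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        self.num, self.action, self.proto = int(m["num"]), m["action"], m["proto"]
        self.src, self.dst = AddrSpec(m["src"]), AddrSpec(m["dst"])
        self.port = int(m["port"]) if m["port"] else None
        self.direction = m["dir"]

    def matches(self, pkt):
        return (self.proto in ("ip", pkt["proto"])
                and self.src.matches(pkt["src"]) and self.dst.matches(pkt["dst"])
                and self.port in (None, pkt["dport"])
                and self.direction in (None, pkt["dir"]))


def parse_ruleset(text):
    lines = [l.strip() for l in text.splitlines()]
    return [Rule(l) for l in lines if l and not l.startswith("#")]


def packet(src, dport=22, proto="tcp", dst="198.51.100.10", direction="in"):
    return {"src": src, "dst": dst, "dport": dport, "proto": proto, "dir": direction}


def evaluate(rules, pkt, default="deny"):
    """Return (action, rule number); 65535 is the implicit final default rule."""
    for rule in sorted(rules, key=lambda r: r.num):
        if rule.matches(pkt):
            return rule.action, rule.num
    return default, 65535


def lockout_check(rules, admin_packets):
    """Packets the administrator relies on that this ruleset would drop."""
    return [p for p in admin_packets if evaluate(rules, p)[0] == "deny"]


# Constructed: allows first (WAN host, then selected LAN hosts), catch-all deny last.
GOOD_RULESET = """
400 allow tcp from 203.0.113.7 to any dst-port 22 in
500 allow tcp from 198.51.100.0/24{200,203-206} to any dst-port 22 in
900 deny tcp from any to any dst-port 22 in
"""
# The mistake the post warns about: the deny is numbered below the allows,
# so it matches first and nobody, the owner included, can reach port 22.
BAD_RULESET = "300 deny tcp from any to any dst-port 22 in\n" + GOOD_RULESET
ADMIN_PACKETS = [packet("203.0.113.7"), packet("198.51.100.204")]

if __name__ == "__main__":
    for name, text in (("good", GOOD_RULESET), ("bad", BAD_RULESET)):
        rules = parse_ruleset(text)
        for p in ADMIN_PACKETS + [packet("198.51.100.201"), packet("192.0.2.99")]:
            print(name, p["src"], evaluate(rules, p))
        print(name, "would lock out:", [p["src"] for p in lockout_check(rules, ADMIN_PACKETS)])
```

The `lockout_check` call is the part worth keeping: feed it the packets you yourself depend on (your WAN source on port 22, your LAN client) and refuse to load any ruleset for which it returns a non-empty list.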


Postby sleid » 01 Jul 2012 15:11

For remote access from a dynamic address

With a cron job like "/etc/rc.d/ipfw restart" every hour, you can replace the fixed address in a rule with a dynamic one (myname.dyndns.org).
Only one dynamic address per rule.

cordially - Prester (revision 1803) x64-embedded on Intel(R) Core(TM) i3-3225 CPU @ 3.30GHz
Pool of 2 vdev Raidz1: 3 x WDC WD20EARS + 3 x WDC WD30EZRX
Intel PRO/1000 PT Dualport 2x Gigabit-LAN PCIe x4



Postby ldkraemer » 02 Jul 2012 12:28

Thanks for the reply. I'm having a hard time understanding what restarting ipfw every hour and using a dynamic address would do for me.

Can you supply a typical Rule with more details?

Then I'll add it to my posting.





Postby sleid » 02 Jul 2012 21:41

The cron job restarting ipfw is there to re-resolve the IP when it changes. One hour gives a good chance of retaining access.

in this case the NAS address is

For example, to allow an external SFTP user with a dynamic IP and a dyndns account:

Code: Select all

    Protocol  Source            Port  Destination  Port  <->  Description
    TCP       xxxxx.dyndns.org  *                  22    IN   François SFTP

If the router has a firewall do not forget to open port 22 to the address of the NAS.



Postby arxaios » 09 Jun 2015 06:56


I Would like to ask a question.

Does the Allow Host Access in the WebGUI have anything to do with the firewall rules? For example, I have allowed all external IPs in the WebGUI to access my server from the outside world, but I put some deny rules in the firewall for SSH. Will these conflict for those addresses, or is it something else? Thank you.
