Firewall
At Control Panel > Security > Firewall, you can enable firewall, create firewall rules, and configure firewall settings to prevent unauthorized login and control service access. You can decide whether to allow or deny access to certain network ports by specific IP addresses.
Firewall Management
You can create firewall rules for different firewall profiles, so as to easily and quickly switch to and apply the desired profile according to different security needs.
To enable firewall:
- Go to Control Panel > Security > Firewall, and check Enable firewall.
- Click Apply to save the settings.
To configure a firewall profile:
- Under the Firewall Profile section, click the + icon in the drop-down menu and enter a name to create a new profile.
- Select the desired profile from the drop-down menu and click Select.
- Click the Edit Rules button on the right, and click Create to create firewall rules for the chosen profile. (Please refer to the section below for more information about creating firewall rules.)
- Repeat the steps above until you have created all profiles and firewall rules you need.
To manage a firewall profile:
Under the Firewall Profile section, click the corresponding buttons in the drop-down menu to create, delete, rename, or clone the chosen profile.
To create a firewall rule:
- Under the Firewall Profile section, select a firewall profile from the drop-down menu and click the Edit Rules button on the right.
- Select a network interface from the drop-down menus in the upper right corner.
- Click Create.
- In the Ports section, select one of the following:
- Choose All to apply this firewall rule to all ports.
- Choose Select from a list of built-in applications and click Select. Select the built-in applications you want to apply this firewall rule to.
- Choose Custom and click Custom. Enter up to 15 ports separated by commas or specify a port range to apply this firewall rule to.
- In the Source IP section, select one of the following:
- Choose All to apply this firewall rule to all IP addresses.
- Choose Specific IP and click Select. You can specify an IP addresses or IP range to apply this firewall rule to.
- Choose Location and then specify up to 15 locations to apply this firewall rule to.
- In the Action section, select one of the following:
- Choose Allow to allow access by ports and source IP addresses you have specified.
- Choose Deny to deny access by ports and source IP addresses you have specified.
You can view LAN and PPPoE firewall rules by selecting these interfaces from the box in the upper right-hand corner. At the bottom of the rule list you can select Allow access or Deny access to allow or deny any access requests that do not match an existing firewall rule for the respective interface.
Note:
- Drag-and-drop to reorder the rules in the list.
- Rules are prioritized according to their positions in the list.
- If you have multiple network ports connecting to the same subnet, the firewall rules may not work properly.*
- When you combine multiple LAN ports with link aggregation, firewall will apply the rules from the first network interface, and retain the rules of the second network interface.
- If your Synology NAS device connects to the Internet via PPPoE, the related firewall rules must be configured on the corresponding PPPoE interface.
To apply a firewall profile:
- Under the Firewall Profile section, switch to the desired profile from the drop-down menu.
- Click Apply to save the changes. The chosen firewall profile will be applied and used as the active profile.
Firewall rule behavior
DSM Firewall will match rules according to priority. Once a rule is matched, it will be enforced and DSM Firewall will not continue matching remaining rules. If there are no rules matched, DSM Firewall will perform the default action specified in each interface.
Firewall rule priority:
- Rules defined in "All interface".
- Rules defined in respective interfaces for which the connection belongs to.
- Default rules in respective interfaces for which the connection belongs to.
____
* Applies to specific models only.
# This function includes GeoLite data created by MaxMind, available from http://www.maxmind.com.