Server Rack Pet-Project: Firewall

What server rack project would it be without a firewall?! I got myself another bargain deal with a WatchGuard Firebox XTM25. I should have enough fun with some Stateful Packet Inspection and protection against threats such as DoS attacks, fragmented and malformed packets, blended threats, and more; and if I manage to reactivate a WatchGuard subscription I might even get IPS, Data Loss Prevention, APT Blocker, and a bunch of other features…

and here it is, a shiny little red box standing out from the rest.
so, after countless reboots and resets mostly due to PEBKAC issues, I log in again.
so many items to be checked, it’ll take a while to figure out everything…
simple and nice dashboard, pretty quiet so far

I started to play a little with port forwarding, but couldn’t make it work, maybe I was trying to do something not quite right, so I ended up configuring a VPN in order to have access to all the internal resources.

aand I’m connected!

Here is my simple OpenVPN configuration:

dev tun
proto tcp
remote-cert-eku "TLS Web Server Authentication"
remote 443
verb 3
mute 20
keepalive 10 60
cipher AES-256-CBC
tls-cipher "DEFAULT:@SECLEVEL=0"
auth SHA512
reneg-sec 3660
;remember_connection 0
;auto_reconnect 0

Once connected, only internal traffic ( is routed into the tunnel (which is super great because I believe I made a split-tunnel):

$ ip route
default via dev wlan0 proto dhcp metric 600
via dev tun0
dev tun0 proto kernel scope link src
dev wlan0 proto kernel scope link src metric 600

The next steps are configuring the firewall to shield the NAS properly. And, hopefully in the near future shield a Kubernetes cluster as well.

creating a new policy for controlling NFS access (2049/tcp and 2049/udp) for the NAS
denying access from anywhere to the NAS IP address
allowing access from any trusted source (ie and to the NAS IP address
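The three steps above come down to a small rule set, and the thing that bites on any firewall is rule ordering: a broad "deny from anywhere" that sits in front of the narrow "allow from trusted" silently swallows the allow. This added example (not the post's configuration, and not WatchGuard code) models that rule set on a generic first-match engine with constructed RFC 5737 addresses standing in for the NAS and the trusted ranges, and flags rules that can never fire.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Tuple

# Constructed placeholder addresses (RFC 5737 ranges); the post does not publish its real ones.
NAS_IP = ip_network("192.0.2.10/32")
TRUSTED = (ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24"))  # VPN pool, rack VMs
ANY = ip_network("0.0.0.0/0")
NFS_PORTS = (2049,)
NFS_PROTOS = ("tcp", "udp")

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    sources: Tuple[IPv4Network, ...]
    dest: IPv4Network
    ports: Tuple[int, ...]
    protos: Tuple[str, ...]

    def matches(self, src: str, dst: str, port: int, proto: str) -> bool:
        s, d = ip_address(src), ip_address(dst)
        return (any(s in n for n in self.sources) and d in self.dest
                and port in self.ports and proto in self.protos)

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match is already matched by self."""
        return (all(any(o.subnet_of(n) for n in self.sources) for o in other.sources)
                and other.dest.subnet_of(self.dest)
                and set(other.ports) <= set(self.ports)
                and set(other.protos) <= set(self.protos))

def evaluate(rules: List[Rule], src: str, dst: str, port: int, proto: str) -> Tuple[str, str]:
    """First-match evaluation with an implicit deny when nothing matches."""
    for r in rules:
        if r.matches(src, dst, port, proto):
            return r.action, r.name
    return "deny", "implicit-deny"

def shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers all their traffic."""
    return [r.name for i, r in enumerate(rules) if any(e.covers(r) for e in rules[:i])]

# The policy from the post: allow NFS to the NAS from trusted ranges, deny it from anywhere else.
ALLOW_TRUSTED = Rule("NFS-allow-trusted", "allow", TRUSTED, NAS_IP, NFS_PORTS, NFS_PROTOS)
DENY_ALL = Rule("NFS-deny-any", "deny", (ANY,), NAS_IP, NFS_PORTS, NFS_PROTOS)
GOOD_ORDER = [ALLOW_TRUSTED, DENY_ALL]   # specific allow first, broad deny after
BAD_ORDER = [DENY_ALL, ALLOW_TRUSTED]    # broad deny first: the allow is shadowed
```

Running `shadowed(BAD_ORDER)` reports the allow rule as dead, which is the check worth doing before trusting the GUI's precedence handling.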

So now, I finally have a NAS, protected by my new firewall, that is accessible only from the trusted range of IP addresses (either a VPN user or a VM running in the rack). The next post will be about networking cables, and how I learned to make one. I made lots of discoveries during this pet project!