How to Set Up the Firewall on a Synology NAS

  • Post author:WunderTech
  • Post published:May 20, 2022
  • Post last modified:November 14, 2023
  • Post category:Synology
  • Reading time:16 mins read

Share what you're reading!

In this tutorial, we will look at how to set up the firewall on a Synology NAS.

When you set up a Synology NAS, the firewall is a feature that many disregard. The firewall on a Synology NAS will monitor traffic to and from the device. Based on the rules specified, traffic will either be permitted or blocked.

This allows you to effectively manage exactly what should and should not be permitted and gives you confidence that anything that’s not permitted will immediately be blocked.

This tutorial will explain how to set up the firewall on a Synology NAS, but I highly suggest you watch the video above on how to set up the firewall on a Synology NAS as it’s explained in great detail. This is one step that you can use towards securing your Synology NAS.

1. How to Set Up the FIrewall on a Synology NAS

The actual setup process for the firewall is extremely straightforward and is just a checkbox. However, actually configuring the firewall is where it gets slightly more complicated.

1. Open the Control Panel and select Security.

selecting security in control panel of dsm.

2. Select Firewall, then select Enable Firewall and Apply the settings.

How to Set Up the Firewall on a Synology NAS - the firewall section of dsm.

3. The default firewall profile will be used, but you can create multiple firewall profiles if you’d like by using the dropdown menu. When you’d like to modify the current firewall profile, select Edit Rules.

selecting different firewall profiles in dsm.

4. You’ll be brought to a blank firewall page. One thing to take note of is that by default, you’ll modify the rules for All Interfaces. If you’d like to modify the rules for a specific interface, use the dropdown menu.

editing the default profile of the dsm firewall.

2. Creating Firewall Rules

Now that you’re at the firewall section, you need to create your allow/deny rules. The first thing that you need to do is create a firewall rule so that you can access DSM. If you do not create this rule, you risk locking yourself out of your NAS.

1. Select Create to create a new firewall rule, then choose select from a list of built-in applications.

creating a firewall rule in dsm.

2. Select the Management UI for both DSM HTTP/HTTPS ports, leave all other settings as the default and then select OK to create the rule.

selecting the dsm ports in synology dsm.

3. By default, this will create a rule that allows all users from all IP addresses to access DSM. However, since the DSM port is not port forwarded (and shouldn’t be outside of specific scenarios), you’re only allowing everyone from your local network to access DSM.

showing the firewall rules in synology dsm.

4. Create firewall rules for each of your services. Common services that people use are Synology Photos, Synology Drive Server, VPN Server, SSH, and especially file-sharing services (SMB, NFS, CIFS).

You’ll have to create firewall rules for every single service. You can group them in an individual rule if you’d like, but this limits the customization you can do in further steps, so I generally recommend creating an individual firewall rule for each service.

NOTE: The default SMB port is 445 which can be allowed by using the Windows File Server application.

the services that can be exposed in synology dsm.

5. You should now have a list of all of the services that should be accessible on your Synology NAS.

a display of the firewall rules created in dsm.

2.1 Creating Firewall Rules for Custom Ports

By default, installed applications will be listed in the select from a list of built-in applications list, however, as you start to create custom services on applications like Docker, you’ll have to open custom ports.

1. To create a custom port rule, create a new firewall rule, then select Custom.

creating a firewall rule for a custom port.

2. Leave the Type as Destination Port, then change the Protocol to TCP, UDP, ICMP, IGMP, or All. Enter the port(s) that you’d like to open or select a port range.

NOTE: You’ll generally be creating TCP/UDP rules.

showing that tcp port 8443 was selected.

3. Your custom port rules will now exist in the list that we have been creating.

displaying all firewall rules created in the tutorial.

2.2 Limiting Access

The rules we’ve created up to this point will allow anyone that has access to your Synology NAS to access the NAS on those ports. However, you can modify individual rules to limit access further by following the instructions below.

2.2.1 Limiting Access to IP Addresses, Subnets, or Ranges

1. Edit a firewall rule that you already created.

showing how the rules can be edited in the firewall.

2. In the Source IP section, there are two options you can use to limit access. Specific IP and Location. Select Specific IP, then Select.

limiting access with a specific ip address

3. At this screen, you’ll have three options that you can use: single host, subnet, and IP range.

  • Single Host: An individual IP address. Use this option if you want a single IP address to access your Synology NAS for this specific service/port.
setting the ip address that can access the firewall rules.
  • Subnet: You can limit access to an entire subnet if you’d like by using the subnet mask/prefix length. You can use this cheat sheet to determine the netmask you will have to use.
narrowing a firewall rule down to a subnet.
This rule allows all traffic from the subnet
  • IP Range: You can limit access to an IP range if you’d like by using the from and to fields.
changing the firewall rule to use an IP range.

4. The Source IP will update to the IP address, subnet, or IP range that you entered.

showing the firewall section with the source IP addresses specified.

2.2.2 Limiting Access to a Location

It’s extremely important to understand that if you limit access to a certain country or multiple countries, you’ll only be able to access them externally and your internal network will be blocked on that port.

For this reason, if you use this functionality, create a second firewall rule that allows access to your local network using step 2.2.1 above.

1. Edit a firewall rule that you already created.

editing a firewall rule in synology dsm.

2. In the Source IP section, there are two options you can use to limit access. Specific IP and Location. Select Location, then Select.

selecting a location in the firewall setup.

3. Select the location(s) that you’d like to limit access to, then select OK to save the rule.

selecting the united states as a location.

4. The Source IP will update to the country or countries that you selected.

showing the location in the default firewall page.

3. Block All Rule

This section is extremely important. The rules that we created above will allow traffic, but without a block all rule, all traffic will be permitted.

I will reiterate that point due to its importance. If you do not create a block all rule, no traffic will be blocked and all traffic will be permitted (as if you weren’t using the firewall).

To block traffic, we will be using a block all firewall rule. The block all rule is placed at the very bottom of the firewall rules and should be your last rule.

The reason is that traffic is permitted from top to bottom. When you’re trying to access a service, the rules will start from the top, check each and every rule in order from top to bottom, and if traffic is not permitted, it will be blocked by the final firewall rule. This is explained in detail in the YouTube video above.

1. Create a Deny All rule.

creating a deny all rule in synology dsm and adding it to the very bottom.

2. Ensure that the Deny All rule is at the bottom of all firewall rules.

displaying the deny all rule at the bottom.

3. This will ensure that if the service is not permitted, it will be blocked by the final rule. Once again, without this rule, all traffic will be permitted.

This is also the first time that you can lock yourself out of DSM and/or specific services, so make sure that a DSM allow rule has been created before applying these settings.

4. Conclusion & Final Thoughts

This tutorial looked at how to set up the firewall on a Synology NAS. This is something that most people should set up, especially if you’re exposing anything on your NAS to the outside internet. Please be careful, as you must ensure that you allow access to DSM in order to continue accessing it (as well as any other services).

Thanks for checking out the tutorial on how to set up the firewall on a Synology NAS. If you have any questions on how to set up the firewall on a Synology NAS, please leave them in the comments of the YouTube video!