I have a bunch of services running on my AS6302T with ADM 3.5.0.R5D3 and I'm running into problems trying to keep most of them restricted to my local network (because I don't like the idea of exposing random SMB shares to the world, for example). There's a workaround at the end for Samba if anyone has the same problem, but all other services will have to be dealt with case-by-case. The workaround is fragile and can be overwritten when other configurations are changed, so if anyone has a better solution for this I'd be very happy to adopt it (and in the meantime I'll ask Asustor to see if they can implement full IPv6 netfilter support in ADM).
I investigated ADM Defender first, and created a test rule to block access to a TCP port. Testing it from a remote host looks ok in IPv4:
$ nmap -sT -p 139 <IPv4 address>
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 15:53 -03
Nmap scan report for <hostname> (<IPv4 address>)
Host is up (0.00040s latency).
PORT STATE SERVICE
139/tcp filtered netbios-ssn
MAC Address: <mac address> (Asustek Computer)
Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
$ nmap -6 -sT -p 139 <IPv6 address>
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 16:14 -03
Nmap scan report for <IPv6 address>
Host is up (0.00051s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
$ sudo ip6tables -L
ip6tables v1.4.21: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
$ find /lib/modules -name "ip6*"
/lib/modules/4.14.x/ip6_tables.ko
/lib/modules/4.14.x/ip6_udp_tunnel.ko
/lib/modules/4.14.x/ip6table_mangle.ko
My workaround for Samba: edit /usr/builtin/etc/samba/smb.conf and add "hosts allow = x.y.z." in the [Global] section (see the smb.conf(5) man page for the exact syntax). Then, if you try to connect from outside the specified network, you get something like:
$ smbclient -L <IPv6 address>
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
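
The IPv4/IPv6 comparison from the nmap runs above, automated as an added example (not part of the original post): it parses nmap's normal output for both address families and lists ports that are filtered over IPv4 but open over IPv6. The addresses, hostname and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: nmap normal output in the format shown in the post,
# with documentation-range addresses standing in for the NAS.
SAMPLE = """\
Nmap scan report for nas.example (192.0.2.10)
Host is up (0.00040s latency).
PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
Nmap scan report for 2001:db8::10
Host is up (0.00051s latency).
PORT    STATE    SERVICE
139/tcp open     netbios-ssn
445/tcp closed   microsoft-ds
"""

REPORT = re.compile(r"^Nmap scan report for (?:\S+ \()?([0-9A-Fa-f:.]+)\)?$")
PORT = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)")


def parse_states(nmap_text):
    """Return {(port, proto): {4: state, 6: state}} from nmap normal output."""
    states, family = {}, None
    for line in nmap_text.splitlines():
        line = line.strip()
        m = REPORT.match(line)
        if m:  # a new scan report starts: remember its address family
            family = ipaddress.ip_address(m.group(1)).version
            continue
        m = PORT.match(line)
        if m and family:
            key = (int(m.group(1)), m.group(2))
            states.setdefault(key, {})[family] = m.group(3)
    return states


def ipv6_gaps(nmap_text):
    """Ports that answer over IPv6 although the IPv4 rule filters them."""
    return sorted(
        key for key, s in parse_states(nmap_text).items()
        if s.get(4) == "filtered" and s.get(6) == "open"
    )


if __name__ == "__main__":
    for port, proto in ipv6_gaps(SAMPLE):
        print(f"{port}/{proto}: filtered on IPv4 but open on IPv6")
```

Feed it the concatenated output of the `nmap -sT` and `nmap -6 -sT` runs for every port that has a firewall rule; each port it lists is a service that needs its own restriction, as with the Samba `hosts allow` workaround.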