Firewall blocking too much

Hey everybody!

I have a Synology NAS and openSUSE 12.1. Turning the firewall off I can browse samba shares, access the admin panel via the browser (port 5001) and print to the printer attached to the NAS.

In YaST’s firewall settings I have added several allowed services, including samba-client, zeroconf multicast dns, mdns/Bonjour. In the broadcast section I added samba-browsing.

SuSEfirewall2 status shows:

### iptables filter ###
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  152 11256 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   45 18759 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            
ctstate ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            
ctstate RELATED
   30  4647 input_ext  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            
limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-IN-ILL-TARGET "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source          destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            
limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-FWD-ILL-ROUTING "

Chain OUTPUT (policy ACCEPT 74 packets, 7762 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  152 11256 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           

Chain forward_ext (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_ext (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            
PKTTYPE = broadcast udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            
PKTTYPE = broadcast udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            
PKTTYPE = broadcast udp dpt:427
   15  2535 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            
PKTTYPE = broadcast
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            
icmptype 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            
icmptype 8
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            
udp spt:137 ctstate RELATED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            
udp spt:427 ctstate RELATED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            
udp spt:137 ctstate RELATED
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            
limit: avg 3/min burst 5 tcp dpt:139flags: 0x17/0x02 LOG flags 6 level 4 
prefix "SFW2-INext-ACC-TCP "
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            
tcp dpt:139
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            
limit: avg 3/min burst 5 tcp dpt:445flags: 0x17/0x02 LOG flags 6 level 4 
prefix "SFW2-INext-ACC-TCP "
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            
tcp dpt:445
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            
limit: avg 3/min burst 5 tcp dpt:5000flags: 0x17/0x02 LOG flags 6 level 4 
prefix "SFW2-INext-ACC-TCP "
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            
tcp dpt:5000
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            
limit: avg 3/min burst 5 tcp dpt:5001flags: 0x17/0x02 LOG flags 6 level 4 
prefix "SFW2-INext-ACC-TCP "
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            
tcp dpt:5001
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            
udp dpt:137
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            
udp dpt:138
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            
udp dpt:139
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            
udp dpt:445
   11  1964 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            
udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            
udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            
udp dpt:427
    3   108 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            
limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix "SFW2-
INext-DROP-DEFLT "
    3   108 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            
PKTTYPE = multicast
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            
PKTTYPE = broadcast
    1    40 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            
limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
    1    40 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain reject_func (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            
reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            
reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            
reject-with icmp-proto-unreachable

### iptables raw ###
Chain PREROUTING (policy ACCEPT 227 packets, 34662 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  152 11256 NOTRACK    all  --  lo     *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 226 packets, 19018 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  152 11256 NOTRACK    all  --  *      lo      0.0.0.0/0            0.0.0.0/0           

### ip6tables filter ###
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   30  8101 ACCEPT     all      lo     *       ::/0                 ::/0                
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 
ctstate ESTABLISHED
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 
ctstate RELATED
    0     0 input_ext  all      *      *       ::/0                 ::/0                
    0     0 LOG        all      *      *       ::/0                 ::/0                 
limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-IN-ILL-TARGET "
    0     0 DROP       all      *      *       ::/0                 ::/0                

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all      *      *       ::/0                 ::/0                 
limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-FWD-ILL-ROUTING "

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   30  8101 ACCEPT     all      *      lo      ::/0                 ::/0                
    2   132 ACCEPT     icmpv6    *      *       ::/0                 ::/0                

Chain forward_ext (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_ext (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 
ipv6-icmptype 128
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 
ipv6-icmptype 133
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 
ipv6-icmptype 134
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 
ipv6-icmptype 135
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 
ipv6-icmptype 136
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 
ipv6-icmptype 137
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 
udp spt:137 ctstate RELATED
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 
udp spt:427 ctstate RELATED
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 
udp spt:137 ctstate RELATED
    0     0 LOG        tcp      *      *       ::/0                 ::/0                 
limit: avg 3/min burst 5 tcp dpt:139flags: 0x17/0x02 LOG flags 6 level 4 
prefix "SFW2-INext-ACC-TCP "
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 
tcp dpt:139
    0     0 LOG        tcp      *      *       ::/0                 ::/0                 
limit: avg 3/min burst 5 tcp dpt:445flags: 0x17/0x02 LOG flags 6 level 4 
prefix "SFW2-INext-ACC-TCP "
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 
tcp dpt:445
    0     0 LOG        tcp      *      *       ::/0                 ::/0                 
limit: avg 3/min burst 5 tcp dpt:5000flags: 0x17/0x02 LOG flags 6 level 4 
prefix "SFW2-INext-ACC-TCP "
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 
tcp dpt:5000
    0     0 LOG        tcp      *      *       ::/0                 ::/0                 
limit: avg 3/min burst 5 tcp dpt:5001flags: 0x17/0x02 LOG flags 6 level 4 
prefix "SFW2-INext-ACC-TCP "
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 
tcp dpt:5001
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 
udp dpt:137
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 
udp dpt:138
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 
udp dpt:139
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 
udp dpt:445
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 
udp dpt:5353
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 
udp dpt:5353
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 
udp dpt:427
    0     0 LOG        all      *      *       ::/0                 ::/0                 
limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
    0     0 DROP       all      *      *       ::/0                 ::/0                

Chain reject_func (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp      *      *       ::/0                 ::/0                 
reject-with tcp-reset
    0     0 REJECT     udp      *      *       ::/0                 ::/0                 
reject-with icmp6-port-unreachable
    0     0 REJECT     all      *      *       ::/0                 ::/0                 
reject-with icmp6-addr-unreachable
    0     0 DROP       all      *      *       ::/0                 ::/0                

### ip6tables mangle ###
Chain PREROUTING (policy ACCEPT 30 packets, 8101 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 30 packets, 8101 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 32 packets, 8233 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 32 packets, 8233 bytes)
 pkts bytes target     prot opt in     out     source               destination         

### ip6tables raw ###
Chain PREROUTING (policy ACCEPT 30 packets, 8101 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   30  8101 NOTRACK    all      lo     *       ::/0                 ::/0                

Chain OUTPUT (policy ACCEPT 32 packets, 8233 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   30  8101 NOTRACK    all      *      lo      ::/0                 ::/0

However, if the computer starts I cannot access the NAS, neither via the browser, nor via smb:/. If I check the logs I see:

MAC=01:00:5e:00:00:01:00:26:4d:07:e3:26:08:00 SRC=192.168.2.1 DST=224.0.0.1  LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=21265 OPT (94040000) PROTO=2 

If I shut down the firewall it works. Enabling it again without rebooting does not break it for the next ~10 minutes, i.e. it works with the firewall enabled. After that I cannot access the NAS again. Windows and TVs can access the NAS fine.

AppArmor is disabled.

Does anyone use a Synology NAS and could tell me which services/ports to open via YaST? Or does somebody know why multicast 224.0.0.1 is still blocked although it is allowed?

On 01.05.2012 at 19:56 rabauke <rabauke@no-mx.forums.opensuse.org> writes:

> Does anyone use a Synology NAS and could tell me which services/ports
> to open via YaST? Or does somebody know why multicast 224.0.0.1 is still
> blocked although it is allowed?
>
>
It’s not allowed as far as I can see. For example this rule allows
broadcasts

>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast udp dpt:5353

But only for udp packets with a destination port of 5353. What you see in
the logs is a packet without a destination port, so it doesn’t hit any of the
allow rules.

IMHO you would need a rule like this:


0     0 ACCEPT     any  --  *      *       192.168.2.1/32
0.0.0.0/0

or


0     0 ACCEPT     any  --  *      *       192.168.2.1/32
224.0.0.1/32


Best regards,
Greg
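As an added example (not code from the thread, and not part of SuSEfirewall2), here is a small Python model of the IPv4 input_ext chain from the listing in the original post. It parses a netfilter LOG line into the fields iptables matches on and walks a condensed copy of the chain in order, so it shows why the logged packet (PROTO=2 is IGMP, with no UDP or TCP port, destined for the all-hosts multicast group) falls through every ACCEPT rule to the "PKTTYPE = multicast" DROP that Greg identifies, while a constructed mDNS query is accepted by the "udp dpt:5353" rule. It also shows what Greg's second suggested rule changes, and, going one step beyond the reply, a narrower "igmp"-only allow rule. The chain model, the mDNS sample line, the IGMP_ALLOW rule and all function names are mine; the chain's icmp rules and the per-port LOG rules ahead of each tcp ACCEPT are omitted because they cannot match the packets examined.

```python
import ipaddress
import re

# Constructed copy of the log line quoted in the original post.
LOG_LINE = ("MAC=01:00:5e:00:00:01:00:26:4d:07:e3:26:08:00 SRC=192.168.2.1 "
            "DST=224.0.0.1  LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=21265 "
            "OPT (94040000) PROTO=2")
# Constructed mDNS query on the same LAN, for comparison (not from the post).
MDNS_LINE = ("MAC=01:00:5e:00:00:fb:00:26:4d:07:e3:26:08:00 SRC=192.168.2.10 "
             "DST=224.0.0.251 LEN=78 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF "
             "PROTO=UDP SPT=5353 DPT=5353 LEN=58")

IP_PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}


def parse_sfw2_log(line):
    """KEY=VALUE tokens of a netfilter LOG line -> packet dict.
    PROTO is a name for TCP/UDP/ICMP and a number otherwise (2 = IGMP).
    MAC= holds dst MAC, src MAC, EtherType; the type that PKTTYPE rules test
    comes from the dst MAC: all-ones is broadcast, I/G bit set is multicast."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    proto = fields.get("PROTO", "").lower()
    if proto.isdigit():
        proto = IP_PROTO_NAMES.get(int(proto), proto)
    dst_mac = fields["MAC"].split(":")[:6]
    if all(octet == "ff" for octet in dst_mac):
        pkttype = "broadcast"
    elif int(dst_mac[0], 16) & 1:
        pkttype = "multicast"
    else:
        pkttype = "unicast"
    return {
        "proto": proto,
        "src": ipaddress.ip_address(fields["SRC"]),
        "dst": ipaddress.ip_address(fields["DST"]),
        "sport": int(fields["SPT"]) if "SPT" in fields else None,
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        "pkttype": pkttype,
        "ctstate": "NEW",  # INPUT already accepted ESTABLISHED before input_ext
    }


def rule(target, proto="all", pkttype=None, dport=None, sport=None,
         ctstate=None, src=None, dst=None, prefix=None):
    """One chain entry; None means the field is not tested."""
    return dict(target=target, proto=proto, pkttype=pkttype, dport=dport,
                sport=sport, ctstate=ctstate, src=src, dst=dst, prefix=prefix)


def matches(r, pkt):
    return all([
        r["proto"] in ("all", pkt["proto"]),
        r["pkttype"] in (None, pkt["pkttype"]),
        r["dport"] in (None, pkt["dport"]),
        r["sport"] in (None, pkt["sport"]),
        r["ctstate"] in (None, pkt["ctstate"]),
        r["src"] is None or pkt["src"] in ipaddress.ip_network(r["src"]),
        r["dst"] is None or pkt["dst"] in ipaddress.ip_network(r["dst"]),
    ])


# Condensed IPv4 input_ext from the listing, in the original order.
INPUT_EXT = (
    [rule("ACCEPT", "udp", pkttype="broadcast", dport=5353),
     rule("ACCEPT", "udp", pkttype="broadcast", dport=427),
     rule("DROP", pkttype="broadcast"),
     rule("ACCEPT", "udp", sport=137, ctstate="RELATED"),
     rule("ACCEPT", "udp", sport=427, ctstate="RELATED")]
    + [rule("ACCEPT", "tcp", dport=p) for p in (139, 445, 5000, 5001)]
    + [rule("ACCEPT", "udp", dport=p) for p in (137, 138, 139, 445, 5353, 427)]
    + [rule("LOG", pkttype="multicast", prefix="SFW2-INext-DROP-DEFLT "),
       rule("DROP", pkttype="multicast"),
       rule("DROP", pkttype="broadcast"),
       rule("LOG", prefix="SFW2-INext-DROP-DEFLT "),
       rule("DROP")]
)

# Greg's second suggestion: everything from 192.168.2.1 to the all-hosts group.
# Whether 192.168.2.1 is the router or the NAS is not stated in the thread.
HOST_ALLOW = rule("ACCEPT", src="192.168.2.1/32", dst="224.0.0.1/32")
# Narrower alternative (my addition): only the IGMP protocol, only to 224.0.0.1,
# so no TCP/UDP service is opened to that host as a side effect.
IGMP_ALLOW = rule("ACCEPT", "igmp", dst="224.0.0.1/32")


def evaluate(chain, pkt):
    """First-match walk: LOG records its prefix and continues, ACCEPT/DROP end
    the walk. Falling off the end returns to INPUT, whose policy is DROP."""
    logged = []
    for r in chain:
        if not matches(r, pkt):
            continue
        if r["target"] == "LOG":
            logged.append(r["prefix"])
            continue
        return r["target"], logged
    return "DROP", logged


def verdict_for(line, extra_rules=()):
    """Verdict for a logged packet, with optional rules placed ahead of input_ext."""
    return evaluate(list(extra_rules) + INPUT_EXT, parse_sfw2_log(line))


if __name__ == "__main__":
    for name, line in (("IGMP query", LOG_LINE), ("mDNS query", MDNS_LINE)):
        for label, extra in (("as listed", []), ("HOST_ALLOW", [HOST_ALLOW]),
                             ("IGMP_ALLOW", [IGMP_ALLOW])):
            print(name, label, verdict_for(line, extra))
```

Run as a script it prints the verdict for each packet under each variant: the IGMP query is dropped by the listed chain after hitting the "SFW2-INext-DROP-DEFLT" LOG rule, which is the line the original poster sees, and is accepted under either added rule, while the mDNS query is accepted in every case. Of the two fixes, the igmp-only rule is the least-privilege one: Greg's host-based rule also admits any other protocol that 192.168.2.1 sends to 224.0.0.1. In SuSEfirewall2's own configuration such a protocol-level allow is expressed through its FW_SERVICES_EXT_IP setting (a list of IP protocol names such as igmp) rather than as a hand-written iptables rule; that setting is not shown on this page.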