# NAS4Free or plain FreeBSD to implement Port Knock?



## EuroN00B (Jan 19, 2013)

Hello everybody,

I am very much a n00b in anything but Windows. As far as Windows is concerned I have been in IT for several years, building, repairing hardware and software, managed some Active Directory, wrote some code and a few scripts. I have set up MineOS to function as Minecraft Server, also used Knoppix bootdisks to repair Windows / recover data. This pretty much should give you an idea where I am skills wise.

What I would like to do is to build a home NAS server that would be accessible from LAN, and hopefully over internet. This last requirement makes me very uneasy, and so I've been researching some security options, which brought me to port knock. My main goal data wise is to ensure nothing ever happens to my data, I am ready to sacrifice speed and redundancy (meaning the uptime of access). This makes me look at using ZFS, because it is intelligent enough to not copy corrupted files. I don't think I need any sort of RAID, as I do not want to lock myself out of my data due to OS failure / hardware failure. My idea is to simply have my data on one drive (1TB for now), and copy / mirror / sync it to another drive on schedule by any means other than RAID.

From what I read, I should use NAS4Free, but I am absolutely unclear on how to finalize my design choice since I want to include port knocking features.

So, my question to you is this: Is it possible to add port knocking to NAS4Free (full or embedded?) or is this something that will require plain FreeBSD? I understand that NAS4Free is very easy, but it doesn't provide port knocking features in its ready-made easy interface. Having my data secured from unauthorized access is a huge concern and if there is no go with NAS4Free for port knocking, then I will have to go through the pain of the FreeBSD learning curve, no questions about that. But I don't know that such is the necessity.

If anyone has dealt with something similar, please advise. Thank you.


----------



## EuroN00B (Jan 20, 2013)

Hmm... So many views and no responses.
I've heard that NIX community can be very strict. So, I am guessing I am not asking the right way. I should probably restate my question in a more concise manner.

Experience in Windows: 10+ years
Experience level in Windows: Average IT
Experience in NIXes: Little to None, "touched the boot media, loaded pre-made distro, followed pre-chewed configuration examples".

Project:
Home NAS Server, 1TB, emphasis: Data Security
Solutions considered (must have ZFS): NAS4Free, FreeBSD
Unsolved complications: Must have access to NAS from internet.

I want to implement Port Knocking to further secure the access to NAS Server from the Internet. Behind this, there will be SSH. The goal here is that if more than a single request is received by a Port Knock implementation that also happens to be a correct sequence, then all ports are to be shut closed for 24 hours, or until reset from LAN.

Question: Help me choose which of the two would allow me to install Port Knocking: NAS4Free or FreeBSD.

Other White Noise:
The answer probably seems way too simple to you, but believe me, from a Windows world perspective, this is kind of hard to guess. I already know (heard) that it is possible with FreeBSD. What is hard for me to predict is how much NAS4Free is modified / removed / locked down from its core (FreeBSD)? Will it allow me to do what I want? The super steep learning curve of NIX-es means that if I am unable to use point-and-click simplicity of NAS4Free, then learning the arcane Unix CLI of FreeBSD will turn this into a "forever" project. I will have to not only figure out how to install and configure Port-Knock, but how to manually configure every other aspect of NAS itself. Which is OK, the way the Windows went after XP I hate absolutely, so sooner or later I will have to start learning Unix, but in this case, I will not buy the hardware until I am comfortable (I can dream) with the dreaded, scary, unforgiving CLI.

Thank you,


----------



## wblock@ (Jan 20, 2013)

Most likely very few people here use NAS4Free.  Special-purpose canned distributions like that or FreeNAS take FreeBSD and customize it.  Adding or modifying things is done differently than in FreeBSD.  Setup of those for the features they support is easy.  Adding features they don't support could be difficult or impossible.  Or it might break their management programs if you do something outside of them.

With FreeBSD, you'll end up re-implementing some of this stuff, and might not have the web UI.  That turns out to be less of a problem than people think.  I saw that there was a port knocking app in ports a while back, but have not looked further.  There are probably several.  Anyway, "plain" FreeBSD may take longer to set up, but you can get exactly what you want.


----------



## Nukama (Jan 21, 2013)

Are you willing to set up your port knocking sequence each day before you leave home to make your proposed port knocking method somehow secure?
Even then, an attacker could intercept and modify (src-ip) your packets from the first port knocking sequence while dropping your packets and replaying his modified packets.

A *s*ingle *p*acket *a*uthorization would be a better fit.
More information on SPA: http://www.cipherdyne.org/fwknop/

Try to convince NAS4Free maintainers to include an option for installing and configuring security/fwknop.
Try this at their forums.


----------



## EuroN00B (Jan 22, 2013)

wblock@,

This is what I suspected might happen. My Port Knocking implementation might either break NAS4Free or refuse to work within it. It is true I would not miss the GUI so much after everything is working, but even trying to set up a Minecraft Server on a Pre-made distro (MineOS) was a nerve-racking experience because of CLI. Don't know if I am tough enough to configure a NAS on FreeBSD.

I should look further for those "ports" you've mentioned (those mean "plugins" in UNIX language, right?).
I assume then those were pre-made packages for either NAS4Free or FreeNAS.

Thank you for the answer!


----------



## EuroN00B (Jan 22, 2013)

Nukama,

I was actually looking at SPA, because in my scenario the NAS will be behind hardware NAT, thus I can't have very many ports to knock at, as every one of those will have to be forwarded. I thought that SPA is a type of Port Knock in general, but with added encryption.

The security policy choice I have decided on will be that one wrong authorization attempt will trigger a complete closure of all ports for 24 hours, or until reset from the second NIC which is on LAN only. This is to limit the number of attempts someone can take guessing things to exactly one. If I want, I can keep it closed simply by sending a wrong packet every now and then. The obverse side, that there will be no service if someone is either guessing or playing around, doesn't bother me at all; I can live with inconvenience, but not with vulnerability. Not sure if this was what you meant by asking if I am willing to set the policy before leaving...

Not very clear on how this can be done yet, but looking into it, I want the key to be dynamically changed synchronously with that running on a client, after every successful authorization, but not simply set during the authorized access session.

Thinking about it now, you're right in that I should have specifically mentioned SPA, not just Port Knocking in general, since I am asking for advice that might be very specific. The link you have posted is the implementation I have in mind, the "fwknop".

Also, fwknop offers to be run on hardware firewall/NAT device itself (WRT), but, I don't think I can manage to figure out how to set that up (now we're talking all this weirdness plus working with not quite a computer). And, I don't feel confident in estimating how secure such a solution could be.

Thank you for your answer!


----------
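
The policy discussed in the posts above (one failed authorization closes everything for 24 hours or until a LAN-side reset, with the key changed after each success), modeled as an added example that is not from the thread and is not fwknop's packet format. The HMAC-over-source-address packet, the hash ratchet and all names are assumptions made for illustration.

```python
import hashlib
import hmac

LOCKOUT_SECONDS = 24 * 60 * 60  # the 24-hour closure from the post


def make_packet(key: bytes, src_ip: str) -> bytes:
    # Client side: tag bound to the source address (constructed format).
    return hmac.new(key, src_ip.encode(), hashlib.sha256).digest()


def next_key(key: bytes) -> bytes:
    # Hash ratchet both sides apply after each successful authorization.
    return hashlib.sha256(b"ratchet" + key).digest()


class OneStrikeGate:
    def __init__(self, key: bytes):
        self.key = key
        self.locked_until = 0.0

    def handle(self, packet: bytes, src_ip: str, now: float) -> str:
        if now < self.locked_until:
            return "locked"  # nothing is even verified during lockout
        if hmac.compare_digest(packet, make_packet(self.key, src_ip)):
            self.key = next_key(self.key)  # old packets stop verifying
            return "open"
        self.locked_until = now + LOCKOUT_SECONDS  # one strike
        return "locked"

    def reset_from_lan(self) -> None:
        self.locked_until = 0.0


def demo() -> list:
    key, ip = b"constructed-demo-key", "203.0.113.7"  # sample values
    gate = OneStrikeGate(key)
    first = make_packet(key, ip)
    fresh = make_packet(next_key(key), ip)
    return [
        gate.handle(first, ip, now=0),    # valid packet
        gate.handle(first, ip, now=10),   # replayed copy: counts as a strike
        gate.handle(fresh, ip, now=20),   # owner's valid packet, still refused
        gate.handle(fresh, ip, now=10 + LOCKOUT_SECONDS),  # lockout expired
    ]


if __name__ == "__main__":
    print(demo())
```

The third result shows the trade-off accepted in the post: a single bad or replayed packet keeps the owner out for the full lockout window unless the gate is reset from the LAN side.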



## wblock@ (Jan 22, 2013)

Ports or packages are the way that FreeBSD installs applications.  See Using the Ports Collection.


----------

