Synology Docker Image



Below I will explain how I reduced the number of direct attacks on my Synology NAS by correctly setting up the GeoIP firewall in the DSM operating system. I blocked all geographical regions except my own country, my static IP and my local subnet. Most brute-force attempts came from outside my home country, Romania. With these settings you will reduce the notifications received for possible attacks, such as SSH login attempts on port 22, to almost 0. I thought I’d share how I implemented it for others who want to reduce their attack surface and make their Synology NAS more secure.

Synology Docker Image

These images can then be pulled (downloaded) by a Docker host, and a container can be started from the image. Visual Studio has built-in support for pushing an image to Docker Hub, and the Synology Docker app can pull images from Docker Hub. Images on Docker Hub can be public or private (depending on what plan you are using).

Find and install Docker in the Package Center. Search the registry for haugene. Download the latest image for haugene/transmission-openvpn. While the image is downloading, we’ll complete the next steps. Create Transmission Directory. Next, we’ll create a couple of folders.

The real command in Docker: docker pull ubuntu

Image. Here you will find images available on your Synology, ready to create new containers using a wizard or directly with a docker run command. You can usually find this command on the official page of an image. The real command in Docker: docker images

You will have to follow the scheme below exactly as it is: allow, allow, allow, deny. The order of insertion must be respected! I’ve been running these firewall settings on my Synology NAS with GeoIP deny rules for about a month now and everything seems to be working fine: I’ve had no unauthorized login attempts in my Log Center from any of the countries I’ve denied.

After you complete all the steps in this article, your firewall profile should look like this:

  1. Ports: All – Protocol: All – Source IP: “Your Subnet Mask” 192.168.0.0/255.255.255.0 – Action: Allow.
  2. Ports: All – Protocol: All – Source IP: “Your Static IP” – Action: Allow. (Set your static IP if you have one from your provider. I strictly recommend having a static IP if you use Synology.)
  3. Ports: All – Protocol: All – Source IP: “Your Country” – Action: Allow. (I set my country to Romania, but you have to set your own country. You can access your NAS from any IP in the country you have chosen, for example from an IP at school or at your office.)
  4. Ports: All – Protocol: All – Source IP: All – Action: Deny. (You will block all IPs from all over the world from accessing your Synology NAS, except for the ones in your chosen country. In my case, I only allow ports 80 and 443 to be visible from any country, which is why you can read my blog from anywhere.)
  5. Warning: The order of insertion must be respected. Rules are prioritized according to their positions in the list.
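
The first-match behaviour behind this ordering, modelled as an added example (not code from the original post or from Synology). The GeoIP table, the static IP 192.0.2.10, the gateway 192.168.0.1 and all function names are constructed for illustration.

```python
import ipaddress

# Constructed stand-in for a GeoIP database (documentation prefixes only).
GEOIP = {
    ipaddress.ip_network("198.51.100.0/24"): "RO",
    ipaddress.ip_network("203.0.113.0/24"): "US",
}

def country_of(ip):
    """Return the country code for ip, or None if the table has no entry."""
    for net, code in GEOIP.items():
        if ip in net:
            return code
    return None

def lan_from_gateway(gateway, netmask):
    """Network containing the gateway: 192.168.0.1 + 255.255.255.0 -> 192.168.0.0/24."""
    return ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)

def build_profile(lan, static_ip, country):
    """The four rules in the article's order: allow, allow, allow, deny."""
    static = ipaddress.ip_address(static_ip)
    return [
        ("allow", lambda ip: ip in lan),                   # Rule 1: local subnet
        ("allow", lambda ip: ip == static),                # Rule 2: static WAN IP
        ("allow", lambda ip: country_of(ip) == country),   # Rule 3: own country
        ("deny", lambda ip: True),                         # Rule 4: everything else
    ]

def evaluate(rules, source):
    """Return (action, rule position) of the first rule that matches source."""
    ip = ipaddress.ip_address(source)
    for position, (action, matches) in enumerate(rules, start=1):
        if matches(ip):
            return action, position
    return "no-match", None  # outcome depends on the firewall default, not modelled here

if __name__ == "__main__":
    lan = lan_from_gateway("192.168.0.1", "255.255.255.0")
    good = build_profile(lan, "192.0.2.10", "RO")
    bad = good[-1:] + good[:-1]  # misordered: the deny rule moved to the top
    for src in ("192.168.0.42", "192.0.2.10", "198.51.100.7", "203.0.113.9"):
        print(src, evaluate(good, src), evaluate(bad, src))
```

With the deny rule moved to the top, every source, including the local subnet, matches it first, which is the lockout the order warning guards against.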

Go to Control Panel / Security / Firewall and follow the instructions in the image below.

After clicking Apply, go to “Edit Rules” / Create and follow the instructions in the images below. First of all, select “All interfaces” in the drop-down menu at the top right. Please disregard the existing rules in the screenshot below – these will be created in the following steps using your preferences.

Follow the instructions in the images below to add the first firewall rule. Create your first firewall rule to allow your internal/home network.

Image 1

Image 2 (Read Note E at the end of the article.)

Warning: In my case, my Default Gateway is 192.168.0.0, but you might have a different Default Gateway. You can find your Default Gateway in Control Panel / Network / General / Default Gateway.

Follow the instructions in the images below to add the second firewall rule. Create your second firewall rule to allow your static IP (“WAN”) from your ISP (Internet Service Provider), if you have one.

Follow the instructions in the images below to add the third firewall rule. Create your third firewall rule to allow your country.

Follow the instructions in the image below to add the fourth rule. Create your fourth firewall rule to deny all countries/locations.

If you’re using your Synology NAS for web hosting, or if you have a service which must be accessible to all, follow the instructions in the images below. As mentioned above, if you are using your Synology NAS for web hosting, MailPlus Server, etc., you have to select your service from a list of built-in applications and exclude it. In my case I excluded Virtual Host ports 80 and 443 from the Deny list to make my website accessible from all over the world. In “Select from a list of built-in applications” you can choose which apps/ports/services are accessible from all countries/locations.

Test that you can reach your Synology NAS on your internal network and from external networks in your country, like your office, school or a free Wi-Fi area. You can also validate that the firewall is working and blocking the denied countries/locations by using a Tor browser or a VPN service to send traffic from a different country. Alternatively, you can contact a friend in another part of the world and give them your Synology QuickConnect or DDNS address. If they can’t connect, the firewall is working perfectly. These tests will help you see if your firewall rules are working properly. Contact me by leaving a message if you have any problems regarding firewall rules.

Note A: Firewall rules are executed top to bottom, meaning that all “Allow” rules must be at the top of the list, with a “Deny” rule at the bottom. When traffic enters the NAS, it goes through the list, and if it isn’t explicitly permitted, the “Deny” rule blocks the traffic.
Note B: If you don’t have a static IP and you have a dynamic IP that changes every time you connect, set only Rule 1, Rule 3 and Rule 4 described in this article.
Note C: If you set only Rule 1 and Rule 3 because you have a dynamic IP, you can connect to your NAS with a VPN if you are planning to visit other countries, or you can allow your destination country in Rule 3 before leaving your own country.
Note D: If you don’t allow your own country in Rule 3, you will receive this message: “Your computer has been blocked by the new firewall configuration. The firewall configuration has been reset to the previous state. Please make sure that no rule is blocking your computer and try again.”


Note E: If you continue to see the message “Your computer has been blocked by the new firewall configuration” when you save your rules, it means that Rule 1 in STEP 4 is not correct. In my case, my Default Gateway is 192.168.0.0, but you might have a different Default Gateway. You can find your Default Gateway in Control Panel / Network / General / Default Gateway. So in STEP 4, Rule 1 (Image 2), you have to set YourDefaultGatewayNumber/255.255.255.0

Note F: As you add new packages to your NAS, new “Allow” rules will need to be created. Your NAS will generally inform you that you need to create a new rule when you finish installing/configuring a new package.

This post was updated on Monday / October 19th, 2020 at 9:14 PM