Logging Firewall Traffic on a Synology NAS

by Matthew Cunliffe, 15th April 2022, in Security, Synology, Technological Thoughts

I’ve seen a lot of queries on the internet about logging firewall traffic on a Synology server because, somewhat surprisingly, it isn’t something Synology have implemented in their Log Center (sic), or apparently feel is important enough to implement, despite making it easy to create firewall rules in the Control Panel.

Underneath it all, Synology uses iptables to implement firewall rules. These aren’t easy or straightforward to manage on the command line, which is why, thankfully, Synology provide a nice GUI for adding and changing rules on the fly. Confusingly, they don’t provide any way to audit the traffic or troubleshoot why a rule might not be working.

Getting Firewall Logs into Synology Log Center

There is a solution, and one that doesn’t require you to delve into the innards of the server (although you can if you want!). The configuration is designed to withstand reboots (the iptables rules revert to DSM’s own configuration whenever the server reboots, so anything added by hand on the command line is lost) and to be managed from within Synology DSM. It also doesn’t touch any Synology defaults or specific configurations, so in theory it should always work.

Creating a Task to Enable Firewall Logging

First off, log into your Synology DSM and open the Control Panel, and under the Services section, select “Task Scheduler”.

In the Task Scheduler screen, click the Create button, then choose “Triggered Task” and “User-defined script”, since we are going to set up something that always runs on boot-up.

Enter a name for your task so you know what it’s for, and make sure the “User” field is set to “root” and the “Event” field to “Boot-up”.

Click on the Task Settings tab. Then in the “User-defined script” field, enter the following code:

#!/bin/bash
conf='/usr/local/etc/syslog-ng/patterndb.d/Firewall.conf'
echo 'destination d_iptables {' > $conf
echo 'syslog("127.0.0.1" port(514) transport("udp"));' >> $conf
echo '};' >> $conf
echo 'filter f_iptables { match("--Firewall--"); };' >> $conf
echo 'log { source(src); filter(f_iptables); destination(d_iptables); };' >> $conf
iptables -N LOGGING
iptables -I INPUT 1 -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix '--Firewall--' --log-level 6

Click on the OK button. The task is now set up to enable firewall logging whenever your Synology is rebooted.

Bear in mind that the script hasn’t been run yet, so logging hasn’t actually been configured. You could reboot your server to set it up, but we’re going to stick with doing everything through Synology DSM.

Highlight your newly created task in the Task Scheduler and click the Run button at the top of the screen. Now your server is configured to send firewall logs to Synology Log Center.

Limiting the Logging to External Traffic

If you want to limit the logging to external traffic only, insert the following line before the last line of the script (the iptables rule ending in -j LOG):

iptables -A LOGGING -s 192.168.1.0/24 -j RETURN

Replace “192.168.1.0/24” with your own local network range. The /24 suffix is CIDR (Classless Inter-Domain Routing) notation for the subnet mask: 192.168.1.0/24 covers 192.168.1.0 to 192.168.1.255, so no traffic coming in from those addresses will be logged.

The full script is then:

#!/bin/bash
conf='/usr/local/etc/syslog-ng/patterndb.d/Firewall.conf'
echo 'destination d_iptables {' > $conf
echo 'syslog("127.0.0.1" port(514) transport("udp"));' >> $conf
echo '};' >> $conf
echo 'filter f_iptables { match("--Firewall--"); };' >> $conf
echo 'log { source(src); filter(f_iptables); destination(d_iptables); };' >> $conf
iptables -N LOGGING
iptables -I INPUT 1 -j LOGGING
iptables -A LOGGING -s 192.168.1.0/24 -j RETURN
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix '--Firewall--' --log-level 6
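The script above is run from the Task Scheduler’s Run button and then again at every boot, and iptables -N fails and -I inserts a second jump if the chain and rule already exist. The following is an added example, not code from the original post: an idempotent version of the iptables part that checks before it creates or inserts. It assumes an iptables that supports the -C (check) option; IPT and LAN are variables introduced here so the binary and the excluded range can be overridden from the environment.

```shell
#!/bin/sh
# Added example, not from the original post: an idempotent version of the
# iptables part of the boot task. Running it twice (Run button, then boot)
# adds nothing twice. Assumes iptables supports -C; IPT and LAN are
# variables introduced here, not part of the post's script.
IPT="${IPT:-iptables}"
LAN="${LAN:-192.168.1.0/24}"
PREFIX='--Firewall--'

# Create the LOGGING chain only if listing it fails (i.e. it does not exist).
ensure_chain() {
    "$IPT" -L LOGGING -n >/dev/null 2>&1 || "$IPT" -N LOGGING
}

# Append a rule to a chain unless an identical rule is already present.
# -C exits 0 when the rule exists and 1 when it does not.
append_once() {
    _chain=$1; shift
    "$IPT" -C "$_chain" "$@" >/dev/null 2>&1 || "$IPT" -A "$_chain" "$@"
}

# Insert a rule at position 1 unless it is already present in the chain.
insert_first_once() {
    _chain=$1; shift
    "$IPT" -C "$_chain" "$@" >/dev/null 2>&1 || "$IPT" -I "$_chain" 1 "$@"
}

setup_firewall_logging() {
    ensure_chain
    # Same rules as the post, in the same order: jump, LAN exclusion, rate-limited LOG.
    insert_first_once INPUT -j LOGGING
    append_once LOGGING -s "$LAN" -j RETURN
    append_once LOGGING -m limit --limit 2/min -j LOG \
        --log-prefix "$PREFIX" --log-level 6
}

# Only touch the firewall when asked explicitly, so sourcing this file is safe.
if [ "${1:-}" = "--apply" ]; then
    setup_firewall_logging
fi
```

The syslog-ng part of the original script can stay as it is, since rewriting the configuration file with > is already safe to repeat.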

Enabling Logging in Synology Log Center

We’ve set up Synology so that firewall logging is configured and will survive a reboot of your server, but it’s still not logging. We haven’t yet configured Log Center to receive the data, and syslog-ng hasn’t yet been told to read the newly created configuration file; creating the receiving rule below takes care of both.

Open up Log Center in Synology DSM and click on the Log Receiving tab, then click on the Create button at the top.

Type in a name for your rule so you know what it relates to, and make sure the IETF log format is selected (the syslog() destination written by the task sends in that format). By default the transfer protocol should be “UDP” and the port “514”, matching the destination in the configuration file.

Finally, click on the OK button and make sure your rule is enabled.

Viewing the Firewall Logs

You’re done! Your Synology should now be sending (and receiving) the firewall logs in Log Center. To check that, go to the Logs tab. By default, you will see all of the general logs for the server.

Because the firewall logs are sent to Log Center over syslog rather than read from the Synology’s local log files, they appear under the server’s own name instead of under “Local”. Click the drop-down where it says “Local”; the name of your server should be displayed underneath (in my case, “Gaia”).

You should now be able to see all of your incoming firewall logs, in their raw format, in Log Center.
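The raw lines are the kernel’s LOG output, one KEY=VALUE token per field, behind the --Firewall-- prefix. As an added example (not part of the original post), the script below summarises such lines by source address, protocol and destination port; the lines in SAMPLE_LOG are constructed to look like the syslog output of the post’s rule, and fw_summary is a name introduced here.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the raw kernel LOG
# lines that the post's rule sends to Log Center. The lines in SAMPLE_LOG are
# constructed to look like syslog output from that rule: the '--Firewall--'
# prefix is followed directly by the kernel's IN=/OUT=/SRC=/... fields.
SAMPLE_LOG='Apr 15 10:01:02 Gaia kernel: --Firewall--IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 15 10:01:09 Gaia kernel: --Firewall--IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=51240 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 15 10:02:30 Gaia kernel: --Firewall--IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Apr 15 10:03:11 Gaia synoscgi: unrelated DSM log line that must be ignored'

# Read log lines on stdin; keep only those carrying the firewall prefix and
# print "count SRC PROTO DPT", busiest first. Fields are "KEY=VALUE" tokens,
# so each is split on "=" and the three we care about are picked out.
# ICMP lines have no DPT, which shows up as "-".
fw_summary() {
    awk '
    /--Firewall--/ {
        src = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC")   src   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt   = kv[2]
        }
        count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Stand-alone demo on the constructed sample; in use, pipe an exported
# Log Center file into fw_summary instead.
printf '%s\n' "$SAMPLE_LOG" | fw_summary
```

Because the LOG target also writes to the kernel ring buffer, dmesg | fw_summary gives the same summary on the NAS itself without going through Log Center.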

A Word of Explanation

If you’re interested in what the script does, I’ve broken it down line by line here.

#!/bin/bash

Tells Synology to use the Bash shell to run the commands.

conf='/usr/local/etc/syslog-ng/patterndb.d/Firewall.conf'

Sets a variable to define where we are going to create the Firewall logging configuration.

echo 'destination d_iptables {' > $conf

Writes the first line of the destination block (where the firewall logs should be sent) to the configuration file; the single > overwrites any copy left from a previous run.

echo 'syslog("127.0.0.1" port(514) transport("udp"));' >> $conf

Writes the second line, which sends matching messages to the local server (127.0.0.1) over UDP on port 514 in IETF syslog format; this is the receiver Log Center is set up to listen on in the “Enabling Logging in Synology Log Center” section.

echo '};' >> $conf

Writes the third line closing the destination details.

echo 'filter f_iptables { match("--Firewall--"); };' >> $conf

Writes the filter that selects only messages containing --Firewall--, the prefix the iptables LOG rule adds to every entry.

echo 'log { source(src); filter(f_iptables); destination(d_iptables); };' >> $conf

Writes the log statement that tells syslog-ng where to get the messages from, what to filter them on and where to send the matches.

iptables -N LOGGING

Creates a new chain called LOGGING in the iptables configuration.

iptables -I INPUT 1 -j LOGGING

Inserts a jump to the LOGGING chain at position 1 of the INPUT chain, so every incoming packet passes through LOGGING before any of DSM’s own firewall rules; accepted and blocked connections are therefore both logged (subject to the rate limit below).

iptables -A LOGGING -s 192.168.1.0/24 -j RETURN

If the source IP address is in the local network (192.168.1.0 to 192.168.1.255), return from the LOGGING chain to INPUT without reaching the next rule, so local traffic is never logged.

iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix '--Firewall--' --log-level 6

Tells iptables to log the packet with the prefix --Firewall-- (so syslog-ng can filter on it) and, through the limit match, to rate-limit the logging to two entries a minute (after an initial burst of five) so a flurry of connections doesn’t flood the log with near-identical lines. Finally, --log-level 6 sets the syslog severity to “INFO”. If you only want “WARNING” logging, the level is 4; “EMERGENCY” is 0 and the most verbose, “DEBUG”, is 7.

Matthew Cunliffe

Author

Matthew is an IT specialist with more than 23 years’ experience in software development and project management. He has a wide range of interests, including international political theory; playing guitar; music; hiking, kayaking, and bouldering; and data privacy and ethics in IT.
