Locking down FreeNAS (FreeBSD) to just a single IP address

Question

I want to host a FreeNAS server (Server B) on the Internet for remote ZFS replication. Server A is a FreeNAS server in an office with a dedicated IP behind a Firewall, which will be sending ZFS data to Server B.

I realize there are many ways to lock down Server B but I have to decided to keep it as simple as possible. My goal is to only allow traffic to Server B if it is coming from the IP Address of Server A.

I don't want to lockdown specific ports, I simply want to ignore/drop all traffic that doesn't originate from the IP Address of Server A. Likewise, I want to allow all traffic originating from Server A's IP address. Since I don't know what ports FreeNAS uses and might use in the future, I want to avoid picking and choosing points as to prevent a maintenance nightmare.

I probably know 3 or 4 Unix commands, so I'm far from an expert. Does anyone know the commands I need to run to lockdown my FreeNAS server to just a single IP?

Answer 1

If you can get a root shell on Server B, you can use ipfw to only allow access from Server A (assuming IP 10.20.30.40 for Server A):

ipfw add allow all from me to me keep-state
ipfw add 40 allow ip from 10.20.30.40 to any
ipfw add 50 deny ip from any to any

This will only allow 10.20.30.40 to access it. Anything else will be denied. Just take care to not lock yourself out.

You could put that on a script, and add a sleep 120 ; ipfw add 10 allow ip from any to any on the last line of it, and run the script. If you somehow locks yourself out, ipfw will allow you back after 120 seconds.