I keep forgetting how to do this so I’m finally gonna write it down. Synology DSM does not allow you to define arbitrary firewall rules. I especially want to define more paranoid firewall rules attached to OpenVPN connections. Sadly the GUI does not know about selective firewall rules for these, so I had to do it myself. Synology's OpenVPN client calls
/usr/syno/etc.defaults/synovpnclient/scripts/ovpn-up
once the connection is established and
/usr/syno/etc.defaults/synovpnclient/scripts/ip-down
on disconnect. To define my own firewall rules I figured I would have to add to these two scripts. Unfortunately Synology only sets its firewall rules some time after the scripts have run. So when I just add my own firewall rules to the two scripts, they are overwritten seconds later by Synology's firewall. My solution is the following: at the end of the Synology scripts
ovpn-up
and
ovpn-down
I add my own firewall setup script via:
    # above here is Synology's original code
    # save the return code of the Synology ip-up/down logic
    returncode=$?
    # call my script and send it to the background
    nohup /opt/bin/iptables.sh &
    # pass the original return code to the calling process
    exit "$returncode"
In my own firewall script I begin with:
sleep 10
before I proceed to remove the Synology firewall rules and replace them with my own.
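As an added example (not the script from this post), here is one way /opt/bin/iptables.sh could look. It waits for DSM to finish writing its own rules, then flushes them and installs a restrictive set that only allows LAN traffic, the OpenVPN control connection, and traffic leaving through the tunnel; after a disconnect the tunnel rule is omitted so nothing falls back to the plain uplink. The tunnel interface tun0, the LAN 192.168.1.0/24, the VPN server 203.0.113.10 udp/1194, and the `apply` argument (the hook above calls the script without arguments) are all assumptions, not values from the post.

```shell
#!/bin/sh
# Hypothetical /opt/bin/iptables.sh, started in the background by the ovpn-up / ovpn-down hooks.
# Assumed values (adjust for a real setup): tun0, 192.168.1.0/24, 203.0.113.10 udp/1194.
VPN_IF="${VPN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
VPN_PORT="${VPN_PORT:-1194}"
SETTLE_SECONDS="${SETTLE_SECONDS:-10}"

# DSM re-applies its firewall a few seconds after the hook returns, so rules written
# immediately would be wiped. Waiting first is the whole reason the hook backgrounds us.
wait_for_dsm() {
    sleep "$SETTLE_SECONDS"
}

# Tunnel state: "up" if the interface exists, otherwise "down".
tunnel_state() {
    if ip link show "$VPN_IF" >/dev/null 2>&1; then echo up; else echo down; fi
}

# Emit the rule set for the given state, one iptables command per line.
# Generating the commands separately from running them lets the rules be reviewed
# (or tested) without root access or a live tunnel.
vpn_rules() {
    state="$1"
    # Flush DSM's rules and default to DROP in every chain; then allow loopback,
    # replies to existing connections, the LAN, and the OpenVPN control channel.
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $LAN_NET -j ACCEPT
iptables -A OUTPUT -d $LAN_NET -j ACCEPT
iptables -A OUTPUT -d $VPN_SERVER -p udp --dport $VPN_PORT -j ACCEPT
EOF
    # Only while the tunnel is up may anything else leave, and only via the tunnel.
    # On disconnect this line is omitted, so the NAS cannot leak over the plain uplink.
    if [ "$state" = up ]; then
        echo "iptables -A OUTPUT -o $VPN_IF -j ACCEPT"
    fi
}

# Number of commands in a rule set read from stdin (sanity check for the dry run).
rule_count() {
    n=0
    while IFS= read -r _line; do n=$((n + 1)); done
    echo "$n"
}

# Run every generated command; stop at the first failure.
apply_rules() {
    vpn_rules "$1" | while IFS= read -r cmd; do
        eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Default action is a dry run that prints the rules. The hooks should call
#   nohup /opt/bin/iptables.sh apply &
case "${1:-print}" in
    apply) wait_for_dsm; apply_rules "$(tunnel_state)" ;;
    print) vpn_rules "${2:-$(tunnel_state)}" ;;
esac
```

Run `/opt/bin/iptables.sh print up` or `print down` on the NAS to see exactly what would be installed before wiring the `apply` call into the hooks; the dry run needs neither root nor an active tunnel.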
WARNING: DSM Updates may overwrite your custom settings. Whenever you update DSM make sure that your settings are preserved.