Where is the firewall?

No, they are not.

On something like a TrueNAS system, you would be in full control of everything opening ports. A firewall is effectively pointless.

If you don’t trust your TrueNAS system for whatever reason, then running a firewall on said system would again be effectively pointless, since how could you trust it to perform its job when you just concluded it wasn’t to be trusted?

Put it behind a security appliance if you want to filter or limit access; in most home environments, that would be your router.


Fully agree on this one and have no issue upvoting this if it goes as a feature.

As part of my actual work we deploy cloud containers and resources all the time, and each one of them would have a dedicated network security rule set in front; then you’d have the overall virtual network or physical network firewall/network rule.

It’s like: You wouldn’t run a Windows production server with Windows Firewall off, you’d have it correctly configured to what you want.

Same applies to any other production resources: they should be set up as you want, granted in homelabs it’s really not worth it. Without extra context from OP, I can’t comment on the feasibility of what he is trying to achieve with an OS-level firewall, but almost always they are better than none at all.

This concept is perfect for the “Defense in Depth” theory, even though you should make sure your actual firewall is configured correctly for network security, stuff goes wrong and ideally OS-Level Firewalls will provide that last lock before a breach if they manage to get into the firewall layer - such as the amazing SSLVPN attacks going on at the moment.
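As an added illustration of the “correctly configured to what you want” host-level layer described in this post (example code, not the poster’s own and not part of TrueNAS): a script that emits a minimal nftables ruleset for a Linux NAS host, default-deny inbound with file services reachable only from the LAN and management only from one admin workstation, and syntax-checks it with `nft -c` when nft is installed. The LAN prefix, admin host and the port choices are constructed placeholders; TrueNAS CORE is FreeBSD and would need pf rather than nftables.

```shell
#!/bin/sh
# Constructed example: a host-level, default-deny inbound policy for a Linux NAS.
# LAN_NET and MGMT_HOST are placeholders; override them from the environment.
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # placeholder LAN prefix (IPv4 only here)
MGMT_HOST="${MGMT_HOST:-192.168.1.10}"  # placeholder admin workstation

# Print the ruleset. Inbound defaults to drop; only established traffic,
# loopback, ICMP, SMB/NFS from the LAN and SSH/HTTPS from the admin host pass.
nas_ruleset() {
  cat <<EOF
table inet nas_host {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif lo accept
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
    # file services (SMB, NFS) only from the LAN
    ip saddr $LAN_NET tcp dport { 445, 2049 } accept
    # management (SSH, web UI) only from the admin workstation
    ip saddr $MGMT_HOST tcp dport { 22, 443 } accept
    # rate-limited log of everything else before the policy drops it
    limit rate 5/minute log prefix "nas-drop: "
  }
}
EOF
}

# Parse-check the ruleset without loading it (nft -c), if nft is available.
# Returns 0 on a clean parse or when nft is absent, non-zero on a syntax error.
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    nas_ruleset | nft -c -f -
  else
    echo "nft not installed; skipping syntax check" >&2
  fi
}

# Usage: review the output, then load it with `nas_ruleset | nft -f -` as root.
nas_ruleset
check_ruleset
```

The point of the log line is detection rather than prevention: if the edge firewall is bypassed, the host still records what reached it, which is the “last lock” the post is describing.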

There would be another way one could take care of that: run the FW/router in a VM or container.

The question is just whether the networking (pass-through of physical NICs and virtual NICs) can be set up accordingly.

If so, the physical device hosting your NAS can be an edge device, without TrueNAS logically becoming one and getting feature-bloated.

With devices becoming ever more powerful and with TrueNAS hosting things like Nextcloud, the desire to reduce the device count and power consumption in a SOHO environment is real and legitimate.

But that’s the beauty of virtualization.

So it’s better to improve the existing virtualization environment to allow such a setup than coaxing a firewall directly into the TrueNAS OS itself.

If you can live with possibly your entire Internet access or even your local network (think DNS, DHCP & friends) being down when you perform maintenance for the NAS - yes, agreed.

OPNsense runs perfectly fine in a VM on TrueNAS, CORE or CE. Been doing both.

Kind regards,
Patrick