Firewall UI for policy rules

Well this should be fun to test with. Looks like a wonderful addition!

Thanks @alefattorini, not exactly an expert but knowledgeable. I’d like to check but it may have to wait a week or 2. What version of NS are we talking about here?

Currently :wink:
NethServer-testing
And you’re fine :smile:

The new firewall is already released and you can find it inside the updates repository :smile:

Hi.

I have just got this running and I have to say it works as intended so far. In my setup, NethServer is configured as the gateway and LAN hosts' traffic goes through the correct WAN defined by this policy. I tested via ‘traceroute’.

I have an observation though. It seems that on NethServer itself the policy does not get applied. Doing a ‘traceroute’ on the NethServer machine shows that the traffic goes to the default WAN and not the one mentioned in the policy.

Is this normal behaviour?

Thanks!

Hi Ov1 and welcome to the community,
Could you show your firewall and multiwan configuration?

Yes.
The technical reason is that the routing decision is taken in the pre-routing chain.
The rationale behind this behaviour is that you rarely need to do policy routing for the firewall and, if needed, it’s usually done with software specific options (i.e. tcp_outgoing_address for squid).
Finally, if you really need a route for traffic originating from the firewall, you could use a custom template for /etc/shorewall/tcrules to add a rule like:
0x20000 $FW 0.0.0.0/0 tcp 80

man shorewall-tcrules for the details.
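As an added illustration of the point above (not code from NethServer or Shorewall): a small parser for tcrules lines that reports which netfilter chain each rule lands in, so you can see why a LAN rule (PREROUTING) never matches traffic the firewall itself generates, while a `$FW` rule is placed in OUTPUT. It assumes the classic tcrules column order (MARK SOURCE DEST PROTO DPORT) and only handles the `:P`, `:F` and `:T` mark suffixes; the sample rules are constructed.

```python
import re
from dataclasses import dataclass

# Assumption: chain suffixes as documented in shorewall-tcrules(5); only these three are handled.
CHAIN_SUFFIX = {"P": "PREROUTING", "F": "FORWARD", "T": "POSTROUTING"}
MARK_RE = re.compile(r"^(0x[0-9a-fA-F]+|\d+)(?::([PFT]))?$")


@dataclass
class TcRule:
    mark: int
    chain: str
    source: str
    dest: str
    proto: str
    dport: str


def parse_tcrule(line: str) -> TcRule:
    """Parse one tcrules line (trailing '#' comments ignored); raise ValueError if malformed."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 2:
        raise ValueError(f"too few columns: {line!r}")
    fields += ["-"] * (5 - len(fields))            # pad optional columns with '-'
    mark_col, source, dest, proto, dport = fields[:5]
    m = MARK_RE.match(mark_col)
    if not m:
        raise ValueError(f"unsupported MARK column: {mark_col!r}")
    raw = m.group(1)
    mark = int(raw, 16) if raw.lower().startswith("0x") else int(raw, 10)
    if m.group(2):
        chain = CHAIN_SUFFIX[m.group(2)]
    elif source == "$FW":
        chain = "OUTPUT"        # locally generated packets never traverse PREROUTING
    else:
        chain = "PREROUTING"    # default placement for forwarded traffic
    return TcRule(mark, chain, source, dest, proto, dport)


def parse_tcrules(text: str) -> list:
    """Parse a whole tcrules fragment, skipping blank and comment-only lines."""
    return [parse_tcrule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def covers_firewall_traffic(rules) -> bool:
    """True if at least one rule marks traffic originating from the firewall itself."""
    return any(r.source == "$FW" for r in rules)


# Constructed sample: a LAN policy rule plus the $FW rule suggested in this thread.
SAMPLE_TCRULES = """
0x20000 192.168.1.0/24 0.0.0.0/0 tcp 80   # LAN web traffic marked 0x20000 (PREROUTING)
0x20000 $FW 0.0.0.0/0 tcp 80              # same policy for the firewall host (OUTPUT)
"""
```

Run `parse_tcrules(SAMPLE_TCRULES)` and check `covers_firewall_traffic` on the result: with only the first rule present the firewall's own traffic is not policy-routed, which is the behaviour Ov1 observed.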

Did you know that OpenMediaVault has a firewall configuration interface?
I just discovered it:

The design is not really different, but it has one advantage: we can see all rules.

Can we imagine the Nethserver GUI with all rules displayed, even the “zones” rules (green, blue, orange, red)?

What about Endian Firewall GUI?
All the settings are made only from GUI. Nothing from CLI.

I would like to do it.
Do you prefer these rules to be editable or not?

Good question…

We have two paths here:

  • The first path: As Nethserver is a system for everybody, even for somebody who is not a sysadmin, the rules can only be displayed, without the possibility to edit.
    These rules are displayed only to make things more transparent, and the apprentice sysadmin learns at the same time.
    The sysadmin can only deal with these rules with the first setup script, choosing how Nethserver will work (firewall or server only).

The second path: As Nethserver is very modular, and by consequence versatile, all the rules are editable… This state makes the sysadmin more responsible for these rules…
To prevent any accident, a possibility to cancel the last action (when things go bad :smile:) or the ability to run the first script to bring these preset rules back.
And to make a wiki page with the preset rules to inform, teach and eventually recreate these rules…

In my point of view, I have a preference for the second path, with the sysadmin more responsible :wink:

Why can somebody who is not a sysadmin reach the NS settings?
The users have their own GUI, without interfering with NS settings.
The sysadmin, by definition, must do everything ( https://en.wikipedia.org/wiki/System_administrator ).

"A system administrator, or sysadmin, is a person who is responsible for the upkeep, configuration, and reliable operation of computer systems; especially multi-user computers, such as servers.

The system administrator seeks to ensure that the uptime, performance, resources, and security of the computers he or she manages meet the needs of the users, without exceeding the budget.

To meet these needs, a system administrator may acquire, install, or upgrade computer components and software; provide routine automation; maintain security policies; troubleshoot; train and/or supervise staff; or offer technical support for projects."

The apprentice sysadmin can learn on VM.

Why are we tempted to complicate everything?

Because Nethserver is for everybody, from non-expert user to real skilled sysadmin.
I like to think that non-experts learn when using Nethserver and become more and more skilled :smile:

I totally agree, for this reason I like the “second path”, make all firewall rules editable :smile:

Perfect! For all these guys there is VM. They must learn on a fully functional NS, not on a fake NS!

It’s not just a question about “fake NethServer”. Yes, we have to improve it with many features by web interface, but I don’t like exploding NethServer with zillions of confusing settings; we’d rather have sensible out-of-box defaults that work for 90% of users and can be tweaked. But in some cases the needs are so divergent that a new setting must be added. This should be a method of last resort in my opinion. Don’t you think?
We have discussed it in many topics, for example:

How about we move forward there?

In what way would showing all the rules add complexity?

It will add information to display, it will add transparency about the configuration… But complexity, no.

Sorry for “fake NethServer”. It’s not about the meaning of “fake”.
In that moment I didn’t find a word for “not fully functional NethServer”! Neither now! :grin:

It’s OK for me but I maintain my opinions! :wink:

The sysadmin, by definition, must do everything. It is her/his job!
Why do you think that a sysadmin can damage a server only from the GUI and not from the CLI?
Why can somebody who is not a sysadmin reach the NS settings?
The users have their own GUI, without interfering with NS settings.

That sounds to me like something: NethServer-HijackSettings :slight_smile:

The purpose would be to bring to light all hidden settings, but a module whose purpose is to parameterize all services will quickly become a giant octopus :frowning:

You are right. But others did it! We compare NS with others. From where? From what? Which is the “level” from where we will start to compare?

I like to compare NethServer with Sophos and Endian as UTM and with Zentyal as Email server and DC.

This policy-based routing is running perfectly. Approved!