Nethserver Firewall vs PFSense

We have improved this scenario with NethServer 7 and the centralized account management (so-called “multi-site”) and you can have different installations (firewall, mailserver, etc…) on different hardware with the same account management.

1 Like

Hi Rob :slight_smile:

Indeed that’s the point! I definitely don’t know enough about NethServer yet to comment on this, I mean at the feature level or the capability to split features across multiple servers if the design deserves it. No doubt it works however :smile:

Your point about scenarios is exactly what I feel to be the correct approach: infrastructure and solution complexity (which is associated with completeness of features, redundancy or whatever one may need) have to be aligned.
A solution for home/SOHO may target a true all-in-one UTM. Ease of administration, hardware cost, performance requirements, etc. are different from what an SMB may need, and even more so with medium to large companies.

If this can be achieved using the same platform “template” (i.e. NethServer), then this is perfect because it allows a smooth upgrade path from an all-in-one UTM to a more complex but also more powerful/secure/redundant (you name it) design relying on the same solution. Wow :astonished:

I need to play with this new toy before commenting further :mask:

One point I’d like to add: IT skills are quite often (not always, I know) linked with company size. Which means that the interface needs to “scale”. By default, hidden complexity for SOHO/SMB, and the capability to expose a large (whole?) set of parameters for advanced admins or larger deployments. If I understand well, NethServer can do this too…

1 Like

As a small business (1-5 users) running NethServer on our LAN, I am actually in the process of setting up a dedicated perimeter firewall to protect my network: a LAN and a DMZ with a dedicated web server and a separate database server. The choice so far for the perimeter firewall has come down to IPFire and pfSense, no decision as yet, so the comments made by Robb make a lot of sense to me.

The most valuable asset any business, large or small, has is its data, and this should be the number one priority where security is concerned. Almost every day now some large company is being hacked and its data sold or held to ransom. So firewalls and the protection of that data now become a priority. As good or as basic as the NethServer firewall is, I am still going to install a perimeter firewall as my first defence. So I don’t find the argument that it is cost effective to have everything in one box a good one. Protection of data is paramount, so having the firewall on a separate machine makes a lot of sense (to me at least). Just my thoughts…

Sure, the side effect of an all-in-one UTM is that if this box is compromised, then potentially everything you host on it is compromised. I do share this view.
Once you understand this, depending on what you host and the value you put on it, the decision is yours to go for a UTM or to split services, because you understand that the extra cost (and when I say extra cost, I don’t mean hardware or licences, I rather mean extra complexity, thus the need to have this managed by someone skilled enough) is worth your assets’ value.

I’m not a big fan of all-in-one either, even at home with few users (but lots of data). It looks like SOHO but it’s more like a datacenter :sweat_smile:
However, if I had to deploy something in a SOHO with no real local IT skill, then the ease of an all-in-one brings some obvious value compared to the potential complexity of a dedicated firewall.
There is nothing worse than thinking you’re safe just because you are behind your firewall, when you don’t know this wall is not protecting you due to poor configuration.

That’s where the balance is, IMHO.

(Of course, you may think about providing a remote admin service, but this is another story, isn’t it?)

A scenario I implemented at a primary school is having 1 server with Ubuntu + Qemu-KVM installed. Then I created 2 VMs: 1 for pfSense.
I used VT-d to assign eth0 dedicated to pfSense. eth1 is assigned to the LAN.
This way the host OS is only accessible from the LAN side. If you need to do admin tasks, there is a VPN option on pfSense.
The 2nd VM is running Karoshi server (this is a school and they already used Moodle, Xerte etc., so Karoshi server was a logical choice here).
The 2nd VM is doing all the other tasks like DNS, DHCP, file & printer sharing, hosting web applications etc…
This way, you still have only 1 physical device, but you also split your UTM/firewall from your other device.

I can imagine that something similar can be done using NethServer.

@Christian: looks like we are taking off where we stopped 3 years ago… :slight_smile: good to have you here!

2 Likes
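The two-VM layout described in the post above, as an added example that is not from the original post or from the pfSense or NethServer projects: a libvirt domain definition for the pfSense guest, where the WAN NIC (eth0) is handed to the guest with VT-d and the LAN side is a virtio NIC on a host bridge. The PCI address 0000:02:00.0, the bridge name br-lan (with eth1 enslaved on the host) and the disk path are assumed placeholders; the host must have IOMMU enabled and eth0 bound to vfio-pci before the guest starts.

```xml
<domain type='kvm'>
  <name>pfsense-fw</name>
  <memory unit='GiB'>2</memory>
  <vcpu>2</vcpu>
  <os>
    <type arch='x86_64' machine='q35'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features><acpi/><apic/></features>
  <cpu mode='host-passthrough'/>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <!-- assumed path -->
      <source file='/var/lib/libvirt/images/pfsense-fw.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <!-- WAN: the physical NIC eth0 is passed through whole with VT-d (VFIO).
         The host kernel never binds a driver to it, so nothing on the host
         is reachable from the Internet side; only pfSense sees this link.
         The PCI address is a placeholder: take the real one from lspci. -->
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <source>
        <address domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
      </source>
    </hostdev>
    <!-- LAN: a virtio NIC on the host bridge br-lan, which also carries the
         physical eth1 and the host's own management address. The second VM
         (Karoshi in the post) attaches to the same bridge. -->
    <interface type='bridge'>
      <source bridge='br-lan'/>
      <model type='virtio'/>
    </interface>
    <console type='pty'/>
  </devices>
</domain>
```

Load it with `virsh define pfsense-fw.xml`; pfSense then sees the passed-through NIC as its WAN and the virtio NIC as its LAN, and host administration works only from the LAN side (or through the pfSense VPN), which is the isolation the post relies on.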

As we said, you can use NethServer as an all-in-one UTM but also just as a firewall (like pfSense) without extra modules, installing another instance in your LAN with services like AD, Nextcloud, etc…
From this point of view, I see NethServer as more powerful, not less.

Why? Did you try NethServer too, just installing the firewall module?

[quote=“alefattorini, post:19, topic:917, full:true”]
As we said, you can use NethServer as an all-in-one UTM but also just as a firewall (like pfSense) without extra modules, installing another instance in your LAN with services like AD, Nextcloud, etc…
From this point of view, I see NethServer as more powerful, not less.
[/quote]

Sure. I see your point. It makes sense, but then it’s a matter of an apples-to-apples comparison between pfSense as a firewall and NethServer as a firewall. And I’ve no idea about this for the time being. I’ll be able to compare once I reinstall my NS7 platform, which is still locked for the time being.

1 Like

I need two firewalls. The first is a perimeter firewall protecting both the LAN and DMZ, and the second protects just the LAN. Both firewalls should be from different stables, for security. That is the reason why the NethServer firewall cannot be used twice; it sort of defeats the object. If a hacker breaks through the first firewall and is then confronted by the same firewall obstacle, then access is easy. If the firewalls are different, then the hacker is confronted by new obstacles to surmount… not wise to have both firewalls the same.

1 Like

What would be the difference between the iptables firewall from NS and the iptables firewall from another project?

It’s my understanding that iptables (or the newer NFT) as used by CentOS and Ubuntu is different from the packet filtering used by pfSense / OPNsense. Correct me if I’m wrong. NFT, the latest incarnation of iptables, hooks directly into the Linux kernel. OpenBSD and FreeBSD, which pfSense forked from, use packet inspection to allow traffic through firewalls. BSD is not Linux, therefore a different OS. pfSense cannot be installed (to my knowledge) on a Linux OS. So, as I stated in my earlier post, I want to use two separate firewalls, which should give me much more effective protection.

NFT / iptables are good and I use them a lot to protect individual servers running Ubuntu in my DMZ. My intention is to have possibly OPNsense as a perimeter guardian, protecting both the DMZ and the LAN server running the NethServer firewall (Smoothwall I think) and hence iptables.

[quote=“Bluelake, post:21, topic:917, full:true”]
I need two firewalls. …/… If the firewalls are different then the hacker is confronted by new obstacles to surmount… not wise to have both firewalls the same
[/quote]

OK, but this is a design choice. Which may make sense, BTW.
I would not say the opposite, as I do operate at least one Zentyal server behind a pfSense FW :grin:

Then does it mean this is a requirement everywhere, or that the NS FW is not safe or efficient enough because it is iptables? I don’t think so.

Hi Christian

Yes, this is a design choice, and my design choice. The biggest rise in crime is now from the Internet (U.K.), and not from the guy breaking a window and grabbing the telly to sell for a few bucks. There is more cash to be made from hacking networks / computers for data to sell…

Did I say that the NS FW was inefficient? No. The NethServer FW has protected my LAN for more than a year, and iptables does make a great firewall; I use iptables on more than one server. I am against the “all in one box” scenario, but that does not lessen the fact that NS is a great product. Having a web server and email server in the same box as a database server is, to me, a dangerous practice, and one I have never indulged in.

Network security is an individual choice, and one normally based around economics and expertise; not every business or individual trader has the time or money to invest in security. Which is why NethServer is a great tool for a lot of SMEs, and the firewall does its job.

I have always operated my network with two firewalls, one protecting the perimeter and a second protecting the LAN. The cost involved is negligible compared to the cost of customer information being sold to the highest bidder; believe me, I have been there.

Does this mean we all need to rush out and install a second firewall? No, but it does mean we should all be aware of the threats associated with the Internet where a business is concerned. Ignorance is not bliss.

6 Likes

Great points here, thanks for explaining your approach to security, Keith.
I love seeing people sharing such experience! :v:

NethServer is the best one.

1 Like

I’m just a home user now, but I was the IT support for a small business for a while, in addition to my real job there :). At that time I used Smoothwall for both, because I believe strongly in a separate perimeter device dedicated to that task for minimal attack surface. I also had spare older PCs around in both environments that were capable of running Smoothwall and keeping up with the connection speeds involved then just fine, so the implementation cost was just a bit of my time. Work involved training people, and the ability to easily monitor sites accessed and block some was rather useful too at times.

At home, because of slow DSL, I eventually went multi-WAN and moved to pfSense, as Smoothwall did not support that; it was initially a little harder to get my head around and not quite as polished to look at, but plainly also a very solid product. Recently I bought a little Qotom box as it was cheap, used far less electricity, and was much smaller and much more powerful than the ancient Compaq Deskpro SFF PC I was using at the time. It’s performed perfectly.

Personally, I would never put my perimeter firewall on any shared resource, especially now when the likes of the Qotom box are around. Mine is really overkill in power but was only £200; it’s well built and silent and actually barely bigger than the two modems connected to it. It should last many years and uses very little power, so excellent value from my point of view at least.

I appreciate that there are probably some cases where an all-in-one approach is okay, and if I were just a plain home user with minimal IT knowledge and a very tight budget I might very well do that. The reality is I know enough to prefer a separate firewall, and an old PC or a £200 bought unit is a price I’m happy and able to pay. Apart from anything else, the two modems and two switches sitting with the router box, though pretty bargain-basement units, cost more than it did.

1 Like

I absolutely agree.

Even if I don’t think about security… in home use cases today it’s better to be able to restart a server without losing the internet connection for the rest of the family because router and server are the same box… there are home scenarios where internet is needed 24/7… crazy people, but I understand them :slight_smile:

In my opinion a firewall should

  • be a physical device - virtualization may be seen as a security hole
  • have just firewall services installed - the fewer services, the fewer attack possibilities
  • maybe have much more, but that’s not the point now

Now to NethServer Firewall vs pfSense (to reply to the topic):
The NethServer firewall has many of the functions of pfSense, maybe not everything in the web UI. Visually you can see that pfSense is a firewall distro and that for NethServer firewalling is just a small part of the whole thing, but managing the firewall is easy with both systems.
When it comes to comparing the fully installed systems, pfSense has no chance, even if I take NethServer without community modules.
I use LEDE (https://lede-project.org/), an OpenWrt fork, on a cheap WLAN router as router/firewall, and NethServer as a VMware VM as an all-in-one server at home.

Some screenshots of my test systems (images not included here): pfSense dashboard, pfSense port forwarding, pfSense package manager, NethServer port forwarding, NethServer firewall rules/services.

1 Like

You can set this up anyway with two NethServers:

  • 1 as PDC or mailserver
  • 1 as firewall that joins the PDC

1 Like

I have this atm on my home network. The only thing I was running into was a problem joining the Samba4 domain correctly with the Gateway instance. See AccountProvider_Error_82 on member NS7 after join

I’m in the process of re-evaluating pfSense as well. I’m a home user / enthusiast. I’m considering NethServer for my home setup. I’m also the type to set up the perimeter separate from my data storage. I’m considering signing up for the basic $48 subscription. Does that subscription support two servers, or is it limited to one server per $48 subscription?

We have already answered here.