Cockpit basic firewall

testing

#1

to @quality_team and, as always, to anyone interested in testing the new UI or just curious, I wanted to highlight this issue:

of course, they are testing packages… please avoid using them on production servers :vulcan_salute:


(Giacomo Sanchietti) #2

@dz00te reported on the issue tracker:

minor UI doubt: on a VM with only one eth and no WAN defined, selecting Traffic Shaping leaves a spinning wheel at the top. I suppose it is related to netdata and the absence of a WAN, and it seems to have no real impact, but maybe it could be misleading: it seems there is something to wait for…

We never thought about someone installing the firewall configuration on a machine without a red interface :frowning:

If netdata is not running, you should not see any problem. I guess the issue is somewhere else.
Open the browser console and try copying and pasting the commands to test calls to the API.
A blind shot, try this:

echo '{"action": "classes"}' | /usr/libexec/nethserver/api/nethserver-firewall-base/traffic-shaping/read

In the meanwhile, I will try to reproduce.


#3

yes I know, it’s a strange world :wink:
I always install it, even if I do not actually use it, I do not know why :sweat_smile:
from memory I remember a couple of installations with only one eth where I use it:
vm proxy with wccp
vm openvpn
and I also believe on my vps

test:

# echo '{"action": "classes"}' | /usr/libexec/nethserver/api/nethserver-firewall-base/traffic-shaping/read
{"status":null,"configuration":{"classes":[{"MinOutputRate":"10","BindTo":[],"name":"high","MaxOutputRate":"","MaxInputRate":"","MinInputRate":"10","Description":"","Unit":"%"},{"MinOutputRate":"","BindTo":[],"name":"low","MaxOutputRate":"90","MaxInputRate":"90","MinInputRate":"","Description":"","Unit":"%"}]}}

thanks; as you say, there probably will not be many installations of this type, so it’s not so important
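To make sense of what that read call returns, here is an added Python example (not NethServer's own code) that parses the traffic-shaping response shown above and sanity-checks each class. It assumes only the field names visible in the output and that rates are plain integers, with an empty string meaning "not set".

```python
import json

# Response captured from the read call in the post above (the wrapped lines joined back together).
SAMPLE_RESPONSE = (
    '{"status":null,"configuration":{"classes":['
    '{"MinOutputRate":"10","BindTo":[],"name":"high","MaxOutputRate":"","MaxInputRate":"",'
    '"MinInputRate":"10","Description":"","Unit":"%"},'
    '{"MinOutputRate":"","BindTo":[],"name":"low","MaxOutputRate":"90","MaxInputRate":"90",'
    '"MinInputRate":"","Description":"","Unit":"%"}]}}'
)

RATE_FIELDS = ("MinInputRate", "MaxInputRate", "MinOutputRate", "MaxOutputRate")


def _rate(value):
    """The API returns rates as strings; '' means 'not set' (assumption based on the sample)."""
    if value in ("", None):
        return None
    return int(value)


def parse_classes(raw):
    """Parse the read API response into a list of classes with numeric (or None) rates."""
    doc = json.loads(raw)
    classes = []
    for cls in doc["configuration"]["classes"]:
        parsed = {"name": cls["name"], "unit": cls.get("Unit", "%"), "bind_to": list(cls.get("BindTo", []))}
        for field in RATE_FIELDS:
            parsed[field] = _rate(cls.get(field, ""))
        classes.append(parsed)
    return classes


def check_class(cls):
    """Return a list of consistency problems for one parsed class (empty list = ok)."""
    problems = []
    for direction in ("Input", "Output"):
        lo, hi = cls.get(f"Min{direction}Rate"), cls.get(f"Max{direction}Rate")
        if lo is not None and hi is not None and lo > hi:
            problems.append(f"{cls['name']}: min {direction.lower()} rate {lo} exceeds max {hi}")
        for v in (lo, hi):
            if v is not None and cls.get("unit") == "%" and not 0 <= v <= 100:
                problems.append(f"{cls['name']}: {direction.lower()} rate {v} outside 0-100%")
    return problems


def check_response(raw):
    """Map each class name to its list of problems; all lists empty means the config is consistent."""
    return {c["name"]: check_class(c) for c in parse_classes(raw)}
```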


#4

there are also two other things on the issue that probably should be discussed on community:

as soon as I enter from Application in Nethserver Firewall, the Info bar on top with click on restore button > comes back.

This is the expected behavior: the user can restore a previous firewall configuration.

ok, just to know it; I admit that at first I was a bit disoriented… it seemed that NS was proposing that I do a resume and I did not understand why it did not disappear.

still I can’t find the menu corresponding to the old Firewall Rules > Network Services

It’s under the “Local rules” section. But it doesn’t report the list from Network Services by design.
Maybe we can discuss it on community.

here we are :slight_smile:

I personally would prefer to see them all the time, but with a view to making common administration tasks simple, I think that at least in the Firewall settings something like “Enable advanced view” or “Show Firewall Rules of Network Services” would be useful…
I promise I will read
https://ometer.com/preferences.html
and

but I’m pretty sure I’d rather have this option :innocent:


(Ralf Jeckel) #5

Played a little with it:

Traffic shaping works only from cockpit after changing in cockpit.
Failure: Mark integer number in neth-gui, can’t change rule in neth-gui anymore

Sometimes the spinning ring keeps running. After pressing F5 all is done and working. No more spinning ring.

The validation message is not very clear when trying to create a host with upper case, i.e.

Create host is o.k. vice versa
Create host group is o.k. vice versa
Create range is o.k. vice versa
Create zone is o.k. vice versa
Create time condition is o.k. vice versa
Create service is NOT o.k. When created in cockpit port is not saved. Edited in neth-gui port is saved.

Create a rule is o.k. vice versa.

Displayed GW in WAN section is wrong: 169.254.0.0/16 seems to be the standard private IP, not the real one.

Test machine: VM with red and green. netdata not installed so far. Will be the next step. :slight_smile:
Will keep on playing and reporting.

That’s what I found so far.


(HF) #6

Is it correct that nethserver-firewall-base depends on nethserver-cockpit-lib?

For nethserver-cockpit is not installed on this machine.

[root@pbx ~]# rpm -q nethserver-cockpit
package nethserver-cockpit is not installed
[root@pbx ~]# yum install nethserver-firewall-base --enablerepo=nethserver-testing
Loaded plugins: changelog, fastestmirror, nethserver_events
Loading mirror speeds from cached hostfile
 * ce-base: www.mirrorservice.org
 * ce-extras: www.mirrorservice.org
 * ce-sclo-rh: www.mirrorservice.org
 * ce-sclo-sclo: www.mirrorservice.org
 * ce-updates: www.mirrorservice.org
 * epel: mirror.imt-systems.com
 * nethforge: mirror.alpix.eu
 * nethserver-base: mirror.alpix.eu
 * nethserver-updates: mirror.alpix.eu
Resolving Dependencies
--> Running transaction check
---> Package nethserver-firewall-base.noarch 0:3.5.0-1.ns7 will be updated
---> Package nethserver-firewall-base.noarch 0:3.5.0-1.163.g84e02ba.ns7 will be an update
--> Processing Dependency: /usr/libexec/nethserver/api/lib/helper_functions.pl for package: nethserver-firewall-base-3.5.0-1.163.g84e02ba.ns7.noarch
--> Running transaction check
---> Package nethserver-cockpit-lib.noarch 0:0.4.1-1.6.ge3c2f8e.ns7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                    Arch    Version                    Repository          Size
================================================================================
Updating:
 nethserver-firewall-base   noarch  3.5.0-1.163.g84e02ba.ns7   nethserver-testing  1.9 M
Installing for dependencies:
 nethserver-cockpit-lib     noarch  0.4.1-1.6.ge3c2f8e.ns7     nethserver-testing   27 k

Transaction Summary
================================================================================
Install  ( 1 Dependent package)
Upgrade  1 Package

Total download size: 1.9 M
Is this ok [y/d/N]: n
Exiting on user command


(Ralf Jeckel) #7

nethserver-netdata installed. Chart in connections is working.
Somewhere else needed?

Speedtest in WAN-section is working.

EDIT: just found the “add shortcut” feature. Great to customize cockpit! Love it :heart_eyes:


(Giacomo Sanchietti) #8

We just added a button to dismiss it and reworked all labels.

We tried to do a paradigm shift with the new UI, but it doesn’t mean it’s the correct one :slight_smile:
What about a button/link instead, to open the other network services page?
The problem is also a semantic one: rules for network services are always expanded before the ones reported in the rule page so the drag&drop will have no meaning.

I will look into it, but it seems strange. :thinking:

It should be fixed now.

@filippo_carletti already reviewed all labels, but PRs are welcome!

How can I reproduce it?

Yes, it will not start cockpit, just bringing some common libraries for the APIs.

Great work so far! Just report any bug you find! :wink:


(Ralf Jeckel) #9

Here it’s shown correctly:


But here not:


(Giacomo Sanchietti) #10

How is the red interface configured? Is it in DHCP or static?


(Ralf Jeckel) #11

It’s configured static.
93.8x.xxx.xxx/29