Cockpit where are the firewall rules for services and policies?

No, it’s not possible. But you are not the first that require this. Maybe we can think to implement that. For now you can use config setprop <service> access <zones> (e.g. config setprop httpd access green) and then a signal-event for that service like signal-event nethserver-httpd-update

This is under System > Services. By clicking on View you can see details for that service.

Policy routing are under Firewall > WAN in the second half of the page.

This is a significant step backward with Cockpit vs. the old GUI.

1 Like

It is really a big step bigwards. If you have a firewall with IDS, it is ESSENTIAL to be able to see which parts are open to the internet, to be able to close all ports to the internet and open only those you need for you services (i.e. usually port forwarding), otherwise this firewall would be almost useless.

Cockpit should be a better replacement admin interface, but to fit this rule, the user must be able to set the essential and security relevant settings.

1 Like

You can set also a firewall rule to block from internet to firewall for a service…


In my view it only displays a “Details” link, which I have to click for every service. The sold list with an overview which services are open on which ports and which networks was MUCH better. Could this be improved?

Yep, here are related questions:

1 Like

The function is still there but is now explicit: to open a port of a network service, you need to create a rule inside the firewall page.
With the old UI, you had 2 different ways to do the same thing and many users created conflicting rules.

So what is the best approach? I do not have an answer, but since more and more people are asking for something like the old view maybe we can improve it.
Do you still prefer to have 2 different and conflicting ways to do the same thing? Or we can just put a pointer to firewall application on the service page?

For sure, this is the simple part: expose the network properties inline into the table.
What do you think @edoardo_spadoni?

IF the rules would have been integrated into the normal rules page und were visible as normal rules, which let red traffig into the nethserver, it would be ok. Currrently there are open ports even though nothing points to this fact. It means that there are two possibilities to configure rules, but these create different rules types which are hidden from the general rule page.

A solution would be to convert the service rules into normal rules and display them as normal rules. The rules could be created by default, and the admin can view, enable or disable them like other rules.

Yes and no.
This solution could generate more support cases than needed, if the admin enable, change o destroy a rule, so this and previous arrangement are/were quite useful to avoid that.
As seen in several support topics, sometimes more than admins there are wanna-be admins. Maybe i am the first of this list.

We are willing to improve the situation but still we do not have a clear design in mind for the UI.
This gonna take time, please be patient :slight_smile:

We will try to share a preview to gather feedback before the full implementation.

1 Like

Generally speaking, I’d think the firewall rules page should be similar to what I think the virtual hosts page should be (and also isn’t)–all the active rules should be listed there, and ideally should be able to be adjusted there. But for services managed by Neth, we shouldn’t require admins to know port numbers, tcp/udp, etc., nor to manually enter network addresses–the admin should be able to say that, e.g., ejabberd should be available on red/orange/blue/green, and Neth figure out the rest.

I’d think the ideal arrangement would be that this could be specified, in this way, from the firewall rules page (perhaps with an “advanced” option to make more detailed changes to the rules). But, as we’d previously discussed with respect to the virtual hosts issue, that means that one page needs to know about everything that might be installed, what ports it needs, on which protocols, etc. So if it isn’t practical to do it this way, it could link to the relevant settings for whatever modules are installed. But at a minimum, all the applicable rules should at least be visible there.


@giacomo Do you think it’s better to expand Services page or add a new Service Access page under Firewall section? And in this new page show ports and access rules.
If you want to expand actual Services page I can have an idea. If you want to create a new page I can think… :slight_smile:

I do not have in mind a working solution, neither I can’t give some hints for a good direction for the implementation.

I just need to postpone this task and rethink the page with the design team.

1 Like

@giacomo I don’t mean to intrude, but… what do you think of something like this?

  • description into tooltip on info icon
  • ports on two lines (TCP and UDP)
  • access showed and exchange button to change it (it opens a modal - not implemented for now - only where access is specified?)

We can also move this two column after running one if you think is better.
It’s only a purpose… I hope it can be helpful :slight_smile:

Would you please tell us which difference is between enabled and running?

For sure it’s a good start! But we probably also need to improve the firewall part at the same time.

It has the same meaning as reported by systemctl status:

  • enabled: it should be started
  • running: it’s actually running

Do you want to have same rules into two pages as NethGUI?

I like this approach. It’s clear and all in one. :+1:
Only thing to consider is, that it’s maybe only for lager displays suitable.
In NethGUI we have “Services” and “Network Services” page. To merge them simplifies the GUI at all IMO.

1 Like

@giacomo If you want I’ll start doing something on this page just tell me :slight_smile:

1 Like

@giacomo thanks for explaining :slight_smile: