Exploits and other threats

@danb35

If you read all my posts you’ll find that I understand myself as a part-time admin in my own companies. We do not make money with IT. I never claimed to be a professional IT guy. All I do and recommend is based on my own experiences with my own IT. Always on hardware, never anything in a cloud. The one and only exception is a company homepage.

Firewall (at least two NICs) and server always (since SME 4.x) on separate hardware. I don’t want to start a flame war about the question of whether a firewall is necessary or not. I have simply always used a hardware firewall (today with OPNsense as OS).

my NS8 questions and reservations
my NS8 reservations

Obviously you don’t like and don’t accept my point of view. That’s o.k. for me.

FYI to my use cases/IT:

On a dedicated hardware firewall box, with more than two NICs, in front of my LAN there are only a few ports open: 25 (email), 53 (DNS) and 123 (NTP). All DNS and NTP queries in the LAN (even hardcoded ones) are redirected to the firewall. Every needed port in the LAN is configured - any other port is denied.

Access to the LAN is granted with WireGuard or OpenVPN (several countries or hotels block traffic except on port 80 or 443; there are ways to configure a layer-4 proxy to OpenVPN 1194). Traffic from WAN to port 80 or 443 is directed to a reverse proxy with “access denied”. No WLAN active. Smartphone sync only via WireGuard.

On the FW, Zenarmor, intrusion detection and CrowdSec are running, and DNSBL (in Unbound) is configured. Certs (Let’s Encrypt, DNS-01 challenge) are handled by the OPNsense and distributed to all machines where they are needed (also correctly to NS7, with a bash script translated/modified for it). The box has enough power to handle all this flawlessly. For me it has always made sense to have this traffic separated from the LAN (a server). Additionally we are running two Pi-holes to restrict access to unwanted connections.

With the EOL of NS7 we moved email to mailcow. NS7 is still running with AD. Only the services we need are enabled. A database for our ERP is running as a service on the server.

In the LAN we need SMB shares (very typical for SMEs) for very different OSes, some of them very old. In the company we are running DOS, WINXP, WIN7, WIN10, WIN11, different Apple OSes, and a few others.

We have customers all over the world. Nearly 100% of the communication is data exchange by email. A lot of companies, probably not only German ones, had and have problems with ransomware or other nasty trojans. To this day we’ve never been compromised.

Fair enough - I can’t tell whether this could have been also accomplished without a hardware firewall.

When NS8 was released I explicitly asked in this forum about the protection by design against ransomware for Samba shares.

For me ransomware is still the biggest threat I can imagine for a business. The result was freezing NS7 and splitting off email, besides some other considerations not to walk the NS8 path. Still today with a hardware firewall in front of the server, as I have always used all these years.

OP was telling:

then:

later:

I agree:

I was talking from my point of view while not knowing what Marko’s IT design and purpose of use is. Sorry for not asking Marko before posting.

At the time I migrated from SME to NS7 we had several contacts. He took a close look at my use case and confirmed that I don’t need his help. I appreciated his honesty very much.

No comment.
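The edge-firewall posture described in this post (deny by default on WAN, only 25/53/123 inbound, 80/443 handed to a reverse proxy, LAN DNS/NTP forced to the firewall) expressed as a policy-as-code audit that flags drift in a rule list. This is an added example, not code from the post or from OPNsense; the Rule model, the "firewall" and "reverse-proxy" target labels and both rulesets are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:                        # hypothetical, simplified rule model
    iface: str                     # "wan" or "lan"
    action: str                    # "pass", "block" or "redirect"
    proto: str                     # "tcp", "udp" or "any"
    dport: Optional[int] = None    # destination port, None = any port
    target: Optional[str] = None   # redirect destination (constructed label)

WAN_PASS_PORTS = {25, 53, 123}                             # only inbound services
WAN_PROXY_PORTS = {80, 443}                                # reverse proxy only
LAN_INTERCEPT = {(53, "udp"), (53, "tcp"), (123, "udp")}   # forced to the firewall

def audit(rules: List[Rule]) -> List[str]:
    """Return policy violations in rule order; an empty list means compliant."""
    findings = []
    wan = [r for r in rules if r.iface == "wan"]
    # First-match semantics: the last WAN rule must be a catch-all block.
    if not wan or wan[-1].action != "block" or wan[-1].dport is not None:
        findings.append("wan: missing catch-all block as the last rule")
    for r in wan[:-1]:
        if r.action == "pass" and r.dport not in WAN_PASS_PORTS:
            findings.append(f"wan: pass for port {r.dport} is outside the allow-list")
        if r.action == "redirect" and (r.dport not in WAN_PROXY_PORTS
                                       or r.target != "reverse-proxy"):
            findings.append(f"wan: redirect of port {r.dport} to {r.target} is not allowed")
        if r.action == "block" and r.dport is None:
            findings.append("wan: catch-all block is not last; later rules are unreachable")
    # Every LAN DNS/NTP flow (even hardcoded resolvers) must be redirected to the FW.
    redirected = {(r.dport, r.proto) for r in rules
                  if r.iface == "lan" and r.action == "redirect" and r.target == "firewall"}
    for port, proto in sorted(LAN_INTERCEPT):
        if (port, proto) not in redirected:
            findings.append(f"lan: {proto}/{port} is not redirected to the firewall")
    return findings

# Constructed rulesets for demonstration (not an OPNsense export).
COMPLIANT = [
    Rule("wan", "pass", "tcp", 25), Rule("wan", "pass", "udp", 53),
    Rule("wan", "pass", "udp", 123),
    Rule("wan", "redirect", "tcp", 80, "reverse-proxy"),
    Rule("wan", "redirect", "tcp", 443, "reverse-proxy"),
    Rule("wan", "block", "any"),
    Rule("lan", "redirect", "udp", 53, "firewall"), Rule("lan", "redirect", "tcp", 53, "firewall"),
    Rule("lan", "redirect", "udp", 123, "firewall"),
]
# Drift: an SMB port opened from WAN and the LAN NTP redirect dropped.
DRIFTED = COMPLIANT[:2] + [Rule("wan", "pass", "tcp", 445)] + COMPLIANT[2:6] + COMPLIANT[6:8]

if __name__ == "__main__":
    for name, rs in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(name, audit(rs) or "OK")
```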