Hi,
on the documentation-page about the firewall it reads:
Firewall and gateway modes are enabled only if:
- the nethserver-firewall-base package is installed
at least there is one network interface configured with red role
Should I take that literally, meaning the firewall isn’t working on a single-interface NS ? (On which the single interface is assigned the green role)
(I will be using NS as a mail/file server, not as a gateway. But having a firewall on that server seems like a good idea…)
Indeed, it is a good idea!
Even on single interface systems firewall rules are enforced with good defaults.
BTW the documentation page refers to “firewall & gateway”… more than one network interfaces are required in that scenario.
See also
http://docs.nethserver.org/en/v7rc/base_system.html#network-services
OK, so firewall mode is only enabled if firewall module is installed (duh), and gateway mode is enabled only if there is at least one red interface.
Sounds logical… 
This is not true, as said firewall rules (for local services) are always enforced with good defaults.
The red interface does IP masq by default.
That sounds good for me! Do you have any suggestion to improve it?
no, since I don’t have experience with it (nor hardware or a need for it)…