Firewall UI for policy rules


(Davide Principi) #1

Thanks to my mates @giacomo and @davide_marini we have a new package nethserver-firewall-base ON_QA

The Firewall rules page now allows creating a new type of rule: Route to <multi WAN provider>.

This is how the things could be arranged: what do you think?

See also http://dev.nethserver.org/issues/2809


(Filippo Carletti) #2

I like it.
I’d change the word “Divert” to “Route”, but I hope a native English speaker suggests a better wording.


(Davide Principi) #3

“Divert SMTP traffic…” is just the rule description. It’s a free text label entered by the admin.

See the screenshot below:


(Filippo Carletti) #4

Facepalm. :relieved:
I should have gotten it from the first rule about YUM.


(Alessio Fattorini) #5

I like very much the New UI: bigger font, the description below the rule, drag’n drop icon and a single panel for rules and routes.


(Alessio Fattorini) #6

I’d like to know a few thoughts from our firewall experts: @deft @alexcsilva @lswart @AZChas @Adam @malvank @hgeorge123 @josue17 @Matteo_Contoli @Nas @mabeleira @warren_midgley @medworthy @vhinzsanchez and @JOduMonT


(Adam) #7

Well this should be fun to test with. Looks like a wonderful addition!


(Vhinz Sanchez) #8

Thanks @alefattorini, not exactly an expert but knowledgeable. I’d like to check but it may have to wait a week or 2. What version of NS are we talking about here?


(Alessio Fattorini) #9

Currently :wink:
NethServer-testing
And you’re fine :smile:


(Giacomo Sanchietti) #10

The new firewall is already released and you can find it inside the updates repository :smile:


#11

Hi.

I have just got this running and I have to say it works as intended so far. In my setup, NethServer is configured as the gateway and LAN hosts’ traffic goes through the correct WAN defined by this policy. I tested via ‘traceroute’.

I have an observation though. It seems that on NethServer itself the policy does not get applied. Doing a ‘traceroute’ on the NethServer machine shows that the traffic goes to the default WAN and not the one mentioned in the policy.

Is this normal behaviour?

Thanks!


(Alessio Fattorini) #12

Hi Ov1 and welcome to the community,
Could you show your firewall and multiwan configuration?


(Filippo Carletti) #13

Yes.
The technical reason is that the routing decision is taken in the pre-routing chain.
The rationale behind this behaviour is that you rarely need to do policy routing for the firewall and, if needed, it’s usually done with software specific options (i.e. tcp_outgoing_address for squid).
Finally, if you really need a route for traffic originating from the firewall, you could use a custom template for /etc/shorewall/tcrules to add a rule like:
0x20000 $FW 0.0.0.0/0 tcp 80

man shorewall-tcrules for the details.
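To make the chain argument above concrete, here is an added illustration (not NethServer or Shorewall code) that models Shorewall-style tcrules: rules whose SOURCE is $FW are installed in mangle OUTPUT, all others in mangle PREROUTING, so a connection the firewall itself opens never sees the LAN policy-routing marks. The mark values, provider names and the LAN rule are constructed; only the line `0x20000 $FW 0.0.0.0/0 tcp 80` is taken from the post.

```python
"""Simplified model of mangle PREROUTING vs OUTPUT for policy routing.
Added example; marks, providers and the LAN rule are constructed."""
import ipaddress

# Constructed: which fwmark the multi-WAN setup maps to which provider.
MARK_TO_PROVIDER = {0x10000: "wan1 (default)", 0x20000: "wan2"}
DEFAULT_MARK = 0x10000


def parse_tcrules(text):
    """Parse tcrules lines of the form: MARK SOURCE DEST PROTO DPORT."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mark, src, dst, proto, dport = line.split()
        # $FW-sourced rules go to mangle OUTPUT; the rest to PREROUTING.
        chain = "OUTPUT" if src == "$FW" else "PREROUTING"
        rules.append({"mark": int(mark, 16), "src": src, "dst": dst,
                      "proto": proto, "dport": int(dport), "chain": chain})
    return rules


def _src_matches(rule_src, pkt_src):
    if rule_src == "$FW":
        return pkt_src == "$FW"  # packet generated by the firewall itself
    return (pkt_src != "$FW"
            and ipaddress.ip_address(pkt_src) in ipaddress.ip_network(rule_src))


def route_for(rules, src, dst, proto, dport):
    """Provider chosen for one new connection (src '$FW' = local origin).

    Forwarded packets traverse mangle PREROUTING; packets the firewall
    generates traverse mangle OUTPUT instead and only see $FW rules.
    """
    chain = "OUTPUT" if src == "$FW" else "PREROUTING"
    for r in rules:
        if (r["chain"] == chain and _src_matches(r["src"], src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r["dst"])
                and r["proto"] == proto and r["dport"] == dport):
            return MARK_TO_PROVIDER[r["mark"]]
    return MARK_TO_PROVIDER[DEFAULT_MARK]


# Constructed: the UI rule marks LAN web traffic for wan2 ...
UI_RULES = "0x20000 192.168.1.0/24 0.0.0.0/0 tcp 80\n"
# ... and the custom tcrules line from the thread extends it to the firewall.
FW_RULE = "0x20000 $FW 0.0.0.0/0 tcp 80\n"
```

With only UI_RULES loaded, a LAN host reaches port 80 via wan2 while the firewall’s own port-80 connection falls back to the default provider; adding FW_RULE changes the latter.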


#14

Did you know that OpenMediaVault has a firewall configuration interface?
I just discovered it:

The design is not really different, but it has one advantage: we can see all rules.

Can we imagine the Nethserver GUI with all rules displayed, even the “zones” rules (green, blue, orange, red)?


(Gabriel GHEORGHIU) #15

What about Endian Firewall GUI?
All the settings are made only from the GUI. Nothing from the CLI.


(Giacomo Sanchietti) #16

I would like to do it.
Do you prefer these rules to be editable or not?


#17

Good question…

We have two paths here:

  • The first path: As Nethserver is a system for everybody, even for somebody who is not a sysadmin, the rules can be only displayed, without the possibility to edit.
    These rules are displayed only to make things more transparent, and the apprentice sysadmin learns at the same time.
    The sysadmin can only deal with these rules with the first setup script, choosing what Nethserver will do (firewall or server only).

  • The second path: As Nethserver is very modular, and by consequence versatile, all the rules are editable… This state makes the sysadmin more responsible for these rules…
    To prevent any accident, a possibility to cancel the last action (when things go bad :smile:) or the ability to run the first script to bring these preset rules back.
    And to make a wiki page with the preset rules to inform, teach and eventually recreate these rules…

From my point of view, I have a preference for the second path, with the sysadmin more responsible :wink:


(Gabriel GHEORGHIU) #18

Why can somebody who is not a sysadmin reach the NS settings?
The users have their own GUI, without interfering with NS settings.
The sysadmin, by definition, must do everything (https://en.wikipedia.org/wiki/System_administrator).

"A system administrator, or sysadmin, is a person who is responsible for the upkeep, configuration, and reliable operation of computer systems; especially multi-user computers, such as servers.

The system administrator seeks to ensure that the uptime, performance, resources, and security of the computers he or she manages meet the needs of the users, without exceeding the budget.

To meet these needs, a system administrator may acquire, install, or upgrade computer components and software; provide routine automation; maintain security policies; troubleshoot; train and/or supervise staff; or offer technical support for projects."

The apprentice sysadmin can learn on a VM.

Why are we tempted to complicate everything?


#19

Because Nethserver is for everybody, from the non-expert user to the really skilled sysadmin.
I like to think that non-experts learn when using Nethserver and become more and more skilled :smile:

I totally agree; for this reason I like the “second path”: make all firewall rules editable :smile:


(Gabriel GHEORGHIU) #20

Perfect! For all these guys there are VMs. They must learn on a fully functional NS, not on a fake NS!