NethServer just configured as a firewall for another server

NethServer ver:
7.7.1908
Module:
NethServer firewall, Webserver

Hi there

I’m new to NethServer, I really like it. It is installed on a Netgate SG-2440 and runs very smoothly.

Scenario:
I have a few open ports in a friend’s company which has a public IP address. At this site I’d like to install NethServer as a firewall and connect it to a separate server (e.g. 192.168.2.100) with an unraid and Nextcloud installation. No clients in an internal LAN (green) are needed.

Friend’s firewall:
IP 192.168.1.1 --> Port forwarding 8000-8800 to 192.168.1.2

My goals:

  1. basically close all ports and ignore requests
  2. making nethserver web interface accessible from the outside
  3. simply forward ports to a service on the unraid server
  4. nothing else

What is the easiest way to configure NethServer to achieve these goals? I know there is an easy way to do that and I hope someone can help me.

Is there any other information you need? Just ask me please… :wink:

Please excuse my English, it’s not my mother tongue.

Best regards from Switzerland
greg

Default config

Should also be default config, check the documentation.

http://docs.nethserver.org/en/v7/firewall2.html#firewall-new-section

Thank you pike

And what color should the interfaces have?

WAN 192.168.1.2 = red
SERVER 192.168.2.1 = green or orange?

Where can I change the standard port of the web GUI from 9090 to another port?

greg

Hi again.

Is there a howto for changing the listening port 9090 to another port?

Thx

At least there should be a Green one. Orange is optional.

Not so long ago, when @Wellington_Rodrigues asked the same, there was a CLI option on e-smith db prop…

…but it was recently removed:

I’ve tried the following commands and they worked, but just in case, try them on a test machine first:

#
# Change cockpit port
#
#   replace 9000 with the desired port number
#   (make sure to choose an unused port)
#

mkdir -p /etc/e-smith/templates-custom/etc/shorewall/stoppedrules/
cp /etc/e-smith/templates{,-custom}/etc/shorewall/stoppedrules/30cockpit

mkdir -p /etc/e-smith/templates-custom/etc/shorewall/rules/
cp /etc/e-smith/templates{,-custom}/etc/shorewall/rules/60cockpit

sed -i 's/9090/9000/g' /etc/e-smith/templates-custom/etc/shorewall/stoppedrules/30cockpit /etc/e-smith/templates-custom/etc/shorewall/rules/60cockpit
expand-template /etc/shorewall/stoppedrules /etc/shorewall/rules

# here it is done manually, but the systemd unit override could have been created using `systemctl edit cockpit.socket`
mkdir -p /etc/systemd/system/cockpit.socket.d/
cat > /etc/systemd/system/cockpit.socket.d/listen.conf <<EOF
[Socket]
ListenStream=
ListenStream=9000
EOF

systemctl daemon-reload
signal-event firewall-adjust
systemctl restart cockpit.socket

I don’t think it will change frequently, but do note that if a new update changes the default templates we shall remember to reflect the changes in templates-custom.
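The caveat above about updates changing the default templates, as an added example that is not code from this thread or from NethServer: a POSIX shell check that reports when a templates-custom copy no longer matches its upstream template apart from the port rewrite. The template paths, the port numbers and the demo file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread or NethServer): detect drift between the
# upstream e-smith templates and the templates-custom copies that only rewrote
# the Cockpit port (9090 -> 9000). Paths, ports and demo contents are assumed.

OLD_PORT=9090
NEW_PORT=9000

# template_in_sync DEFAULT CUSTOM
# 0 when CUSTOM equals DEFAULT with only OLD_PORT rewritten to NEW_PORT,
# 1 when the default template has changed (or the custom copy is missing).
template_in_sync() {
    [ -f "$2" ] || return 1
    sed "s/$OLD_PORT/$NEW_PORT/g" "$1" | diff -q - "$2" >/dev/null
}

# check_all ROOT: ROOT holds templates/ and templates-custom/ (like /etc/e-smith).
# Prints one status line per customised file; the return value is the number of
# files whose custom copy needs to be refreshed after an update.
check_all() {
    drift=0
    for rel in etc/shorewall/stoppedrules/30cockpit etc/shorewall/rules/60cockpit; do
        if template_in_sync "$1/templates/$rel" "$1/templates-custom/$rel"; then
            echo "OK      $rel"
        else
            echo "REFRESH $rel (default template changed since it was copied)"
            drift=$((drift + 1))
        fi
    done
    return "$drift"
}

# make_demo builds a constructed template tree and prints its path:
# 30cockpit is in sync; 60cockpit gained an upstream line the custom copy lacks.
make_demo() {
    d=$(mktemp -d)
    for sub in templates templates-custom; do
        mkdir -p "$d/$sub/etc/shorewall/stoppedrules" "$d/$sub/etc/shorewall/rules"
    done
    printf 'ACCEPT net $FW tcp 9090\n' > "$d/templates/etc/shorewall/stoppedrules/30cockpit"
    printf 'ACCEPT net $FW tcp 9000\n' > "$d/templates-custom/etc/shorewall/stoppedrules/30cockpit"
    printf 'ACCEPT net $FW tcp 9090\nACCEPT loc $FW tcp 9090\n' > "$d/templates/etc/shorewall/rules/60cockpit"
    printf 'ACCEPT net $FW tcp 9000\n' > "$d/templates-custom/etc/shorewall/rules/60cockpit"
    echo "$d"
}
```

On a real box, run `check_all /etc/e-smith` after each update; a REFRESH line means the custom copy should be re-created from the new default before `expand-template` is run again.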

First of all, thanks to everyone for the info. But this is not the way I want to go. Sooner or later there will be problems and work…

I will let the admin extend the port range to 10000. With that the problem would have been solved and I will definitely have fewer problems in the future…

greg

Hi again

Just a thought on how to change the port from the web interface.

Would it work with port forwarding at the red interface from port xxxx to 9090? This would be resistant to a NethServer update. Or am I thinking in the wrong direction?

Greg

Hi again

It works fine with port forwarding from 8070 to 9090. My firewall is online.

Is there an overview of the open ports somewhere?

greg

From Cockpit, on Firewall application > Connections (output similar to netstat). On System > Services (details view) and Applications > Firewall > Objects > Services, you can view the assigned port for each service, but not as an easy/full list or an overview.

Thank you.

Can I assume that basically all ports on the red LAN are closed unless I have configured a port forwarding?

greg

Substantially yes, technically no, you can’t.
A few ports of the installation are reachable from the RED zone by default, like the Server Manager and a few others that I don’t remember right now. In Server Manager/NethGUI you can find most of them under “Network Services”, column “Access”, where red is reported.
In the “New Server Manager”, access from the RED zone has a specific warning suggesting to limit the allowed IP addresses.