Nethsecurity 8 project

@carsten

I personally think it’s great that IPS and firewall are finally removed from NethServer.

Besides the fact that “buggy” lists simply blocked the whole server - can anyone explain to me why an IPS not being able to get a “list” blocks users needing to, e.g., use a file server?

I am really looking forward to this happening, and to having fewer DNS errors in my networks and reporting…
And finally having correct CNAMEs for any host and also correctly working PTRs (reverse lookups)…

After all, what use are nicely graphed statistics, if an Intrusion Prevention System can’t even correctly identify internal hosts?

I’m for a firewall and a server, not an all-in-one that doesn’t do anything properly…
I’m OK with an OpenWRT “Module / Container” as firewall.

My 2 cents
Andy

What a strange argument. The same argument applies to all firewalls, because it is always possible to lock yourself out. There is no force to use the NethServer firewall, it is an optional package. If you install it, like all other firewall software, you have to have a basic knowledge of how to use it.

So it doesn’t make any sense to say that removal of the firewall option is good because there are people misconfiguring it. Otherwise you could say that firewalls make no sense at all, because there are people who misconfigure them.

1 Like

@carsten

Not quite.

I’m NOT talking about locking oneself out, that can always happen, even to pros (distracted, or whatever…). But a simple update or reboot (for whatever reason) without the user / sysadmin changing anything!

If it’s a separate box, no matter what happens with that box (a badly replicated or faulty Suricata list is NOT any user’s or admin’s fault!), it doesn’t block users from using the server as it is, e.g. mail server, local Nextcloud or simple Samba file server…

At the moment, NethServer won’t boot or work correctly if that happens, meaning access to any important in-house services isn’t possible, even though these services have nothing to do with IPS or firewalling…

But on NethServer, the server won’t correctly boot…

See how many posts refer to “Threat Shield”…

What makes matters worse is the fact that you have no internet to ask the forum or whoever for help / directions…

Justify that!

It’s the same as asking why an OS needs to reboot after installing an editor.
Linux never asked me to reboot if installing Nano (Editor) or LibreOffice.
But Windows still prefers a reboot if installing Office…

My 2 cents
Andy

Using a firewall only makes sense if it sits between you and other services. If the firewall is rebooted and misconfigured or has wrong rules, you will get into problems with any firewall. It is totally independent of whether it is running on the same server or not.

I also looked through the problems with Threat Shield and could not find any problems which wouldn’t have occurred on a separate server.

I also do not understand your rebooting problem. Most NS updates do not need rebooting, and complaining about Windows has nothing to do with NS. If you have a separate firewall there will also be updates which require rebooting and could lead to the same problems. I cannot see why problems should be increased in any way by having it integrated.

1 Like

I quite agree on the fact that a misconfiguration can have disruptive issues.

I’m talking about cases where the server does NOT boot up correctly, and it turns out the server was rebooted because it was not accessible, which made matters worse.


Not possible if the file server is a different box. Even if the firewall is the DNS and DHCP server, clients will retain the values for some time, allowing work!

I do see massive problems having firewall and server in the same box, and experience over the years has shown this to be correct.

However: I NEVER have a firewall between local users and local servers. The users must be able to work; if there is no internet, then at least locally.

If the firewall barfs (spews code), then the users still have complete access to NethServer…

It’s also a well known fact that for years I’ve been a strong advocate for a separate box and look down on users putting everything on one box… I’m Swiss, and most, if not all, of my clients insist on a separate box!

All your eggs in the same basket is part of an old proverb, in english but also in German!
And what does the old proverb say?

:slight_smile:

My 2 cents
Andy

PS: NethServer updates hardly ever require reboots, true, but not necessarily firewall updates. But a reboot for any reason should not block if the user changed nothing! Hardware failure is, of course, exceptional and not what we’re talking about! :slight_smile:

It still is not an argument for having the feature removed from NS. If you think that boxes should be separated between firewall and application, you were already able to use NS exactly in this way: having one box with only the firewall installed and the other with only the applications. I also used this separate setup at one place.

But there are also applications where the extra effort doesn’t buy you anything, so having all in one box is easier.

I.e. you are free to have everything on one box but also have it separated, always with the same software and UI.

I do exactly that, and also say my personal opinion.

I’ve been doing support in the forum long enough to have learned not to use all-in-one…

If you’re prepared to deal with the risks, fine, go for it.
I also have a NethServer hosted in the cloud - without Proxmox underneath, where I do use the nethserver built-in firewall.
But no client’s local users are involved in that project!

But I do not have to advocate it!

And I’m not for All-In-One for the stated reasons, but the main reason both of us use open source is the fact that we’re free to do and choose as we want; open source allows that. And, as said, I also maintain one such instance in the cloud…
Then again, I know the risk and can make a knowledgeable judgement on if and when to use it.

But it is still my opinion: it doesn’t need to be built in!

My 2 cents
Andy

It’s missing right now, but we are already working on it: early tests are good with new OpenWrt release.
You can check the related PR: packages: add snort3 by gsanchietti · Pull Request #105 · NethServer/nethsecurity · GitHub

Yes, we still lack some feature but we are going to close the gap. Major releases are also the right time to drop some old features: this is always a dev dream! :star_struck:

The firewall/gateway has been detached for 3 main reasons:

  • in the last 3 years, most users were already installing separate machines for firewall and server
  • containers and firewall-for-gateways do not play well together
  • having both features on the same machine prevented the implementation of many features

Also remember that NS8 still has a built-in firewall to protect running applications.

What do you mean? Are you talking about the same look and feel for both the firewall and NS8?

4 Likes

This is a good recap

We’re working on a new interface for the firewall and it’s going to be really, really consistent with NethServer’s.

3 Likes

Just a quick update… we’re working hard on that and moving fast toward a release that can be tested.

We aim to have a product with a minimal UI containing some workable modules like networks, multiwan, dhcp/dns and so on…

That’s a first sneak peek of the interface :slight_smile: just to feel the taste

I’m working on a site for the project with some information and link to the resources.
Another team is working on the documentation

I feel that in sep/oct we can start to see a few outcomes.

7 Likes

A screenshot in Italian… in an English-speaking community.
Would you try again?

2 Likes

Yep, it’s on purpose. It increases the hype :smiley:

2 Likes

I’d love it if one of the dev team could uninstall your Apple/Microsoft plugin that enables these answers.
It cannot be hype if you do something that’s not suggested to all users!

Relabelling a mistake as a “hype generator” does not work at all.

Bing AI can translate that image for you, over the top :sweat_smile:

Everything is more beautiful when it is said in Italian.
At least that is my French feeling when I hear Italian spoken.

1 Like

“Non funziona”, aka “Doesn’t work”, sucks in Esperanto too.

1 Like

I believe that French dances in melody, surpassing Italian with its enchanting song.

(by ChatGPT)

1 Like

Are you sure? We’re talking about one of the most awaited Linux firewalls in the world!! :rofl:

2 Likes