NethSecurity 8 Test Environment - Zone DMZ (Typo) can NOT be removed?


Hi

In a Test environment on a hardware based NethSecurity 8 box, I have 3 NICs. LAN and WAN are used.

I wanted to create a second LAN Zone (LAN2) but typed DMZ as a typo.
Now I can’t remove the DMZ - and it’s now a “Yellow / Orange” network.
It seems certain “Zone Names” are hardcoded, and can not be modified, even if no NICs are allocated or any rules ever created.

Is this the case?
(Confirmed, but incorrect docu, as “case sensitive” is not valid.).

I can add other Zones, these all become automatically “blue” networks.
Is the color coding also hardcoded and can not be changed?

I find this VERY confusing, and I’m NOT a firewall beginner!!!

I have reported on my experience with NethSecurity 8 in a Testimonial, this is to confirm certain findings with this “strange” behaviour…

Additionally, if I need a second DMZ (eg DMZ2) this becomes a blue network?
And there’s no visible option to change the color allocations.
The same goes if I need a second LAN, eg LAN2. This does NOT become a GREEN LAN, but also a BLUE network.

It’s probably possible to change parts or all of the above via CLI - but please - where is ANY of this documented?

The latest documentation here:
https://docs.nethsecurity.org/en/latest/zones_and_policies.html

is not really correct, see the information about “case sensitive”.

I used Capitals, yet my DMZ can not be modified, nor removed.

It seems that only one zone “DMZ” is allowed - and is no longer removable, even when created in error without ANY use…

Is this considered “Easy to use” ???

And here’s another post with a user confused by the network “bridging” NethSecurity does at setup - something that did NOT happen in NethSecurity7 (NS7)…

→ The idea that an “easy to use firewall”, “suitable for beginners” needs CLI to remove an unused Zone as a result of a simple typo is a bit REALLY far fetched in my opinion! :frowning:

@davidep , @alefattorini

My 2 cents
Andy

There’s a similar issue:

Yes confirmed: it’s case insensitive.
Once it was case sensitive, but we received many support tickets where users struggled to understand that LAN and lan were two different zones :person_shrugging:
I’ve fixed also the doc, thanks for pointing it out.

Yes it is.
Many existing users are coming from IPCop and NethServer 7: even there colors are hard-coded.
They should simplify reading the zone table:

  • lan: green
  • wan: red
  • guest: blue
  • dmz: orange
  • anything else: violet

This sounds like a bug, but I can’t reproduce it.

Can you tell me how to reproduce the issue?

Not perfect at all, but I’d say yes. We already have more than 1K installations.
I can tell that most of the support tickets are about issues raised during migration or missing features.
Very very few people complained about the UI.
We also have in-person courses: feedback on the UI is always very good, even for newcomers.

This is the OpenWrt default. I really do not like it either, but in the end it’s just a matter of taste: having a bridge over a single network does not have any real drawbacks.

You have to think of it the other way around: many users create a zone and then a rule attached to it. They then remove the zone and do not get that the rule will not work anymore.
The current implementation is not the best one, but it’s the safest. We are going to improve it.

I understand your point of view Andy: sometimes I feel very limited by UIs, including this one!
The current UI is tailored for non-expert users, but it’s for sure limited for power users. I think this is something we have to take into account.
What do you think @Lucia_A @andre8244 ?

2 Likes

@giacomo

Thanks for your feedback.

I don’t really have a problem with the color-coding, I don’t like it, and do not need it, but it’s OK.

If there is already a DMZ, any other link with DMZ in the name will get a blue network, see your screenshot above. And no way to make a second DMZ (even the color…).

My 2 cents
Andy

This is how it looks like, I’ve added the “Guest”:

But I think I got your point: you’d expect that all zones named “DMZx” have the same icon and color. This probably can be achieved!

1 Like

@giacomo

To be honest:

I’d expect first of all the functionality (Color and Icon are cosmetics IMHO), but also the cosmetics, of course. Same color & symbol, but different functionality is bad for security and maintenance. :slight_smile:

From a UX perspective, actions should be reversible whenever possible, ensuring users feel free to explore and change their minds if necessary.

I believe we should allow users to delete any created zone. To help them avoid mistakes, we might display a warning: “Deleting this zone will cause any associated firewall rules to stop functioning”

3 Likes
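
The check behind the warning discussed above (rules left pointing at a zone that is about to be deleted), as an added example that is not part of the original thread or NethSecurity's own code. It assumes the stock OpenWrt layout where rule, forwarding and redirect sections reference zones through `src`/`dest` options in `uci show firewall` output; the sample config is constructed, and names are compared case-insensitively as described in the thread.

```shell
#!/bin/sh
# Added example: list firewall sections that still reference a zone,
# so they can be reviewed before the zone is deleted.

# Constructed sample in `uci show firewall` format (not from a real box).
sample_config() {
    cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[2]=zone
firewall.@zone[2].name='dmz'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-Web-DMZ'
firewall.@rule[0].src='wan'
firewall.@rule[0].dest='dmz'
firewall.@rule[0].target='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='dmz'
firewall.@forwarding[1].dest='wan'
EOF
}

# zone_refs ZONE: reads `uci show firewall` text on stdin and prints
# "<section type> <section> <option>" for every src/dest that names ZONE.
zone_refs() {
    awk -v zone="$1" -v q="'" '
        BEGIN { zone = tolower(zone) }
        {
            eq = index($0, "=")               # split key=value at first "="
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(q, "", val)                  # drop the quoting uci adds
            n = split(key, part, "[.]")
            if (n == 2) { kind[part[2]] = val; next }  # section declaration
            if (n != 3 || kind[part[2]] == "zone") next
            if ((part[3] == "src" || part[3] == "dest") && tolower(val) == zone)
                print kind[part[2]] " " part[2] " " part[3]
        }'
}

# Demo on the constructed sample; on a device: uci show firewall | zone_refs DMZ
sample_config | zone_refs DMZ
```

An empty result means no rule or forwarding names the zone, which is the case described in the first post (a zone created by typo and never used).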

@andre8244

I would also suggest an additional, emphasized (In Red?) warning for the “special” zones like WAN, DMZ (And LAN!).

Maybe for those rare cases (NIC replacement, temp. placeholder for rules, whatever).

My 2 cents
Andy

2 Likes