Nethsecurity as a NS8 module?

I wish Nethsecurity could be installed as a NS8 module, even in a ‘light’ version.

There is, would be a bridge app, however that would only work to connect to an existing NethSecurity instance.

Yeah I know it would be amazing to achieve this

It’s unlikely to happen: we split the firewall from NS8 just because the two things can’t run well together.

But as Martin said, you will be able to install a NS8 module to control multiple NethSecurity units.

Sneak peek (it’s coming with NethSecurity RC1):


My whole point is that I do not want to run a separate box ‘just’ for basic firewall capabilities like NS7 has. I do not want a full blown firewall like Nethsecurity, let alone manage it or them.

The NS7 firewall capabilities were just fine for small users. Now I am forced to:

  1. Buy another box and pay occurring monthly fees
  2. Set up a local network VLAN or some sort of private network between the boxes and maintain that
  3. Learn the Virtual network and adjust all other network setup of connected boxes
  4. Learn a firewall
  5. Maintain the firewall
  6. Monitor the extra box
  7. Monitor an extra network
  8. Track all changes on the network / firewall to have effect on all connected network boxes
  9. I am sure I am forgetting a lot more.

I simply want to run a Small business server, not become a full blown network administrator with high monthly costs on maintenance, monthly fees and maintain knowledge and invest a LOT MORE time and effort for things I already had on NS7.

Exactly what I do not want, a small company or home user (just as advertised by Nethesis for Nethserver usage) does not need to manage multiple firewall instances.

Right now, I believe Nethesis is pushing their new (commercial) products/vision/product/strategy at the cost of leaving behind a large group of loyal Open Source/community members for many many years if not decades. The only thing missing is the split into Open Source version and commercial Enterprise version.

The Community was never consulted on the new NS8 path, it was only informed AFTER design and arch decisions had been made already.

/rant off


@LayLow at least it’s easier to get NUCs in your countries, it’s impossible over here, sometimes we just settle for buying a MikroTik or Ubiquiti router and call it a day

If NethSecurity can be installed on that hardware, now that’s another different story altogether

I asked (OpenWRT compatible hardware), response was ‘highly unlikely’

Main reason, ARM is not supported.

The community was NEVER consulted by Red Hat for their lying and breaking trust!

What about run NS8 on a vm under proxmox and nsec on another vm?

Hi @alefattorini

That won’t work, this user has only a VPS…

I got your point.

I’m sorry you’re wrong, there weren’t commercial issues but technical ones.

Putting a UTM firewall on a container (assuming it’s possible) imposes a lot of limitations.

In redesigning the NethSecurity project, we followed the path of other existing projects that conceive the UTM firewall in a canonical, separate manner. This limitation, imposed by the new technological stack of NethServer 8, has opened up many advantages for us in terms of speed, robustness, simplicity, and resource usage.

Probably we’re going to leave behind someone as you said but we couldn’t have done things differently, for the technical reasons I mentioned above.

On the contrary, I believe we will change the minds of all those NethServer users who were not using the firewall component precisely because it was not separate, or because NethServer wasn’t a typical firewall that only performed that function.

NS8 comes with firewalld but nothing to manage it. Custom changes can be done from CLI and also Cockpit can manage it but I have not tested if changes will remain (for instance, saving app settings could reconfigure the firewall to what the app defaults want).

@LayLow can you please specify what you are trying to achieve with the firewall? Is it just to close ports that no service is using?

If so, can’t one just install a firewall on the underlying host OS? Like e.g. firewalld and cockpit, then you even get some sort of UI to configure it…? I have not tried this, but as far as I understand NS8 principles, it should work.

Exactually I am trying to achieve nothing. I would like to run NS8 as I have been running NS7 and SME Server many years before. The choice for a technical firewall that would not run on NS8 is not my choice. I simply would like to have basic protection and some adjustments if needed for services behind NS8 and the wonderful VPN site-to-site or Road Warrior. That has always worked.

I really don’t care what type of firewall. But if I had my say, a firewall that has basic capabilities and can be activated/installed on NS8.

True, but I am not a CLI monkey and every bit I change I have to document and remember.

So basically I would vote for a basic manageable firewall with some capabilities to allow pinholes, VPN (S2S/RoadWarrior) and port redirects. Obviously with an easy GUI.

The fact that I run a VPS, real hardware, dedicated hardware, shared hardware, VPN, VLANs, 1 NIC, many NICs, behind an existing firewall, completely exposed etc etc should not matter. NS8 should be a self contained complete solution.

A firewall module, NethSecurity lite. I’m in!

Thanks for sharing all your thoughts!

Not included in NS8. Available on NethSecurity.
I recall someone mentioning the VPN part is planned on NS8. (I remember @oneitonitram mentioning it and I think he was referring to @stephdl working on it, if memory serves well).

No offense but don’t ask for something that the developers stated won’t happen

A router for your need will cost 50e and I suppose that your ISP box can do it also

Everything I do with NS is virtual on a box, just not at my physical location, that is life today. Has been working for me for many years. So I had high hopes when Nethesis announced they would also go virtual with NS8, just not that I had to adopt to more boxes and hosting a virtualisation platform like Proxmox, forcing me to costs, time, knowledge, maintenance, security etc etc.

I am just a one man show, just like many of us here I guess.

@LayLow if your NethServer instance is installed virtually, then I don’t think a full fledged firewall is what you require.

You probably require a web application firewall and similar components to protect your box exposed on the internet.

Projects like cpanel, hestiacp, etc, make use of WAF and WAF rules to achieve these, others like CWP go a step further and implement more robust security components, maybe this is what you should be asking for. Unless I am wrong in my assumption

My setup(s) is/are simple, a NS7 box with 1 ethernet and 1 virtual. I manage the built-in NS7 firewall and have installed many contribs, including VPN (S2S and RW) and Fail2ban. No issues whatsoever.

What I do not understand is why every advice is about the need for additional boxes, resources, training, management, maintenance, costs and decline of ease of use (no easy way to edit/adjust config files of modules due to container nature) to achieve exactly the same, let alone get more out of it.

You do not need an extra box for you to make effective use of NethServer 8

Instead of fail2ban, you’ll make use of crowdsec
I don’t think you need a virtual dummy0 interface, as we used that to achieve samba working in cloud, now it’s automagically handled in NethServer 8.
As for VPN, @stephdl has promised to implement an interface, basically wireguardeasy usi for NethServer 8.

I am also looking forward to that wireguard vpn interface. Meanwhile, I think someone managed to get it working before the interface module is implemented, you can wait, or use that route if it’s urgent for you.

So is there anything that I might have missed out, which you have running in your NS7 box?