NethSecurity project milestone 8.4

We are excited to announce the release of NethSecurity project milestone 8.4 with image version 8-23.05.5-ns.1.4.1. This release focuses on improved monitoring and new experimental features.

:fire: Release highlights

NethSecurity 8.4 brings several new features and improvements!

Traffic monitoring

The traffic monitoring feature now includes detailed insights per host, focusing on both local and remote interactions. Users can select an app to see which local hosts use it and their traffic volume. Additionally, selecting a local host reveals the apps it uses and the remote hosts it contacts. For remote hosts, users can view which local hosts contacted them and the protocols used.

Local hosts, remote hosts, protocols, and applications sorted by traffic over the last hours.

Click the desired host to see traffic details

Select an application, a host, or a protocol to see specific usage details

OpenVPN Road Warrior improved accounting

The update introduces a new view where the administrator can see users’ connection history. It also adds functionality to export all user connection data in CSV format, utilizing a database stored in RAM.

Controller 2FA

Two-factor authentication (2FA) has been added to the controller to enhance security against unauthorized access. Users can now configure, enable, or disable 2FA for their accounts. Administrators can view which users have 2FA enabled in the user list, improving overall system protection.

Experimental Features

:test_tube: IPS

The IPS (Intrusion Prevention System) feature has been added to prevent and mitigate attacks using Snort 3. It includes command-line configuration with customizable rule sets, automatic IPS mode setup, and options to specify networks and bypasses. This release does not include a user interface.

:test_tube: WireGuard VPN

NethSecurity now supports configuring WireGuard VPNs via command line.
Administrators can manage multiple server instances and download peer configurations as text or QR codes. The update includes site-to-site mode and peer pre-shared keys.

:test_tube: IP/MAC binding

IP/MAC binding has been implemented to associate specific MAC addresses with designated IP addresses using DHCP reservation. The IP/MAC binding feature can be configured to prevent access from untrusted devices.

:white_check_mark: Other Features and Improvements

  • Fork mwan3 to add rules for router-initiated traffic: Improved traffic management directly from the router by forking the mwan3 package.
  • NUT experimental support: Introduced experimental support for NUT software for UPS management.
  • Filtering for traffic: Enhanced the Traffic section in Realtime monitoring to allow more precise filtering options.
  • Netifyd improved configuration: Netifyd network configuration has been updated to improve performance by limiting interface monitoring to physical interfaces only. Additionally, an option to exclude specific devices from monitoring has been introduced, though it is not exposed in the UI.
  • New charts for real-time monitoring: Added latency and drop rate graphs to public hosts. These charts use the same time window as existing charts, enhancing visibility into network performance issues.
  • Speedtest: The speedtestcpp package has been added to enable running internet speed tests directly from the command line.

:arrow_up: Updating NethSecurity

Both update methods use the UI and result in the same updated system. The only difference is in how the dashboard displays the version number.

Option 1: Package Update

  1. Navigate to the “Updates” page
  2. Click the “Check for fixes” button
  3. Apply all available updates

This method updates individual packages without changing the displayed version in the dashboard.

Option 2: Full Image Update

  1. Go to the “System” section in the UI
  2. Use the image-based upgrade procedure
  3. Select the new NethSecurity 8.4 image

This method updates the entire system image and will show the new version number in the dashboard.

Remember: despite the difference in displayed version, both methods result in an identical, fully updated system.

:bug: Bug Fixes

Over 20 bug fixes are included in this release, addressing various issues. The detailed changelog can be found here.

:question: What is NethSecurity?

NethSecurity is a powerful, open-source Linux firewall designed to simplify network security deployment. It offers full-featured protection and an easy-to-use interface.

Choose your preferred Subscription Plan

A NethSecurity subscription ensures that your deployment is backed by top-tier technical expertise and the support necessary to maintain your organization’s security infrastructure.

Subscribing also grants exclusive access to the Enterprise repository, which includes Automatic Updates, advanced DPI Applications/protocol detection, and VPN integration with LDAP/AD user databases.

:point_right: Get your subscription

:rocket: Help shape NethSecurity’s future

Your feedback is invaluable as we continue to refine and enhance NethSecurity. Please share your thoughts, report issues, and suggest features by opening a new topic in the NethSecurity category, using tags like Feature, Bug, or Support.

:point_right: Download and use it! :point_left:

10 Likes

Good job, guys!

2 Likes

This is moving pretty fast.

After updating the mwan3 software to version 2.11.16-6 on NethSecurity systems, machines and their clients lose internet connectivity. The issue is caused by the update overwriting the mwan3 configuration file.

The issue is present only on machines where mwan3 has never been configured, so all machines with a single WAN could be affected.
The machine remains accessible from the external network, but the firewall itself and its clients lose the ability to browse the internet.

The workaround that restores the internet connectivity is already documented here.
On updated firewalls where the bug is present, the workaround must be executed manually.

A new mwan package (mwan-2.11.17-6) without the issue has already been released, including the new image 23.05.5-ns.1.4.1 (the first post has been updated accordingly).

2 Likes