Forgive the newbie question, but I'm afraid that I have a security hole.
I have a basic config as a firewall on a single WAN.
The eth WAN gets the public IP from my modem in bridge mode.
The public IP is retrieved via DHCP from my ISP (IPoE).
Now if I open my public IP 2.XX.XX.XX:9090 in the browser, the NethServer web console opens and I can access it.
This is a behavior that I did not expect.
As a basic rule, shouldn't all incoming ports be closed by the firewall?
My expectation was to "enable Port Forward" also for the applications installed on the NethServer host (also for the NethServer web UI).
For the moment I have configured the modem "as a router" and not as a bridge to avoid this behavior.
I have never enabled this option…
I am pretty sure, because if I try to turn it on, it asks me from which IP it's enabled -> "Allowed ips (one per line)".
I assume it only works from the internal LAN to access the server manager via the public IP.
Please try a web port scan or try to access it from outside the LAN (e.g. a mobile phone).
The curious thing is that at port 80 I am able to access the NethServer welcome page from outside the network.
Same thing if I connect my modem in bridge mode to the WAN port of my NethServer gateway.
Do you know how I can hide it? Are there other ports open to the outside?
For other noobs like me… to avoid this kind of unexpected access you need to go to the SERVICES section and remove the RED zone from the services that you do not want to expose.
In this case httpd (and httpd-admin) is the web server service that shows this page at port 80 or 443.
Not all services are blocked from outside connections in a clean installation (contrary to my expectation)… please review SERVICES and, if needed, remove the RED zone to avoid public/external access for specific ports/services.
I am pretty sure that with a little adjustment to the NethServer docs this system can be used with success also by users with little networking knowledge.
I think that for small companies NethServer can be a great business case.
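The review step described in the post above (find every service whose access list includes the RED zone) can also be done from a shell session instead of clicking through the Services page. The script below is an added example and is not code from the thread or from the NethServer project: it parses a service dump in the `key=type` / indented `prop=value` layout that NethServer's `config show` prints (the layout and the prop names `access`, `TCPPort`, `TCPPorts`, `UDPPort`, `UDPPorts`, `status` are assumptions about that format), and lists each enabled service that is reachable from RED together with its ports. The sample dump embedded in `SAMPLE_CONFIG` is constructed for the example; the CLI commands suggested by `remediation_commands` (`config setprop ... access green` and `signal-event firewall-adjust`) are likewise an assumption about the e-smith tooling and should be checked against the NethServer docs before use.

```python
"""Audit an e-smith style service dump for services exposed to the RED (WAN) zone.

Added example, not NethServer's own code. Assumes the `config show` layout:
    <name>=service
        <prop>=<value>
"""
from typing import Dict, List

# Constructed sample dump (not real output from any host).
SAMPLE_CONFIG = """\
httpd=service
    TCPPorts=80,443
    access=green,red
    status=enabled
httpd-admin=service
    TCPPort=980
    access=green
    status=enabled
sshd=service
    TCPPort=22
    access=green,red
    status=enabled
dnsmasq=service
    TCPPorts=53
    UDPPorts=53,67
    access=private
    status=enabled
"""

# Prop names assumed to carry listening ports, with the protocol they describe.
PORT_PROPS = (("TCPPort", "tcp"), ("TCPPorts", "tcp"),
              ("UDPPort", "udp"), ("UDPPorts", "udp"))


def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Turn the dump into {name: {"type": ..., prop: value, ...}}."""
    records: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Record header: "name=type"
            name, _, rtype = line.partition("=")
            current = {"type": rtype.strip()}
            records[name.strip()] = current
        elif current is not None:
            # Indented property line: "prop=value"
            prop, _, value = line.strip().partition("=")
            current[prop.strip()] = value.strip()
    return records


def exposed_on_red(records: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {service: ["tcp/80", ...]} for enabled services whose access list includes red."""
    exposed: Dict[str, List[str]] = {}
    for name, props in records.items():
        if props.get("type") != "service" or props.get("status") != "enabled":
            continue
        zones = {z.strip() for z in props.get("access", "").split(",") if z.strip()}
        if "red" not in zones:
            continue
        ports: List[str] = []
        for prop, proto in PORT_PROPS:
            for port in props.get(prop, "").split(","):
                if port.strip():
                    ports.append(f"{proto}/{port.strip()}")
        exposed[name] = ports
    return exposed


def remediation_commands(exposed: Dict[str, List[str]]) -> List[str]:
    """Assumed e-smith commands to restrict each exposed service to green and reapply the firewall."""
    cmds = [f"config setprop {name} access green" for name in sorted(exposed)]
    if cmds:
        cmds.append("signal-event firewall-adjust")
    return cmds


if __name__ == "__main__":
    found = exposed_on_red(parse_config(SAMPLE_CONFIG))
    for svc, ports in found.items():
        print(f"{svc}: reachable from RED on {', '.join(ports) or 'unknown ports'}")
    print("\n".join(remediation_commands(found)))
```

On a live host you would feed the output of `config show` into `parse_config` instead of the constructed sample; any service the script reports that you did not intend to publish is one to take out of the RED zone, which is exactly the check the post recommends.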
Correct, though it could be configured in such a way that it only responds to queries under /.well-known/acme-challenge. Or you could use DNS validation, which is now semi-implemented, and doesn’t require any ports to be open. But I suspect what’s going on is just an assumption that if you want a web server, you probably want it to be public, so that’s the default–and it can be easily changed if desired.