I need two firewalls. The first is a perimeter firewall protecting both the LAN and DMZ, and the second protecting just the LAN. Both firewalls should be from different stables, for security. That is the reason why the Nethserver firewall cannot be used twice. Sort of defeats the object. If a hacker breaks through the first firewall and is then confronted by the same firewall obstacle, then access is easy. If the firewalls are different, then the hacker is confronted by new obstacles to surmount… not wise to have both firewalls the same.
What would be the difference between IPtables firewall from NS vs IPtables firewall from another project?
It’s my understanding that IPtables (or the newer NFT) used by CentOS and Ubuntu is different to the packet filtering used by pfSense / OPNsense. Correct me if I’m wrong. NFT, the latest incarnation of IPtables, hooks directly into the Linux kernel. OpenBSD and FreeBSD, which pfSense forked from, use packet inspection to allow traffic through firewalls. BSD is not Linux, therefore a different OS. pfSense cannot be installed (to my knowledge) on a Linux OS. So, as I stated in my earlier post, I want to use two separate firewalls, which should give me much more effective protection.
NFT / IPtables are good and I use them a lot to protect individual servers running Ubuntu in my DMZ. My intention is to have possibly OPNsense as a perimeter guardian, protecting both the DMZ and the LAN server running the Nethserver firewall / (Smoothwall I think) and hence IPtables.
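To make the two-tier design concrete, here is an added example of what the inner (LAN-side) firewall's ruleset could look like in nftables syntax. It is not code from this thread, from NethServer or from pfSense / OPNsense, and it assumes an interface layout the thread does not specify: eth0 faces the DMZ and the perimeter firewall, eth1 faces the LAN, the LAN is 192.168.10.0/24 and the DMZ is 192.168.20.0/24. The point it shows is that a host compromised in the DMZ still meets a second, independently configured obstacle before reaching the LAN, and that the firewall host itself exposes only management ports, and only to the LAN.

```nft
#!/usr/sbin/nft -f
# Added illustration of the inner (LAN-side) firewall in a two-tier design.
# Assumptions (not taken from the thread): eth0 faces the DMZ / perimeter
# firewall, eth1 faces the LAN; LAN is 192.168.10.0/24, DMZ is 192.168.20.0/24.
flush ruleset

define LAN_IF  = "eth1"
define DMZ_IF  = "eth0"
define LAN_NET = 192.168.10.0/24
define DMZ_NET = 192.168.20.0/24

table inet lan_fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # The firewall host itself is managed only from the LAN side (SSH, web UI)
        iifname $LAN_IF ip saddr $LAN_NET tcp dport { 22, 443 } accept
        # Ping is useful for troubleshooting; keep it rate limited
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # Anything else aimed at the firewall host is logged (rate limited) and dropped
        limit rate 1/minute log prefix "lanfw-input-drop: "
        drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN clients may open connections towards the DMZ and, via the
        # perimeter firewall, the Internet
        iifname $LAN_IF oifname $DMZ_IF ip saddr $LAN_NET accept
        # Nothing initiated on the DMZ side (or beyond it) reaches the LAN.
        # Logging these gives early warning that a DMZ host is misbehaving.
        iifname $DMZ_IF oifname $LAN_IF limit rate 1/minute log prefix "lanfw-dmz-to-lan: "
        iifname $DMZ_IF oifname $LAN_IF drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Loading the file with `nft -f` replaces the running ruleset, so test it on the console rather than over SSH. The perimeter firewall in front of it would carry the complementary rules (Internet to DMZ services only, never Internet to LAN), and because that box runs a different filtering stack the attacker cannot reuse one set of assumptions against both.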
[quote=“Bluelake, post:21, topic:917, full:true”]
I need two firewalls. …/… If the firewalls are different, then the hacker is confronted by new obstacles to surmount… not wise to have both firewalls the same.[/quote]
OK but this is a design choice. Which may make sense BTW.
I would not say the opposite as I do operate at least one Zentyal server behind pfSense FW
Then does it mean this is a requirement everywhere, or that the NS FW is not safe or efficient enough because it is iptables? I don’t think so.
Hi Christian
Yes, this is a design choice and my design choice. The biggest rise in crime is now from the Internet (U.K.), and not from the guy breaking a window and grabbing the telly to sell for a few bucks. There is more cash to be made from hacking networks / computers for data to sell…
Did I say that the NS FW was inefficient? No. The Nethserver FW has protected my LAN for more than a year and IP-tables do make a great firewall, and I use IP-tables on more than one server. I am against the “All in one box” scenario, but that does not lessen the fact that NS is a great product. Having a web server and email server in the same box as a database server is, to me, a dangerous practice, and one I have never indulged in.
Network security is an individual choice, and one normally based around economics and expertise; not every business or individual trader has the time or money to invest in security. Which is why Nethserver is a great tool for a lot of SMEs, and the firewall does its job.
I have always operated my network with two firewalls, one protecting the perimeter and a second protecting the LAN. The cost involved is negligible compared to the cost of customer information being sold to the highest bidder, believe me, I have been there.
Does this mean we all need to rush out and install a second firewall? No, but it does mean we should all be aware of the threats associated with the Internet where a business is concerned. Ignorance is not bliss.
Great points here, thanks for explaining your approach to security, Keith.
I love seeing people sharing such experience!
Nethserver is the best one.
I’m just a home user now, but I was the IT support for a small business for a while, in addition to my real job there :). At that time I used Smoothwall for both because I believe strongly in a separate perimeter device dedicated to that task for minimal attack surface. I also had spare older PCs around in both environments that were capable of running Smoothwall and keeping up with the connection speeds involved then fine, so the implementation cost was just a bit of my time. Work involved training of people, and the ability to easily monitor sites accessed and block some was rather useful too at times.
At home, because of slow DSL, I eventually went multi-WAN to move to pfSense, as Smoothwall did not support that, which initially was a little harder to get my head around and not quite as polished to look at, but plainly also a very solid product. Recently I bought a little Qotom box as it was cheap, used far less electricity, much smaller and much more powerful than the ancient Compaq Deskpro SFF PC I was using at the time. It’s performed perfectly.
Personally I would never put my perimeter firewall on any shared resource. Especially now when the likes of the Qotom box are around. Mine is really overkill in power but was only £200, it’s well built and silent and actually barely bigger than the two modems connected to it. Should last many years and uses very little power, so excellent value from my point of view at least.
I appreciate that there are probably some cases where an all-in-one approach is okay, and if I was just a plain home user with minimal IT knowledge and a very tight budget I might very well do that. The reality is I know enough to prefer a separate firewall, and an old PC or £200 bought unit is a price I’m happy and able to pay. Apart from anything else, the two modems and two switches sitting with the router box, though pretty bargain basement units, cost more than it did.
I absolutely agree.
Even if I don’t think about security… in home use cases today it’s better to be able to restart a server without losing the internet connection for the rest of the family because router and server are the same… there are home scenarios where internet is needed 24/7… crazy people, but I understand them.
In my opinion a firewall should
- be a physical device - virtualization may be seen as a security hole
- have just firewall services installed - the fewer services, the fewer attack possibilities
- maybe have much more, but that’s not the point now
Now to NethServer Firewall vs pfSense (to reply to the topic):
The Nethserver firewall has much of the functions of pfSense, maybe not everything in web UI. Optically you can see that pfSense is a firewall distro and for Nethserver firewalling is just a small part of the whole thing, but managing the firewall is easy with both systems.
When it ever comes to compare the fully installed systems, pfSense has no chance, even if I take Nethserver without community modules.
I use LEDE (https://lede-project.org/), an OpenWrt fork, on a cheap WLAN router as router/firewall and Nethserver as a VMware VM as All-In-One-Server at home.
Some screenshots of my test systems, pfSense Dashboard:
pfSense port forwarding:
pfSense package manager:
Nethserver port forwarding:
Nethserver firewall rules/services:
You can set up this anyway with two NethServers:
- 1 as PDC or mailserver
- 1 as Firewall that joins the PDC
I have this atm on my home network. Only thing I was running into was a problem joining the Samba4 domain correctly with the Gateway instance. See AccountProvider_Error_82 on member NS7 after join
I’m in the process of re-evaluating pfSense as well. I’m a home user / enthusiast. I’m considering NethServer for my home setup. I’m also the type to set up the perimeter separate from my data storage. I’m considering signing up for the basic $48 subscription. Does that subscription support two servers, or is it limited to one server per $48 subscription?