NS8 Firewall ports status Change, Open, Close, Internal, External

Hi,

maybe I am overlooking something, but how can one set the status of a port on NS8?

When looking at the node → firewall section one can see the various ports used by several core/module components. For example port 110 is ‘Open’ when mail module is installed. What if I would close this port, for I don’t need POP access?

TIA

@LayLow

Normally, you’d close off the port at your site-firewall, or whatever is in front of NS8.

In the cloud, usually your hoster has additional firewall options.

My 2 cents
Andy

@Andy_Wismer

I know, but there is nothing in front of my ups 1 node cluster. There need to be some firewall capabilities as simple as open or close ports for red and/or green. More advanced config, I agree, could be done by a box in front.

I don’t have - or need / want red or green on a server, green is enough.

But I don’t have SME clients in the cloud.

Maybe NS8 isn’t really suitable for a small cloud.

But no, I do not agree that port opening via GUI is needed.

My 2 cents
Andy

Untested. Probably through firewalld’s firewall-cmd with --remove-port option similarly to the ones here:

From TL;DR man examples:

  • View the available firewall zones: firewall-cmd --get-active-zones
  • View the rules which are currently applied (always wise to know “default” rules before changes): firewall-cmd --list-all
  • Permanently open two arbitrary ports in the specified zone:
    firewall-cmd --permanent --zone=public --add-port=25565/tcp --add-port=19132/udp
  • Reload firewalld to force rule changes to take effect: firewall-cmd --reload
2 Likes
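
Added example (not part of the post above and not NS8's own tooling): a dry-run planner that prints the `firewall-cmd --remove-port` calls for unwanted ports, but only for ports firewalld actually reports open. It assumes the port appears in `firewall-cmd --list-ports` (opened as a port rather than through a named service) and that the zone is `public`; the port list is a constructed sample.

```shell
#!/bin/sh
# Dry-run planner: prints the firewall-cmd calls that would close unwanted
# ports, only for ports that firewalld currently reports as open.
# Assumptions: ports are listed by `firewall-cmd --list-ports` (not opened
# via a named service) and the zone is "public".

# plan_close "<output of --list-ports>" <zone> <port/proto>...
plan_close() {
    open_ports=$1; zone=$2; shift 2
    changed=0
    for want in "$@"; do
        found=0
        for p in $open_ports; do          # intentionally unquoted: split on spaces
            [ "$p" = "$want" ] && found=1
        done
        if [ "$found" -eq 1 ]; then
            echo "firewall-cmd --permanent --zone=$zone --remove-port=$want"
            changed=1
        else
            echo "# $want is not open in zone $zone, nothing to do"
        fi
    done
    # --permanent changes only take effect after a reload.
    [ "$changed" -eq 1 ] && echo "firewall-cmd --reload"
    return 0
}

# Constructed sample of `firewall-cmd --zone=public --list-ports` output.
SAMPLE_PORTS="25/tcp 110/tcp 143/tcp 993/tcp"

# On a real node, pass "$(firewall-cmd --zone=public --list-ports)" instead.
plan_close "$SAMPLE_PORTS" public 110/tcp 4190/tcp
```

Review the printed commands before running them; a later reply in this thread notes that NS8 applications open their ports in Firewalld automatically, so a manual removal is a customization.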

@LayLow

Maybe it’s high time to move away from very old, pre-millennium concepts like MS-SBS (Small Business Server). MS doesn’t include a firewall for a long time now.

They also don’t suggest using fake domains like .local or .lan for a long time either…

We have at the moment a few users active and very vocal about their single server, stuck in the cloud and still mentally stuck to the concept of Red / Green and Firewalls on a server.
They still want Firewall and VPN functionality on a linux server. We now have 2024, not 2010 or 1999 anymore!

On the other hand, we have a few hundred real SME / Home users, who run their server in a protected environment and are waiting for release…

Yet these handful of users demand precious developer time to solve the petty issues of their own creation / planning…

You’re a longtime user here, @LayLow , I think you understand my intention. I do understand your situation, but it’s in the less than 1% range here, sorry!

My 2 cents
Andy

Not the case here. I would like for NS8 to have SOME self contained basic capabilities to protect itself per node

1 Like

It does - in CLI, but it’s not needed nor wanted in the GUI, at least and certainly not for NS8! Maybe 8.1…

Why? It was the essence of my question.

1 Like

There are a zillion use cases for NS8, not only your personal installed base…

1 Like

Your problem, if you want it in GUI,

it’s not needed, and if YOU can’t handle the specific conditions of a situation you planned, it’s not up to the devs to put something uncalled for in NS8, just because YOU need it, or can’t be bothered to set a rule in CLI.

NS8 does not include a firewall, that is in NethSecurity, and runs on a different box. Both can run in a VM in the same cloud hosted environment.
NS8 is intended - no, not for cloud users with special wishes - but for SME and Home users, just as NS7 was.

🙂

But only a few of those zillion is according to the projects targets.

Not my petty goals, nor yours.

I can use ANY Linux or BSD for my goals, I don’t need NS - but I chose NS because my clients run a typical SME environment.

But if you’re too lazy for a CLI command, maybe a dev will help.

I have no intention to do so.

🙂

My 2 cents
Andy

I am stunned by this response… Please take your 2 cents back.

1 Like

A manual procedure is documented here: Firewall — NS8 documentation

I wouldn’t do it. I’d leave the default configuration: applications open their ports in Firewalld automatically. Changing the default configuration is a customization. Dealing with customizations is often difficult!

I think NS8 fits better than NS7 in a cloud environment because it does not change network interfaces configuration.

NS8 was developed in both cloud and home environments. SME and home users can decide where to install it. In Nethesis we are running a cluster with one node in the company and two nodes in the cloud.

1 Like

That is the input I was looking for. Thanks!

you mentioned this sentiment quite a lot @Andy_Wismer, not any 2 setups are the same, and would be the same for good measure.

its a valid sentiment actually, but we wait after release to re-route this question.

this sure also answers this

it is valid to mention use cases that were at least supported

I might agree a bit with this, but then again i would not.

Sure @davidep mentioned on a video firewall would not be in NS8 because they intend for firewall to be installed before NS box. this is fine, because there are very many cloud hostable systems without these.
Cpanel as being one of them.

but understand, there is some capacity to protect the cloud exposed systems, NS8 has cloud exposed systems like wordpress. i don’t think wordpress is designed to be hosted in-house…

I believe Nethesis has visions to still continue servicing the SME market as well as Enterprise market equally, and i attribute the removal and implementation of Nethsecurity in a separate system for such.

actually 80% most SME do not have a firewall, only enterprise and corporates.

Thank you David, this is exactly the sentiments i had in mind.

Almost all providers in Europe provide a firewall / modem.
Same in a lot of continents / countries.
There are some who do not provide an included firewall, but I’d say, MOST SME and Home Users do have a firewall.

How capable remains to the exact model, but the network does have firewall protection.

My 2 cents
Andy

even tplink normal $10 router has some firewall functionalities, but i wouldn’t really consider it firewall.
and most sme do not touch those firewall configs, if that’s what you mean

I just mentioned that they have a firewall protecting their network. (= True)
I did not say they ever configured it beyond what the provider preset for them, but that’s another issue.

Some people do not consider say a Cisco Pix a firewall, they think “overpriced hardware”, also another issue.

The term firewall implies an IP filtering - but not if any are defined besides 1:1 passthru of all ports.

🙂

But theoretically it would be possible to configure such a function.

but firewall protecting the provider network does not protect the user equipment.

Also, if NS8 is on the cloud, if not firewall or Web Application firewall then, no firewall, unless the provider offers internal and external network, with configs through firewall, similar to the likes of oracle. and other.

But most VM providers do not have firewall, default.

there are ways to achieve firewall with them.

buy 2 VMS, setup one with internal network.

setup the other one with external network, deploy nethsecurity or other firewall on vm with external, and route to vm with internal… Would still achieve firewall functions. still, not all providers offer internal networking between vms

The Provider-Box firewall also protects the user equipment.
Internet is not passed thru, NAT is used.
If anyone wants to open Ports or whatever, they can.
Limits of the hardware apply, if anyone wants something better, there’s a free market out there for firewalls.

If any firewall rules make sense or not, depends on what the user wants to achieve…
(And also if he can!).

My 2 cents
Andy