NxFilter for NethServer

(Rob Bosch) #1

At the moment the solution that is implemented for NethServer for filtering online content is SquidGuard. With squidguard you can add several blocklists so your users are ensured of a safe(er) internet experience.

Another option would be to use NxFilter instead of squidguard. @KdB uses this option on a seperate server in his educational environment.

I would like to explore the option to get NxFilter integrated in NethServer.
A few things to investigate:

  • differences between NxFilter and SquidGuard
  • Can SquidGuard be replaced by NxFilter on NethServer? (or better: can you choose to use NxFilter instead of SquidGuard)
  • Who wants to try and install NxFilter on NethServer and document this in a Howto topic?

I found an install howto for centos7, but that howto uses an old repository to download the NxFilter RPM’s. The latest packages can be found here: https://nxfilter.org/p3/download/ RPM’s are available from a 3rd party repository: http://www.deepwoods.net/repo/deepwoods/
Also that howto mentions opening ports in the firewall. We need to adapt those commands to the ‘NethServer way’ of adding services and opening ports.
Also, NxFilter is a java application. we already have a few java based modules. Maybe we can re-use parts of those modules (for instance installing openjdk)

(Klaus Boehme) #2

Thanks for setting up this feature discussion @robb.

I have used squid and web proxies in the past but moved to DNS filtering as I found it a more reliable way to categorise and block sites.

I did actually install it on a clean NethServer today. It is fairly trivial using the RPMs IF you install (eg) webtop first - thanks to the webtop_team who have covered the installation of java etc dependencies. I disabled NethServer dnsmasq, changed the nxfilter GUI ports and adjusted the firewall etc. Worked perfectly.

The next step was to re-instate DHCP services, yet, by then, I realised a better solution would be to install in a container: https://github.com/packetworks/docker-nxfilter That, again, was reasonably trivial to install with nethserver-docker (portainer).

This way, NethServer is intact and its DNS is simply pointed at the filter. This project can then likely wait for Portainer to be more production ready.

Having done all that, I did find another DNS filter that, I think, would be more suitable for native integration into NethServer, Pi-Hole: https://pi-hole.net/

As time permits, I’ll set that up and compare the options.


(Marc) #3

FYI, here’s a bit of information about pi-hole on nethserver:

(Klaus Boehme) #4

Thanks @dnutan I had missed that topic.

With that discussion and my experiences, it is suggested that containers - in one iteration or another - are the way to go. They have the ability to add features without adding complexity to the out of the box simplicity of NethServer’s core functionality. The real advantage in any ‘add-ons’ is having a single point/location for management.

follow up edit: I’ve just installed and toyed with pi-hole. While it is ‘prettier’, I prefer Nxfilter. Simple GUI IP address filter bypass is (IMHO) a necessity which pi-hole is missing.