At the moment the solution that is implemented for NethServer for filtering online content is SquidGuard. With squidguard you can add several blocklists so your users are ensured of a safe(er) internet experience.
Another option would be to use NxFilter instead of SquidGuard. @KdBuses uses this option on a separate server in his educational environment.
I would like to explore the option to get NxFilter integrated in NethServer.
A few things to investigate:
differences between NxFilter and SquidGuard
Can SquidGuard be replaced by NxFilter on NethServer? (or better: can you choose to use NxFilter instead of SquidGuard)
Who wants to try and install NxFilter on NethServer and document this in a Howto topic?
I found an install howto for CentOS 7, but that howto uses an old repository to download the NxFilter RPMs. The latest packages can be found here: https://nxfilter.org/p3/download/ RPMs are available from a 3rd-party repository: http://www.deepwoods.net/repo/deepwoods/
Also, that howto mentions opening ports in the firewall. We need to adapt those commands to the ‘NethServer way’ of adding services and opening ports.
Also, NxFilter is a Java application. We already have a few Java-based modules. Maybe we can re-use parts of those modules (for instance installing OpenJDK).
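One way to do the adaptation asked for above (stop dnsmasq answering DNS, move the NxFilter GUI off WebTop's ports, and open ports through NethServer's configuration db rather than firewall-cmd), written as an added example for this thread. It is not code from NethServer, from NxFilter or from the deepwoods RPMs. It assumes that NxFilter keeps `/nxfilter/conf/cfg.properties` with keys `listen_port`, `http_port` and `https_port`, that `/etc/dnsmasq.conf` is generated from e-smith templates (so the override goes into `templates-custom`), that the service record is called `nxfilter`, and it picks 8180/8443 as arbitrary GUI ports; none of those specifics are confirmed by the thread.

```shell
#!/bin/sh
# Added example: prepare NethServer 7 for a native NxFilter install.
# Not code from NethServer, NxFilter or the deepwoods RPMs.
# Assumptions (not confirmed by the thread):
#   - NxFilter reads /nxfilter/conf/cfg.properties with keys
#     listen_port, http_port and https_port
#   - WebTop's Apache already owns 80/443, so NxFilter's GUI moves to
#     8180/8443 (arbitrary choice)
#   - /etc/dnsmasq.conf is generated from e-smith templates, so the
#     override belongs in templates-custom, not in the file itself

NX_CONF="${NX_CONF:-/nxfilter/conf/cfg.properties}"
NX_HTTP="${NX_HTTP:-8180}"
NX_HTTPS="${NX_HTTPS:-8443}"
DNSMASQ_CUSTOM="/etc/e-smith/templates-custom/etc/dnsmasq.conf"

# Print the process that holds port $1, given `ss -lntup` output on stdin.
# Used to see who owns 53/80/443 before NxFilter tries to bind them.
port_owner() {
    awk -v p=":$1" '
        $5 ~ (p "$") {
            if (match($0, /\("[^"]+"/)) print substr($0, RSTART + 2, RLENGTH - 3)
            exit
        }'
}

# Template fragment that stops dnsmasq answering DNS (port=0) while
# leaving its DHCP service in place.
dnsmasq_fragment() {
    printf '%s\n' '# NxFilter owns udp/tcp 53; dnsmasq keeps DHCP only' 'port=0'
}

# Rewrite NxFilter's GUI ports in the cfg.properties given as $1.
# The DNS listener (listen_port) is left on 53.
set_nx_ports() {
    f="$1"
    sed -e "s/^http_port=.*/http_port=$NX_HTTP/" \
        -e "s/^https_port=.*/https_port=$NX_HTTPS/" "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# The "NethServer way" of opening ports: declare a service record in the
# configuration db and let the firewall events generate the rules.
nethserver_firewall_cmds() {
    printf '%s\n' \
      "config set nxfilter service status enabled TCPPorts 53,$NX_HTTP,$NX_HTTPS UDPPorts 53 access green" \
      "signal-event firewall-adjust"
}

# Apply everything on a real NethServer box; elsewhere only show what would run.
nxfilter_prepare() {
    if ! command -v config >/dev/null 2>&1; then
        echo "not a NethServer host, dry run:"
        nethserver_firewall_cmds
        return 0
    fi
    for p in 53 80 443; do
        owner=$(ss -lntup | port_owner "$p")
        [ -n "$owner" ] && echo "port $p currently held by $owner"
    done
    mkdir -p "$DNSMASQ_CUSTOM"
    dnsmasq_fragment > "$DNSMASQ_CUSTOM/90nxfilter"
    expand-template /etc/dnsmasq.conf
    systemctl restart dnsmasq
    set_nx_ports "$NX_CONF"
    nethserver_firewall_cmds | sh
    systemctl restart nxfilter
}

case "${1:-}" in
    apply) nxfilter_prepare ;;
esac
```

Run it as root with `apply` after the RPM is installed. Once dnsmasq has `port=0`, nothing on the host answers 127.0.0.1:53 any more, so NxFilter must listen on the loopback address as well, or the host's own resolver has to be pointed at the address NxFilter does listen on.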
Thanks for setting up this feature discussion @robb.
I have used squid and web proxies in the past but moved to DNS filtering as I found it a more reliable way to categorise and block sites.
I did actually install it on a clean NethServer today. It is fairly trivial using the RPMs IF you install (e.g.) WebTop first - thanks to the webtop_team who have covered the installation of Java etc. dependencies. I disabled NethServer dnsmasq, changed the NxFilter GUI ports and adjusted the firewall etc. Worked perfectly.
The next step was to re-instate DHCP services, yet, by then, I realised a better solution would be to install in a container: https://github.com/packetworks/docker-nxfilter That, again, was reasonably trivial to install with nethserver-docker (portainer).
This way, NethServer is intact and its DNS is simply pointed at the filter. This project can then likely wait for Portainer to be more production ready.
Having done all that, I did find another DNS filter that, I think, would be more suitable for native integration into NethServer, Pi-Hole: https://pi-hole.net/
As time permits, I’ll set that up and compare the options.
With that discussion and my experiences, it is suggested that containers - in one iteration or another - are the way to go. They have the ability to add features without adding complexity to the out of the box simplicity of NethServer’s core functionality. The real advantage in any ‘add-ons’ is having a single point/location for management.
follow up edit: I’ve just installed and toyed with pi-hole. While it is ‘prettier’, I prefer Nxfilter. Simple GUI IP address filter bypass is (IMHO) a necessity which pi-hole is missing.
I’m the RPM package developer for NxFilter. I’d be more than happy to help with NxFilter on NethServer if there is an interest. Just a couple of things I’ve read in this thread I’d like to add to, the NxFilter RPM has a java-headless dependency requirement that will install the latest openJDK java-headless package if it’s missing. For SSL block page redirection, we use SSLSplit which I’ve also bundled together with NxFilter into a RPM. https://www.reddit.com/r/nxfilter/comments/ayh81c/nxfilter_sslsplit_rpm/ . Most of the scripts to make all this work are based on a minimal CentOS 7 install and probably require some changes to do things the “NethServer way”. If docker images are preferred, I believe I may still have the containers I used when I was working on the SSLSplit integration.
@DeepWoods What will happen if another version of OpenJDK java-headless already is installed? Will you end up with 2 installed versions?
NethServer already has several Java-based applications like WebTop and SavaPage… and probably several more…
The dependency check by the package manager should see that the java requirement is met already and not install a second version. That said, in my spec file I’m only calling “Requires: java-headless” and not a specific minimum version. In my testing on CentOS 7 with “yum provides java-headless”, this is version 1.7 and 1.8 of openJDK. NxFilter recommends Java version 7 or 8 so the java-headless check seemed adequate. If other NethServer apps require different versions, then there could potentially be a conflict. I remember there being some issues with the webserver portion of NxFilter with Java 9. Is there a table with app requirements or dependencies for things like Webtop to look over? If not, I can see what happens after installing NethServer with Webtop and adding my repo and NxFilter.
I had a few minutes to toy around with installing and running NxFilter on a new CentOS 7 VM running NethServer this afternoon. Installation was simple enough and no duplicate Java packages were installed. About the only thing I did was disable dnsmasq’s DNS configuration (port=0) and change the listening ports of NxFilter in cfg.properties to not conflict with WebTop. This worked fine as strictly a DNS filter, but the end-user block page redirection is broken with NxFilter listening on a port other than 80. I didn’t do more than look at the WebTop Apache config to realize it’s not trivial to change the default alias. I didn’t notice a conflict for NxFilter listening on port 80 other than the alias for /webtop, but I might have overlooked something?
It disables dnsmasq from handling DNS queries as far as I know. I haven’t tested DHCP but by the changes I made, NxFilter handles DNS for the system. It looks as though dnsmasq is still handling DHCP from the output of netstat but again, I’ve not tested it:
@robb I tested DHCP services from dnsmasq after disabling the DNS portion of it for NxFilter and it worked as expected. Wildcard DNS entries are the only things I’ve found so far that it breaks as those are address entries in /etc/dnsmasq.conf . The same action can be accomplished by adding it to NxFilter under DNS redirection though.
I tested with nethserver-docker and Portainer and it finally worked. I had to put the NxFilter docker container on the aqua network so it gets an IP address there, and not use published ports. NethServer uses the NxFilter IP as DNS server. The NxFilter admin site is reachable over the virtualhost reverse proxy.
This way we do not need a DNS port redirection.
I just have to check which steps really did the trick and then I am going to write a step by step howto.