NxFilter for NethServer

At the moment the solution that is implemented for NethServer for filtering online content is SquidGuard. With squidguard you can add several blocklists so your users are ensured of a safe(er) internet experience.

Another option would be to use NxFilter instead of squidguard. @KdB uses this option on a separate server in his educational environment.

I would like to explore the option to get NxFilter integrated in NethServer.
A few things to investigate:

  • differences between NxFilter and SquidGuard
  • Can SquidGuard be replaced by NxFilter on NethServer? (or better: can you choose to use NxFilter instead of SquidGuard)
  • Who wants to try and install NxFilter on NethServer and document this in a Howto topic?

I found an install howto for centos7, but that howto uses an old repository to download the NxFilter RPMs. The latest packages can be found here: https://nxfilter.org/p3/download/ RPMs are available from a 3rd party repository: http://www.deepwoods.net/repo/deepwoods/
Also, that howto mentions opening ports in the firewall. We need to adapt those commands to the ‘NethServer way’ of adding services and opening ports.
Also, NxFilter is a Java application. We already have a few Java based modules. Maybe we can re-use parts of those modules (for instance installing openjdk).

4 Likes

Thanks for setting up this feature discussion @robb.

I have used squid and web proxies in the past but moved to DNS filtering as I found it a more reliable way to categorise and block sites.

I did actually install it on a clean NethServer today. It is fairly trivial using the RPMs IF you install (eg) webtop first - thanks to the webtop_team who have covered the installation of java etc dependencies. I disabled NethServer dnsmasq, changed the nxfilter GUI ports and adjusted the firewall etc. Worked perfectly.

The next step was to re-instate DHCP services, yet, by then, I realised a better solution would be to install in a container: https://github.com/packetworks/docker-nxfilter That, again, was reasonably trivial to install with nethserver-docker (portainer).

This way, NethServer is intact and its DNS is simply pointed at the filter. This project can then likely wait for Portainer to be more production ready.

Having done all that, I did find another DNS filter that, I think, would be more suitable for native integration into NethServer, Pi-Hole: https://pi-hole.net/

As time permits, I’ll set that up and compare the options.

Klaus

FYI, here’s a bit of information about pi-hole on nethserver:

Thanks @dnutan I had missed that topic.

With that discussion and my experiences, it is suggested that containers - in one iteration or another - are the way to go. They have the ability to add features without adding complexity to the out of the box simplicity of NethServer’s core functionality. The real advantage in any ‘add-ons’ is having a single point/location for management.

Follow up edit: I’ve just installed and toyed with pi-hole. While it is ‘prettier’, I prefer NxFilter. Simple GUI IP address filter bypass is (IMHO) a necessity which pi-hole is missing.

1 Like

Are there any plans to move ahead with this? NxFilter seems like an elegant solution and I’m hoping would handle the SSL site redirection issue more elegantly than the current Squid setup does.

If you need testers for any of this I’d be more than happy to assist in any way I can.

Thanks

Duke

I’m the RPM package developer for NxFilter. I’d be more than happy to help with NxFilter on NethServer if there is an interest. Just a couple of things I’ve read in this thread I’d like to add to: the NxFilter RPM has a java-headless dependency requirement that will install the latest OpenJDK java-headless package if it’s missing. For SSL block page redirection, we use SSLSplit which I’ve also bundled together with NxFilter into a RPM: https://www.reddit.com/r/nxfilter/comments/ayh81c/nxfilter_sslsplit_rpm/ . Most of the scripts to make all this work are based on a minimal CentOS 7 install and probably require some changes to do things the “NethServer way”. If docker images are preferred, I believe I may still have the containers I used when I was working on the SSLSplit integration.

5 Likes

@DeepWoods What will happen if another version of OpenJDK java-headless is already installed? Will you end up with 2 installed versions?
NethServer already has several Java based applications like Webtop and SavaPage… and probably several more…

The dependency check by the package manager should see that the Java requirement is met already and not install a second version. That said, in my spec file I’m only calling “Requires: java-headless” and not a specific minimum version. In my testing on CentOS 7 with “yum provides java-headless”, this is version 1.7 and 1.8 of OpenJDK. NxFilter recommends Java version 7 or 8 so the java-headless check seemed adequate. If other NethServer apps require different versions, then there could potentially be a conflict. I remember there being some issues with the webserver portion of NxFilter with Java 9. Is there a table with app requirements or dependencies for things like Webtop to look over? If not, I can see what happens after installing NethServer with Webtop and adding my repo and NxFilter.

1 Like

From their spec file webtop5 and SavaPage require java-1.8.0-openjdk.

I had a few minutes to toy around with installing and running NxFilter on a new CentOS 7 VM running NethServer this afternoon. Installation was simple enough and no duplicate Java packages were installed. About the only thing I did was disable dnsmasq’s DNS configuration (port=0) and change the listening ports of NxFilter in cfg.properties to not conflict with WebTop. This worked fine as strictly a DNS filter but the end user block page redirection is broken with NxFilter listening on a port other than 80. I didn’t do more than look at the WebTop apache config to realize it’s not trivial to change the default alias. I didn’t notice a conflict for NxFilter listening on port 80 other than the alias for /webtop but I might have overlooked something?

1 Like

Will this not cripple NethServer DNS and DHCP services?

1 Like

It disables dnsmasq from handling DNS queries as far as I know. I haven’t tested DHCP but by the changes I made, NxFilter handles DNS for the system. It looks as though dnsmasq is still handling DHCP from the output of netstat but again, I’ve not tested it:

Edited for completeness:
[root@cent7 httpd]# netstat -tunap | grep 'dnsmasq|java'
tcp 0 0 127.0.0.1:19001 0.0.0.0:* LISTEN 1488/java
tcp 0 0 0.0.0.0:19002 0.0.0.0:* LISTEN 1488/java
tcp 0 0 0.0.0.0:19003 0.0.0.0:* LISTEN 1488/java
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 1488/java
tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN 1488/java
tcp6 0 0 127.0.0.1:58009 :::* LISTEN 1166/java
tcp6 0 0 127.0.0.1:58080 :::* LISTEN 1166/java
tcp6 0 0 127.0.0.1:58005 :::* LISTEN 1166/java
tcp6 0 0 127.0.0.1:53736 127.0.0.1:5432 ESTABLISHED 1166/java
tcp6 0 0 127.0.0.1:53754 127.0.0.1:5432 ESTABLISHED 1166/java
tcp6 0 0 127.0.0.1:53746 127.0.0.1:5432 ESTABLISHED 1166/java
tcp6 0 0 127.0.0.1:53740 127.0.0.1:5432 ESTABLISHED 1166/java
tcp6 0 0 127.0.0.1:53742 127.0.0.1:5432 ESTABLISHED 1166/java
tcp6 0 0 127.0.0.1:53738 127.0.0.1:5432 ESTABLISHED 1166/java
tcp6 0 0 127.0.0.1:53748 127.0.0.1:5432 ESTABLISHED 1166/java
tcp6 0 0 127.0.0.1:53752 127.0.0.1:5432 ESTABLISHED 1166/java
tcp6 0 0 127.0.0.1:53744 127.0.0.1:5432 ESTABLISHED 1166/java
tcp6 0 0 127.0.0.1:53750 127.0.0.1:5432 ESTABLISHED 1166/java
udp 0 0 0.0.0.0:33774 0.0.0.0:* 1488/java
udp 0 0 0.0.0.0:34693 0.0.0.0:* 1488/java
udp 0 0 0.0.0.0:53 0.0.0.0:* 1488/java
udp 0 0 0.0.0.0:69 0.0.0.0:* 1168/dnsmasq
udp6 0 0 :::69 :::* 1168/dnsmasq

1 Like
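The netstat listing above is the evidence that the handover worked: port 53/udp now belongs to the NxFilter java process and dnsmasq only keeps its TFTP socket. As an added example (not from the thread or either project), here is a small POSIX sh/awk check that reads a `netstat -tunap` style listing, reports which program owns a given port on any address family, and passes only when java alone holds 53; the sample listing is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example: verify the "port=0" dnsmasq change actually freed port 53
# for NxFilter. Input format is a netstat -tunap listing (one socket per line).

# Constructed sample modelled on the listing posted in the thread.
SAMPLE='udp 0 0 0.0.0.0:53 0.0.0.0:* 1488/java
udp 0 0 0.0.0.0:69 0.0.0.0:* 1168/dnsmasq
udp6 0 0 :::69 :::* 1168/dnsmasq
tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN 1488/java'

# Constructed failure case: dnsmasq still bound to 53 on IPv6.
CONFLICT='udp 0 0 0.0.0.0:53 0.0.0.0:* 1488/java
udp6 0 0 :::53 :::* 1168/dnsmasq'

# port_owner PORT  (listing on stdin)
# Prints the program name of every socket bound to PORT, or "none".
# The local address is field 4; the port is whatever follows the last ":",
# which also handles IPv6 forms such as ":::69". The program is the last
# field (PID/name) for both udp and tcp (LISTEN) lines.
port_owner() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":")
            if (a[n] == port) {
                sub(/^[0-9]+\//, "", $NF)   # strip the "1488/" PID prefix
                print $NF
                found = 1
            }
        }
        END { if (!found) print "none" }'
}

# check_dns_handover LISTING
# Returns 0 only when java is the sole owner of port 53 (any address family);
# a leftover dnsmasq socket on 53, or no DNS listener at all, returns 1.
check_dns_handover() {
    owners=$(printf '%s\n' "$1" | port_owner 53 | sort -u)
    [ "$owners" = "java" ]
}

# Live use on the box itself (assumes net-tools is installed):
#   check_dns_handover "$(netstat -tunap 2>/dev/null)" && echo "NxFilter owns DNS"
```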

I really hope this comes to fruition because I’ve played with NxFilter previously and it would be a vast improvement on the current content filter.

Are the Nethserver team on board and moving ahead with this?

Thanks…
Duke

@robb I tested DHCP services from dnsmasq after disabling the DNS portion of it for NxFilter and it worked as expected. Wildcard DNS entries are the only things I’ve found so far that it breaks as those are address entries in /etc/dnsmasq.conf . The same action can be accomplished by adding it to NxFilter under DNS redirection though.

Some basic Nethserver modules (dns, mail, dc, proxy, jabber) add configuration to dnsmasq so I think disabling it is not a good idea.

I didn’t find a way to change the nxfilter DNS port to not collide with dnsmasq.

As @KdB pointed out here, we may run nxfilter in a docker container.

Another way could be using a virtual network interface for nxfilter to listen to.

Source:

https://groups.google.com/forum/#!topic/nxfilter200/HtDA9bFsJrY

Are there any plans to move ahead with this?

Thanks

Duke

1 Like

I tested with nethserver-docker and portainer and it finally worked. I had to put the nxfilter docker container on the aqua network so it gets an IP address there and doesn’t use published ports. NethServer uses the nxfilter IP as DNS server. The nxfilter admin site is reachable over the virtualhost reverse proxy.
This way we do not need a DNS port redirection.
I just have to check which steps really did the trick and then I am going to write a step by step howto.

3 Likes

You’re an absolute God! Awesome!

1 Like

Please test the howto:

2 Likes

Just wondering if the idea of running NxFilter on NethServer was progressed any further?