NxFilter for NethServer

Thanks for setting up this feature discussion @robb.

I have used squid and web proxies in the past but moved to DNS filtering as I found it a more reliable way to categorise and block sites.

I did actually install it on a clean NethServer today. It is fairly trivial using the RPMs IF you install (e.g.) webtop first - thanks to the webtop_team who have covered the installation of java etc. dependencies. I disabled NethServer dnsmasq, changed the nxfilter GUI ports and adjusted the firewall etc. Worked perfectly.

The next step was to re-instate DHCP services, yet, by then, I realised a better solution would be to install in a container: https://github.com/packetworks/docker-nxfilter That, again, was reasonably trivial to install with nethserver-docker (portainer).

This way, NethServer is intact and its DNS is simply pointed at the filter. This project can then likely wait for Portainer to be more production ready.

Having done all that, I did find another DNS filter that, I think, would be more suitable for native integration into NethServer, Pi-Hole: https://pi-hole.net/

As time permits, I’ll set that up and compare the options.

Klaus

FYI, here’s a bit of information about pi-hole on nethserver:

Thanks @dnutan I had missed that topic.

With that discussion and my experiences, it is suggested that containers - in one iteration or another - are the way to go. They have the ability to add features without adding complexity to the out of the box simplicity of NethServer’s core functionality. The real advantage in any ‘add-ons’ is having a single point/location for management.

follow up edit: I’ve just installed and toyed with pi-hole. While it is ‘prettier’, I prefer Nxfilter. Simple GUI IP address filter bypass is (IMHO) a necessity which pi-hole is missing.

Are there any plans to move ahead with this? NxFilter seems like an elegant solution and I’m hoping would handle the SSL site redirection issue more elegantly than the current Squid setup does.

If you need testers for any of this I’d be more than happy to assist in any way I can.

Thanks

Duke

I’m the RPM package developer for NxFilter. I’d be more than happy to help with NxFilter on NethServer if there is an interest. Just a couple of things I’ve read in this thread I’d like to add to: the NxFilter RPM has a java-headless dependency requirement that will install the latest openJDK java-headless package if it’s missing. For SSL block page redirection, we use SSLSplit which I’ve also bundled together with NxFilter into an RPM: https://www.reddit.com/r/nxfilter/comments/ayh81c/nxfilter_sslsplit_rpm/. Most of the scripts to make all this work are based on a minimal CentOS 7 install and probably require some changes to do things the “NethServer way”. If docker images are preferred, I believe I may still have the containers I used when I was working on the SSLSplit integration.

@DeepWoods What will happen if another version of OpenJDK java-headless is already installed? Will you end up with 2 installed versions?
NethServer already has several java based applications like Webtop and SavaPage… and probably several more…

The dependency check by the package manager should see that the java requirement is met already and not install a second version. That said, in my spec file I’m only calling “Requires: java-headless” and not a specific minimum version. In my testing on CentOS 7 with “yum provides java-headless”, this is version 1.7 and 1.8 of openJDK. NxFilter recommends Java version 7 or 8 so the java-headless check seemed adequate. If other NethServer apps require different versions, then there could potentially be a conflict. I remember there being some issues with the webserver portion of NxFilter with Java 9. Is there a table with app requirements or dependencies for things like Webtop to look over? If not, I can see what happens after installing NethServer with Webtop and adding my repo and NxFilter.

From their spec file webtop5 and SavaPage require java-1.8.0-openjdk.

I had a few minutes to toy around with installing and running NxFilter on a new CentOS 7 VM running NethServer this afternoon. Installation was simple enough and no duplicate java packages were installed. About the only thing I did was disable dnsmasq’s DNS configuration (port=0) and change the listening ports of NxFilter in cfg.properties to not conflict with WebTop. This worked fine as strictly a DNS filter but the end user block page redirection is broken with NxFilter listening on a port other than 80. I didn’t do more than look at the WebTop apache config to realize it’s not trivial to change the default alias. I didn’t notice a conflict for NxFilter listening on port 80 other than the alias for /webtop but I might have overlooked something?

Will this not cripple NethServer DNS and DHCP services?

It disables dnsmasq from handling DNS queries as far as I know. I haven’t tested DHCP but by the changes I made, NxFilter handles DNS for the system. It looks as though dnsmasq is still handling DHCP from the output of netstat but again, I’ve not tested it:

Edited for completeness:
[root@cent7 httpd]# netstat -tunap | grep 'dnsmasq|java'
tcp 0 0 127.0.0.1:19001 0.0.0.0:* LISTEN 1488/java
tcp 0 0 0.0.0.0:19002 0.0.0.0:* LISTEN 1488/java
tcp 0 0 0.0.0.0:19003 0.0.0.0:* LISTEN 1488/java
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 1488/java
tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN 1488/java
tcp6 0 0 127.0.0.1:58009 :::* LISTEN 1166/java
tcp6 0 0 127.0.0.1:58080 :::* LISTEN 1166/java
tcp6 0 0 127.0.0.1:58005 :::* LISTEN 1166/java
tcp6 0 0 127.0.0.1:53736 127.0.0.1:5432 ESTABLISHED 1166/java
tcp6 0 0 127.0.0.1:53754 127.0.0.1:5432 ESTABLISHED 1166/java
tcp6 0 0 127.0.0.1:53746 127.0.0.1:5432 ESTABLISHED 1166/java
tcp6 0 0 127.0.0.1:53740 127.0.0.1:5432 ESTABLISHED 1166/java
tcp6 0 0 127.0.0.1:53742 127.0.0.1:5432 ESTABLISHED 1166/java
tcp6 0 0 127.0.0.1:53738 127.0.0.1:5432 ESTABLISHED 1166/java
tcp6 0 0 127.0.0.1:53748 127.0.0.1:5432 ESTABLISHED 1166/java
tcp6 0 0 127.0.0.1:53752 127.0.0.1:5432 ESTABLISHED 1166/java
tcp6 0 0 127.0.0.1:53744 127.0.0.1:5432 ESTABLISHED 1166/java
tcp6 0 0 127.0.0.1:53750 127.0.0.1:5432 ESTABLISHED 1166/java
udp 0 0 0.0.0.0:33774 0.0.0.0:* 1488/java
udp 0 0 0.0.0.0:34693 0.0.0.0:* 1488/java
udp 0 0 0.0.0.0:53 0.0.0.0:* 1488/java
udp 0 0 0.0.0.0:69 0.0.0.0:* 1168/dnsmasq
udp6 0 0 :::69 :::* 1168/dnsmasq
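
An added check, not part of the thread or of NxFilter, for the split the posts above describe (dnsmasq with port=0 keeps DHCP/TFTP, NxFilter takes over udp/53): it parses netstat -tunap style lines and reports which process owns a port. The sample output below is constructed in the same format as the output quoted above, not copied from it, and the function names are my own.

```shell
# Constructed sample in netstat -tunap format (not the poster's real output).
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN 1488/java
udp 0 0 0.0.0.0:53 0.0.0.0:* 1488/java
udp 0 0 0.0.0.0:67 0.0.0.0:* 1168/dnsmasq
udp 0 0 0.0.0.0:69 0.0.0.0:* 1168/dnsmasq'

# Print the process name that owns <proto>/<port> (empty if nothing is bound).
# Usage: listener_of udp 53 [netstat_output]; without a third argument it runs
# "netstat -tunap" live, which needs root to resolve process names.
listener_of() {
  proto=$1; port=$2
  if [ -n "$3" ]; then input=$3; else input=$(netstat -tunap 2>/dev/null); fi
  printf '%s\n' "$input" | awk -v p="$proto" -v port="$port" '
    # column 1 is proto (udp or udp6), column 4 is local address, last is PID/name
    ($1 ~ ("^" p "6?$")) && ($4 ~ (":" port "$")) { split($NF, a, "/"); print a[2]; exit }'
}

# Expected state after port=0 in dnsmasq: DNS (udp/53) served by NxFilter (java),
# DHCP (udp/67) still served by dnsmasq. Returns non-zero if either side is off.
check_dns_split() {
  dns=$(listener_of udp 53 "$1")
  dhcp=$(listener_of udp 67 "$1")
  [ "$dns" = "java" ] && [ "$dhcp" = "dnsmasq" ]
}
```

Run check_dns_split with no argument on the NethServer box itself to verify the live state; a port 80 conflict with WebTop's apache shows up as listener_of tcp 80 returning httpd rather than java.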

I really hope this comes to fruition because I’ve played with NxFilter previously and it would be a vast improvement on the current content filter.

Are the Nethserver team on board and moving ahead with this?

Thanks…
Duke

@robb I tested DHCP services from dnsmasq after disabling the DNS portion of it for NxFilter and it worked as expected. Wildcard DNS entries are the only things I’ve found so far that it breaks as those are address entries in /etc/dnsmasq.conf. The same action can be accomplished by adding it to NxFilter under DNS redirection though.

Some basic Nethserver modules (dns, mail, dc, proxy, jabber) add configuration to dnsmasq so I think disabling it is not a good idea.

I didn’t find a way to change the nxfilter dns port to not collide with dnsmasq.

As @KdB pointed out here, we may run nxfilter in a docker container.

Another way could be using a virtual network interface for nxfilter to listen to.

Source:

https://groups.google.com/forum/#!topic/nxfilter200/HtDA9bFsJrY

Are there any plans to move ahead with this?

Thanks

Duke

I tested with nethserver-docker and portainer and it finally worked. I had to put the nxfilter docker container on the aqua network so it gets an IP address there and not use published ports. Nethserver uses the nxfilter IP as DNS server. The nxfilter admin site is reachable over virtualhost reverse proxy.
This way we do not need a DNS port redirection.
I just have to check which steps really did the trick and then I am going to write a step by step howto.

You’re an absolute God! Awesome!

Please test the howto:

Just wondering if the idea of running NxFilter on NethServer was progressed any further?

Hi and welcome to NethServer Community!

In the post above you’ll find a howto about using nxfilter with docker. Last time when I tried it, the nxfilter image wasn’t working.

You may just install nethserver-docker and then run your nxfilter container.

You may check out Nethserver-pihole too.