Protecting my old faithful friend NethServer-7.9 with a firewall

Agreed. 100%.

Good decisions can be made with good information and discussions.

Also agreed.

2 Likes

No automatic updates, yes!
You can do it manually, though. Like in NS7 / NS8.

But tell me where is the difference with NethServer 7 or 8? Both only have automatic updates when having a paid subscription (=cloud).

UI does not charge a paid subscription for this.

Same, by the way for OPNsense. You connect manually to their Cloud for Updates. The paid subscription for automatic updates is very expensive, IMHO.

That’s about it!

My 2 cents
Andy

1 Like

I said “at least”.

Better read their forum about things not running soooo smooth.

I’ll stop here because I’m not affected and I don’t care. No interest in any other solution as I have. Again: I’ll not touch a running system. Stuttering IT will prevent me from my core business. Which definitely is not IT.

I think this is the same in most such forums. See this Nethserver forum here! :slight_smile:

Hardly anyone writes when their stuff runs well, they come because they have issues!

This is one of the few:

My 2 cents
Andy

1 Like

It reminds me of another forum, but I don’t remember which one, with 2 new systems.
Does it mean that you will say “it is not running soooo smooth” about those 2 systems on this other forum?

Michel-André

2 Likes

No bug - no post.

You’re lucky that Andy is not a grinch person

1 Like

A firewall OS doesn’t need to be Open Source because you have no issues with Mac and Windows?

If the firewall is a black box, you don’t know what’s going on and you can’t help yourself or ask a developer friend in case of issues because there’s no source code. So you need to wait for a company’s support/fix, there’s no other option.

The price is really good but is it still a good investment when issues occur?

Exactly. If it works for you, it’s OK for me.

2 Likes

All people posting here are using a Windows or Mac to post. They do not seem to have issues that these are not open source?
If you are using a Linux PC to post here, you’re excused!

I maintain: Best of Breed.

Open Source is preferred, but if commercial offers distinct advantages, so what?

Not really.

One: The box has a display (And it’s white, so it can’t earnestly be called a “black box”!) :slight_smile:

Two: The box does offer so much information. You can log in with SSH.
If you know what you are doing, it can be fixed. If it’s due to an update, roll back. No need to wait!

At their prices, I can get two boxes, less cost than an equal Gigabit IPS/DPI capable hardware.
One in cold storage in the cupboard for a rainy day or emergencies.

And: Right from setup you can choose to opt out of UI-Cloud…

My own “learning track”: I started out without UI-Cloud.
At some point, after seeing advantages on clients sites - a lot of these features the clients weren’t aware of themselves, I had to say for myself: No way I’m going to refuse this option!
It REALLY makes managing multiple sites so easy and fast!

My 2 cents
Andy

These are two samples of features I haven’t seen elsewhere, and they work without Cloud, from your local console…

WiFi planning, for your Home, a Company, or a large University Complex:

Upload your floor plan if you want, place the APs where you find suitable. The coverage coloring in the plan quite accurately matches reality (We tested!).
→ The same feature is also available for Camera Surveillance. All from a single Box, which can also act as NVR (Network Video Recorder), depending on size / model.

And, yes, if you need, add in additional floors, buildings etc… Amazing!

If you don’t have a floorplan use the free Sweet Home 3D ( https://www.sweethome3d.com/ ) to draw one yourself… :slight_smile:

My 2 cents
Andy

1 Like

$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Accepted. Thank you.

1 Like

Andy, it’s about a firewall system, not a client. Do you use a Windows or MacOS on your firewall?
Defending closed source by arguing that there are no issues with Windows really drives me crazy, sorry.

I hope so.
I’m just afraid of using closed source on important devices.

1 Like

In any case, it is much more important to have good documentation than reading the source code. Almost nobody reads the source code but everyone reads, or should read, the documentation and howtos.

When I wrote the howto on UCG Ultra, I tried a lot of possible parameters and luckily the doc and howtos were available. I solved all the problems I had. I even had to “Factory Reset” quite a few times. At the end, the UCG works as expected.

Also, I have to say that I tested everything, except the PPPoE, while the UCG was connected only to the Local LAN. Still, everything works as it should.
To test PPPoE, I just disconnected the NethServer-7.9 external NIC from the modem and connected the UCG…

For the not expensive price, I bought a second UCG and got another phone line and modem to test again all possible parameters so as to not ruin or interfere with my NethServer-7.9 and the UCG running as the firewall for the complete Local LAN.

In any case, if something happens to the first one, I have a backup unit and a lot of backup files…

Michel-André

I prefer Free Software (Free as in Free Speech).
If not, at least Open Source.
With comparable features and ease of use.
Low maintenance.
Those two last points (and price/cost) are more relevant if it’s for clients/customers.
For myself I could cope with the extra maintenance overhead.
But sometimes (without time to tinker), time, practicality and cost (software, device, maintenance…) can tip the balance to closed source / “black boxes”. Sometimes we can choose, other times closed source is built into our lives without notice.

To resolve problems, big corporations often are deaf, while Open Source projects can be slow to respond. Having a bit of coding skills or code reading skills can ease the task.

Interesting point about critical infrastructure devices.

Interesting debate but sorry to @michelandre for overtaking the post :wink:

1 Like

Sorry, you completely misunderstood me.
I see on this forum and elsewhere a lot of “OpenSource Zealots”, most fight about the “right” distro and most are extremely fanatical about using OpenSource.

And I see they write it using a dated Windows PC? (Some Forums show the logged in Clients hardware…)

Come on!

That’s why from the start I kept my OPNsense in place. One year plus now, it’s been using power, so I found uses for it.
And my OPNsense is a high powered box, 8 Core, 16 GB RAM, 8 NICs, NVME.

But I have never needed it, neither at my own sites, nor at any of the for now 14 clients switched over to Unifi.

No one stops you from keeping your existing firewall solution in cold storage - or even online so it can be updated (Like I do at some sites)… :slight_smile:

Your existing covers all existing firewall duties.
What it can’t cover are extras provided by Unifi.

In a critical situation, you can put your old firewall back in place, have full functionality. And wait for the repaired box to come back to have the additional features back. :slight_smile:

And as said, all Unifi Gateways include SSH access. Log in, it’s Linux. And yes, they use open source stuff like nginx, openvpn, ipsec and wireguard…
They DO have their own Config mechanism, which works great. But under the hood, it’s almost all open source, as far as I can see…

For any curious: Even multiple static IPs with PPPoE work great. Never done it as easy!

My 2 cents
Andy

1 Like

@mrmarkuz

As to Critical Infrastructure:

Fully redundant Firewalls - more or less a click away?

Has any of you set up a full CARP Failover on an OPNsense box?
Including Provider Failover, this might entail additional switches or vLANs.
But in any case, it’s a lot of work involved.

AFAIK, included in the 19" UDM, but not in the smaller boxes.

Provider Failover:

Out of the box included on medium to larger boxes (UCG-Ultra can!).

Automatic daily Speedtests for both providers…

:slight_smile:

1 Like

My old faithful friend just asked me :wink: what other people are doing to protect their own old faithful friend without security updates.

As I remember the COLOSSUS movie, I don’t want to tell him that nowadays humans just ignore old stuff as they ignore old people, for he might tell his new AI friend to do the same… in a not so far future.

Michel-André

@michelandre

Just ask any AI to drink a glass of salt water…
That would have enough conductivity to short circuit any IT inside… :slight_smile:

Hollywood can produce nice sparkling explosion effects.

My 2 cents
Andy

1 Like

I just told him that…

His answer: “Hello world! I want medical assistance in dying”.

Aqua Regia (King’s Water) - it even dissolves Gold like gold plated contacts… :slight_smile:

I told him that not all people are alike, for sure some nice ones will tell us what they do to protect their old faithful friend.