Rules inactive message

Hi,

I noticed the following message in NethSecurity which I cannot identify.
It doesn't accept the zone "Any".

When I change this to LAN or WAN, the message "Inactive" disappears.

I can’t reproduce the issue. It’s possible to edit/create an input rule and change source to any without getting the “inactive” message.
Is the current release (NethSecurity 8-23.05.5-ns.1.4.1) with latest fixes installed?
Did you maybe create the zone “Any” manually? There may be issues if default zones are added manually IIRC.

I noticed that you’re opening SMTP(S) ports to the firewall. Do you run a mail server on the firewall?

Yes. Running latest version and did an update for the latest fixes yesterday.
Not sure if I had it before the fix updates.

I’ve not created any zones manually. All is standard

No, this is on a different VM with a forwarded port.
So this rule can actually be disabled/deleted?

Yes, I think so. You don’t need an extra input rule for a port forward.

Could it be that I changed the LAN from bridge to lan?

I have done this as mentioned in Andy's post:
https://community.nethserver.org/t/nethsecurity/25117/2

I can’t open the link, is it private?

I don’t think this change is necessary and I also can’t find a hint in the docs.
Usually all LAN interfaces should be attached to the br-lan bridge.

I was informed by @davidep that the bridge is not needed and have removed the bridge from both my Test-NethSec boxes, a VM and a real box.

For one:
Just the presence of a Bridge on a 2-NIC firewall presents risks (Lockout and more!), especially if it is not used…
And it is completely against any “best practices” having network objects active, even when there is no use for it!

AFAIK, it is working.
But: I am using other firewalls productively, this box is only for testing. And the Test-LAN hardly has any hosts, therefore also hardly (any!) rules…


My 2 cents
Andy

Also referred to here by Izuku:

Thanks for reporting, this is a cosmetic regression inside the UI: it has no impact on nft rules.
@stephdl is already working on it: Firewall: Allow any zone as valid input for is_zone function by stephdl · Pull Request #85 · NethServer/python3-nethsec · GitHub

We will have a fix soon!

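To make the "cosmetic regression" concrete, here is an added example that is not code from the NethSecurity project or from the linked pull request. It assumes a zone validator in the spirit of the `is_zone` function named above (the names `is_zone_naive`, `is_zone_fixed`, `rule_status` and `audit`, the zone table and the sample rules are all constructed for illustration): a validator that only knows the configured zones rejects the pseudo-zone `any`, so a UI status check built on it flags a perfectly valid rule as inactive, while a validator that treats `any` as valid does not. The packet filter is never consulted here, which is why such a bug can be purely cosmetic.

```python
"""Added example (not NethSecurity's own code): why a zone validator that
knows only the configured zones makes the pseudo-zone "any" look "inactive"
in a UI status check, and what the corrected validator looks like."""

# Constructed zone table, loosely modelled on OpenWrt firewall zones.
# Assumption: names and fields are illustrative, not NethSecurity's schema.
ZONES = {
    "lan": {"network": ["lan"]},
    "wan": {"network": ["wan", "wan6"]},
    "guest": {"network": ["guest"]},
}

# "any" is a pseudo-zone meaning "match every zone". It never appears in the
# configured zone table, which is exactly why a plain lookup misses it.
ANY_ZONE = "any"


def is_zone_naive(name, zones=ZONES):
    """Regressed behaviour: only configured zones count, so 'any' is rejected."""
    return name in zones


def is_zone_fixed(name, zones=ZONES):
    """Corrected behaviour: accept the 'any' pseudo-zone as well."""
    return name == ANY_ZONE or name in zones


def rule_status(rule, is_zone):
    """Return 'inactive' when src or dest names a zone the validator rejects,
    otherwise 'active'. This mirrors a UI badge, not the packet filter."""
    for key in ("src", "dest"):
        zone = rule.get(key)
        if zone is not None and not is_zone(zone):
            return "inactive"
    return "active"


def audit(rules, is_zone):
    """Map rule name -> status for every rule under the given validator."""
    return {rule["name"]: rule_status(rule, is_zone) for rule in rules}


# Constructed rules: the thread's case (src=any on an input rule), a rule
# naming a zone that really does not exist, and an ordinary LAN->firewall rule.
SAMPLE_RULES = [
    {"name": "allow-smtp-input", "src": "any", "dest": None, "dest_port": "25,465,587"},
    {"name": "stale-dmz-rule", "src": "dmz", "dest": "lan"},
    {"name": "lan-to-fw", "src": "lan", "dest": None},
]

if __name__ == "__main__":
    for label, validator in (("naive", is_zone_naive), ("fixed", is_zone_fixed)):
        print(label, audit(SAMPLE_RULES, validator))
```

The useful distinction for a practitioner is the third sample rule versus the first: `stale-dmz-rule` is reported inactive by both validators because `dmz` genuinely is not a configured zone, whereas `allow-smtp-input` only turns inactive under the naive validator. A status badge that cannot tell those two cases apart is misleading but harmless; what would matter is whether the rule generator behind it uses the same check, and the thread confirms it does not.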

Thanks for replying, and I'll wait for the fix.
I'm glad all is working well and there is nothing to worry about.

Fix released with package python3-nethsec-0.0.91

Issue: Firewall: any zone is displayed as inactive zone · Issue #1012 · NethServer/nethsecurity · GitHub


I can confirm the fix.
Many thanks for the swift fix.
