The fate of old modules

Long story short.
NS8 will kill firewall. Or as called by @alefattorini “UTM”. Quite a bold claim, IMVHO.

But also, most of the feature server-connected and not easily “container friendly”, which will be their fate?
Shortlist from the NethServer 7 documentation.

    Web server
    Shared folders
    Team chat (Mattermost)


    Hotspot (Dedalo)
    Statistics (collectd)

(plain copy-paste, leaving empty spaces from removed firewall-related things)

Fail2Ban should be the backpack of every module designed to interact with public internet.
Mattermost, webmail, Nextcloud … I mean every public application server of any kind, if Fail2Ban is missing, it’s a call for troubles. I hope that someway the overhead for multiple instances will be somehow alleviated. I’d love to see also another kind of backpack: reliable and centralized 2FA addon.

Chat is heavily… useless. Unless can become a bigger thing with integrated video call support 1to1 and 1toMany. Jitry?

Backup. I’d love to see how it will become.
Shared folder. By my perspective, due to the development of the project, it’s a corpse with a date to the graveyard. As (unfortunately) CUPS. After PrintNightmare, currently Windows is… not that interesting as printserver, and sometimes… paper and digital documents are still needed.

I am not so afraid about the missing firewall. Yes the firewall could be used to implement fail2ban like you talked, hence I understand your fear, same if you put a ns8 like I use to do in a cloud proxmox.

Yes you will have to learn a new way to do… drop a vm in the proxmox to use it as a fw then protect your ns8 with it. Other way could be to use the integrated fw of proxmox

I am maybe too much enthousiast but I think it is a chance because we could use a product like crowdsec because the fw will be separated of the server.

I am enthousiast too because the fw from a commercial point of view is a best seller for nethesis so it won’t be forgotten.

I am enthousiast too because when you are a developer and you start a new project…limits are the sky.

Please start to think what you want, but do not be afraid of the future


Apart from UPS (I guess…), ns7 modules will be ported to ns8 and there will be a migration path for each of them.

Some features might be dropped, some new features can be added… Each module deserves a separate topic.


Nice “no answer”.

La route est longue mais la voie est libre

From framasoft

The road is long but the way is free

Sometimes the questions are complicated, and the answers are simple.
Dr Seuss

Unfortunately the answer is “I’m not going to answer (now)”. And this is useful as spoon when you need a knife.
Currently a “IDK (yet)” sound a bit less meaningless…

Please this isn’t the right approach, if Davide didn’t give an answer probably he doesn’t know it yet
NethServer8 is still in progress and differently from other products on the market, we’re trying to keep the community updated about all the next steps and achievements.


I understand it like the goal is to port all modules including migration path but as it’s under development, it’s not possible to guarantee it for every single feature of a module now but if you like to discuss a specific module, open a new thread.
If you’re not satisfied with an answer please explain what you’re missing.
BTW, it seems device passthrough to podman is possible so UPS could work too.

Yes, on NS8 itself.
This allows both NS8 and FW to be more specialized on their purpose.

That’s not true. All of the features on your shortlist are already running in virtualized environment and most of them already provide a Docker container.

Fully agree, fail2ban is really a nice feature.
I can imagine it on the new firewall product in combination with reverse proxies to the NS8 services.
The firewall could make use of autopreconfigured port forwarding/reverse proxying to the NS8 services (just dreaming).
And, as already mentioned, there’s crowdsec too.

Lemonldap-ng supports 2FA next to SSO. Would be an option.

You are right but which way to go here? AFAIK ejabberd could be configured to provide video too.

Why? I think it’s possible with a samba podman container using volumes for the shares.

If passthrough isn’t possible maybe we could run CUPS directly within the OS where NS8 is installed? Or on the hypervisor like proxmox.


He didn’t wrote “I don’t know”, which seem to me a fair answer.

IMO this is not the right approach. Typing something “meaningless” it’s not answering, like was not about resource reservation on Webtop. For quite a long time (which is a fact, not an opinion).

If dev team is not feeling to answer questions (quite fair, Alessio, devs might want to be focused on development) typing something like that is going to create harm.

I’m sorry for my disappointing answer. My intent is not shutting down the discussion.

Giacomo, Steph, Matteo, Andrea, Edoardo and I are developing the core system, trying to verify our efforts with some alpha modules too, always checking the project goals are satisfied.

For this purpose we want to start testing it on the field as soon as possible. Only production environments have the last word on quality. We’ll start with a few controlled system.

So we are far from giving exact answers on individual modules and features. It’s true, “I don’t know” is a fair answer for most of them today. The development of software is a transition from a completely unknown and undetermined state to a partially determined and acceptable one. A fair state.

Still, I expect each feature/module is discussed in a separate topic. It helps me and others to follow and understand the arguments. And it helps to make decisions for the next development challenges.

Please keep up with constructive discussions!


By my perspective, it could be possible.
The “firewall” (as software) should be considering the NS8 installation as the master device who can submit the updates about firewall rules, port forwarding, reverse proxy. When the rules are changed on NS8, firewall in a timely (or scheduled, as option) manner should read the new settings, apply them and restar all the services. Then call back the master for communicating results.

But this will leave a lot of questions and "what if"s open to manage.
The first one is: in case of mistakes into NS8 configuration (bad system administration or software bug), how should be a not catastrophic way to manage that?

Still IMVHO the biggest weak point of NS8, which seems to act as container orchestrator but “refuses” (at least currently) to be a server.
The container approach fits a lot of web applications, but struggles when it’s time to act as server and integrate functions.
Also, the relation of dependance among containers (SSO with other services, conferencing server for pbx, “chat” with CRM, document management or collaboration platform) can be a key point for avoiding messes and simplify troubleshooting.

Ok. My bad. This is more related to “other aspects” of NS8.

1 Like

I am so very curious on the Migration path and approach to be taken to migrate an existing running system to the new server.

I remeber we built a Migration tool for a new version of software that we had develoepd with the old having legacy code and dabase.

Developing the new evrsion software took 4 Months of continuous Development. Day and Night.

the Migration script Alone, took an entire 2 and half months to get right.


First the server needs to be built and working.
Then the devs can implement migration.

For now, the plan is for Backup / Restore…

Some people build the roof first, then start digging for the cellar / foundations.


1 Like

Ns8 actually it is more of 1 year of development, involving a pool of 6 developers.

Yes probably we could not say yet what will be the future, but what i can state is how nethesis trusts opensource and the NethServer project.

Look how you were kept in touch about the ns7 project, how was the ns8 presentation conference. It is time to build a presentation, this time is not used to make development.

I am confident in the project, I am confident about ns8.

But it is true we do not have a cristal ball to guess the future so some answers could not be found