Long story short.
NS8 will kill firewall. Or as called by @alefattorini “UTM”. Quite a bold claim, IMVHO.
But also, most of the features are server-connected and not easily “container friendly”; what will be their fate?
Shortlist from the NethServer 7 documentation.
Backup
Web server
Email
Webmail
Shared folders
Nextcloud
Team chat (Mattermost)
Chat
Antivirus
Fail2ban
Hotspot (Dedalo)
FreePBX
UPS
Statistics (collectd)
Report
(plain copy-paste, leaving empty spaces from removed firewall-related things)
Fail2Ban should be the backpack of every module designed to interact with public internet.
Mattermost, webmail, Nextcloud … I mean every public application server of any kind: if Fail2Ban is missing, it’s a call for trouble. I hope that the overhead for multiple instances will somehow be alleviated. I’d also love to see another kind of backpack: a reliable and centralized 2FA addon.
Chat is heavily… useless. Unless it can become a bigger thing with integrated video call support, 1to1 and 1toMany. Jitry?
Backup. I’d love to see how it will become.
Shared folder. From my perspective, due to the development of the project, it’s a corpse with a date at the graveyard. As (unfortunately) is CUPS. After PrintNightmare, Windows is currently… not that interesting as a print server, and sometimes… paper and digital documents are still needed.
I am not so afraid about the missing firewall. Yes, the firewall could be used to implement fail2ban like you talked about, hence I understand your fear; it is the same if you put an NS8 in a cloud Proxmox, like I used to do.
Yes, you will have to learn a new way to do it… drop a VM in Proxmox to use it as a fw, then protect your NS8 with it. Another way could be to use the integrated fw of Proxmox.
I am maybe too enthusiastic, but I think it is a chance, because we could use a product like crowdsec, since the fw will be separated from the server.
I am enthusiastic too because the fw, from a commercial point of view, is a best seller for Nethesis, so it won’t be forgotten.
I am enthusiastic too because when you are a developer and you start a new project… the sky is the limit.
Please start to think about what you want, but do not be afraid of the future.
Sometimes the questions are complicated, and the answers are simple.
Dr Seuss
Unfortunately the answer is “I’m not going to answer (now)”. And this is as useful as a spoon when you need a knife.
Currently an “IDK (yet)” sounds a bit less meaningless…
Please, this isn’t the right approach. If Davide didn’t give an answer, he probably doesn’t know it yet.
NethServer8 is still in progress and, differently from other products on the market, we’re trying to keep the community updated about all the next steps and achievements.
As I understand it, the goal is to port all modules, including a migration path, but as it’s under development, it’s not possible to guarantee it for every single feature of a module now. If you would like to discuss a specific module, open a new thread.
If you’re not satisfied with an answer please explain what you’re missing.
BTW, it seems device passthrough to podman is possible so UPS could work too.
Yes, on NS8 itself.
This allows both NS8 and FW to be more specialized on their purpose.
That’s not true. All of the features on your shortlist are already running in virtualized environments and most of them already provide a Docker container.
Fully agree, fail2ban is really a nice feature.
I can imagine it on the new firewall product in combination with reverse proxies to the NS8 services.
The firewall could make use of autopreconfigured port forwarding/reverse proxying to the NS8 services (just dreaming).
And, as already mentioned, there’s crowdsec too.
He didn’t write “I don’t know”, which seems to me a fair answer.
IMO this is not the right approach. Typing something “meaningless” is not answering, like it was not about resource reservation on Webtop. For quite a long time (which is a fact, not an opinion).
If the dev team does not feel like answering questions (quite fair, Alessio, devs might want to be focused on development), typing something like that is going to create harm.
I’m sorry for my disappointing answer. My intent is not shutting down the discussion.
Giacomo, Steph, Matteo, Andrea, Edoardo and I are developing the core system, trying to verify our efforts with some alpha modules too, always checking the project goals are satisfied.
For this purpose we want to start testing it in the field as soon as possible. Only production environments have the last word on quality. We’ll start with a few controlled systems.
So we are far from giving exact answers on individual modules and features. It’s true, “I don’t know” is a fair answer for most of them today. The development of software is a transition from a completely unknown and undetermined state to a partially determined and acceptable one. A fair state.
Still, I expect each feature/module is discussed in a separate topic. It helps me and others to follow and understand the arguments. And it helps to make decisions for the next development challenges.
From my perspective, it could be possible.
The “firewall” (as software) should consider the NS8 installation as the master device that can submit the updates about firewall rules, port forwarding and reverse proxy. When the rules are changed on NS8, the firewall should, in a timely (or scheduled, as an option) manner, read the new settings, apply them and restart all the services. Then call back the master to communicate the results.
But this will leave a lot of questions and "what if"s open to manage.
The first one is: in case of mistakes in the NS8 configuration (bad system administration or software bug), what would be a non-catastrophic way to manage that?
Still IMVHO the biggest weak point of NS8, which seems to act as container orchestrator but “refuses” (at least currently) to be a server.
The container approach fits a lot of web applications, but struggles when it’s time to act as server and integrate functions.
Also, the relation of dependence among containers (SSO with other services, conferencing server for PBX, “chat” with CRM, document management or collaboration platform) can be a key point for avoiding messes and simplifying troubleshooting.
Ok. My bad. This is more related to “other aspects” of NS8.
NS8 is actually more than 1 year of development, involving a pool of 6 developers.
Yes, probably we could not say yet what the future will be, but what I can state is how Nethesis trusts open source and the NethServer project.
Look at how you were kept in touch about the NS7 project, and how the NS8 presentation conference was. It is time to build a presentation; this time is not used to do development.
I am confident in the project, I am confident about ns8.
But it is true we do not have a crystal ball to guess the future, so some answers could not be found.