Quantcast
Channel: NethServer Community - Latest posts
Viewing all 110598 articles
Browse latest View live

Firewall can not store 'any' inside rule

April 18, 2020, 6:00 am
$
0
0

This is how I understand it:

You are basically right. But it’s not only some changed opinion, it has a technical background. The “any” rules made problems and overloaded the firewall.

In general Nethserver aims to be simple and easy-to-use which means to not be filled up with features nobody uses.
This is basically a good idea but as there is always evolution in IT, things change.
I think the assumption was that VPN users are just trusted which seems not true anymore for more and more Neth users.
The problem is that the workaround to use the “reject any rule” as last rule to overrule the ACCEPT policy does overload the firewall and was not intended.

Some ideas:

If the custom template works and does not affect other apps in a negative way we could think about integrating it to cockpit firewall settings maybe by adding an option “VPN to firewall/local networks”.

image

Another option may be to enable deletion of VPN in the trusted networks…

Search

What about dolibarr

April 18, 2020, 6:16 am
$
0
0

if you have installed openldap or dc, use the password of users, else the login is admin/admin

go to https://domain/dolibarr

Zammad ticketing/helpdesk on Nethserver available

April 18, 2020, 6:19 am
$
0
0

Good point. No, they are not yet. I’d include them to config backup. Another way would be using a template.

The Trouble In Calendars

April 18, 2020, 6:34 am
$
0
0

The problem here is that we don’t have (at least as far as I know) software for a calendar server the way that we do for mail and (to an extent) contacts. We do have what seems to be a decent client/server protocol in CalDAV, but much of the software that implements it on the server side (Nextcloud, WebTop, sogo) also wants to be a client, none of it is willing to act as a client to a different server, and none of it is willing or able to connect to a shared calendar database. The best answer I know of (and it isn’t very good, IMO) is to only use one. Remove the Nextcloud calendar app. Don’t install more than one groupware application. Etc.

MeshCentral (web-based remote computer management)

April 18, 2020, 6:43 am
$
0
0

This looks interesting. Simple enough to install on a Ubuntu VM, but the “agents” don’t seem to work–I’ve installed it on three Linux servers and one FreeNAS box, and none of them are showing up in my dashboard. The guide says it may take up to a minute to appear; these aren’t showing up after an hour.

Cannot access cockpit Web UI (port 9090)

April 18, 2020, 6:46 am
$
0
0

Did you try

signal-event nethserver-cockpit-update

and check logs afterwards?

Which packages are installed?

rpm -qa --qf "%{NAME}-%{VERSION}\n" "nethserver-*" | sort

Maybe reinstall cockpit helps?

yum reinstall nethserver-cockpit cockpit cockpit-bridge cockpit-storaged cockpit-system cockpit-ws

Firewall can not store 'any' inside rule

April 18, 2020, 6:51 am
$
0
0

Sorry, @mrmarkuz, i don’t agree.
The simple question is: Nethserver wants to be a firewall distro or not? If the answer is yes, at least rules like IPCop were allowed too should be possible.

Again, i don’t agree. Right or not, the currently ruleset for Nethserver installation is “everything is allowed”, in and out.
If i need to allow something at certain condition, i have to put an allow rule for the conditions (better only one rule) than the “any rule” to deny the rest of the case for that rule. For a split setup (firewall and mailserver into different machines/setup) that’s the simplest and the most important:
mail server ip address is allowed to contact 25, 465, 587 ports on the internet, any other device is not
Two rules, the second one should start with a “any”. Not allowed by cockpit.
IMVHO this concept seems not firewall-distro oriented. Therefore… I think that a couple of other projects are going to be suggested as a viable option instead of NethServer.

Cannot access cockpit Web UI (port 9090)

April 18, 2020, 7:20 am
$
0
0

I was accessing new NethServer over VPN connection for setting it up.
I catch a colleague at office and he told me he can connect to Web UI just fine.
After he did complete some configuration.
Now I can access Web UI, too.
We did nothing particular. Maybe a few restarts.

If that is to happen again, I will also check your suggestions @mrmarkuz

We have just 3 applications installed.
-Firewall (that was not installed when I had broken Web UI)
-OpenVPN
-Web server (that is a standard installation I assume)

Thanks.

Search

Formatting bullet point list

April 18, 2020, 7:25 am
$
0
0

Hi,
when I start to write an email I use the arial 12px font, but when I insert and after remove the bullet point the font changes to Times 16px.
This makes me waste some time to put everything back OK
It’s not a big mistake but if it could be corrected :grinning:

Firewall can not store 'any' inside rule

April 18, 2020, 7:29 am
$
0
0

First I want to say, I fully agree with you in the point that there is a missing feature in Neth firewall.

Yes, I think so.

It is basically possible with shorewall, it only depends on policy which is quite static as regards VPN at the moment so we have to improve it.

Sorry, that’s not fully correct. Default policy is that everything out is allowed, everything in is rejected.

http://docs.nethserver.org/en/v7/firewall.html#policy

You can change the “everything is allowed out” policy in firewall settings page, I posted a screenshot above, the option is “Traffic to Internet (red interface)”. So in this case (local to firewall) the thing you want is already there. It’s only missing for VPN.

This is the last policy in /etc/shorewall/policy:

# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

So it works as you like it but you have to disallow “Traffic to Internet (red interface)”.
Then the policy at the beginning of /etc/shorewall/policy is changed from

loc net ACCEPT

to

loc net REJECT

This change forces one to need to explicitly allow by rules, the rest is rejected.

See above cockpit firewall option. It makes it possible without needing the last rule.

I think it is, you just missed the policy concept that in the end does what you want and you even don’t need the last rule as it’s already there (in form of the policy).
I think that there are firewall distros with more (complex) functions or firewall-specific addons but they’re not so easy-to-use anymore.
IMO the Neth firewall is an easy-to-use, rock solid, shorewall based firewall with a nice cockpit interface that has it’s place in the firewall/gateway world.
I am a little biased as regards shorewall, for me it was a huge improvement when I discovered it some time ago.

MeshCentral (web-based remote computer management)

April 18, 2020, 7:30 am
$
0
0

guacamole can be used as a central gateway to access any number of machines running different remote desktop servers (RDP, VNC, SSH…) while MeshCentral can use either an agent on the remote computer (Intel/AMD…) or agentless using Intel AMT (with more options specific to Intel AMT). It can be extended using/developing plugins.

Some users where asking for DASH support for AMD but as the developer works for Intel that won’t happen unless done by the community of users.

I’ve tried a minimal part of it over Ubuntu/Debian. By default it is started for only LAN but using the --cert parameter can be started with WAN support (forwarding necessary ports on the gateway). After switching from one mode to the other I found it easier for the machines to show up to restart the client service on remote computer.

Cannot access cockpit Web UI (port 9090)

April 18, 2020, 7:34 am
$
0
0

I assume it was the VPN of the old Nethserver. I think you needed to add the “old” VPN network to the trusted networks of the new Nethserver to be able to access the server manager over VPN.

Adding an element to the proxy whitelist at cockpit

April 18, 2020, 7:40 am
$
0
0

Thanks for your answer. I’ll have a look on it at Monday.

It’s Shalla.

Adding an element to the proxy whitelist at cockpit

April 18, 2020, 7:49 am
$
0
0

Then remove sex category.

Collaborative tools for schools

April 18, 2020, 9:10 am
Search

Collaborative tools for schools

April 18, 2020, 9:37 am
$
0
0

Great! BBB would really be an improvement.

Why multi-tenancy? Nethserver doesn’t support multi-tenancy. To reach it you can always have more instances.
Wouldn’t it be better for a school to be independant? What advantages/synergies do you see when having more schools in one BBB or moodle?

Collaborative tools for schools

April 18, 2020, 9:43 am
$
0
0

There is no need for NethServer to support multi tenancy if the application (IE BBB and/or Moodle) supports it.

What about dolibarr

April 18, 2020, 10:10 am

What about dolibarr

April 18, 2020, 10:40 am

Proxmox HA chat

April 18, 2020, 11:06 am
$
0
0

@Andy_Wismer It does thank you, but unfortunately i do not have the ability for shared storage or a nas, unless I setup one of the hosts as freenas instead of proxmox, so I would have 2 proxmox hosts and a freenas box for storage.

I was thinking of not only doing vm redundancy but some kind of data redundancy as well, I have been doing tons of research and was going to do that route, but then decided on ceph.

The more I dig on ceph the more I’m not comfortable, because the documentation is a little bit involved and I did try posting in the proxmox forum but didn’t seem to get much help there.

I run proxmox at home with a nethserver vm and have been using it for a few years.

You guys here by far seem the most helpful.

Viewing all 110598 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>