Channel: NethServer Community - Latest posts

Cannot accept OpenVPN-Client config: validation.missing_wanpriority_rules

Are you able to select both WANs (each in one of the available dropdown selection boxes)?

Once set, Special WAN priorities seems to be unselectable (no real change in db). (/cc @giacomo )

A way to reset the WanPriorities for the vpn connection is from the Terminal (replace myclientvpn as appropriate):

db vpn setprop myclientvpn WanPriorities ''

Proxy Squid and reports

From cockpit, lightsquid can be found at Applications > Web Proxy & Filter > Web Proxy & Filter dashboard:

nTopNG installs but fails to run

NethServer 8: planning an evolution

During the last month, Nethesis had some meetings to plan the future of NethServer.

We would like to share our thoughts and get your feedback.

CentOS 8 has been out for a year and it can be considered stable, but is it mature enough for our purposes?

We did some experiments and we found that:

  • it’s a cloud-oriented distribution focused on containers
  • many things we use in NethServer 7 are missing (notably SCL)
  • it’s not a good distribution for a UTM firewall: nftables is the new default with limited firewalld support, also there is no shorewall or equivalent software

Network security will probably change very fast in the near future: is a UTM firewall still useful when all workers are remote? If nobody is at the office, does it make sense to have a firewall that filters internet traffic and protects just a few hosts?

The next-generation firewall will probably focus on zero-trust networks, VPNs and WAF.

And none of these applications can easily be built on top of CentOS 8.

We believe NethServer should focus on two main points:

  • privacy: you own your data and you can store them anywhere you want
  • simplicity: the configuration should be easy for administrators with little or no experience

Until now, we always followed CentOS schedule: when a new major version was out, we ported NethServer to it.

So, is it really worth porting NethServer 7 to CentOS 8? Mmh, not really.

When we switched from 6 to 7, we had new technologies that helped us to improve the product, like systemd and containers for Samba 4. CentOS doesn’t bring in any appealing technology.

If we remove the firewall part, what will NethServer be then? Will NethServer be just a platform for running containers?

Nowadays many NAS can run many more applications than NethServer.

Having a platform that just runs containers is not enough: applications should be configured, secured inside a backup and upgraded smoothly.

One of the most requested features from our customers is the ability to manage multiple NethServer installations from one place. This sounds much like an orchestrator, so we even dove a bit into things like Kubernetes and Nomad.

And of course, this is the right moment to make radical changes and embrace new technologies, like:

  • replacing the esmith database with something more modern and cluster-aware (etcd, consul, redis)
  • replacing perl templates with … ansible jinja? or no templates at all?

The IT world is running fast toward an ecosystem of distributed microservices: users and administrators just want access to services, no matter how they are handled under the hood.

These are our still open questions:

  • does it still make sense to develop a distribution?
  • is the all-in-one server still a valid solution?
  • is it time to start the development of NethServer 8?
  • should NethServer 8 be just a solid base to run or orchestrate multiple services?
  • what will be the base for the UTM firewall, if any?

NethServer 7 will be EOL in more than 4 years, so we have plenty of time to make a great NethServer 8 together!

NethServer 8: planning an evolution

NethServer 8: wishlist for the conference

See also

NethServer 8: planning an evolution

Is Debian Buster too far to take the leap?
The switch to a “container approach” for applications reduces the footprint for the single server, therefore it looks more like a hypervisor than a server, when the “real servers” should be the containers, not the applications.

NethServer tries to integrate a multi-role server, with more software and services going to cooperate and rely on the system (SSSD for authentication, network for connection, Firewall-virtualhost for managing communication, reverse proxy as a protection).
If the “future” delivered by CentOS 8 is being a container ship… Is it because Red Hat is asked to be more like a container ship rather than a server?

NethServer 8: planning an evolution

I am picking just 1 of your points and I must strongly disagree with your logic.
If most of the personnel is working remotely, they most likely VPN in and use the office connection as gateway to the internet. That directly justifies the need for a very strong Firewall/Gateway. Besides that, if you run anything like data and account services on your local network, you don’t want anyone else but those you grant access to be able to snoop around.

I do see we have a challenge…


Cockpit - Addresses - multi domain

This is not a major issue that affects core functionality, probably just more of a slight annoyance and worth knowing if you are about to enter a number of aliases manually:

If there are multiple domains, when adding an ADDRESS (email alias) the first time;
the drop down box domain selector shows “All domains (*)” as the default;
if you create an alias on a single domain by selecting that domain, it adds it correctly (ie not as a wildcard).

If you then go back to Add another Address, the drop down selector shows the domain used in the previous addition (with a tick next to that domain if you drop it down);
If you leave that as the choice, the added alias becomes a * Wildcard entry - not the domain highlighted in the selector.

To achieve using that single domain again, you need to drop down, de-select the domain, and re-select it.

I’ve tested and reproduced in Firefox and Chrome.

Regards

Klaus

Nextcloud 18 + Collabora 4.2 + ONLYOFFICE

NethServer 8: planning an evolution

Yes… and no.
If the application for your job is insecure by design, security by separation is the way to defend, and the VPN service with IPS and UTM seems a necessity for the premise/site which hosts the application(s).

But what about the use of a platform/application built to be publicly accessed? I’m trying to get one of my customers to adopt Mattermost to help connect some of the sites (currently phone and email are far more used); this could be quite a turning point to help people communicate and somehow reduce/change the email usage.

Mattermost could be installed on a spare computer, for the testing phase, but… what about not having it on premises? Only providing that on a VPS/hosting?

Pros

  • no hardware would be involved as single point of failure (host, switches, firewall, routers)
  • site connectivity would no longer be critical for other sites
  • ISP dependency should no longer be a problem, even without specific necessities like a public static IP address
  • backup could take only a few seconds or minutes, mostly depending on the service subscribed
  • no investment needed in case of adopting or longer/stronger testing
  • lower budget for test, evaluate,

Cons

  • less control of the application and the system hosting that
  • less connection capabilities to other systems (like LDAP/AD)
  • continuing cost as the VPS/hosting, which is higher sometimes than power and a cheap maintenance service for the hardware
  • slower speed. Not having an in-band (WAN) and out-band (LAN) connection, uploading and downloading data could impact a lot on the perceived performance. Of course someone in the community has 1 Gbps ISP service to deal with, but it’s not the “normal” ISP service.

In a world of multiple services/software provided only “on cloud”, you may not even need any kind of hardware on premises, even maybe for backup (I strongly suggest not using a “Cloud only” backup policy without encryption and multiple services).
So IPS and VPN are less and less needed…

Install Dedalo Hotspot with Icaro on local servers

@Amygos
Thanks for your description, I will try to install.
@pagaille
If I get it running, would you try to build a container?

Install Dedalo Hotspot with Icaro on local servers

NethServer 8: planning an evolution

I hope so.

Again, I hope so.

I recognize my use case is atypical, but I started using e-smith (version 3.something, I think) as my home server around 20 years ago. Its core feature set then is still what I use it for today–provide web/mail/file/firewall services on a LAN to a small organization. OK, at the time, the “small organization” consisted of one person. I wrote the early versions of the e-smith-horde and e-smith-imp packages, and for a long time my name was still in the changelogs of the official packages. A lot has changed since then, and I’m using it a bit differently–my main Neth server is on a VPS on another continent, I’m using FreeNAS as my file server, and I’m using pfSense for my firewall. I’ve added user accounts for members of my immediate and extended family.

But despite all the changes, I still need a web/mail server that’s secure enough to be on the public Internet, and easy enough for a non-IT pro like me to administer. And I need that because I don’t trust Google with all my data–otherwise I’m sure it’d be much simpler (and probably cheaper) to just go to GSuite. I know it’s popular today to just put everything “in the cloud”–apparently having control over your own data just isn’t that important to a lot of folks. I believe that’s a mistake, even though it’s become easy and cheap to do, and I think it’s important to have a distro (or better yet, a few) to make it fairly easy to self-host for folks who want to do so.

Cannot resolve maps.rspamd.com

Hello,

The only solution I found was to change the DNS port from 10053 to 53. Why is port 10053 in use? I didn’t use NethServer as DNS server, so the NethServer asked my Ubiquiti USG. Maybe this is the problem?
I changed the config file /etc/rspamd/rspamd.conf

dns {
    timeout = 1s;
    sockets = 16;
    retransmits = 5;
    nameserver = ["127.0.0.1:10053:1"];
}

to:

dns {
    timeout = 1s;
    sockets = 16;
    retransmits = 5;
    nameserver = ["127.0.0.1:53:1"];
}

NethServer 8: planning an evolution

I still must be a bit irritating to Dev Team (sorry @giacomo you started the thread).
If a distro which provides services like NethServer does not provide full IPv6 support it will knock itself out of opportunities to be chosen.
Not for 8/Future/Next (NG was already used! :wink: ) but today.
How many hosting services are providing IPv4 as a paid option?

NethServer 8: planning an evolution

Even though I don’t have a need for IPv6, I’d have to agree here.

NethServer 8: planning an evolution

Hi folks, what if we start a survey and ask the NethServer admins what functionality they use and miss?

Cannot resolve maps.rspamd.com

is used by unbound

Restic encryption password

Hi,
is there a standard password or is it generated for every user?

Thx,
Thomas
