Firewall

NethServer 8 comes with a simple built-in firewall.

The cluster VPN network interface wg0 is part of a trusted zone where all traffic is permitted. All other network interfaces are part of a public zone where only specific ports are open. By default, NS8 will have the following open ports:

• cluster VPN endpoint, default is 55820 UDP. It can be changed during post-installation steps and node promotion

• HTTP and HTTPS, 80 and 443 TCP

• SSH, 22 TCP

• Cockpit (not installed by default), 9090 TCP

Modules which requires publicly open ports, like the mail server, will automatically configure the firewall.

Browse open ports

You can review the network interfaces and a table presenting open ports, categorized by services/modules for each node, on the Nodes page. Access it by clicking the three dots menu on the node card you are interested in, then select Firewall.

Manage ports manually

To allow connections to the listening port of a third-party service, use firewall-cmd. For instance, the following command opens TCP port 9000:

firewall-cmd --add-port=9000/tcp

To close the same port:

firewall-cmd --remove-port=9000/tcp

Changes to the firewall configuration are lost after a firewall restart or system reboot, unless the same command is invoked a second time, adding also the --permanent flag. Refer to the firewall-cmd manual page for more information.

To see the list of allowed services and ports, run

firewall-cmd --list-all