Firewall#

NethServer 8 comes with a simple built-in firewall.

  • The cluster VPN network interface wg0 is part of a trusted zone where all traffic is permitted.

  • All other network interfaces are part of a public zone where only specific ports are open.

By default, an NS8 node has the following open ports:

  • Wireguard VPN, 55820 UDP

  • HTTP and HTTPS, 80 and 443 TCP

  • SSH, 22 TCP

  • Cockpit (not installed by default), 9090 TCP

Applications that require publicly open ports, such as the Mail server, will automatically configure the firewall.

Review firewall settings#

Under the Settings page, click on the Firewall card and select a node of the cluster.

  • For the selected node, a table summarizes the services running on the node and their open TCP and UDP ports. If a port is not listed here, it is closed for connections from the public zone.

  • Below the table of services and open ports, there is a list of the network interfaces of the node.

The same page is accessible from the Nodes page by selecting the Firewall action from the three-dots menu of each node card.

Manage ports manually#

To allow connections to the listening port of a third-party service, use firewall-cmd. For instance, the following command opens TCP port 9000:

firewall-cmd --add-port=9000/tcp

To close the same port, use:

firewall-cmd --remove-port=9000/tcp

Changes to the firewall configuration are lost after a firewall restart or system reboot unless the same command is invoked a second time with the --permanent flag. Refer to the firewall-cmd manual page for more information.

To see the list of allowed services and ports, run:

firewall-cmd --list-all