search

NethServer / nethsecurity

NethSecurity image and build environment
https://www.nethsecurity.org/
Other
82 stars 6 forks source link

config: add nat helpers #543

Closed filippocarletti closed 1 month ago

filippocarletti commented 1 month ago

Needed to allow active ftp sessions Note: windows FTP client only uses active FTP

https://github.com/NethServer/nethsecurity/issues/544

filippocarletti commented 1 month ago

I'd agree, but the previous version loaded the FTP helper by default for a reason. Upgrade's users will need to read the docs and enable this single helper.

filippocarletti commented 1 month ago

You can tell that ftp is special because it has a package only for itself.

gsanchietti commented 1 month ago

I'd agree, but the previous version loaded the FTP helper by default for a reason. Upgrade's users will need to read the docs and enable this single helper.

The previous release was loading all available helpers, including the ones that now are not loaded like sip-alg. This change is already documented: https://docs.nethsecurity.org/en/latest/migration.html#migrated-configurations So, in case of migration, users will already need to fix NAT helpers configuration.

I propose to change the behavior of all NAT helpers:

You can tell that ftp is special because it has a package only for itself.

I know that having the ftp module loaded by default should not harm, but I still prefer to have the same configuration for all NAT helpers.

gsanchietti commented 1 month ago

@filippocarletti could u take a look?

cotosso commented 1 month ago

I'm afraid that not having the ftp helper enabled by default will cause a lot of support requests and give the wrong impression of a product that doesn't work properly. Since it is still a widely used protocol I would prefer to make an exception for ftp.

gsanchietti commented 1 month ago

I'm afraid that not having the ftp helper enabled by default will cause a lot of support requests and give the wrong impression of a product that doesn't work properly. Since it is still a widely used protocol I would prefer to make an exception for ftp.

In NethServer 7, having NAT helpers enabled by default caused many headache in the past.

Having the same behavior for all helpers is easier to maintain, explain and support. When the NAT helpers will have their own page inside the UI, the behavior will be straightforward.

cotosso commented 1 month ago

When the NAT helpers will have their own page inside the UI, the behavior will be straightforward.

In this case I agree with you @gsanchietti