NS8 has a basic built-in firewall based on firewalld.

The firewall has 2 zones:

  • trusted: it includes containers and wireguard interface
  • public: everything else

Default policies:

  • SSH port is always open
  • all blocked packets are logged

Please note that rootfull containers with port mapping (DNAT) or private networking are not supported.


To permit direct connections from the public zone to a service provided by a module, the module itself must modify the node firewall configuration.

The node firewall is configured with a simple fwadm API. A module must be authorized to use it, by adding node:fwadm to the module image label org.nethserver.authorizations. For instance, set


Then the create-module and destroy-module actions must use the agent Python package to add/remove the node firewall configuration needed by the module.

In create-module:

import os
import agent
agent.assert_exp(agent.add_public_service(os.environ['MODULE_ID'], ["80/tcp", "443/tcp"]))

In destroy-module:

import os
import agent