Release Notes of milestone 8.1 (#101)

* firewall. New Settings page and review
* Add Release Notes for milestone 8.1
* Added NethSecurity Controller note
* Fix NSec controller links

firewall.rst

@@ -1,25 +1,42 @@
+.. _node-firewall-section:
+
 ========
 Firewall
 ========
 
 NethServer 8 comes with a simple built-in firewall.
 
-The cluster VPN network interface ``wg0`` is part of a trusted zone where all traffic
-is permitted.
-All other network interfaces are part of a public zone where only specific ports are open.
-By default, NS8 will have the following open ports:
+* The cluster VPN network interface ``wg0`` is part of a trusted zone
+  where all traffic is permitted.
+
+* All other network interfaces are part of a public zone where only
+  specific ports are open.
+
+By default, an NS8 node has the following open ports:
 
 - Wireguard VPN, 55820 UDP
 - HTTP and HTTPS, 80 and 443 TCP
 - SSH, 22 TCP
 - Cockpit (not installed by default), 9090 TCP
 
-Modules which requires publicly open ports, like the mail server, will automatically configure the firewall.
+Applications that require publicly open ports, such as the Mail server, will
+automatically configure the firewall.
+
+Review firewall settings
+------------------------
+
+Under the Settings page, click on the :guilabel:`Firewall` card and select
+a node of the cluster.
+
+- For the selected node, a table summarizes the services running on the
+  node and their open TCP and UDP ports. If a port is not listed here, it
+  is closed for connections from the public zone.
 
-Browse open ports
------------------
+- Below the table of services and open ports, there is a list of the
+  network interfaces of the node.
 
-You can review the network interfaces and a table presenting open ports, categorized by services/modules for each node, on the  ``Nodes`` page. Access it by clicking the three dots menu on the node card you are interested in, then select :guilabel:`Firewall`.
+The same page is accessible from the Nodes page by selecting the
+``Firewall`` action from the three-dots menu of each node card.
 
 Manage ports manually
 ---------------------
@@ -29,15 +46,15 @@ To allow connections to the listening port of a third-party service, use
 
     firewall-cmd --add-port=9000/tcp
 
-To close the same port: ::
+To close the same port, use: ::
 
     firewall-cmd --remove-port=9000/tcp
 
 Changes to the firewall configuration are lost after a firewall restart or
-system reboot, unless the same command is invoked a second time, adding
-also the ``--permanent`` flag. Refer to the ``firewall-cmd`` manual page
+system reboot unless the same command is invoked a second time with the
+``--permanent`` flag. Refer to the ``firewall-cmd`` manual page
 for more information.
 
-To see the list of allowed services and ports, run ::
+To see the list of allowed services and ports, run: ::
 
     firewall-cmd --list-all

nethsecurity_controller.rst

@@ -1,3 +1,5 @@
+.. _nethsecurity-controller-section:
+
 =======================
 NethSecurity Controller
 =======================
@@ -17,5 +19,7 @@ Key features of the NethSecurity controller include:
 - **Metrics Visualization**: Visualize metrics from the firewalls using the built-in Grafana dashboard. Metrics are collected using Prometheus.
 - **Web-based SSH**: Access the firewalls' command-line interface using a web-based SSH client.
 
-See the `NethSecurity controller documentation <https://docs.nethsecurity.org/en/latest/controller.html>`_ to learn more about the controller's features
+See the `NethSecurity controller documentation`_ to learn more about the controller's features
 and how to set it up.
+
+.. _NethSecurity controller documentation: https://docs.nethsecurity.org/en/latest/controller.html

release_notes.rst

@@ -9,6 +9,77 @@ NethServer 8 releases
 - List of `known bugs <https://github.com/NethServer/dev/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+label%3Abug>`_
 - Discussions around `possible bugs <http://community.nethserver.org/c/bug>`_
 
+
+Major changes on 2024-05-31
+===========================
+
+- **Mail improvements** -- Added the :ref:`Relay rules
+  <relay-rules-section>` feature, which allows configuration and use of a
+  default smarthost for outgoing email messages, and more. A Mail instance
+  can now be selected directly from the :ref:`Email notifications
+  <email-notifications>` page to serve as the cluster's default mail
+  gateway for other applications. Since release 1.4 Mail provides also
+  Sender/login correspondence, configurable Queue lifetime, and IP-based
+  relay policy, as described by :ref:`Mail settings
+  <mail_settings-section>`.
+
+- **Piler application** -- The new Piler application enhances Mail
+  features with an email archiving solution. See :ref:`piler-section` for
+  more information.
+
+- **Netdata application** -- A new monitoring stack is available alongside
+  Prometheus and Grafana. A Netdata instance can be installed with a click
+  on a cluster node and immediately starts to collect metrics. See
+  :ref:`netdata-section` for details.
+
+- **Dnsmasq application** -- This new application provides a simple DNS
+  and DHCP service for the local area network. See :ref:`dnsmasq-section`
+  for details.
+
+- **Display firewall open ports** -- The node firewall configuration is
+  accessible from a new card under the Settings page. The same information
+  is still available from the Nodes page. See the
+  :ref:`node-firewall-section` for more information.
+
+- **NethSecurity controller** -- This new application allows the remote
+  control of multiple NethSecurity installations, called units. It
+  provides enhanced management and monitoring capabilities for firewall
+  units. Refer to the section :ref:`nethsecurity-controller-section` for
+  more information.
+
+- **System logs** -- Log records generated by any cluster node are
+  collected and stored in the leader node for a configurable number of
+  days. Since Core release 2.7.0, the component responsible for this is
+  automatically started and configured when a new leader node is promoted.
+  Refer to the section :ref:`system-logs-section` for more information.
+
+- **Crowdsec bouncer container** -- Since Crowdsec release 1.0.7, the
+  bouncer component runs inside a container and uses Netfilter tables to
+  block IPs. Execute the following commands to clean up some files and
+  resources left by previous versions.
+
+  Run this command to remove the Firewalld ipset: ::
+
+    firewall-cmd --permanent --delete-ipset=crowdsec-blacklists
+    firewall-cmd --permanent --delete-ipset=crowdsec6-blacklists
+
+  Additional packages and the software repository installed in the host
+  system can also be removed.
+
+  For Rocky Linux, run: ::
+
+    dnf remove -y crowdsec-firewall-bouncer-iptables
+    rm -rvf /etc/yum.repos.d/crowdsec_crowdsec.repo /etc/crowdsec /usr/local/sbin/cscli
+
+  For Debian, run: ::
+
+    apt-get -y remove crowdsec-firewall-bouncer-iptables
+    rm -rvf /etc/apt/sources.list.d/crowdsec_crowdsec.list /etc/crowdsec /usr/local/sbin/cscli
+
+- **Rocky Linux 9.4** -- Since Core release 2.8.1, the pre-built images
+  are based on the official Rocky Linux 9.4 cloud image.
+
+
 Major changes on 2024-02-13
 ===========================