Dumb dynamic firewall question

I’m using a Turris MOX (HBL branch) in an AP-only configuration, i.e. with the resolver, kresd, firewall etc. disabled. Anyway, in reForis I see this …

What does “Dynamic Firewall” activated mean? And what are the right steps to disable it … :wink:

Thanks!

https://docs.turris.cz/basics/collect/dynfw/collect-dynfw/

Thanks, but data collection is already disabled and I don’t see any “dynFW” processes on my mox.

Data collection provides data from your firewall to the Turris system.
Dynamic firewall blocks connections from the Turris system.
Maybe you have to explicitly disable it, or you have to reboot the router to apply the changes.
You can try either one or contact Turris support.

I think it’s only a false-positive display - there are no fw-related processes running (at least I can’t recognize them as such), e.g.:

root@blackhole2:/$ ps ax -www | grep 'f[w]\|fo[r]is\|sen[t]inel'
 4199 ?        Sl     1:36 /usr/bin/python3 /usr/bin/foris -s flup -a config -b mqtt --mqtt-host localhost --mqtt-port 11883 --mqtt-passwd-file /etc/fosquitto/credentials.plain --mqtt-controller-id 0000000D300040D1
 4200 ?        Sl     2:00 /usr/bin/python3 /usr/bin/reforis
19196 ?        Sl     9:42 /usr/bin/python3 /usr/bin/foris-controller -b openwrt -C /var/run/foris-controller-client.sock mqtt --host localhost --port 11883 --passwd-file /etc/fosquitto/credentials.plain --controller-id 0000000D300040D1
19204 ?        Sl     0:05 /usr/bin/python3 /usr/bin/foris-controller -b openwrt -C /var/run/foris-controller-client.sock mqtt --host localhost --port 11883 --passwd-file /etc/fosquitto/credentials.plain --controller-id 0000000D300040D1
19206 ?        Sl     0:05 /usr/bin/python3 /usr/bin/foris-controller -b openwrt -C /var/run/foris-controller-client.sock mqtt --host localhost --port 11883 --passwd-file /etc/fosquitto/credentials.plain --controller-id 0000000D300040D1
19242 ?        Sl     0:37 /usr/bin/python3 /usr/bin/foris-controller -b openwrt -C /var/run/foris-controller-client.sock mqtt --host localhost --port 11883 --passwd-file /etc/fosquitto/credentials.plain --controller-id 0000000D300040D1
20613 ?        Sl     0:24 /usr/bin/python3 /usr/bin/foris-ws -a ubus filesystem --host 127.0.0.1 --port 9080 mqtt --mqtt-host localhost --mqtt-port 11883 --mqtt-passwd-file /etc/fosquitto/credentials.plain

I think those processes run from cron.
Check if you have the following rule in iptables, chain zone_wan_input:

 Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   13   989 zone_wan_src_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set turris-sn-dynfw-block src mark match ! 0x10/0x10 ctstate NEW /* !sentinel: dynamic firewall block */
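As an added example (not code from this thread or from Turris), the following POSIX shell script performs the check suggested above without relying on the reForis status page: it looks for a rule that matches the `turris-sn-dynfw-block` ipset in an `iptables -L -v -n` style listing. The two embedded listings are constructed samples modelled on the output quoted above, and the chain name `zone_wan_input` and the ipset name are assumptions taken from that output.

```shell
#!/bin/sh
# Added example, not code from the thread or from Turris: check whether the
# Sentinel dynamic firewall rule is actually installed in the packet filter,
# rather than trusting the reForis status page. It assumes the rule matches
# the ipset "turris-sn-dynfw-block" in chain zone_wan_input, as in the
# iptables listing quoted above. The two listings below are constructed.

DYNFW_SET="turris-sn-dynfw-block"

# Constructed sample 1: router with the dynamic firewall rule installed.
SAMPLE_ACTIVE='Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
   13   989 zone_wan_src_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set turris-sn-dynfw-block src mark match ! 0x10/0x10 ctstate NEW /* !sentinel: dynamic firewall block */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED'

# Constructed sample 2: AP-only router with fw3 disabled, no such rule.
SAMPLE_INACTIVE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# dynfw_rule_count LISTING
# Prints how many rules in the listing match the dynamic firewall ipset
# as source address set. grep -c prints 0 on no match; "|| true" keeps
# the exit status clean so the function is safe under "set -e".
dynfw_rule_count() {
    printf '%s\n' "$1" | grep -c "match-set ${DYNFW_SET} src" || true
}

# dynfw_rule_in_listing LISTING
# Exit status 0 if at least one dynamic firewall rule is present, 1 otherwise.
dynfw_rule_in_listing() {
    [ "$(dynfw_rule_count "$1")" -gt 0 ]
}

# dynfw_live_status
# Runs the same check against the running router. Exit status: 0 rule
# present, 1 rule absent, 2 iptables not usable (no packet filter or not
# root). Not exercised here; it needs a router with iptables.
dynfw_live_status() {
    if ! command -v iptables >/dev/null 2>&1; then
        echo "iptables not found; no packet filter, so dynfw cannot be blocking"
        return 2
    fi
    listing=$(iptables -L zone_wan_input -v -n 2>/dev/null) || {
        echo "could not list chain zone_wan_input (no firewall, or not root)"
        return 2
    }
    if dynfw_rule_in_listing "$listing"; then
        echo "dynamic firewall rule present ($(dynfw_rule_count "$listing") rule(s))"
        return 0
    fi
    echo "dynamic firewall rule absent"
    return 1
}

# Demonstrate on the constructed samples.
for sample in "$SAMPLE_ACTIVE" "$SAMPLE_INACTIVE"; do
    if dynfw_rule_in_listing "$sample"; then
        echo "sample: rule present"
    else
        echo "sample: rule absent"
    fi
done
```

On the router itself, `dynfw_live_status` is the function to call; with fw3 disabled the `zone_wan_input` chain does not exist, so it reports status 2 rather than a false "present", which is the distinction the reForis page was getting wrong.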

Thanks for testing the new version of reForis and reporting this bug! We will take a look. :slight_smile:

CC: @Aleksan4eg


Nope, the firewall/fw3 has been disabled.

Hi @dibdot, I can confirm this bug, thanks for reporting.
It will be fixed soon.
Sincerely,
Aleksandr

Cool, many thanks! :wink:

Hi @dibdot,
Would you mind sharing the configuration of your MOX and, in particular, which services you disabled to create an AP from the MOX?
I am currently using my MOX in a ‘netbooted’ configuration, but I would like to also give it a try in a setup similar to yours. Thanks
Robert

No problem, I’ve disabled the following services:

  • dnsmasq
  • firewall
  • odhcpd
  • kresd
  • resolver
  • umdns
  • socat

To be sure that the above services are always disabled (even after a firmware update), I’ve added all of them to my rc.local, e.g.:

root@blackhole2:/etc$ cat rc.local
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

# Services not needed when the MOX only acts as an access point
# (no DNS, DHCP, mDNS or firewall role).
services="firewall resolver dnsmasq kresd odhcpd umdns socat"
for service in ${services}
do
    # "disable" removes the rc.d start links so the service stays off after
    # an update; "stop" ends any instance started earlier in this boot.
    /etc/init.d/${service} disable >/dev/null 2>&1
    /etc/init.d/${service} stop >/dev/null 2>&1
done

exit 0

Hope this helps! :wink:

Edit: made the rc.local a little bit more elegant

Thanks a lot, Robert