I’m using a Turris MOX (hbl branch) in an AP-only configuration, e.g. with disabled resolver, kresd, firewall etc. Anyway, in reForis I see this …
What does “Dynamic Firewall” activated mean? And what are the right steps to disable this one …
Thanks!
Thanks, but data collection is already disabled and I don’t see any “dynFW” processes on my mox.
Data collection provides data from your firewall to the Turris system.
Dynamic firewall blocks connections from the Turris system.
Maybe you have to disable it explicitly, or reboot the router to apply the changes.
You can try either one or contact Turris support.
I think it’s only a false-positive display - there are no fw-related processes running (at least I can’t recognize them as such), e.g.:
root@blackhole2:/$ ps ax -www | grep 'f[w]\|fo[r]is\|sen[t]inel'
4199 ? Sl 1:36 /usr/bin/python3 /usr/bin/foris -s flup -a config -b mqtt --mqtt-host localhost --mqtt-port 11883 --mqtt-passwd-file /etc/fosquitto/credentials.plain --mqtt-controller-id 0000000D300040D1
4200 ? Sl 2:00 /usr/bin/python3 /usr/bin/reforis
19196 ? Sl 9:42 /usr/bin/python3 /usr/bin/foris-controller -b openwrt -C /var/run/foris-controller-client.sock mqtt --host localhost --port 11883 --passwd-file /etc/fosquitto/credentials.plain --controller-id 0000000D300040D1
19204 ? Sl 0:05 /usr/bin/python3 /usr/bin/foris-controller -b openwrt -C /var/run/foris-controller-client.sock mqtt --host localhost --port 11883 --passwd-file /etc/fosquitto/credentials.plain --controller-id 0000000D300040D1
19206 ? Sl 0:05 /usr/bin/python3 /usr/bin/foris-controller -b openwrt -C /var/run/foris-controller-client.sock mqtt --host localhost --port 11883 --passwd-file /etc/fosquitto/credentials.plain --controller-id 0000000D300040D1
19242 ? Sl 0:37 /usr/bin/python3 /usr/bin/foris-controller -b openwrt -C /var/run/foris-controller-client.sock mqtt --host localhost --port 11883 --passwd-file /etc/fosquitto/credentials.plain --controller-id 0000000D300040D1
20613 ? Sl 0:24 /usr/bin/python3 /usr/bin/foris-ws -a ubus filesystem --host 127.0.0.1 --port 9080 mqtt --mqtt-host localhost --mqtt-port 11883 --mqtt-passwd-file /etc/fosquitto/credentials.plain
I think those processes run from cron.
Check if you have the following rule in iptables, chain zone_wan_input:
Chain zone_wan_input (1 references)
pkts bytes target prot opt in out source destination
13 989 zone_wan_src_DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set turris-sn-dynfw-block src mark match ! 0x10/0x10 ctstate NEW /* !sentinel: dynamic firewall block */
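Checking for that rule by hand works, but it is easy to miss in a long listing. The script below is an added example, not code from the thread or from Turris: it reads a saved `iptables -L zone_wan_input -v -n` listing and an `ipset list` dump and reports whether the Sentinel dynfw block rule is present and how many addresses the set currently holds. On the router you would pipe the real commands into the two functions; here the listings are constructed samples (the rule line mirrors the one quoted above, the member addresses are TEST-NET documentation addresses) so the script runs offline. Chain and set names are taken from the rule in the reply; everything else is an assumption for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from Turris): detect the Sentinel
# dynamic-firewall block rule and count the blocklist members.
# On the router:  iptables -L zone_wan_input -v -n | dynfw_rule_present
#                 ipset list turris-sn-dynfw-block | dynfw_member_count

SET_NAME="turris-sn-dynfw-block"

# Read an `iptables -L -v -n` listing on stdin. Exit 0 if a rule in the
# given chain (default zone_wan_input) matches the dynfw ipset as source,
# exit 1 otherwise.
dynfw_rule_present() {
    chain="${1:-zone_wan_input}"
    awk -v chain="$chain" -v set="$SET_NAME" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && index($0, "match-set " set " src") { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Read an `ipset list <name>` dump on stdin and print the number of
# non-empty lines after the "Members:" header (0 if there is none).
dynfw_member_count() {
    awk '
        /^Members:/ { in_members = 1; next }
        in_members && NF { n++ }
        END { print n + 0 }
    '
}

# Constructed sample listings (assumed format, built for this example).
SAMPLE_WITH_RULE='Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
   13   989 zone_wan_src_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set turris-sn-dynfw-block src mark match ! 0x10/0x10 ctstate NEW /* !sentinel: dynamic firewall block */
  120  9876 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
'

SAMPLE_WITHOUT_RULE='Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  120  9876 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
'

SAMPLE_IPSET='Name: turris-sn-dynfw-block
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 296
References: 1
Number of entries: 3
Members:
192.0.2.10
198.51.100.23
203.0.113.77
'

main() {
    if printf '%s' "$SAMPLE_WITH_RULE" | dynfw_rule_present zone_wan_input; then
        echo "sample 1: dynfw block rule present in zone_wan_input"
    else
        echo "sample 1: no dynfw block rule in zone_wan_input"
    fi
    if printf '%s' "$SAMPLE_WITHOUT_RULE" | dynfw_rule_present zone_wan_input; then
        echo "sample 2: dynfw block rule present in zone_wan_input"
    else
        echo "sample 2: no dynfw block rule in zone_wan_input"
    fi
    echo "sample ipset: $(printf '%s' "$SAMPLE_IPSET" | dynfw_member_count) blocked addresses"
}

main
```

If the rule is present but the ipset is empty or missing, the firewall is still wired for dynfw but has nothing to block; if the rule is absent (as on an AP with fw3 disabled), the reForis indicator is just a display issue, which is what this thread is about.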
Thanks for testing new version of reForis and reporting this bug! We will take a look.
CC: @Aleksan4eg
Nope, the firewall/fw3 has been disabled.
Hi @dibdot, I can confirm this bug, thanks for reporting.
It will be fixed soon.
Sincerely,
Aleksandr
Cool, many thanks!
Hi @dibdot,
Would you mind sharing the configuration of your MOX and, in particular, which services you disabled to turn the MOX into an AP?
I am currently using my MOX in a ‘netbooted’ configuration but I would like to give it a try also in a setup similar to yours. Thanks
Robert
No problem, I’ve disabled the following services:
To be sure that the above services are always disabled (even after a firmware update), I’ve added all these services to my rc.local, e.g.:
root@blackhole2:/etc$ cat rc.local
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
# Services that must never run on this AP-only box.
services="firewall resolver dnsmasq kresd odhcpd umdns socat"
for service in ${services}
do
  # remove the rc.d start links, then stop anything already running
  /etc/init.d/${service} disable >/dev/null 2>&1
  /etc/init.d/${service} stop >/dev/null 2>&1
done
exit 0
Hope this helps!
Edit: made the rc.local a little bit more elegant
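A quick way to confirm that the rc.local above actually took effect (for instance after an update re-enabled something) is to look for the OpenWrt start links, since `/etc/init.d/<name> enable` creates `/etc/rc.d/S??<name>` and `disable` removes it. The script below is an added example, not code from the thread or from Turris: it lists which services from the rc.local still have a start link in a given rc.d directory. The directory it inspects is a constructed temporary sample, so it runs offline; on the router you would call `still_enabled /etc/rc.d $SERVICES`.

```shell
#!/bin/sh
# Added example (not from the thread or from Turris): report which of the
# services disabled in rc.local would still start at boot.
# On the router:  still_enabled /etc/rc.d $SERVICES

SERVICES="firewall resolver dnsmasq kresd odhcpd umdns socat"

# Print, one per line, every service named in $2.. that has an
# S<two digits><name> start link in the rc.d directory given as $1.
still_enabled() {
    rcdir="$1"; shift
    for svc in "$@"; do
        for link in "$rcdir"/S[0-9][0-9]"$svc"; do
            # an unmatched glob is returned literally; skip it
            [ -e "$link" ] || [ -L "$link" ] || continue
            echo "$svc"
            break
        done
    done
}

# Build a constructed rc.d directory: firewall and odhcpd still have start
# links, resolver only has a stop link, cron is enabled but not on the list.
make_sample_rcd() {
    dir=$(mktemp -d)
    for name in S19firewall K90firewall S35odhcpd S50cron K50resolver; do
        ln -s /dev/null "$dir/$name"
    done
    echo "$dir"
}

main() {
    rcd=$(make_sample_rcd)
    echo "services from the list that would still start from $rcd:"
    still_enabled "$rcd" $SERVICES
    rm -rf "$rcd"
}

main
```

An empty result means the rc.local did its job; any name printed is a service whose start link came back and needs disabling again.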
Thanks a lot, Robert