Dynamic firewall operation

I am running 5.1.1 and enabled Data Collection, Dynamic Firewall, Firewall Logs and Minipots.
I am curious to see these in action, but the docs do not really tell you that.
I can see two processes running:

root@turris:~# ps -A | grep sentinel
27518 ?        00:00:00 sentinel-proxy
27549 ?        00:00:00 sentinel-minipo

I can also see the periodic firewall log analysis (perhaps?):

Sep 24 06:45:01 turris crond[12679]: (root) CMD (/bin/sh -c "source /lib/functions/sentinel.sh; allowed_to_run "nikola" && exec sentinel-nikola --random-sleep")
Sep 24 09:45:53 turris sentinel_nikola: Logrotate took 0.092178 seconds
Sep 24 09:45:53 turris sentinel_nikola: Syslog parsing took 0.092342 seconds
Sep 24 09:45:53 turris sentinel_nikola: Records parsed: 138
Sep 24 09:45:53 turris sentinel_nikola: Sending records took 0.002362 seconds

Sometimes there is also certificate renewal:

Sep 23 23:40:43 turris sentinel: INFO [certgen.action_spec_init:63] Private key file not found. Generating new one.
Sep 23 23:40:43 turris sentinel: INFO [certgen.action_spec_init:100] Certificate file does not exist or is to be renewed. Re-certifying.
Sep 23 23:40:44 turris sentinel: INFO [certgen.start:321] Sleeping for 10 seconds
Sep 23 23:40:55 turris sentinel: INFO [certgen.process_get_response:136] New certificate successfully downloaded.
Sep 23 23:40:55 turris sentinel: INFO [certgen.action_spec_init:89] Valid certificate found
Sep 23 20:45:01 turris crond[28101]: (root) CMD (/bin/sh -c "source /lib/functions/sentinel.sh; allowed_to_run "nikola" && exec sentinel-nikola --random-sleep")

The above are part of the collection subsystem. I am curious to see the dynamic firewall subsystem too. What are the rules that get downloaded and applied, how often, etc.?
I do not see the client process running and luci shows sentinel-dynfw-client disabled. How is this supposed to get started?


The dynamic firewall has its own process which is presented like this:

python3 /usr/bin/sentinel-dynfw-client --ipset turris-sn-dynfw-block --cert /var/run/dynfw_server.pub --renew

By default, it logs only errors. If you want to see more, you can add the following line into /etc/init.d/sentinel-dynfw-client after the other procd_append_param commands:

procd_append_param command --verbose

Then it can be restarted with /etc/init.d/sentinel-dynfw-client restart.

But remember that later updates may overwrite this change.

Indeed, I now have debug messages in the log too:

Sep 30 16:10:37 turris sentinel-dynfw-client[26043]: 2020-09-30 19:10:37,885 - INFO - Renewing server certificate
Sep 30 16:10:38 turris sentinel-dynfw-client[26043]: 2020-09-30 19:10:38,220 - DEBUG - waiting for connection
Sep 30 16:10:38 turris sentinel-dynfw-client[26043]: 2020-09-30 19:10:38,306 - DEBUG - connected
Sep 30 16:10:51 turris sentinel-dynfw-client[26085]: 2020-09-30 19:10:51,906 - INFO - Renewing server certificate
Sep 30 16:10:52 turris sentinel-dynfw-client[26085]: 2020-09-30 19:10:52,080 - DEBUG - waiting for connection
Sep 30 16:10:52 turris sentinel-dynfw-client[26085]: 2020-09-30 19:10:52,117 - DEBUG - connected

I will keep an eye out for other messages.
I just noticed that the kernel message buffer is filled with

[280034.898142] REJECT wan in: IN=lan4 OUT= MAC=d8:58:d7:00:47:bc:00:20:00:00:00:01:08:00 SRC=45.129.33.122 DST=92.82.198.91 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=13324 PROTO=TCP SPT=40254 DPT=5694 WINDOW=1200 RES=0x00 RST URGP=0

ever since I installed the package. The verbose param has no effect on this.
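The two things asked about in this thread, whether the dynamic firewall is actually enforcing anything and what the "REJECT wan in:" noise in the kernel log consists of, can both be checked from the command line. The script below is an added example, not code from this thread or from the Turris Sentinel project. It parses the output of `ipset list turris-sn-dynfw-block` (the set name comes from the client command line quoted above) and the netfilter log lines in the format shown above, then reports the size of the set, whether any iptables rule references it (the "References:" line; 0 means the set exists but nothing uses it), the most rejected destination ports, and how many rejected packets came from addresses that are on the dynfw list. All input text in the block is constructed sample data; only the first log line is the one quoted in the thread, and the function and variable names are the example's own.

```python
"""Offline checks for the Sentinel dynamic firewall (added example, not project code)."""
import re
from collections import Counter

# Constructed sample of `ipset list turris-sn-dynfw-block` output (hash:ip set).
IPSET_LIST_OUTPUT = """\
Name: turris-sn-dynfw-block
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 1456
References: 1
Number of entries: 3
Members:
45.129.33.122
185.156.73.54
193.27.228.27
"""

# Constructed kernel log lines in the format quoted in the thread (first line is the original).
MAC = "MAC=d8:58:d7:00:47:bc:00:20:00:00:00:01:08:00"
KERNEL_LOG = "\n".join([
    f"[280034.898142] REJECT wan in: IN=lan4 OUT= {MAC} SRC=45.129.33.122 DST=92.82.198.91 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=13324 PROTO=TCP SPT=40254 DPT=5694 WINDOW=1200 RES=0x00 RST URGP=0",
    f"[280040.120001] REJECT wan in: IN=lan4 OUT= {MAC} SRC=198.51.100.7 DST=92.82.198.91 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    f"[280041.000000] REJECT wan in: IN=lan4 OUT= {MAC} SRC=198.51.100.7 DST=92.82.198.91 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=TCP SPT=4445 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0",
    f"[280042.000000] REJECT wan in: IN=lan4 OUT= {MAC} SRC=185.156.73.54 DST=92.82.198.91 LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=3 PROTO=TCP SPT=50000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "[280043.000000] some unrelated kernel message",
])


def parse_ipset_list(text):
    """Parse `ipset list NAME` output into its header fields plus a set of members."""
    info = {"members": set()}
    in_members = False
    for line in text.splitlines():
        if in_members:
            if line.strip():
                # hash:net or timeout sets append extra words; the address is always first
                info["members"].add(line.split()[0])
        elif line.startswith("Members:"):
            in_members = True
        elif ":" in line:
            key, value = line.split(":", 1)
            info[key.strip()] = value.strip()
    info["entries"] = int(info.get("Number of entries", 0))
    info["references"] = int(info.get("References", 0))  # iptables rules using the set
    return info


# "[uptime] <log prefix>: IN=... OUT=... SRC=... DST=... PROTO=... DPT=... FLAGS"
LOG_RE = re.compile(r"^\[\s*(?P<uptime>\d+\.\d+)\] (?P<prefix>[^:]*): (?P<fields>IN=.*)$")


def parse_firewall_log_line(line):
    """Split one netfilter LOG line into a dict; returns None for other kernel messages."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"uptime": float(m.group("uptime")), "prefix": m.group("prefix"), "flags": []}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
        else:
            rec["flags"].append(token)  # bare TCP flag words such as SYN or RST
    return rec


def dynfw_report(log_text, ipset_text):
    """Cross-reference rejected packets with the dynfw block list."""
    ipset = parse_ipset_list(ipset_text)
    records = [r for r in map(parse_firewall_log_line, log_text.splitlines()) if r]
    ports = Counter(f'{r.get("PROTO")}/{r.get("DPT")}' for r in records)
    listed = sum(1 for r in records if r.get("SRC") in ipset["members"])
    return {
        "set_name": ipset.get("Name"),
        "set_entries": ipset["entries"],
        "set_in_use": ipset["references"] > 0,  # False: nothing is enforcing the list
        "rejects": len(records),
        "rejects_from_listed_sources": listed,
        "top_ports": ports.most_common(3),
    }


if __name__ == "__main__":
    import subprocess
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        # On the router: read the real set and the kernel ring buffer (needs root).
        ipset_text = subprocess.run(["ipset", "list", "turris-sn-dynfw-block"],
                                    capture_output=True, text=True, check=True).stdout
        log_text = subprocess.run(["dmesg"], capture_output=True, text=True, check=True).stdout
    else:
        ipset_text, log_text = IPSET_LIST_OUTPUT, KERNEL_LOG
    for key, value in dynfw_report(log_text, ipset_text).items():
        print(f"{key}: {value}")
```

Run without arguments it works on the embedded samples; with `--live` on the router it reads the real set and the kernel buffer. Whether a source on the list can still reach the logging REJECT rule depends on where the dynfw rule sits in the chain, which this thread does not show, so the last two counters are only a cross-reference, not a verdict.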

Maybe it would be nice to have some sort of graphical thing in LuCI or reForis to see what's going on with this whole concept?
I'm aware of https://view.sentinel.turris.cz/, but on a local level it would be nice to see if some IDS or IPS is actually doing something :)
Basically like Pakon already does or something?

thxs

I would welcome this too, as it is not very obvious whether the dynamic firewall runs at all and what changes/actions occur in the process.
Is there any way to print out current dynamic firewall status and settings please?

There are plans for such data presentation. But unfortunately it can’t be expected to be done this year.

Good, since I do think there is something 'less optimal' working atm. (TurrisOS 5.1.2, Omnia)
Already mentioned it in the update topic, but even if I make a rule to block incoming and outgoing WAN traffic from a local IP, it does not do anything…

Pakon even shows the I/O traffic

To block the TV from accessing the internet, you may want the following rule instead. There is no need to individually block incoming packets from WAN to LAN; they are blocked by default.
[screenshot of the rule]


Interesting, and I tried to make this rule, but I am a bit of a noob here… so how do I make this? :)

thxs

On http://192.168.1.1/cgi-bin/luci/admin/network/firewall/rules click "Add".

First tab:

Second tab: put the MAC address of your TV here.

That's all.

If you don't know the MAC, you will find it at http://192.168.1.1/cgi-bin/luci/ under Active DHCP Leases.
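The rule built in the LuCI dialog above ends up as a stanza in /etc/config/firewall. The fragment below is an added example, not taken from this thread; the MAC address and the rule name are placeholders. It spells out what the GUI sets and why only one direction is needed: the lan zone forwards to wan, but the stock wan zone has no forwarding towards lan and a REJECT forward policy, so unsolicited WAN to LAN traffic never reaches the TV in the first place.

```uci
# /etc/config/firewall  (added example; replace the MAC with the TV's)
config rule
	option name 'block-tv-internet'
	option src 'lan'
	# match on the hardware address, so a DHCP lease change does not bypass the rule
	option src_mac 'AA:BB:CC:DD:EE:FF'
	option dest 'wan'
	# 'all' covers ICMP and other protocols too; the LuCI default of TCP+UDP would not
	option proto 'all'
	option target 'REJECT'
# no matching rule for wan -> lan: the default wan zone forward policy already rejects it
```

Apply with `/etc/init.d/firewall reload` and confirm with `iptables-save | grep -i 'AA:BB:CC:DD:EE:FF'`, which should show a rule in the forwarding path with that MAC and the reject target. Note that a MAC match only works for traffic entering the router on a LAN interface; it cannot identify the TV once packets have been forwarded through another router on the way.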


Aha… so this is how you make a block rule… yes, this one does work! Thxs!

Hmmm, edit… Pakon does not agree? Interesting, since if I test the TV internet connection with the update function, it says "bad connection", and the network check on the TV says yes to LAN, but not outside.

Hmm, OK, now Pakon stopped working. Reinstalled it, but the last line in the syslog is this one:

CMDOUT (mv: can’t rename ‘/srv/pakon/pakon.db.xz.tmp’: No such file or directory)