DynFW monitoring

Hi,

I have a turris omnia version 5.x with data collection enabled etc as per Setup - Turris Documentation

I’m surprised not to see any iptables rules added by this dynamic firewall. If not via iptables, can someone explain how the connections are dropped and how we can monitor this?

Thanks

Are you sure?

iptables --list | grep dynfw

Yes nothing returned from that command.

So I suppose dynfw is not working as it should. Any idea where to look what is the issue?

I have simply enabled the packages (except HaaS) and accepted the Data Collection agreement, should I have been doing anything else?

Thanks


Blocking is done via ipset (it would be a lot of rules in iptables):

ipset list turris-sn-dynfw-block|wc -l
3774

But you should see rules also in iptables related to this:

iptables --list | grep dynfw
zone_wan_src_DROP  all  --  anywhere  anywhere  match-set turris-sn-dynfw-block src ctstate NEW /* !sentinel: dynamic firewall block */
zone_wan_src_DROP  all  --  anywhere  anywhere  match-set turris-sn-dynfw-block src mark match ! 0x10/0x10 ctstate NEW /* !sentinel: dynamic firewall block */

I also had a couple of issues when I started; make sure the services are “enabled” and “started”, and try restarting them manually.

Especially:

haas-proxy
sentinel-dynfw-client
sentinel-proxy
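The two rules quoted above are the whole mechanism on the iptables side: new connections (`ctstate NEW`) whose source address is in the `turris-sn-dynfw-block` set are sent to the zone's DROP chain, and the set itself carries the addresses. So "is dynfw working" really means "is the set populated AND is at least one rule referencing it". As an added example (not from the thread and not Turris project code), here is a small POSIX shell check that parses saved `iptables --list` and `ipset list turris-sn-dynfw-block` output and answers exactly that question. The set name and rule text come from the thread; the sample outputs embedded in the script are constructed (the member addresses are RFC 5737 documentation ranges) so it runs anywhere, and the chain name `zone_wan_input` in the sample is an assumption.

```shell
#!/bin/sh
# Added example: health check for the Sentinel dynamic firewall wiring.
# Not Turris project code; it only parses the kind of text the thread shows
# (`iptables --list` and `ipset list turris-sn-dynfw-block` output).

DYNFW_SET="turris-sn-dynfw-block"   # set name as seen in the thread

# Number of iptables rules that match on the dynfw set
# ($1 = file holding saved `iptables --list` output).
# grep -c prints 0 on no match but exits 1, so neutralise that for `set -e` callers.
count_dynfw_rules() {
    grep -c "match-set ${DYNFW_SET} src" "$1" || true
}

# Number of addresses in the set ($1 = file holding saved `ipset list` output).
# `ipset list` prints a header (Name, Type, ..., Number of entries) before the
# "Members:" line, so `| wc -l` on the raw output overcounts by that header.
count_dynfw_entries() {
    sed '1,/^Members:/d' "$1" | grep -c . || true
}

# Verdict: OK (exit 0) only if the set is populated AND a rule references it.
# A set that keeps updating while no rule references it (the symptom reported
# in the thread) is NO_RULES (exit 1); rules over an empty set is EMPTY_SET (exit 2).
dynfw_status() {
    rules=$(count_dynfw_rules "$1")
    entries=$(count_dynfw_entries "$2")
    if [ "$rules" -eq 0 ]; then
        echo "NO_RULES: set has $entries entries but no iptables rule references it"
        return 1
    fi
    if [ "$entries" -eq 0 ]; then
        echo "EMPTY_SET: $rules rule(s) present but the set is empty"
        return 2
    fi
    echo "OK: $rules rule(s) reference a set with $entries entries"
    return 0
}

# --- constructed sample data standing in for live command output ---
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

# A working router: the two rules quoted in the thread (chain name assumed).
cat > "$SAMPLES/iptables_ok.txt" <<'EOF'
Chain zone_wan_input (1 references)
target     prot opt source               destination
zone_wan_src_DROP  all  --  anywhere             anywhere             match-set turris-sn-dynfw-block src ctstate NEW /* !sentinel: dynamic firewall block */
zone_wan_src_DROP  all  --  anywhere             anywhere             match-set turris-sn-dynfw-block src mark match ! 0x10/0x10 ctstate NEW /* !sentinel: dynamic firewall block */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
EOF

# The original poster's situation: a WAN chain without any dynfw rule.
cat > "$SAMPLES/iptables_none.txt" <<'EOF'
Chain zone_wan_input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
EOF

# Constructed ipset dump: header block, then three members (RFC 5737 addresses).
cat > "$SAMPLES/ipset.txt" <<'EOF'
Name: turris-sn-dynfw-block
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 296
References: 2
Number of entries: 3
Members:
192.0.2.10
198.51.100.7
203.0.113.42
EOF

dynfw_status "$SAMPLES/iptables_ok.txt"   "$SAMPLES/ipset.txt"
dynfw_status "$SAMPLES/iptables_none.txt" "$SAMPLES/ipset.txt" || true   # non-zero exit is the signal
```

On the router, feed it live output instead of the samples: `iptables --list > /tmp/ipt.txt; ipset list turris-sn-dynfw-block > /tmp/set.txt; dynfw_status /tmp/ipt.txt /tmp/set.txt`, and alert on a non-zero exit from cron. Keep in mind this only proves the rule exists, not that it is being hit; `iptables -L -v -n` on the chain carrying the rule shows the packet and byte counters, which is the quickest way to see whether the set is actually dropping anything.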

root@turris:~# ipset list turris-sn-dynfw-block|wc -l
4257
root@turris:~# iptables --list | grep dynfw
root@turris:~# 

The ipset list is updated (and I see the number of entries changing), but there are no rules for it. I suppose I could create the rules manually, but it will probably break at the next update, so I’m a bit reluctant to go that way.
Do you know how/by which process the rules are normally created?

Thanks

I get the same output as @mazhead.
I just found that the system doesn’t really confirm dynFW is running after you follow the steps in the documentation and sign up. A nice to have would be a form of confirmation, maybe an email notification like the ones we get after a system update for example.

I disabled Dynamic Firewall in reForis, waited a minute for the package to be removed and re-enabled it and voila:
root@turris:~# iptables --list | grep dynfw
zone_wan_src_DROP  all  --  anywhere  anywhere  match-set turris-sn-dynfw-block src ctstate NEW /* !sentinel: dynamic firewall block */
zone_wan_src_DROP  all  --  anywhere  anywhere  match-set turris-sn-dynfw-block src mark match ! 0x10/0x10 ctstate NEW /* !sentinel: dynamic firewall block */

I don’t like this type of “turn it off and on again” solution but I suppose it will have to do.

I enabled it through LuCI, without the need for removal/reinstall.
