I am discovering Turris OS (5.1.10 as of today) on a MOX as a router on my recently installed home fibre broadband. I haven’t modified the firewall configuration or added any NAT rules yet, but I have activated/accepted data collection and HaaS via Foris/ReForis.
I have subscribed to a VoIP service from my ISP. They provide instructions for firewalls but, to my surprise, my VoIP phone is actually not blocked… This is confusing, as I was expecting incoming calls to be rejected by the firewall (UDP port 5060 for SIP).
The default rules, as seen via uci/LuCI, are relatively straightforward:
firewall.@zone.name='lan'
firewall.@zone.name='wan'
firewall.@rule.name='Allow-DHCP-Renew'
firewall.@rule.name='Allow-Ping'
firewall.@rule.name='Allow-IGMP'
firewall.@rule.name='Allow-DHCPv6'
firewall.@rule.name='Allow-MLD'
firewall.@rule.name='Allow-ICMPv6-Input'
firewall.@rule.name='Allow-ICMPv6-Forward'
firewall.@rule.name='Allow-IPSec-ESP'
firewall.@rule.name='Allow-ISAKMP'
firewall.wan_ssh_turris_rule.name='wan_ssh_turris_rule'
firewall.wan_http_turris_rule.name='wan_http_turris_rule'
firewall.wan_https_turris_rule.name='wan_https_turris_rule'
But I have the impression that Sentinel modifies iptables directly and bypasses uci. Does that mean I need to go through the iptables configuration to find out why my VoIP is not blocked?
Any other good way to investigate?
Testing my public IP via services like ShieldsUP! shows open ports (telnet, HTTP, FTP, SMTP), but I suppose these are the honeypots. Well, I hope…
Also, is there any reason why the Turris firewall generally uses REJECT instead of DROP?
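
One way to look at the live ruleset rather than the uci view, as an added example that is not part of the original post: shell filters over `iptables-save` output that separate rules generated by fw3 from rules added outside it, and list what could accept UDP 5060. It assumes fw3 tags the rules it generates with a comment starting `!fw3`; the sample ruleset, `eth0` and `example_set` are constructed for illustration.

```shell
#!/bin/sh
# Added example: filters for `iptables-save` output read on stdin.
# Assumption: fw3 marks rules it generates from uci with a comment that
# starts with "!fw3"; a rule without that marker came from somewhere else.

# Constructed sample ruleset (interface and set names are made up).
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p tcp -m set --match-set example_set src -j DROP
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
COMMIT
EOF
}

# Rules that were not generated by fw3 (no "!fw3" comment marker).
non_fw3_rules() {
    awk '/^-A / && !/--comment "!fw3/'
}

# Rules that accept on connection state instead of on a port number.
state_accept_rules() {
    awk '/^-A / && /--ctstate/ && /-j ACCEPT/'
}

# UDP rules whose --dport/--dports covers port $1 (single, list or lo:hi range).
udp_port_rules() {
    awk -v port="$1" '/^-A / && / -p udp / {
        for (i = 1; i < NF; i++) {
            if ($i != "--dport" && $i != "--dports") continue
            n = split($(i + 1), specs, ",")
            for (j = 1; j <= n; j++) {
                m = split(specs[j], r, ":")
                lo = r[1] + 0; hi = (m > 1 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) { print; next }
            }
        }
    }'
}

# On the router: iptables-save | udp_port_rules 5060
sample_ruleset | non_fw3_rules
```

On the router itself, pipe `iptables-save` into each function in place of `sample_ruleset`.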