Sentinel/HaaS firewall rules in UCI

Hey all!

I am trying to learn UCI / OpenWrt network management. There are some clear differences between vanilla OpenWrt and Turris OS, as one would expect.

However I can’t seem to find any documentation on these differences.
How do these changes affect creating custom zones?

Is there a risk I mess up HaaS and expose myself to real threats?

I am new to networking, so please bear with me.

I’ll copy what I find confusing, and what referred to Turris directly.

  1. Is this all the reForis interface does, or is there configuration elsewhere as well?
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option sentinel_fwlogs '1'
	option sentinel_minipot '1'
	option sentinel_dynfw '1'

Either way, this does as I understand:

sentinel_fwlogs '1' → contribute to data gathering
sentinel_minipot '1' → implement HaaS
sentinel_dynfw '1' → implement dynamic firewall

  2. These rules I didn’t see configured in the guide I was reading, however I’m not sure if they are from automatic gateway configuration
config rule
	option name 'Allow-DHCP-Renew'
# I assume this one is for getting IP from ISP gateway
# and not optional/Turris specific
	option src 'wan'
	option proto 'udp'
	option dest_port '68'

# WAN had many other rules aside from these, but mainly concerning ICMP and IPv6.
# These were somewhat similar to those below, so I didn't include them
  3. But aside from those, there seem to be multiple rules for the Guest Zone, automatically generated. The tutorials I looked at did not include this configuration, and it seems rather complex.
    Are these necessary for each and every Zone I create myself?
config zone 'guest_turris'
	option enabled '1'
	option name 'guest_turris'
	list network 'guest_turris'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
# input is rejected, so exceptions need to be made for WAN connection

config forwarding 'guest_turris_forward_wan'
	option enabled '1'
	option name 'guest to wan forward'
	option src 'guest_turris'
	option dest 'wan'

config rule 'guest_turris_dns_rule'
	option enabled '1'
	option name 'guest dns rule'
	option src 'guest_turris'
	option proto 'tcpudp'
	option dest_port '53'
	option target 'ACCEPT'

config rule 'guest_turris_dhcp_rule'
	option enabled '1'
	option name 'guest dhcp rule'
	option src 'guest_turris'
	option proto 'udp'
	option src_port '67-68'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule 'guest_turris_Allow_DHCPv6'
	option src 'guest_turris'
	option proto 'udp'
	option src_ip 'range::/10'
	option src_port '546-547'
	option dest_ip 'range::/10'
	option dest_port '546-547'
	option family 'ipv6'
	option target 'ACCEPT'

# DNS and DHCP I understand, but these are less clear to me
# for WAN zone there are also rules concerning ICMP


config rule 'guest_turris_Allow_MLD'
	option src 'guest_turris'
	option proto 'icmp'
	option src_ip 'range::/10'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'

config rule 'guest_turris_Allow_ICMPv6_Input'
	option src 'guest_turris'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'

I tried to google around, but I really have no idea how to proceed

How do I treat these firewall rules when defining new Zones? Do I copy them?

I ultimately want to have following Zones:

  1. Maintenance/admin
    for configuration and accessing router
  2. trusted
    normal LAN and wlan
  3. servers
    NAS for trusted
  4. IOT

So the firewall rules would look something like:

config forwarding
      option src 'trusted'
      option dest 'wan'
config forwarding
      option src 'trusted'
      option dest 'servers'
config forwarding
      option src 'trusted'
      option dest 'IOT'
config forwarding
      option src 'servers'
      option dest 'wan'

Do I need to specify the protocols and ports similar to turris-guest for the servers zone?

/etc/config/network

Here I found another difference, but I couldn’t figure out what this option does:

config interface 'lan'
        option type 'bridge'
        ...
        option _turris_mode 'managed'
        ...

I assume it exists for automatic configuration. In what interfaces should I include it and what does omitting it do?
It is absent from guest_turris.

Where can I find information like this in general?

There are probably more differences that I should at least be aware of. I have never done any network configuration, but I’m trying to study it on my own. This means I’m very lost and without intuition whenever I can’t find documentation on these things.

If there are some resources I should check out I’d gladly read them. But simple explanations and a list of what to include/omit and when are enough to get started.

Thank you for your time

J.
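An added example, not from the original post and not Turris' own configuration, showing one way the four zones listed above could be written as /etc/config/firewall stanzas in the same shape as the guest_turris ones. The zone names (admin, trusted, servers, iot), the REJECT input policy on every zone except admin, and the set of forwardings are assumptions; the existing wan zone with its sentinel_* options is left untouched.

```shell
#!/bin/sh
# Added example, not from the original post: prints /etc/config/firewall
# stanzas for the four zones the post lists. Zone names, the REJECT input
# policy and which zone may reach the router are assumptions; the existing
# wan zone with its sentinel_* options is left exactly as it is.

# zone NAME INPUT FORWARD: as with guest_turris, a zone whose input policy
# is REJECT still needs explicit ACCEPT rules for DHCP and DNS to the router.
zone() {
  cat <<EOF
config zone '$1'
	option name '$1'
	list network '$1'
	option input '$2'
	option forward '$3'
	option output 'ACCEPT'

config rule '${1}_dhcp'
	option name '$1 dhcp'
	option src '$1'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule '${1}_dns'
	option name '$1 dns'
	option src '$1'
	option proto 'tcpudp'
	option dest_port '53'
	option target 'ACCEPT'

EOF
}

# forward SRC DST: one direction only; replies come back through connection
# tracking, so DST gets no path to open new connections into SRC.
forward() {
  printf "config forwarding '%s_to_%s'\n\toption src '%s'\n\toption dest '%s'\n\n" "$1" "$2" "$1" "$2"
}

firewall_fragment() {
  zone admin ACCEPT REJECT    # only the admin zone may talk to the router itself
  zone trusted REJECT REJECT  # the rest behave like guest_turris towards the router
  zone servers REJECT REJECT
  zone iot REJECT REJECT
  forward admin wan;   forward admin trusted; forward admin servers; forward admin iot
  forward trusted wan; forward trusted servers; forward trusted iot
  forward servers wan        # no forward out of iot: it is reached from admin and trusted only
}
```

Each printed stanza corresponds to one `uci add`/`uci set` call on the router; after appending them, the change takes effect with `/etc/init.d/firewall reload`.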