Being curious about Sentinel but not wanting to mess with the router, I decided to give it a shot in a container instead, which provides an isolated environment. An unprivileged container would be icing on the cake…
```
eth0
 -> vlan eth0.2
 -> br-sen
 -> guest fw zone
 -> privileged container (ip subnet different from guest network)
```
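The chain above written out as OpenWrt/Turris UCI plus LXC configuration, added here as an illustration (not from the original post and not Turris' own config). The interface name `sen` (which OpenWrt turns into the bridge `br-sen`), the VLAN interface `eth0.2` and the zone name `guest` come from the post; the subnets 10.44.0.0/24 (container side) and 10.111.222.0/24 (default guest network), the network name `guest_turris`, the container name `sentinel`, and the WAN-to-container telnet redirect are assumptions made to get a complete, working picture.

```conf
# /etc/config/network (excerpt, added example; addresses are assumed)
# A dedicated bridge interface on VLAN 2. The host owns 10.44.0.1 so the
# container has a gateway that is NOT in the guest LAN's subnet.
config interface 'sen'
        option type 'bridge'
        option ifname 'eth0.2'
        option proto 'static'
        option ipaddr '10.44.0.1'
        option netmask '255.255.255.0'

# /etc/config/firewall (excerpt, added example)
# Put the new bridge into the existing guest zone so the container gets the
# guest zone's restrictions (no access to lan, forward to wan only).
config zone
        option name 'guest'
        list network 'guest_turris'      # assumed name of the default guest network
        list network 'sen'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'guest'
        option dest 'wan'

# Assumed: expose the container's telnet minipot on the router's WAN address.
# The post does not say how the remote telnet reached the container; a DNAT
# redirect like this is one way to do it.
config redirect
        option name 'minipot-telnet'
        option src 'wan'
        option src_dport '23'
        option dest 'guest'
        option dest_ip '10.44.0.2'
        option dest_port '23'
        option proto 'tcp'
        option target 'DNAT'

# /srv/lxc/sentinel/config (network excerpt, added example; LXC 3+ key names)
# Attach the container's veth to br-sen and give it an address in the
# container subnet, not in the guest subnet.
lxc.net.0.type = veth
lxc.net.0.link = br-sen
lxc.net.0.flags = up
lxc.net.0.ipv4.address = 10.44.0.2/24
lxc.net.0.ipv4.gateway = 10.44.0.1
```

After `/etc/init.d/network restart` and `/etc/init.d/firewall restart` on the host, `brctl show br-sen` should list `eth0.2` and the container's veth, and `telnet <wan-ip> 23` from outside should land on the container rather than on the host.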
Stripped TOS down to the bare essentials:
```lua
Uninstall("hd-idle", "knot-resolver", "dnsmasq", "resolver", "collectd", "vpnc", "wol", "tinyproxy", "samba36-server", "samba36-client", "openssh-sftp-client", "openssh-sftp-server", "openvpn-openssl", "mjpg-streamer", "miniupnpd", "minidlna", "transmission", "ahcpd", "ddns-scripts", "luci-app-wol", "luci-app-transmission", "etherwake", "odhcpd", "kmod-rxrpc")
```
Installed the Sentinel stuff:
```lua
Install("sentinel-minipot")
```
but skipped sentinel-dynfw-client, since it only makes sense to run on the host.
From a remote node I ran telnet against the router's IP; the telnet login prompt at the router popped up, which confirmed it is working.
Questions (remaining after discovery):
- Can sentinel-nikola be configured in the container to access the nf entries in the host's kernel log? If so, what are the requirements, or how is it done?
- Where can the node data collected/submitted by sentinel-nikola to the TO project be viewed per node (similar to HaaS)?
Notable issues
- sentinel-dynfw-client fails to start at boot
- sentinel-nikola not automatically enabling nf/ipt logging in the wan zone
- firewall restart fails to load the wan_input_rule for ipset turris-sn-wan-input-block
- sentinel-dynfw-client fails to detect wan ip rollover
- nf/ipt records reportedly not being parsed - see below