Turris OS 5.1.5 is in the Testing branch

Actually, even with the setting I get those logs. Strange…

Dec 17 13:52:30 turris unbound: [10796:0] error: udp connect failed: Permission denied for 2a06:98c1:50::ac40:219a port 53
Dec 17 13:52:30 turris unbound: [10796:0] error: udp connect failed: Permission denied for 2400:cb00:2049:1::a29f:408 port 53
Dec 17 13:52:30 turris unbound: [10796:0] error: udp connect failed: Permission denied for 2803:f800:50::6ca2:c19a port 53
Dec 17 13:52:30 turris unbound: [10796:0] error: udp connect failed: Permission denied for 2803:f800:50::6ca2:c19a port 53
Dec 17 13:52:30 turris unbound: [10796:0] error: udp connect failed: Permission denied for 2606:4700:58::adf5:3b9a port 53
Dec 17 13:52:30 turris unbound: [10796:0] error: udp connect failed: Permission denied for 2400:cb00:2049:1::a29f:209 port 53
Dec 17 13:52:30 turris unbound: [10796:0] error: udp connect failed: Permission denied for 2400:cb00:2049:1::a29f:937 port 53
Dec 17 13:52:30 turris unbound: [10796:0] error: udp connect failed: Permission denied for 2400:cb00:2049:1::a29f:30b port 53
Dec 17 13:52:30 turris unbound: [10796:0] error: udp connect failed: Permission denied for 2400:cb00:2049:1::a29f:837 port 53
Dec 17 13:52:30 turris unbound: [10796:0] error: udp connect failed: Permission denied for 2a06:98c1:50::ac40:219a port 53

/var/etc/unbound.conf:

server:
        chroot: ""
        verbosity: 0
        interface: 0.0.0.0
        interface: ::0 
        port: 53
[...]
        do-ip4: yes 
        do-ip6: yes 
[...]
include: "/etc/unbound/extra-options.conf"
[...]

/etc/unbound/extra-options.conf:

server:
  hide-version: "yes"
  do-not-query-localhost: no
[...]
  udp-connect: "yes"

You need udp-connect: no to disable this change of upstream default. From the log it seems that Turris kernel doesn’t support connected UDP sockets.

EDIT: I posted a question on https://github.com/openwrt/packages/pull/14136#issuecomment-747469293


Indeed, seems much better with “no”.

Given the new base on 19.07.5, does this mean it’s possible to install Adguard Home via opkg now?

No, because package Adguard Home is just available in OpenWrt snapshots and it is going to be part of OpenWrt 21.xx (for developers, there is a branch hbd). If you want to use Adguard Home on OpenWrt 19.07, you will need to compile the package yourself.

Bummer, but thanks for the quick response! Here’s to a quick OpenWrt 21 release early next year!

Syslog is full of drop packet entries

Dec 27 20:07:29 turris kernel: [406889.009249] REJECT wan in: IN=pppoe-wan OUT= MAC= SRC=5.39.66.199 DST=xxx.xxx.xxx.xxxLEN=435 TOS=0x18 PREC=0x00 TTL=51 ID=35624 DF PROTO=UDP SPT=5074 DPT=5060 LEN=415 
Dec 27 20:07:29 turris kernel: [406889.124824] DROP wan in: IN=pppoe-wan OUT= MAC= SRC=92.63.197.97 DST=xxx.xxx.xxx.xxxLEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=4748 PROTO=TCP SPT=55488 DPT=10772 WINDOW=1024 RES=0x00 SYN URGP=0 
Dec 27 20:07:31 turris kernel: [406891.676068] DROP wan in: IN=pppoe-wan OUT= MAC= SRC=92.63.197.97 DST=xxx.xxx.xxx.xxxLEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=7834 PROTO=TCP SPT=55488 DPT=5443 WINDOW=1024 RES=0x00 SYN URGP=0 
Dec 27 20:07:33 turris kernel: [406893.721309] DROP wan in: IN=pppoe-wan OUT= MAC= SRC=185.175.93.24 DST=xxx.xxx.xxx.xxxLEN=40 TOS=0x08 PREC=0x20 TTL=243 ID=26453 PROTO=TCP SPT=55554 DPT=31477 WINDOW=1024 RES=0x00 SYN URGP=0 
Dec 27 20:07:34 turris kernel: [406894.335906] DROP wan in: IN=pppoe-wan OUT= MAC= SRC=80.82.78.82 DST=xxx.xxx.xxx.xxxLEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=49034 PROTO=TCP SPT=55770 DPT=7882 WINDOW=1024 RES=0x00 SYN URGP=0 
Dec 27 20:07:35 turris kernel: [406894.764858] DROP wan in: IN=pppoe-wan OUT= MAC= SRC=92.63.197.97 DST=xxx.xxx.xxx.xxxLEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=51242 PROTO=TCP SPT=55488 DPT=9371 WINDOW=1024 RES=0x00 SYN URGP=0

I guess it’s the firewall doing its job. My log is similar to yours with a lot of entries. They are packets rejected on the wan port by the pppoe-wan interface with origin “malicious IP address” to the destination “your IP address”. If you do a search, for example on ipinfo.io, you will see that the source addresses are rental servers or automatic port scanning service or similar.

This is a standard function of a firewall - all unrecognized packets from the internet are either dropped or rejected.
A limited number of packets (to avoid flooding the system log with attempts) are logged so you may know something happened.

Routers usually either drop packets or reject them.
A rejection gives the sender information about the packet being rejected, which is useful for example for connections that have been closed.
TOS uses DROP for packets from IPs blacklisted by sentinel, reject otherwise.
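
To see which sources are behind the REJECT/DROP lines discussed above, the entries can be grouped by source address. The following is an added example, not part of any post in this thread and not Turris code; `parse_line`, `summarise` and the `scan_threshold` cut-off are hypothetical names chosen for the illustration, and the sample lines are constructed with documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the kernel lines above; addresses are
# documentation ranges, and one DST is redacted without a trailing space.
SAMPLE = """\
Dec 27 20:07:29 turris kernel: [406889.009249] REJECT wan in: IN=pppoe-wan OUT= MAC= SRC=203.0.113.7 DST=192.0.2.1 LEN=435 TTL=51 DF PROTO=UDP SPT=5074 DPT=5060 LEN=415
Dec 27 20:07:29 turris kernel: [406889.124824] DROP wan in: IN=pppoe-wan OUT= MAC= SRC=198.51.100.9 DST=192.0.2.1 LEN=40 TTL=246 PROTO=TCP SPT=55488 DPT=10772 WINDOW=1024 SYN URGP=0
Dec 27 20:07:31 turris kernel: [406891.676068] DROP wan in: IN=pppoe-wan OUT= MAC= SRC=198.51.100.9 DST=xxx.xxx.xxx.xxxLEN=40 TTL=246 PROTO=TCP SPT=55488 DPT=5443 WINDOW=1024 SYN URGP=0
Dec 27 20:07:35 turris kernel: [406894.764858] DROP wan in: IN=pppoe-wan OUT= MAC= SRC=198.51.100.9 DST=192.0.2.1 LEN=40 TTL=246 PROTO=TCP SPT=55488 DPT=9371 WINDOW=1024 SYN URGP=0
Dec 27 20:07:36 turris unbound: [10796:0] info: unrelated line
"""

HEAD = re.compile(r"kernel: \[\s*[\d.]+\] (REJECT|DROP) (\S+) in: (.*)")
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return a dict for one firewall log line, or None for anything else."""
    m = HEAD.search(line)
    if not m:
        return None
    verdict, zone, rest = m.groups()
    f = dict(FIELD.findall(rest))
    if not f.get("SRC") or not f.get("DPT", "").isdigit():
        return None  # ICMP and malformed lines carry no destination port
    return {"verdict": verdict, "zone": zone, "src": f["SRC"],
            "proto": f.get("PROTO", "?"), "dport": int(f["DPT"]),
            "syn": "SYN" in rest.split()}

def summarise(lines, scan_threshold=3):
    """Group hits by source; flag sources probing many distinct ports."""
    by_src = defaultdict(lambda: {"hits": 0, "ports": set(), "verdicts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = by_src[rec["src"]]
        s["hits"] += 1
        s["ports"].add((rec["proto"], rec["dport"]))
        s["verdicts"].add(rec["verdict"])
    for s in by_src.values():
        s["scan"] = len(s["ports"]) >= scan_threshold
    return dict(by_src)

if __name__ == "__main__":
    for src, s in sorted(summarise(SAMPLE.splitlines()).items()):
        print(src, s["hits"], sorted(s["verdicts"]), sorted(s["ports"]), s["scan"])
```

A source that appears only with DROP and touches several unrelated ports matches the port-scanning pattern described in the thread; a single REJECT to one port is ordinary unsolicited traffic.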

We are releasing another RC version of Turris OS 5.1.5.

Changelog:
OpenWrt repository

  • updated OpenSSL, which fixes CVE-2020-1971
  • updated kernel, mac80211

Packages repository:

  • updated haveged, syslog-ng, netdata, htop, samba4
  • fixes for adblock
  • removed noddos

Turris build:

  • fixed nslookup in LuCI

Turris packages:

  • fixed luci-app-rainbow
  • updated OpenVPN client module (forces firewall reload after adding a new OpenVPN client)

If you are interested in more details, here are the commit hashes for each repository that we are using in this release:

 * turris-build: 84641a99be701169b825b38dfe4658b46a40058f
 * openwrt: e29002471734dbba927d43f0b23818ddc5f551a7
 * feeds/cesnet: 4dd5de7130d112bd928e41c9dab8b550af876677
 * feeds/luci: bf4fbd98b76fab0c1968426bd723ab2db0572c1b
 * feeds/node: 52681893e6d1f2d604317c44243124b1ecc0f971
 * feeds/openwisp: 59a69935f1c08d14c1f8aeef0b0ed6ba4f8cdbce
 * feeds/packages: 67a324b5efbc68fe5476c71f80ed6b34cb6b74b5
   (Turris MOX has a newer one - updated nextdns: 7ee0a565beb29c27664e0405151ca568818fe7c2)
 * feeds/routing: 02b4dbfcb7b8f8b566940847d22d5a6f229d2e66
 * feeds/sidn: 5a0a6edd625b8666243621c6087c515f86e0f24f
 * feeds/telephony: 6e019c94d0fa7162548d528bf4ba060a61f8cb59
 * feeds/turrispackages: cca135dc09357eba0ba3f12bd96e7e81b05761d4

MOX classic, WiFi, ,5 GB, simple config, more than 5 reboots hanging, last reboot OK all working.

Right now, I don’t remember if you are using this experimental firmware to work around hangs after reboot?

No. I didn’t know it. I’ll have a look and test it later…

OK, I read all the documents and I’m sorry, I won’t follow it… even though I’m willing to experiment a little bit, it seems too risky to me… there is too much risk of bricking my MOX :frowning: I don’t have a UPS, I don’t know where I could obtain the needed USB TTL serial adapter in case I’d brick my MOX… it’s too complicated (even if I’m, hopefully, no noob or BFU), but my knowledge of UNIX/Linux is not sufficient for such a task…

Thus I’ll have to withstand “smaller” problems with unsuccessful reboots rather than risk bricking my MOX and not being able to repair it…

Here goes another RC version of Turris OS 5.1.5 and hopefully the last one!

The difference is that we have the latest commit (for now) from packages feed and its branch openwrt-19.07. Commit hash: 7707d2d78c30fafbdf3723fd49557a145d41e8ea

So, Turris 1.x and Turris Omnia have newer versions of these two packages available to install: nextdns and haproxy. Turris MOX has just haproxy.

MOX classic, WiFi, ,5 GB, simple config, 5.1.5 HBK, seems there was no update for me.

packages from openwrt master currently work “as-it-is” on Omnia
cc @snarfel