Turris OS 7.1.3 in RC now!

Dear Turris users,

we just released Turris OS 7.1.3 into RC/hbt. There are some small changes to the reForis interface, but mainly it is about fixes in the dynamic firewall integration into nftables. There were some conditions where it wouldn’t start properly. And we also extended the integration so you can now add IP addresses to a whitelist so that they never get blocked by Dynamic firewall. You can do so by adding the following section into /etc/config/sentinel:

config dynfw 'dynfw'
        option enabled '1'
        list whitelist '217.31.192.84'
        list whitelist '2001:1488:ac15:ff80::/64'

As always, if you encounter any issues, please let us know.

Thank you and Happy New Year!

7 Likes
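
The whitelist section from the announcement above, generated and checked by a script. This is an added example, not part of the original post and not Turris code. It assumes entries are single addresses or CIDR subnets, as in the two entries shown; the limits in MIN_PREFIX and the sample list are constructed for illustration.

```python
import ipaddress

# Hypothetical policy limits (not from Turris): refuse entries broader than
# these prefixes, since a wide exception defeats the dynamic firewall.
MIN_PREFIX = {4: 24, 6: 48}

# Constructed sample input: the two entries from the post plus bad candidates.
SAMPLE = [
    "217.31.192.84",
    "2001:1488:ac15:ff80::/64",
    " 217.31.192.84 ",   # duplicate with stray whitespace
    "0.0.0.0/0",         # would exempt every IPv4 address
    "192.0.2.10/24",     # host bits set, probably a typo
    "not-an-ip",
]


def normalize(entry):
    """Return the canonical form of one whitelist entry or raise ValueError."""
    text = entry.strip()
    # strict=True rejects subnets with host bits set; anything that is not an
    # address or subnet (including text with quotes) fails to parse here.
    net = ipaddress.ip_network(text, strict=True)
    if net.prefixlen < MIN_PREFIX[net.version]:
        raise ValueError(f"{text}: prefix /{net.prefixlen} is too broad")
    # Single hosts are written without a prefix, like the IPv4 entry in the post.
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def render_section(entries):
    """Validate entries; return (text for /etc/config/sentinel, rejected list)."""
    accepted, rejected = [], []
    for entry in entries:
        try:
            value = normalize(entry)
        except ValueError as exc:
            rejected.append((entry, str(exc)))
            continue
        if value not in accepted:  # drop duplicates, keep input order
            accepted.append(value)
    lines = ["config dynfw 'dynfw'", "        option enabled '1'"]
    lines += [f"        list whitelist '{value}'" for value in accepted]
    return "\n".join(lines) + "\n", rejected


if __name__ == "__main__":
    section, problems = render_section(SAMPLE)
    print(section, problems, sep="\n")
```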

MOX classic, HBK branch, .5 GB, 2x WiFi, simple config. All seems OK.

1 Like

Extend that to make use of ipsets, not only single IPs. So, for example, I may make an ipset with some particular ISP AS number or company network, etc. Or at least extend it to subnets. But ipsets may be populated externally when they change, and a static list could be a pain to keep fresh.

1 Like

7.1.2 → 7.1.3 RC1 update okay. No noticeable cable/wifi/internet interruption. Restart was not needed.


Turris Omnia 2017, 1 GB RAM, dead eMMC, system running from mSATA SSD, original wifi cards, UBoot 2022.10. Storage plugin enabled, LXC containers, tor relay, USB HDD shared over samba4 and minidlna, Syncthing, SQM, Hardwario gateway + MQTT IoT bridge, OpenVPN, PPtP VPN, Strongswan IKEv2 VPN, morce.

Actually I made a mistake in the example above and for IPv6 it is subnets. Internally it is obviously implemented as a set. But it is in our own nftables table that we know we can flush as we wish. The idea is that those whitelisted IPs are an exception so they will be rare.

Alternatively you can disable Dynamic firewall in the configuration altogether and run dynfw-client manually. That way it will just maintain two sets on your router with banned IP addresses and you can integrate those two sets into your firewall any way you want.

2 Likes