Turris OS - firewall logs

According to this video: Turris Omnia https://www.youtube.com/watch?v=UHCfVC01HR0 (presentation of CZ.NIC), if I understand it correctly, Omnia will have the same Turris OS (or its successor) as Turris 1.0/1.1.
I know this is based on OpenWRT, but I have some questions which are related to privacy and the open source spirit of this project:

  1. Will you provide a makefile and sources for power users to build the firmware themselves?
  2. Will the firewall have an option to NOT send stats data to NIC.CZ?
    In the video it was said that users were obligated to participate in the project by (automatically) sending firewall data to your organization, but as Turris Omnia is not for 1 CZK, it would be nice to have an option to switch off sending data to you.
    I know that gathering this kind of data is important for developing a security tool, but some users may not want to be forced to send anything, especially such sensitive data as firewall logs from the WAN (I know that the LAN is not going to be affected).
    I think you should keep in mind that some of the participants are geeks or pros, and this is a privacy essential for them.
  3. According to the diagram in the presentation, will the WAN port work at the same time as the SFP slot? There was an “OR”; does this mean that only one port is going to be available at a time?
  4. The last question is only related to the firewall subject, but I would like to make sure that Omnia will not repeat the ClearFog Pro board issue: it is known that the ClearFog Pro board has a major security bug, where at boot time, for a few seconds, the switch operates in a mode which allows full access between the WAN and LAN zones. You probably know this issue; can you please confirm that Omnia will not have such an issue and that the LAN will not be accessible from the WAN (during boot time) as long as there is no firewall rule (defined by the user) loaded by the OS? In short, will Omnia by default (before the OS loads) block access from WAN to LAN?
    Thanks!
  1. I think the sources will be available on gitlab.
  2. If there is no option to disable this, you can still replace the OS with plain OpenWRT.
  3. It is WAN exclusive or SFP. So one of them but never both. Think of a switch with a lever.
  4. The WAN/SFP port has its own dedicated network interface. So this problem will only appear on the 5 LAN ports if they are used to separate networks.
    This hole exists in tons of routers. Modifying the switch setup in u-boot may help with the time but still leave a second or so.
  1. They said there will be a GitHub with all source files. And they will provide patches to run other systems on Omnia.
  2. On Turris it is normally enabled and you can turn it off after the contract expires :) Turris Omnia is a different case. Omnia has stats sending disabled and you can activate it if you want. So out of the box no data is sent to CZ.NIC.
    (Personally I will leave it disabled because I have FUP limits and I am behind my ISP's NAT.)
  3. You can use only one of these ports. So SFP or WAN port… This is the question… You can use any port of the switch, but you can cause the issue from your 4th question.
  4. On WAN/SFP it is secured by design. I don’t know if the switch is configured to patch this issue.
  1. Unlike the original Turris, Omnia has the automated data sending to CZ.NIC switched off by default;
    optionally you will be able to switch it on in Omnia’s settings.