Skynet Does whitelisting a DDNS domain only block the IP resolved when adding? Or update regularly? Frequency?

[XIII]

SkyNet (on my router) often blocks me accessing my router at home when trying to SSH to it from family members' homes... Therefore I want to whitelist their IP addresses. Unfortunately their ISP's only offer dynamic IP addresses. Fortunately, their routers do support a DDNS service like No-IP. If I add such a DDNS domain to SkyNet (example: firewall whitelist domain mychosenworg.hopto.org), I see that it adds the currently resolved IP (example: 1.2.3.4).

Does filtering a DDNS domain only block the IP address resolved when adding the (DDNS) domain?

Or will SkyNet regularly resolve/update the IP address? If so, with which frequency?

If it doesn't, can/should I use "cru" to delete/add the domain every day?

 

[eibgrad]

That doesn't make sense. Why would any such tool like Skynet be blocking your port forwards? In effect, you're claiming it's blacklisting those source IPs. Why? On what grounds?

Admittedly I don't use Skynet, so maybe it is. But on the face of it, I just find it surprising this would be the case. I don't understand the justification for it, esp. if you explicitly defined port forwards which obviously need to be accessible from *any* public IP *unless* you specifically limit the source IP based on the source IP field of the port forward.

 

[cptnoblivious]

I ssh into my router regularly. But I VPN into the router first, so that I don't expose the SSH port. No issues with skynet and I can also bounce though there if I need to do anything where I want it to look like I'm coming from the same IP as always.

Something to consider perhaps, easy to setup.

 

[XIII]

That doesn't make sense. Why would any such tool like Skynet be blocking your port forwards? In effect, you're claiming it's blacklisting those source IPs. Why? On what grounds?

Has happened to me before... Recently the USB flash drive in my router died and I installed from scratch, but forgot to whitelist those IP's.

What made me more certain this time is this:

• I could not remotely SSH to my router or any Pi (all have an open/forwarded port) from my family member's network
• I could still use TeamViewer to connect to a PC at home (which was very rare; I usually don't have this PC turned on)
• In the TeamViewer session on that PC I could locally SSH to my router and every Pi
• When I disabled SkyNet (from that PC) I could again remotely SSH to my router and every Pi
• When I re-enabled SkyNet (from that PC) I could no longer remotely SSH to my router or any Pi
• When I whitelisted the family member's network public IP (from that PC) I could again remotely SSH to my router and every Pi

(Note that I'm not using SkyNet's Secure Mode)

It would be great if anybody could answer my original question so I can prevent this from happening again.

 

[Adamm]

It would be great if anybody could answer my original question so I can prevent this from happening again.

Refresh_MWhitelist() is run during startup and the banmalware function. It can also be manually triggered using the whitelist refresh command. (This all assuming you used the whitelist domain command to add it in the first place)

 

[XIII]

Refresh_MWhitelist() is run during startup and the banmalware function. It can also be manually triggered using the whitelist refresh command. (This all assuming you used the whitelist domain command to add it in the first place)

I executed this:

firewall whitelist domain myhostname.hopto.org

But got confused by this:

➜ firewall whitelist view domain | grep hopto
1.2.3.4 comment "ManualWlistD: myhostname.hopto.org"

(I was not sure the text from the comment would be used to update the IP)

So thank you for your confirmation!

I see this:

➜ cru l | grep firewall
25 22 * * * sh /jffs/scripts/firewall banmalware #Skynet_banmalware#
10 1 * * Mon sh /jffs/scripts/firewall update #Skynet_autoupdate#
0 * * * * sh /jffs/scripts/firewall save #Skynet_save#
51 */12 * * * sh /jffs/scripts/firewall debug genstats #Skynet_genstats#

So it's updated daily, which should be good enough; I don't need to write a script myself that updates these entries in SkyNet. Excellent!