Firewall Script?

[JT Strickland]

Anybody know of a good firewall script they would recommend?

 

[Ninko]

Anybody know of a good firewall script they would recommend?

Skynet - Skynet - Router Firewall & Security Enhancements

For support requests and questions please use the Github Issue Tracker where this script is actively maintained Skynet - Router Firewall & Security Enhancements Elevate your home network security with Skynet, a robust firewall and security tool meticulously crafted for ASUS routers running...

www.snbforums.com

 

[JT Strickland]

Skynet - Skynet - Router Firewall & Security Enhancements

For support requests and questions please use the Github Issue Tracker where this script is actively maintained Skynet - Router Firewall & Security Enhancements Elevate your home network security with Skynet, a robust firewall and security tool meticulously crafted for ASUS routers running...

www.snbforums.com

Thanks, but I was looking for something, ... different. If there is such a thing.
It's been a good ol' friend, and I would hate to part with it, but I may not have any choice in the matter.

 

[JaimeZX]

The only thing I would leave Skynet for is a dedicated device with pfSense or something.

 

[JT Strickland]

The only thing I would leave Skynet for is a dedicated device with pfSense or something.

I am worried about Skynet leaving me. How long will it continue to work with newer firmware without updates? Seems there are already problems.

 

[ColinTaylor]

Maybe just use the router's built-in firewall. What features do you need in a separate firewall?

 

[JT Strickland]

It may come to that. I like the added security of actively trying to block the enemy from doing me and my family harm.
Maybe it is superficial, but it makes me feel warm and fuzzy.

 

[JT Strickland]

It seems Pfsense and Opnsense may require a dedicated device to run on. While that could be the best choice, it doesn't fit in my little network model very well.

 

[dazedandlost]

Please excuse my ignorance. How does suricata fit into this kind of thing? I am running skynet too but aside from that I am concerned generally about my network and its vulnerabilities, and trying to keep in mind that "security is a process ..." and all that.

 

[JT Strickland]

Please excuse my ignorance. How does suricata fit into this kind of thing? I am running skynet too but aside from that I am concerned generally about my network and its vulnerabilities, and trying to keep in mind that "security is a process ..." and all that.

From what little I have read, which is not much, Suricata is a similar script that needs investigating on my part.
On the other hand, from a recent post, it looks like Skynet was updated yesterday to fix an issue, so it's not in the boneyard yet.

 

[dazedandlost]

For me, it's too soon to leave skynet, maybe not for a long time. I am wondering if suricata has capabilities that skynet does not, and if running both makes any sense or might just add conflicts.

 

[JaimeZX]

From what I can tell, Adamm is still maintaining Skynet; just not as actively as he once did. Further, changes to the script would only be required if something in the firewall breaks it, as you already mentioned. As long as that doesn't happen, Skynet should continue to function just fine even if Adamm never raises another finger to tweak the code.

Suricata is quite powerful; I think borderline too powerful for the hardware in our routers; I'm looking at an HP T620+ (thin client) to run that. But really I'd like to have Skynet outside the pfSense box... but then that becomes
INTERNET <=> Asus w/ Skynet <=> pfSense box <=> Asus w/ other scripts <=> LAN/WLAN

Seems complicated.

 

[ColinTaylor]

Please excuse my ignorance. How does suricata fit into this kind of thing? I am running skynet too but aside from that I am concerned generally about my network and its vulnerabilities, and trying to keep in mind that "security is a process ..." and all that.

Suricata is an IDS/IPS (similar to AiProtection). Skynet is a firewall.

 

[JT Strickland]

For me, it's too soon to leave skynet, maybe not for a long time. I am wondering if suricata has capabilities that skynet does not, and if running both makes any sense or might just add conflicts.

Me too, I was trying to prepare for if it left me. It was good to see a small update yesterday. It would be good to hear from Adamm once again too.

 

[dazedandlost]

Well yes. And most things are too complicated for me already, I don't need to add more. But I _really_ like the idea of intrusion detection (and egress monitoring from my vague understanding of that). Generally, I feel better having some idea of what's going on.

 

[JT Strickland]

Suricata is an IDS/IPS (similar to AiProtection). Skynet is a firewall.

Perhaps Suricata could be a replacement for Aiprotection. As @JaimeZX said though, it seems quite powerful, and probalby out of my league.

 

[dazedandlost]

Suricata is an IDS/IPS (similar to AiProtection). Skynet is a firewall.

Thanks. I appreciate. If I remember correctly, there are instructions for adding Suricata to the router. I may try it, sometime.

 

[dazedandlost]

Link: https://www.snbforums.com/threads/suricata-ids-on-asuswrt-merlin.63280/

 

[JT Strickland]

there is also Snort3, another ips similar to Suricata. The link is about all I know:

[Experimental] Snort3 IDS/IPS on AsusMerlin [AC86/AX88 routers ONLY]

What is Snort? It is an open source intrusion prevention system (IPS) capable of real-time traffic analysis and packet logging. Snort is an open source project under Gnu Public License (GPL) 2.0, it is an open source alternative to some of the proprietary IDS/IPS such as TrendMicro's AiProtect...

www.snbforums.com

 

[JaimeZX]

Yes, Snort is an older piece of software; Suricata has replaced it for most people IIRC. My main concern is that I don't think our routers have enough power to run those... possibly the 88. Or... you'll see your throughput plummet if you're trying to inspect all the packets. That's why I'd love to have Skynet outside Suricata - blocks a bunch of stuff that then Suricata doesn't need to worry about scanning.

Still - to some extent it depends on your connection speed. If you have gigabit, no way is your router going to keep up... heck even people with a dedicated HP T620+ can't keep up with gigabit. If you have a much slower connection then it's more plausible.