Viktor Jaep
Part of the Furniture
Not necessarily... the 1.txt is 2.3mb... and as you go down to 8.txt, its down to 149 lines.
Skynet Is default firewall good enough?
- Thread starter BreakingDad
- Start date
I read the description again.
Quote:
“IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses.
…snipped…
In directory levels you can find preprocessed raw IP lists based on number of blacklist occurrences (e.g. levels/3.txt holds IP addresses that can be found on 3 or more blacklists).”
To be in 8.txt, the ip must exists in 8 or more of the total 30+ reference blacklists.
To be in 7.txt, the ip must exists in 7 or more of his reference lists. ip that exists 8 times also qualify here. This means everything in 8.txt is included in 7.txt.
It is correct that the size of 1.txt > 2.txt > 3.txt > … > 8.txt
Viktor Jaep
Part of the Furniture
So your logic was correct on this, @chongnt ... I cross-referenced entries from list 8.txt, and they were all contained within 3.txt. I've adjusted my filter list accordingly to prevent skynet from having to download and process dupes, which should save a few seconds on processing time.
Thanks again!You could install it and have it block Outbound traffic only.
Thanks @Viktor Jaep help on cross-reference the entries.So your logic was correct on this, @chongnt ... I cross-referenced entries from list 8.txt, and they were all contained within 3.txt. I've adjusted my filter list accordingly to prevent skynet from having to download and process dupes, which should save a few seconds on processing time.
The other day I could not find a good way to compare the files. Just found a way to do it with grep, it looks for all lines in the second file that does not match any line in the first file.
Code:
admin@RT-AC86U-DBA8:/tmp/mnt/amtm/skynet/lists# wc -l 3.txt
17733 3.txt
admin@RT-AC86U-DBA8:/tmp/mnt/amtm/skynet/lists# wc -l 4.txt
8742 4.txt
admin@RT-AC86U-DBA8:/tmp/mnt/amtm/skynet/lists# grep -vxFf 3.txt 4.txt | wc -l
0
admin@RT-AC86U-DBA8:/tmp/mnt/amtm/skynet/lists# grep -vxFf 4.txt 3.txt | wc -l
8991
admin@RT-AC86U-DBA8:/tmp/mnt/amtm/skynet/lists#When I want to use @SomeWhereOverTheRainBow s custom filter list, I get 0 banned IPs:
Any suggestions why this is happening?
It was working good, before I tried some other lists mentioned above.
Then I decided to switch back to @SomeWhereOverTheRainBow s list, but it's not loading IPs...
Any suggestions why this is happening?
It was working good, before I tried some other lists mentioned above.
Then I decided to switch back to @SomeWhereOverTheRainBow s list, but it's not loading IPs...
Attachments
Last edited:
SomeWhereOverTheRainBow
Part of the Furniture
I
I need to adjust it because the energized list is nolonger good.
SomeWhereOverTheRainBow
Part of the Furniture
I finished updating it.
If you are feeling impowered you could also try my generated filter.
I curate my own list from those same sources every night.
@SomeWhereOverTheRainBow
Thanks, but Skynet says, your first link still has 0 IPs.
The second link does have ~ 300.000 IPs, but no ranges.
Thanks, but Skynet says, your first link still has 0 IPs.
The second link does have ~ 300.000 IPs, but no ranges.
Attachments
Thanks @SomeWhereOverTheRainBow and everyone for your contributions on these blocklists.
Figured I'd mention a few oddities I noticed when checking some of the individual filters:
** I _think_ Skynet can digest these properly. Unsure on the >><< characters. **
193.163.125.0 193.163.125.218 24 2638 CYBER-CASA GB >>UNKNOWN<<
167.94.146.0 167.94.146.20 24 2368 CENSYS-ARIN-02 US None
167.94.145.0 167.94.145.24 24 2329 CENSYS-ARIN-02 US None
185.81.68.0 185.81.68.102 24 2043 SELECTEL-MSK RU abuse@selectel.ru
185.224.128.0 185.224.128.17 24 2036 SPECTRAIP SpectraIP B.V. NL abuse@spectraip.net
** These use CIDR notation and contain a semi-colon, which is apparently unsupported by Skynet **
216.250.16.0/20 ; SBL530358
220.154.0.0/16 ; SBL234221
223.169.0.0/16 ; SBL208009
223.173.0.0/16 ; SBL204954
223.254.0.0/16 ; SBL212803
** curl produces no results, however a web browser properly redirects to this S3 bucket which contains the list of IP's **
Figured I'd mention a few oddities I noticed when checking some of the individual filters:
** I _think_ Skynet can digest these properly. Unsure on the >><< characters. **
193.163.125.0 193.163.125.218 24 2638 CYBER-CASA GB >>UNKNOWN<<
167.94.146.0 167.94.146.20 24 2368 CENSYS-ARIN-02 US None
167.94.145.0 167.94.145.24 24 2329 CENSYS-ARIN-02 US None
185.81.68.0 185.81.68.102 24 2043 SELECTEL-MSK RU abuse@selectel.ru
185.224.128.0 185.224.128.17 24 2036 SPECTRAIP SpectraIP B.V. NL abuse@spectraip.net
** These use CIDR notation and contain a semi-colon, which is apparently unsupported by Skynet **
216.250.16.0/20 ; SBL530358
220.154.0.0/16 ; SBL234221
223.169.0.0/16 ; SBL208009
223.173.0.0/16 ; SBL204954
223.254.0.0/16 ; SBL212803
** curl produces no results, however a web browser properly redirects to this S3 bucket which contains the list of IP's **
SomeWhereOverTheRainBow
Part of the Furniture
try it now, i updated it again:
I removed all incompatible lists from skynet filter list.
Weird there are no ranges from the my list. I see the subnet indicators on some of my addresses. I believe it is because skynet (or iptables) is having trouble processing that long of a list. If it was successfully processed it would be closer to 400,000 ips including ranges.
@Ubimo
I implemented a new sort technique to make sure the ip were in an understandable order:
Last edited:
SomeWhereOverTheRainBow
Part of the Furniture
BTW curl works fine on the last link
Code:
curl -fsSL https://www.talosintelligence.com/documents/ip-blacklist
Code:
46.101.197.155
167.114.238.104
45.55.178.34
103.214.54.82
94.26.2.74
64.137.206.52
5.196.58.96
163.172.143.114
178.239.167.15
185.128.40.220
192.151.155.130
85.207.155.39
181.143.253.106
139.59.9.200
192.207.61.178
158.58.170.222
185.61.138.104
181.143.153.250
178.32.53.124
163.172.29.9
163.172.29.81
101.0.54.130
185.80.222.78
82.163.79.61
37.187.247.3
104.236.58.27
91.108.183.170
92.222.92.152
212.47.247.226
108.61.187.24
88.150.157.14
186.205.89.48
193.138.219.231
64.137.178.3
31.31.72.43
59.115.115.115
91.134.232.63
178.62.18.173
119.17.192.102
59.93.84.191
98.124.243.32
119.93.79.68
212.47.248.81
162.210.173.109
197.254.106.218
14.176.1.82
117.239.224.138
41.33.197.132
188.161.150.22
116.68.103.36
181.143.243.98
159.203.30.48
37.187.57.57
178.159.36.185
67.205.149.140
188.225.46.219
31.3.230.31
185.234.218.247
185.62.189.56
185.234.216.59
185.107.70.202
185.10.68.16
185.242.113.224
<SNIP>LAST BIT OF CURL IPS<SNIP>in the terminal gives a list.
That is the curl technique skynet uses.
You have to tell curl to accept redirects.
Last edited:
B255ea006
Regular Contributor
What`s "Outbound traffic"?
Would i need a public IPv4 for my router for it?
Currently i do not have an public IPv4 for the router but i am in good hope that i will fix this but i do need more information and jnowlege regarding Portforwarding etc. to get an/ the publik IPv4 from my Fritzbox 6850 5G.
@SomeWhereOverTheRainBow
Thanks!
This link is working again, but is not blocking any ranges. It's blocking ~200.000 IPs, but no ranges.
The second link is also blocking about 400.000 IPs but no ranges.
Some time ago, your filter list also included ranges.
Thanks!
This link is working again, but is not blocking any ranges. It's blocking ~200.000 IPs, but no ranges.
The second link is also blocking about 400.000 IPs but no ranges.
Some time ago, your filter list also included ranges.
SomeWhereOverTheRainBow
Part of the Furniture
Not sure what to tell you, unless iptables is not cooperating with the entries. Or maybe the list that is no longer any good was the list that had all the ranges. Tbh most of the lists don't list ranges, they only list the either subnet form or straight ip form.
SomeWhereOverTheRainBow
Part of the Furniture
Why don't you switch back to skynets default and see if you have ranges then?
@SomeWhereOverTheRainBow
Screenshot 1 is your list - 0 ranges banned
Screenshot 2 is Skynet default - 2055 ranges banned
Screenshot 1 is your list - 0 ranges banned
Screenshot 2 is Skynet default - 2055 ranges banned
Attachments
SomeWhereOverTheRainBow
Part of the Furniture
Okay so using the first link, i am not sure why there are no ranges since it would be pulling the lists straight from the sources like skynet default does:
as you can see, there is not that much difference between the default, versus mine:
in fact I include all the lists that are in skynet default. So it should be banning those "ranges" still.
The question begs to ask why is skynet doing this incorrectly in some instances?
Let us look at what skynet code defines to be a "range"-
This is User added ranges (added by skynet menu option for ranges):
This is ranges blocked by blocking countries:
This is ranges blocked by blocking VIA "ASN" codes
@Adamm- "Why are when users load a custom filter.list, their user defined ranges are not included in the iptable rules; however, when they use the default filter lists their user defined ranges are included in the iptable rules?"
Basically @Ubimo has pointed out when they load a custom filter.list, not much different from the default, there are no longer any ranges showing up as being banned in the statistic ( which implies the skynet-banned ranges rules are not getting loaded when switching to custom filter.list option). However, when they switch back to default filter.list, their banned ranges are once again included in the statistics (which implies skynet-banned ranges are once again loaded properly into the iptable ruleset).
@Ubimo
In the code link below, I see reference to using the custom list with the banmalware option. Possibly different steps are taking if "fast-switch" is enabled in diversion or skynet. Maybe this is causing the skipping of adding ranges when using custom filter lists? But I don't know @Adamm script well enough yet to tell you.
more specifically, this line:
@Ubimo
A temporary solution is to manually restart skynet after switching to custom filter lists and your "blocked ranges" should hopefully be added back. (banned ranges = ranges you have added, any countries you block, and any ASN codes you block, and anything that gets added with a subnet attached like /24 at the end of the ipaddress).
Code:
( firewall ban range 8.8.8.8/24 "Apples" ) This Bans the CIDR Block Specified With The Comment Apples
( firewall ban country "pk cn sa" ) This Bans The Known IPs For The Specified Countries (Accepts Single/Multiple Inputs If Quoted) https://www.ipdeny.com/ipblocks/
( firewall ban asn AS123456 ) This Bans the ASN Specified@Ubimo
If the custom filter list were loading correctly, here would be the amount of banned IPS ranges contributed.
Code:
curl -fsL --retry 3 --connect-timeout 3 "https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/filter.list" | awk -F/ '{print $0}' | xargs "curl" -fsSL | grep -E '^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$' | grep -vE '^(0\.|10\.|100\.(6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7])\.|127\.|169\.254\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.0\.0\.|192\.0\.2\.|192\.168\.|198\.(1[8-9])\.|198\.51\.100\.|203\.0\.113\.|2(2[4-9]|[3-4][0-9]|5[0-5])\.|8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|1\.0\.0\.1)' | awk '!x[$0]++' | grep -F "/" | wc -l
9230IP from non-Ranges:
Code:
curl -fsL --retry 3 --connect-timeout 3 "https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/filter.list" | awk -F/ '{print $0}' | xargs "curl" -fsSL | grep -E '^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$' | grep -vE '^(0\.|10\.|100\.(6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7])\.|127\.|169\.254\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.0\.0\.|192\.0\.2\.|192\.168\.|198\.(1[8-9])\.|198\.51\.100\.|203\.0\.113\.|2(2[4-9]|[3-4][0-9]|5[0-5])\.|8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|1\.0\.0\.1)' | awk '!x[$0]++' | grep -vF "/" | wc -l
334724If my custom list was loaded correctly here would be the amount of banned IPS ranges it contributed.
Code:
curl -fsL --retry 3 --connect-timeout 3 "https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/myfilter.list" | awk -F/ '{print $0}' | xargs "curl" -fsSL | grep -E '^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$' | grep -vE '^(0\.|10\.|100\.(6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7])\.|127\.|169\.254\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.0\.0\.|192\.0\.2\.|192\.168\.|198\.(1[8-9])\.|198\.51\.100\.|203\.0\.113\.|2(2[4-9]|[3-4][0-9]|5[0-5])\.|8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|1\.0\.0\.1)' | awk '!x[$0]++' | grep -F "/" | wc -l
63802IP from non-Ranges:
Code:
curl -fsL --retry 3 --connect-timeout 3 "https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/myfilter.list" | awk -F/ '{print $0}' | xargs "curl" -fsSL | grep -E '^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$' | grep -vE '^(0\.|10\.|100\.(6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7])\.|127\.|169\.254\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.0\.0\.|192\.0\.2\.|192\.168\.|198\.(1[8-9])\.|198\.51\.100\.|203\.0\.113\.|2(2[4-9]|[3-4][0-9]|5[0-5])\.|8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|1\.0\.0\.1)' | awk '!x[$0]++' | grep -vF "/" | wc -l
475801
Last edited:
SomeWhereOverTheRainBow
Part of the Furniture
Similar threads
Similar threads
-
scMerlin Is this feature enabled by default in scMerlin?
- Started by lenovomen
- Replies: 2
-
Unbound Use unbound/router as default DNS server
- Started by BeachGuy
- Replies: 2
-
Skynet I have installed the skynet firewall how do I configure it if the security of iot devices is important?
- Started by lenovomen
- Replies: 2
-
-
Skynet SkyNet/Firewall blocking all ping requests, including outbound
- Started by nearlyheadlessarvie
- Replies: 6
-
