Quick question: last Feb 5 I had 300+ added IPs on my blocklist. Now when I check today it shows only this. Any idea?
I used this filter list:
Thanks in advance
Most likely a bad list reference in this filter list causing it to bomb out. Feel free to use my list (https://raw.githubusercontent.com/ViktorJp/Skynet/main/filter.list) or @SomeWhereOverTheRainBow's lists.
In this case, that entry only exists in this particular list. I am not sure if I can trust a list that has not been updated by its maintainer for so long. There may still be legitimate addresses in the list, but I prefer the maintainer to update it even though there are no changes.
Two questions I would ask myself in this type of situation are "do you believe there are other legitimate blocks coming from the list?" and "do any of your other lists also include those entries present in this list?" Also, keep in mind the nature and purpose of this list you are referencing.
If these are IP addresses resolved from DNS hostnames, I suspect those IP addresses would not change that much depending on how often new DNS hostnames get added to that list. It may turn out that those DNS hostnames may not change very often.
You have to first ask yourself "Is that DNS hostname list still being maintained?" I suspect the answer is yes, but it doesn't change that often.
With that being said, are you also going to remove any of the lists that supposedly contain dshield?
For example dshield, the description is last three days. But it has not been updated for over 2 months. I don’t feel comfortable blocking 20 class C subnets just like that. I may not access any of the IPs but at the same time I don’t want to use a list that may contain false entries due to lack of updates.
I have moved to local path and removed all lists that are not updated for over a week.
dshield_1d by DShield.org
DShield.org top 20 attacking class C (/24) subnets over the last three days
You are right. They seem to cross reference everywhere.
e.g.
They are pulling from sources that haven't been updated in over a week. Ergo they must be bad as well.
The reality with community provided blocklists is, you never know when there will be a false positive.
I am not saying they are bad. What I am saying is there is a higher chance that it may contain false positives if it is not updated periodically. I have experienced a few occurrences of false positives. My personal choice is to exclude those lists.
With the local path after removal of some of those "old lists", a few of my false positives are gone. In a way, a smaller but updated list helps.
What I do is, I build an allowlist off of common false positives. This allows me to hopefully avoid a good majority of the false positive scenarios.
While I can see some legitimate entries being false positives when trying to access them from your outbound traffic, I still wonder how many of these false positives would have a legitimate reason for accessing your network from inbound traffic. For example, why would they need to access a port you have open on your router unless it is a service you know should be accessing that port? In that regard, what may be considered a false positive on the outbound may not necessarily be a false positive on the inbound.
I just checked that my false positive records are in your whitelist. So this is another approach to do it.
I went through your 18k whitelist, and only got 9 entries that hit my Skynet-Blacklist. And I still have 155225 IPs (+0) -- 3190 Ranges Banned (+0) in blocklist.
With more aggressive lists, I wonder how many hits you get.
Code:
/mnt/amtm/skynet/lists/dyndns_ponmocup.ipset:3.18.7.81
/mnt/amtm/skynet/lists/dyndns_ponmocup.ipset:3.19.116.195
/mnt/amtm/skynet/lists/dyndns_ponmocup.ipset:3.130.204.160
/mnt/amtm/skynet/lists/dyndns_ponmocup.ipset:18.119.154.66
/mnt/amtm/skynet/lists/dyndns_ponmocup.ipset:54.161.222.85
/mnt/amtm/skynet/lists/dyndns_ponmocup.ipset:54.209.32.212
/mnt/amtm/skynet/lists/firehol_level3.netset:104.26.4.191
/mnt/amtm/skynet/lists/firehol_level2.netset:138.199.37.227
/mnt/amtm/skynet/lists/greensnow.ipset:138.199.37.227
/mnt/amtm/skynet/lists/firehol_level2.netset:169.150.247.34/31
/mnt/amtm/skynet/lists/greensnow.ipset:169.150.247.34
It is interesting that dyndns_ponmocup.ipset only has 45 entries and yet there are already 6 in your whitelist. That is over 10% false positives. I will consider removing this from my list.
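The allowlist cross-check discussed above, as an added example that is not part of the original thread and is not Skynet's own code: it reports which blocklist files would block each allowlisted address, matching CIDR ranges as well as exact IPs, which a plain text search over the list files misses. The list contents and the allowlist are constructed samples, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: file names mirror lists named in the thread, but the
# contents and the ALLOWLIST entries are chosen for illustration only.
BLOCKLISTS = {
    "dyndns_ponmocup.ipset": "# comment line\n3.18.7.81\n3.19.116.195\n",
    "firehol_level2.netset": "138.199.37.227\n169.150.247.34/31\n",
    "greensnow.ipset": "138.199.37.227\n169.150.247.34\n",
}
ALLOWLIST = ["3.18.7.81", "138.199.37.227", "169.150.247.35", "192.0.2.10"]


def parse_entries(text):
    """Yield ip_network objects from list text, skipping blanks, comments, junk."""
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            yield ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # malformed line: skip it rather than abort the whole check


def allowlist_hits(blocklists, allowlist):
    """Map each allowlisted address to the sorted list names that would block it."""
    parsed = {name: list(parse_entries(text)) for name, text in blocklists.items()}
    hits = defaultdict(list)
    for addr in allowlist:
        ip = ipaddress.ip_address(addr)
        for name, nets in parsed.items():
            if any(ip in net for net in nets):  # true for exact IPs and ranges
                hits[addr].append(name)
    return {addr: sorted(names) for addr, names in hits.items()}


def hit_rate(blocklists, allowlist):
    """Per list: (allowlisted addresses it blocks, total entries, ratio)."""
    hits = allowlist_hits(blocklists, allowlist)
    out = {}
    for name, text in blocklists.items():
        total = sum(1 for _ in parse_entries(text))
        blocked = sum(1 for names in hits.values() if name in names)
        out[name] = (blocked, total, blocked / total if total else 0.0)
    return out


if __name__ == "__main__":
    for addr, names in allowlist_hits(BLOCKLISTS, ALLOWLIST).items():
        print(addr, "->", ", ".join(names))
```

A list whose ratio from `hit_rate` is high relative to its size is a candidate for review or removal, which is the reasoning applied to dyndns_ponmocup.ipset in the post above.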
What link are you using? Your screenshot cuts off the full link.
@SomeWhereOverTheRainBow
Your list is now maxing out Skynet's capacity with 500000 entries. It's breaking Skynet.
Yep, I recommend using the filter link. My list is for a more robust "OS". It is interesting it "temporarily" worked with skynet. Thanks to skynet's hard limit it is best to use the regular filter.list and not the myfilter.list.
Which brings the ranges back to zero again….
(I’m using @SomeWhereOverTheRainBow’s “myfilter”, but I’m gonna try going back to “filter” now)
Interesting fact, the difference in size between now and the time it started working is 4000 entries. I suspect one of the services I use was temporarily unavailable, however is now available.
I switched to your regular “filter” list — everything is good. Thank you!! (As always)
I didn't realize skynet had a hard limit as such. It is my humble apologies. You get the benefit of using most of my lists by using the regular filter.list anyways. The main difference in my list is I have a couple of compressed ".gz" format lists I import in. Skynet doesn't support using .gz lists. One of my sources must have drastically grown overnight.
I hadn’t even noticed yet, so thanks @Ubimo!
Yep, the processing would have gotten interrupted. You would have been none the wiser because skynet does not incorporate diagnostics or give any warning about the processing failure.
Interesting (to my limited knowledge base at least) that exceeding 500K entries broke ranges. Is that by a similar logic to yesterday’s issues… the process got interrupted, so the rest never get loaded?
Who has a good whitelist?