Quick question: last feb 5 i have 300+ added ips on my blocklist now when i check today it show only this. any idea?
i used this filter list:
thanks in advance
i used this filter list:
thanks in advance
Skynet Is default firewall good enough?
- Thread starter BreakingDad
- Start date
Viktor Jaep
Part of the Furniture
Most likely a bad list reference in this filter list causing it to bomb out. Feel free to use my list (https://raw.githubusercontent.com/ViktorJp/Skynet/main/filter.list) or @SomeWhereOverTheRainBow's lists.
In this case, that entry only exists in this particular list. I am not sure if I can trust a list that has not been updated by it’s maintainer for so long. There may be still legitimate address in the list but I prefer the maintainer to update it even though there is no changes.
For example dshield, the description is last three days. But it has not been updated for over 2 months. I don’t feel comfortable blocking 20 class C subnet just like that. I may not access any of the IP but at the same time I don’t want to use a list that may contains false entry due to lack of update.
I have moved to local path and removed all lists that are not updated for over a week.
dshield_1d by DShield.org
DShield.org top 20 attacking class C (/24) subnets over the last three days
Last edited:
SomeWhereOverTheRainBow
Part of the Furniture
With that being said are you also going to also remove any of the lists that supposedly contain dshield?
eg.
They are pulling from sources that haven't been up dated in over a week. Ergo they must be bad as well.
Last edited:
You are right. They seems to cross reference everywhere.
I am not saying they are bad. What I am saying is there is a higher chance that it may contain false positive if it is not updated periodically. I have experience few occurrences of false positive. My personal choice is to exclude those list.
SomeWhereOverTheRainBow
Part of the Furniture
The reality with community provided blocklists is, you never know when there will be a false positive.
What I do is, I build an allowlist off of common false positives. This allows me to hopefully avoid a good majority of the false positive scenario.
Last edited:
With the local path after removal of some of those "old list", a few of my false positive are gone. In a way, a less but updated list helps.
I just check my false positive records are in your whitelist. So this is another approach to do it.
I gone through your list 18k whitelist, and only got 9 entry hit my Skynet-Blacklist. And I still have 155225 IPs (+0) -- 3190 Ranges Banned (+0) in blocklist.
With a more aggressive lists, I wonder how many hit do you get.
Code:
/mnt/amtm/skynet/lists/dyndns_ponmocup.ipset:3.18.7.81
/mnt/amtm/skynet/lists/dyndns_ponmocup.ipset:3.19.116.195
/mnt/amtm/skynet/lists/dyndns_ponmocup.ipset:3.130.204.160
/mnt/amtm/skynet/lists/dyndns_ponmocup.ipset:18.119.154.66
/mnt/amtm/skynet/lists/dyndns_ponmocup.ipset:54.161.222.85
/mnt/amtm/skynet/lists/dyndns_ponmocup.ipset:54.209.32.212
/mnt/amtm/skynet/lists/firehol_level3.netset:104.26.4.191
/mnt/amtm/skynet/lists/firehol_level2.netset:138.199.37.227
/mnt/amtm/skynet/lists/greensnow.ipset:138.199.37.227
/mnt/amtm/skynet/lists/firehol_level2.netset:169.150.247.34/31
/mnt/amtm/skynet/lists/greensnow.ipset:169.150.247.34It is intersting that dyndns_ponmocup.ipset only has 45 entry and yet there are already 6 in your whitelist. That is over 10% of false positive. I will consider to remove this in my list.
SomeWhereOverTheRainBow
Part of the Furniture
While I can see some legitimate entries being false positives when trying to access them from your out bound traffic, I still wonder how many of these false positives would have a legitimate reason for accessing your network from inbound traffic. For example, why would they need to access a port you have open on your router unless it is a service you know should be accessing that port. In that regard, what may be considered a false positive on the outbound, may not necessarily be a false positive on the inbound.
@SomeWhereOverTheRainBow
Your list is now maxing out Skynets capacity with 500000 entries. It's breaking Skynet.
Your list is now maxing out Skynets capacity with 500000 entries. It's breaking Skynet.
Attachments
SomeWhereOverTheRainBow
Part of the Furniture
What link are you using, your screenshot cuts off the full link.
Are you using
?
Or you can try
The link in your screenshit looks like it has a "t" as part of the filter name. I cannot tell because the terminal wraps the text. I recommend using the first link with skynet.
Last edited:
Which brings the ranges back to zero again….
(I’m using @SomeWhereOverTheRainBow ’s “myfilter”, but I’m gonna try going back to “filter” now)
SomeWhereOverTheRainBow
Part of the Furniture
Yep I recommend using the filter link. My list is for a more robust "OS". It is interesting it "temporarily" worked with skynet. Thanks to skynets hard limit it is best to use the regular filter.list and not the myfilter.list.
Last edited:
SomeWhereOverTheRainBow
Part of the Furniture
Interesting fact, the difference in size between now and the time it started working is 4000 entries. I suspect one of the services I use was temporarily unavailable, however is now available.
I switched to your regular “filter” list — everything is good. Thank you!! (As always)
SomeWhereOverTheRainBow
Part of the Furniture
I didn't realize skynet had a hard limit as such. It is my humble apologies. You get the benefit of using most of my lists by using the regular filter.list anyways. The main difference in my list is I have a couple of compressed ".gz" format lists I import in. Skynet doesn't support using .gz lists. One of my sources must have drastically grown over night.
I hadn’t even noticed yet , so thanks @Ubimo !
interesting (to my limited knowledge base at least) that exceeding 500K entries broke ranges. Is that by a similar logic to yesterday’s issues… the process got interrupted, so the rest never get loaded?
SomeWhereOverTheRainBow
Part of the Furniture
Yep the processing would have gotten interrupted. You would have been none the wiser because skynet does not incorporate diagnostics or give any warning about the processing failure.
laracroftonline
Regular Contributor
I have deleted my lists and went with @SomeWhereOverTheRainBow his list.
Last edited:
laracroftonline
Regular Contributor
Who has a good whitelist?
SomeWhereOverTheRainBow
Part of the Furniture
You might not be able to import it because I think it is too big.
Similar threads
Similar threads
-
scMerlin Is this feature enabled by default in scMerlin?
- Started by lenovomen
- Replies: 2
-
Unbound Use unbound/router as default DNS server
- Started by BeachGuy
- Replies: 2
-
Skynet I have installed the skynet firewall how do I configure it if the security of iot devices is important?
- Started by lenovomen
- Replies: 2
-
-
Skynet SkyNet/Firewall blocking all ping requests, including outbound
- Started by nearlyheadlessarvie
- Replies: 6
-
