Skynet Is default firewall good enough?


Quick question: on Feb 5 I had 300+ added IPs on my blocklist; now when I check today it shows only this. Any idea?

I used this filter list:
Thanks in advance.
 
Most likely a bad list reference in this filter list causing it to bomb out. Feel free to use my list (https://raw.githubusercontent.com/ViktorJp/Skynet/main/filter.list) or @SomeWhereOverTheRainBow's lists.
 
Two questions I would ask myself in this type of situation are "do you believe there are other legitimate blocks coming from the list?" and "do any of your other lists also include the entries present in this list?" Also, keep in mind the nature and purpose of the list you are referencing.


If these are IP addresses resolved from DNS hostnames, I suspect those IP addresses would not change that much depending on how often new DNS hostnames get added to that list. It may turn out that those DNS hostnames may not change very often.

You have to first ask yourself "Is that DNS hostname list still being maintained?" I suspect the answer is yes, but it doesn't change that often.

In this case, that entry only exists in this particular list. I am not sure if I can trust a list that has not been updated by its maintainer for so long. There may still be legitimate addresses in the list, but I prefer the maintainer to update it even when there are no changes.


For example dshield: the description says "last three days", but it has not been updated for over 2 months. I don't feel comfortable blocking 20 class C subnets just like that. I may never access any of those IPs, but at the same time I don't want to use a list that may contain false entries due to lack of updates.
I have moved to a local path and removed all lists that have not been updated for over a week.

dshield_1d by DShield.org

DShield.org top 20 attacking class C (/24) subnets over the last three days
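A small check for the "not updated for over a week" rule above, as an added example that is not Skynet's own code and not posted by anyone in this thread. It reads the Last-Modified header out of a HEAD response (for instance the output of `curl -sI <url>`), computes the age against a reference time and classifies each source as fresh, stale or unknown; when a server sends no Last-Modified header it falls back to the mtime of the last local download if one is supplied. The header text, list names and reference date are constructed samples.

```python
"""Flag blocklist sources that have not been refreshed within a threshold.

Added example, not Skynet's own code. The 7-day rule is the one used in
the post above; the HEAD responses below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

STALE_AFTER = timedelta(days=7)

# Constructed reference time (the "today" of the check).
NOW = datetime(2023, 2, 16, 12, 0, tzinfo=timezone.utc)

# Constructed sample HEAD responses, keyed by a hypothetical list name.
SAMPLE_HEADERS = {
    "dshield_1d": (
        "HTTP/1.1 200 OK\r\n"
        "Last-Modified: Fri, 09 Dec 2022 10:00:00 GMT\r\n"
        "Content-Type: text/plain\r\n\r\n"
    ),
    "greensnow": (
        "HTTP/1.1 200 OK\r\n"
        "Last-Modified: Thu, 16 Feb 2023 06:30:00 GMT\r\n\r\n"
    ),
    # Some servers send no Last-Modified at all; that case must not be
    # reported as "fresh" just because nothing could be measured.
    "no_header_list": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n",
}


def last_modified(raw_headers):
    """Return the Last-Modified timestamp (tz-aware) or None if absent."""
    for line in raw_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "last-modified":
            return parsedate_to_datetime(value.strip())
    return None


def list_age(raw_headers, now, local_mtime=None):
    """Age of a list as a timedelta.

    Prefers the server's Last-Modified; falls back to the mtime of the last
    local download (a tz-aware datetime) when the header is missing;
    returns None when neither is known.
    """
    stamp = last_modified(raw_headers) or local_mtime
    if stamp is None:
        return None
    return now - stamp


def audit(headers_by_name, now, local_mtimes=None, stale_after=STALE_AFTER):
    """Classify every list as 'fresh', 'stale' or 'unknown'."""
    local_mtimes = local_mtimes or {}
    verdicts = {}
    for name, raw in headers_by_name.items():
        age = list_age(raw, now, local_mtimes.get(name))
        if age is None:
            verdicts[name] = "unknown"
        elif age > stale_after:
            verdicts[name] = "stale"
        else:
            verdicts[name] = "fresh"
    return verdicts


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_HEADERS, NOW).items():
        age = list_age(SAMPLE_HEADERS[name], NOW)
        days = "n/a" if age is None else f"{age.days}d"
        print(f"{name:16s} {verdict:8s} age={days}")
```

In real use, feed each source's `curl -sI` output to `audit` with `datetime.now(timezone.utc)` as the reference and, for the fallback, `datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)` of the file Skynet last downloaded. "Unknown" is reported separately on purpose: a source that cannot be dated deserves a manual look rather than a silent pass.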
 
With that being said, are you also going to remove any of the lists that supposedly contain dshield?

e.g. (screenshot attached)

They are pulling from sources that haven't been updated in over a week. Ergo they must be bad as well.
 
You are right. They seem to cross-reference everywhere.
I am not saying they are bad. What I am saying is there is a higher chance that a list may contain false positives if it is not updated periodically. I have experienced a few occurrences of false positives. My personal choice is to exclude those lists.
 
The reality with community provided blocklists is, you never know when there will be a false positive.

What I do is build an allowlist off of common false positives. This allows me to hopefully avoid a good majority of the false positive scenarios.

 

With the local path, after removal of some of those "old lists", a few of my false positives are gone. In a way, a smaller but updated list helps.
I just checked; my false positive records are in your whitelist. So this is another approach to do it.

I went through your 18k whitelist, and only got 9 entries hitting my Skynet-Blacklist. And I still have 155225 IPs (+0) -- 3190 Ranges Banned (+0) in the blocklist.
With more aggressive lists, I wonder how many hits you get.
Code:
/mnt/amtm/skynet/lists/dyndns_ponmocup.ipset:3.18.7.81
/mnt/amtm/skynet/lists/dyndns_ponmocup.ipset:3.19.116.195
/mnt/amtm/skynet/lists/dyndns_ponmocup.ipset:3.130.204.160
/mnt/amtm/skynet/lists/dyndns_ponmocup.ipset:18.119.154.66
/mnt/amtm/skynet/lists/dyndns_ponmocup.ipset:54.161.222.85
/mnt/amtm/skynet/lists/dyndns_ponmocup.ipset:54.209.32.212
/mnt/amtm/skynet/lists/firehol_level3.netset:104.26.4.191
/mnt/amtm/skynet/lists/firehol_level2.netset:138.199.37.227
/mnt/amtm/skynet/lists/greensnow.ipset:138.199.37.227
/mnt/amtm/skynet/lists/firehol_level2.netset:169.150.247.34/31
/mnt/amtm/skynet/lists/greensnow.ipset:169.150.247.34

It is interesting that dyndns_ponmocup.ipset only has 45 entries and yet 6 of them are already in your whitelist. That is over 10% false positives. I will consider removing this from my list.
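A CIDR-aware version of the cross-check above, as an added example that is not code from Skynet or from anyone in this thread. A plain text match over the list files (which is what the `file:entry` output above comes from) misses an allowlisted address that sits inside a blocklisted range and can match on a longer address that merely contains the shorter one as text, so this version parses every entry with Python's `ipaddress` module and tests containment, then reports per-list hit ratios like the 6-of-45 figure just mentioned. The list bodies, allowlist addresses and file paths (which only mirror the `/mnt/amtm/skynet/lists` layout shown above) are constructed samples.

```python
"""Cross-reference an allowlist against Skynet-style .ipset/.netset files.

Added example, not Skynet's own code. Matching is by CIDR containment,
not text. All list contents below are constructed samples.
"""
import ipaddress

# Constructed sample blocklist files: path -> file body.
SAMPLE_LISTS = {
    "/mnt/amtm/skynet/lists/greensnow.ipset":
        "# constructed sample\n138.199.37.227\n169.150.247.34\n203.0.113.9\n",
    "/mnt/amtm/skynet/lists/firehol_level2.netset":
        "169.150.247.34/31\n198.51.100.0/24\n",
    "/mnt/amtm/skynet/lists/dyndns_ponmocup.ipset":
        "3.18.7.81\n13.18.7.81\n",
}

# Constructed sample allowlist (single IPs; CIDR entries work as well).
SAMPLE_ALLOWLIST = [
    "3.18.7.81", "138.199.37.227", "169.150.247.35", "198.51.100.77", "192.0.2.1",
]


def parse_list(body):
    """Return [(raw_entry, ip_network)] for one list body.
    Blank lines, comments and entries that do not parse are skipped."""
    entries = []
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            entries.append((line, ipaddress.ip_network(line, strict=False)))
        except ValueError:
            continue
    return entries


def cross_reference(lists, allowlist):
    """(allow_entry, list_path, blocklist_entry) for every allowlist entry
    that is contained in a blocklist entry (a /32 inside a /24 is a hit)."""
    allowed = [(a, ipaddress.ip_network(a, strict=False)) for a in allowlist]
    hits = []
    for path, body in lists.items():
        for raw, net in parse_list(body):
            for a_raw, a_net in allowed:
                # subnet_of raises on mixed IPv4/IPv6, so check the version first
                if a_net.version == net.version and a_net.subnet_of(net):
                    hits.append((a_raw, path, raw))
    return hits


def substring_hits(lists, allowlist):
    """The text-match equivalent (what a fixed-string grep reports),
    kept only to show where it diverges from CIDR matching."""
    hits = []
    for path, body in lists.items():
        for raw, _ in parse_list(body):
            for a in allowlist:
                if a in raw:
                    hits.append((a, path, raw))
    return hits


def hit_ratio(lists, hits):
    """Per list: (allowlisted_hits, total_entries), so a list that mostly
    blocks addresses you allow stands out."""
    counts = {path: [0, len(parse_list(body))] for path, body in lists.items()}
    for _, path, _ in hits:
        counts[path][0] += 1
    return {path: tuple(v) for path, v in counts.items()}


if __name__ == "__main__":
    hits = cross_reference(SAMPLE_LISTS, SAMPLE_ALLOWLIST)
    for allow, path, raw in hits:
        print(f"{path}:{raw}   (allowlisted {allow})")
    for path, (n_hits, n_entries) in hit_ratio(SAMPLE_LISTS, hits).items():
        print(f"{n_hits}/{n_entries} entries allowlisted in {path}")
```

On the sample data the CIDR check finds four hits and the text match three, and the two sets differ in both directions: the text match reports `13.18.7.81` against the allowlisted `3.18.7.81` while missing `169.150.247.35` inside `169.150.247.34/31` and `198.51.100.77` inside `198.51.100.0/24`. Run it against real files by reading each path into the dictionary in place of the sample bodies.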
 
While I can see some legitimate entries being false positives when trying to access them from your outbound traffic, I still wonder how many of these false positives would have a legitimate reason for accessing your network from inbound traffic. For example, why would they need to access a port you have open on your router unless it is a service you know should be accessing that port? In that regard, what may be considered a false positive on the outbound may not necessarily be a false positive on the inbound.
 

@SomeWhereOverTheRainBow
Your list is now maxing out Skynet's capacity with 500000 entries. It's breaking Skynet.
What link are you using, your screenshot cuts off the full link.

Are you using


?

Or you can try


The link in your screenshot looks like it has a "t" as part of the filter name. I cannot tell because the terminal wraps the text. I recommend using the first link with Skynet.
 
Which brings the ranges back to zero again….

(I’m using @SomeWhereOverTheRainBow ’s “myfilter”, but I’m gonna try going back to “filter” now)
Yep, I recommend using the filter link. My list is for a more robust "OS". It is interesting it "temporarily" worked with Skynet. Thanks to Skynet's hard limit it is best to use the regular filter.list and not the myfilter.list.
 
I switched to your regular “filter” list — everything is good. Thank you!! (As always)
I didn't realize Skynet had a hard limit as such. My humble apologies. You get the benefit of using most of my lists by using the regular filter.list anyway. The main difference in my list is I have a couple of compressed ".gz" format lists I import in. Skynet doesn't support using .gz lists. One of my sources must have drastically grown overnight.
 
I hadn’t even noticed yet, so thanks @Ubimo !

Interesting (to my limited knowledge base at least) that exceeding 500K entries broke ranges. Is that by a similar logic to yesterday’s issues… the process got interrupted, so the rest never got loaded?
 
Yep the processing would have gotten interrupted. You would have been none the wiser because skynet does not incorporate diagnostics or give any warning about the processing failure.
 
Who has a good whitelist?
 
