What's new

Skynet Is default firewall good enough?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

That means there is a list some where in there breaking things. A list that has a nonreal ipv4 address most likely. As I mentioned before, skynet has no actual protection against this. So, it will most likely fail the moment a list has a none real ip address. What I mean by a non-real ipv4 address is an address the is out side the range of real addresses. Skynet could fix this issue by strengthening its ipv4 grep regexp.
Right. I just thought you’d want to know. But if it’s not helpful to post this, I’m happy to follow your lead. Just say the word.

(My only real interest here has to do with country bans. You had mentioned that they won’t load in scenarios such as this …)
 
Right. I just thought you’d want to know. But if it’s not helpful to post this, I’m happy to follow your lead. Just say the word.

(My only real interest here has to do with country bans. You had mentioned that they won’t load in scenarios such as this …)
Yea so I am glad you mentioned it. I don't really have control over when a list decides to use a fake ip. I can remove the list from my filter list, but the real change needs to come from the developer of skynet because this can happen to anybody using any list of filters. Skynet should use a better regexp such that non real ip addresses is filtered out. This is completely doable.
 
OK... so I put together a little script that validates your filter entries, and determines if there's a bad IP on one of these lists...

1678036483963.png


Filter Validator tests the IPv4 addresses (and IPv6 if present) on a given filter list that are to be used with the Skynet Firewall on Asus-Merlin Firmware in order to block incoming/outgoing IPs. This script arose out of the need to determine exactly which blacklist URL contained an invalid IP that was causing our Skynet firewalls to fail importing the correct IP sets due to an invalid IP somewhere on these lists.

If there's an issue with an IP on any of these lists, you'll see something like this:

1678037095395.png


Usage Guide​

Execute the script as such: sh filtervalidator.sh

Upon execution, it will ask for a valid URL to the specified filter list to be tested. For example, here is a valid filter list URL that will be used if you press enter: https://raw.githubusercontent.com/ViktorJp/Skynet/main/filter.list

NOTE: Should any list come back with any invalid IP entries (marked in Red), it would be advisable to #COMMENT out the offending entry in your filter list in order to get Skynet back in working condition, or get in touch with the entity that takes care of the list in order to correct their mistake.


Download​

Code:
curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/FilterValidator/master/filtervalidator.sh" -o "/jffs/scripts/filtervalidator.sh" && chmod a+rx "/jffs/scripts/filtervalidator.sh"
 
Last edited:
OK... so I put together a little script that validates your filter entries, and determines if there's a bad IP on one of these lists...

View attachment 48318

Filter Validator tests the IPv4 addresses (and IPv6 if present) on a given filter list that are to be used with the Skynet Firewall on Asus-Merlin Firmware in order to block incoming/outgoing IPs. This script arose out of the need to determine exactly which blacklist URL contained an invalid IP that was causing our Skynet firewalls fail importing the correct IP sets due to an invalid IP somewhere on these lists.

If there's an issue with an IP on any of these lists, you'll see something like this:

View attachment 48319

Usage Guide​

Execute the script as such: sh filtervalidator.sh

Upon execution, it will ask for a valid URL to the specified filter list to be tested. For example, here is a valid filter list URL that will be used if you press enter: https://raw.githubusercontent.com/ViktorJp/Skynet/main/filter.list

NOTE: Should any list come back with any invalid IP entries (marked in Red), it would be advisable to #COMMENT out the offending entry in your filter list in order to get Skynet back in working condition, or get in touch with the entity that takes care of the list in order to correct their mistake.


Download​

Code:
curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/FilterValidator/master/filtervalidator.sh" -o "/jffs/scripts/filtervalidator.sh" && chmod a+rx "/jffs/scripts/filtervalidator.sh"
Oh, and just as a caveat... regex is my kryptonite, and I can't be quite sure if this will work to really nip everything in the bud... so @SomeWhereOverTheRainBow, knowing you're a wizard at this stuff -- if you want to collaborate on this to make it more effective, I would be happy to pitch in to help. ;)
 
Y’all are the best !!!
Yea so I am glad you mentioned it. I don't really have control over when a list decides to use a fake ip. I can remove the list from my filter list, but the real change needs to come from the developer of skynet because this can happen to anybody using any list of filters. Skynet should use a better regexp such that non real ip addresses is filtered out. This is completely doable.
OK... so I put together a little script that validates your filter entries, and determines if there's a bad IP on one of these lists...

View attachment 48318

Filter Validator tests the IPv4 addresses (and IPv6 if present) on a given filter list that are to be used with the Skynet Firewall on Asus-Merlin Firmware in order to block incoming/outgoing IPs. This script arose out of the need to determine exactly which blacklist URL contained an invalid IP that was causing our Skynet firewalls to fail importing the correct IP sets due to an invalid IP somewhere on these lists.

If there's an issue with an IP on any of these lists, you'll see something like this:

View attachment 48319

Usage Guide​

Execute the script as such: sh filtervalidator.sh

Upon execution, it will ask for a valid URL to the specified filter list to be tested. For example, here is a valid filter list URL that will be used if you press enter: https://raw.githubusercontent.com/ViktorJp/Skynet/main/filter.list

NOTE: Should any list come back with any invalid IP entries (marked in Red), it would be advisable to #COMMENT out the offending entry in your filter list in order to get Skynet back in working condition, or get in touch with the entity that takes care of the list in order to correct their mistake.


Download​

Code:
curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/FilterValidator/master/filtervalidator.sh" -o "/jffs/scripts/filtervalidator.sh" && chmod a+rx "/jffs/scripts/filtervalidator.sh"
 
Oh, and just as a caveat... regex is my kryptonite, and I can't be quite sure if this will work to really nip everything in the bud... so @SomeWhereOverTheRainBow, knowing you're a wizard at this stuff -- if you want to collaborate on this to make it more effective, I would be happy to pitch in to help. ;)
It looks good, but ipv6 can be abit trickier because you have valid expanded addresses and valid unexpanded addresses as well. So what I do is I have a function that expands all ipv6 before attempting to validate. But your validation script should particularly only be used for ipv4 since skynet doesn't work with ipv6. I will not really be able to look at this till I am back from my work trip, but this will only pull all real ipv4 addresses from a list @Viktor Jaep

grep -E '^(((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$'

This will give all invalid ipv4 if you modify the pipe for ipv4 in your script @Viktor Jaep

grep -vE '^(((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$'

E.g.

Code:
ipresults=$(curl --silent --retry 3 --request GET --url $blacklisturl | grep "^[^#;]" | grep "\s*$" | grep -vE '^(((((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)|(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?))$')
 
Last edited:
It looks good, but ipv6 can be abit trickier because you have valid expanded addresses and valid unexpanded addresses as well. So what I do is I have a function that expands all ipv6 before attempting to validate. But your validation script should particularly only be used for ipv4 since skynet doesn't work with ipv6. I will not really be able to look at this till I am back from my work trip, but this will only pull all real ipv4 addresses from a list @Viktor Jaep

grep -E '^(((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$'

This will give all invalid ipv4 if you modify the pipe for ipv4 in your script @Viktor Jaep

grep -vE '^(((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$'
Thanks @SomeWhereOverTheRainBow! I think the IPv4 stuff is working OK, but I will check this against what I've got... The whole reason I threw the IPv6 regex in there was to validate valid IPs because one of the lists (https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst) contains both IPv4 and IPv6... and having only the IPv4 regex in there was causing it to error. Since I didn't have a way to filter this out, at least I wanted to check to make sure these addresses were valid so they wouldn't error out... and the other crazy thing I was trying to do was validate both IPv4 and v6 in the same statement. LOL.
 
For your case @Viktor Jaep

Code:
ipresults=$(curl --silent --retry 3 --request GET --url $blacklisturl | grep "^[^#;]" | grep "\s*$" | grep -vE '^((((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)|(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?))$')

This should handle both ipv4 and ipv6.

I had to edit because there were too many of these ()
 
Last edited:
For your case @Viktor Jaep

Code:
ipresults=$(curl --silent --retry 3 --request GET --url $blacklisturl | grep "^[^#;]" | grep "\s*$" | grep -vE '^(((((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)|(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?))$')

This should handle both ipv4 and ipv6.
Wut!! I'll check it out and let you know!
 
Moved this discussion on the Skynet Filter Validator over to:

 
grep -E '^(((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$'

This will give all invalid ipv4 if you modify the pipe for ipv4 in your script @Viktor Jaep

grep -vE '^(((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$'

If you're also seeking to minimize the workload on the Regular Expression Engine, you could streamline the regex for the last part of the CIDR notation.

FROM:
Bash:
(\/(1?[0-9]|2?[0-9]|3?[0-2]))
TO:
Bash:
(\/(1?[0-9]|2[0-9]|3[0-2]))

The question marks in "|2?[0-9]" and "|3?[0-9]" are not needed because the 1st part of the regex ("1?[0-9]I") already includes the possibility of single-digit entries. The simpler regex is a little more efficient because it results in fewer pattern-matching parsing rules. Yes, under "normal conditions" the improvement would be insignificant, but when the script starts parsing many hundreds of thousands or millions of IP addresses every bit helps, IMO.

Just my 2 cents.
 
Why is the IP adress red? The AC86U is behind a Starlink router. It does not block anything.

Screenshot_20230306_162135_JuiceSSH.jpg
 
Last edited:
Thanks, but Starlink router is in bypass mode.
The IP Address in red should be the same as the one that the ISP gives or assigns for your Modem.
If you changed something on your end then look at that. (post #375: Isn’t that a private IP address?)
How does that IP Address compare to the one assigned by Starlink?

Also, Skynet has been updated to 7.3.6 : https://github.com/Adamm00/IPSet_ASUS
 
The function that identifies whether an IP address is private or not is as follows


which includes as private IPs even those that start with 100
Now I'm no expert on IP addressing but I know the following ranges as private IPs

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
169.254.0.0 - 169.254.255.255 (169.254/16 prefix linklocal)

and the local host 127.0.0.1
 
Last edited:
The function that identifies whether an IP address is private or not is as follows


which includes as private IPs even those that start with 100
Now I'm no expert on IP addressing but I know the following ranges as private IPs

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Starlink does things a bit differently:


See Hacks section: https://hackaday.com/2021/05/24/starlink-a-review-and-some-hacks/






Do I get a public IP address with Starlink? Not at this time. Starlink uses Carrier Grade Network Address Translation ( CGNAT ). This is the same technology used by cellular carriers and commonly uses an IP in the 100.64.0.0/10 range.
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top