What's new

Skynet Is default firewall good enough?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

The built-in firewall still drops all unsolicited inbound connections. If someone really wants to hurt you and knows how they will do it from a different IP not included in your updated once a day and publicly available community generated blocklists. The blocking show only gives you some sense of security.
 
The built-in firewall still drops all unsolicited inbound connections. If someone really wants to hurt you and knows how they will do it from a different IP not included in your updated once a day and publicly available community generated blocklists. The blocking show only gives you some sense of security.
Amen.
 
That Phillips-Hue looks like IoT blocking. I have Philips-Hue bridge on YazFi Guest one way Samsung TV. There were huge inbound/outbound blocked from my Samsung before
My hue constantly sends ntp requests to China for some reason, and for that reason is always at number 1 on skynet, i believe the ntp is hardcoded and even a divert doesn't fix it.
 
Hello,

for a few days I noticed that the numbers of the blocked IPs didn't change, despite the cron banmalware run correctly.

After some investigation on the script, I have made a little modify at parameters in the curl invocation that download the .ipset, .netset file based on urls provided in the filter.list.

and I have founded the error:

Code:
curl(6) could not resolve host

but the nslookup resolve the url correctly.

and another strage thigs is, if I run the statement outside script works correctly.

Anyone cuold help me in throbleshooting?

On the router i use the Merlin 388.2_alpha1-g0372e21e53 firmware

Regards
Commodoro
 

Attachments

  • Screenshot 2023-01-27 alle 17.42.35.jpg
    Screenshot 2023-01-27 alle 17.42.35.jpg
    78 KB · Views: 62
Hello,

for a few days I noticed that the numbers of the blocked IPs didn't change, despite the cron banmalware run correctly.

After some investigation on the script, I have made a little modify at parameters in the curl invocation that download the .ipset, .netset file based on urls provided in the filter.list.

and I have founded the error:

Code:
curl(6) could not resolve host

but the nslookup resolve the url correctly.

and another strage thigs is, if I run the statement outside script works correctly.

Anyone cuold help me in throbleshooting?

On the router i use the Merlin 388.2_alpha1-g0372e21e53 firmware

Regards
Commodoro
What is your entries for wan dns1 and wan dns2 on the wan settings page of your router webui?(because skynet relies on these entries to perform these services which are considered router side services).

What happens if you try to use command utility dig to resolve the same host?
 
Last edited:
hi @SomeWhereOverTheRainBow ,

thanks for replay, mine configurations of dns is

Screenshot 2023-01-28 alle 10.07.57.jpg


Screenshot 2023-01-28 alle 10.09.41.jpg


i have modified it in this direction, and now the curl command inside skynet script works correctly.

Screenshot 2023-01-28 alle 10.07.33.jpg


Screenshot 2023-01-28 alle 10.07.19.jpg


At this point I don't understand why in previous firmware the first configuration worked well.

With the first configuration the dig command report the following:

Screenshot 2023-01-28 alle 10.51.53.jpg


Regards
Commdoro
 
hi @SomeWhereOverTheRainBow ,

thanks for replay, mine configurations of dns is

View attachment 47533

View attachment 47534

i have modified it in this direction, and now the curl command inside skynet script works correctly.

View attachment 47535

View attachment 47537

At this point I don't understand why in previous firmware the first configuration worked well.

With the first configuration the dig command report the following:

View attachment 47536

Regards
Commdoro
I am assuming you had wan dns pointed at the routers address?

Expected behavior: the local router request attempts to use the encrypted upstream just like lan clients.

Actual behavior: local router dns resolution breaks, while lan client resolution remains functioning.
 
Hi @SomeWhereOverTheRainBow,

correct the DNS wan was pointing to the router itself.

Clear explanation, but is it a misconfiguration or misbehavior?

Also seen that by curl from the router's ssh the invocation worked with the pointing to the router itself.

Regards
Commodoro
 
Hi @SomeWhereOverTheRainBow,

correct the DNS wan was pointing to the router itself.

Clear explanation, but is it a misconfiguration or misbehavior?

Also seen that by curl from the router's ssh the invocation worked with the pointing to the router itself.

Regards
Commodoro
I believe it is a misbehavior. Probably caused by a chain of broken parts due to wan not being set to a "real" dns address. For example, maybe curl was using ssl to make the request which may have required the router clock to be set correctly. Maybe the router clock did not have the correct time due to wan dns not being set to an external DNS source. There are many variables at stake when WAN DNS is not set to an external source simply because the router requires WAN DNS access before the router himself can effectively serve as a DNS server during the boot process. This creates a race condition that breaks functionality for numerous router services. You are only just seeing the consequences when curl decides not to work.

In the boot process, the routers local services make request for DNS access way before the routers DNSMASQ instance is available. The routers local services utilize the entries in resolv.conf. When you modify the WAN DNS addresses, it changes what dns servers are used in resolv.conf. By setting the WAN dns to point at the router, you are telling the router services to use the router as DNS. Typically, these services will not wait around for the routers DNSMASQ instance to start. You will find other services not working correctly, such as ntp service. The routers clock wont sync properly. No telling what other services break behind the scenes.
 
No... actually you need to switch to a different filter list in order to use this... under 3 -> 2

And then insert this URL:

Code:
https://raw.githubusercontent.com/ViktorJp/Skynet/main/filter.list

(or one of your own choosing/making)

Hi @Viktor Jaep

would you mind to ad the following lists to your?
I would appreciate it.

regards







I will not use @laracroftonline s because of the domain where the list is from. I see if i check the homepage that it is a page hosted in russia.

 
Hi @Viktor Jaep

would you mind to ad the following lists to your?
I would appreciate it.

regards







I will not use @laracroftonline s because of the domain where the list is from. I see if i check the homepage that it is a page hosted in russia.

The domain is my own domain so it's safe to use. But i can upload it on github too if you want.
 
Hi @Viktor Jaep

would you mind to ad the following lists to your?
I would appreciate it.

I'm utilizing diversion, which I hope contains many/most of these Adblock IPs

This list calls many random sources... I try to keep them from one source if at all possible, and calling many of these directly from firehol itself.

I opted not to use 1.txt and 2.txt due to many false positives, and opted to use 3 through 7 instead. I figure, if they're on at least 3 blacklists or more, then its getting pretty legit that it needs to be blacklisted.

This one is not functional
I already had this one on my list...

:)
 
I opted not to use 1.txt and 2.txt due to many false positives, and opted to use 3 through 7 instead. I figure, if they're on at least 3 blacklists or more, then its getting pretty legit that it needs to be blacklisted.


:)
Question on this list. I am too lazy to go through the list to verify.
I have the impression that those in list 4-7 should be covered in list 3. Say, in at least 4 blacklists should also meet the criteria in at least 3 blacklists right? If this is the case, perhaps just 3.txt will do as it already covers everything in 4-7.txt.
 
Last edited:

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top