What's new

Skynet Is default firewall good enough?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Question on this list. I am too lazy to go through the list to verify.
I have the impression that those in list 4-7 should be covered in list 3. Say, in at least 4 blacklists should also meet the criteria in at least 3 blacklists right? If this is the case, perhaps just 3.txt will do as it already covers everything in 4-7.txt.
Not necessarily... the 1.txt is 2.3mb... and as you go down to 8.txt, its down to 149 lines.
 
Does it make sense to install Skynet Firewall if my Fritzbox 6850 5G Modem with an public IPv4 is not providing a public IPv4 for the ASUS RT-AX86S router?

I don't think so but correct me if i am wrong.
 
Not necessarily... the 1.txt is 2.3mb... and as you go down to 8.txt, its down to 149 lines.

I read the description again.
Quote:
“IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses.
…snipped…
In directory levels you can find preprocessed raw IP lists based on number of blacklist occurrences (e.g. levels/3.txt holds IP addresses that can be found on 3 or more blacklists).”

To be in 8.txt, the ip must exists in 8 or more of the total 30+ reference blacklists.
To be in 7.txt, the ip must exists in 7 or more of his reference lists. ip that exists 8 times also qualify here. This means everything in 8.txt is included in 7.txt.
It is correct that the size of 1.txt > 2.txt > 3.txt > … > 8.txt
 
I read the description again.
Quote:
“IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses.
…snipped…
In directory levels you can find preprocessed raw IP lists based on number of blacklist occurrences (e.g. levels/3.txt holds IP addresses that can be found on 3 or more blacklists).”

To be in 8.txt, the ip must exists in 8 or more of the total 30+ reference blacklists.
To be in 7.txt, the ip must exists in 7 or more of his reference lists. ip that exists 8 times also qualify here. This means everything in 8.txt is included in 7.txt.
It is correct that the size of 1.txt > 2.txt > 3.txt > … > 8.txt
So your logic was correct on this, @chongnt ... I cross-referenced entries from list 8.txt, and they were all contained within 3.txt. I've adjusted my filter list accordingly to prevent skynet from having to download and process dupes, which should save a few seconds on processing time. ;) Thanks again!
 
Does it make sense to install Skynet Firewall if my Fritzbox 6850 5G Modem with an public IPv4 is not providing a public IPv4 for the ASUS RT-AX86S router?

I don't think so but correct me if i am wrong.
You could install it and have it block Outbound traffic only.
 
So your logic was correct on this, @chongnt ... I cross-referenced entries from list 8.txt, and they were all contained within 3.txt. I've adjusted my filter list accordingly to prevent skynet from having to download and process dupes, which should save a few seconds on processing time. ;) Thanks again!
Thanks @Viktor Jaep help on cross-reference the entries.
The other day I could not find a good way to compare the files. Just found a way to do it with grep, it looks for all lines in the second file that does not match any line in the first file.
Code:
admin@RT-AC86U-DBA8:/tmp/mnt/amtm/skynet/lists# wc -l 3.txt
17733 3.txt
admin@RT-AC86U-DBA8:/tmp/mnt/amtm/skynet/lists# wc -l 4.txt
8742 4.txt
admin@RT-AC86U-DBA8:/tmp/mnt/amtm/skynet/lists# grep -vxFf 3.txt 4.txt | wc -l
0
admin@RT-AC86U-DBA8:/tmp/mnt/amtm/skynet/lists# grep -vxFf 4.txt 3.txt | wc -l
8991
admin@RT-AC86U-DBA8:/tmp/mnt/amtm/skynet/lists#
 

Attachments

  • Unbenannt.png
    Unbenannt.png
    16 KB · Views: 41
Last edited:
When I want to use @SomeWhereOverTheRainBow s custom filter list, I get 0 banned IPs:
Any suggestions why this is happening?

It was working good, before I tried some other lists mentioned above.
Then I decided to switch back to @SomeWhereOverTheRainBow s list, but it's not loading IPs...
I finished updating it.


If you are feeling impowered you could also try my generated filter.


I curate my own list from those same sources every night.
 
@SomeWhereOverTheRainBow
Thanks, but Skynet says, your first link still has 0 IPs.
The second link does have ~ 300.000 IPs, but no ranges.
 

Attachments

  • 1.png
    1.png
    13.3 KB · Views: 42
  • 2.png
    2.png
    13.5 KB · Views: 40
Thanks @SomeWhereOverTheRainBow and everyone for your contributions on these blocklists.
Figured I'd mention a few oddities I noticed when checking some of the individual filters:

** I _think_ Skynet can digest these properly. Unsure on the >><< characters. **
193.163.125.0 193.163.125.218 24 2638 CYBER-CASA GB >>UNKNOWN<<
167.94.146.0 167.94.146.20 24 2368 CENSYS-ARIN-02 US None
167.94.145.0 167.94.145.24 24 2329 CENSYS-ARIN-02 US None
185.81.68.0 185.81.68.102 24 2043 SELECTEL-MSK RU abuse@selectel.ru
185.224.128.0 185.224.128.17 24 2036 SPECTRAIP SpectraIP B.V. NL abuse@spectraip.net

** These use CIDR notation and contain a semi-colon, which is apparently unsupported by Skynet **
216.250.16.0/20 ; SBL530358
220.154.0.0/16 ; SBL234221
223.169.0.0/16 ; SBL208009
223.173.0.0/16 ; SBL204954
223.254.0.0/16 ; SBL212803

** curl produces no results, however a web browser properly redirects to this S3 bucket which contains the list of IP's **
 
@SomeWhereOverTheRainBow
Thanks, but Skynet says, your first link still has 0 IPs.
The second link does have ~ 300.000 IPs, but no ranges.
try it now, i updated it again:


I removed all incompatible lists from skynet filter list.

Weird there are no ranges from the my list. I see the subnet indicators on some of my addresses. I believe it is because skynet (or iptables) is having trouble processing that long of a list. If it was successfully processed it would be closer to 400,000 ips including ranges.
@Ubimo
I implemented a new sort technique to make sure the ip were in an understandable order:

 
Last edited:
BTW curl works fine on the last link

Code:
curl -fsSL https://www.talosintelligence.com/documents/ip-blacklist

Code:
46.101.197.155
167.114.238.104
45.55.178.34
103.214.54.82
94.26.2.74
64.137.206.52
5.196.58.96
163.172.143.114
178.239.167.15
185.128.40.220
192.151.155.130
85.207.155.39
181.143.253.106
139.59.9.200
192.207.61.178
158.58.170.222
185.61.138.104
181.143.153.250
178.32.53.124
163.172.29.9
163.172.29.81
101.0.54.130
185.80.222.78
82.163.79.61
37.187.247.3
104.236.58.27
91.108.183.170
92.222.92.152
212.47.247.226
108.61.187.24
88.150.157.14
186.205.89.48
193.138.219.231
64.137.178.3
31.31.72.43
59.115.115.115
91.134.232.63
178.62.18.173
119.17.192.102
59.93.84.191
98.124.243.32
119.93.79.68
212.47.248.81
162.210.173.109
197.254.106.218
14.176.1.82
117.239.224.138
41.33.197.132
188.161.150.22
116.68.103.36
181.143.243.98
159.203.30.48
37.187.57.57
178.159.36.185
67.205.149.140
188.225.46.219
31.3.230.31
185.234.218.247
185.62.189.56
185.234.216.59
185.107.70.202
185.10.68.16
185.242.113.224
<SNIP>LAST BIT OF CURL IPS<SNIP>

in the terminal gives a list.

That is the curl technique skynet uses.

You have to tell curl to accept redirects.
 
Last edited:
You could install it and have it block Outbound traffic only.
What`s "Outbound traffic"?

Would i need a public IPv4 for my router for it?
Currently i do not have an public IPv4 for the router but i am in good hope that i will fix this but i do need more information and jnowlege regarding Portforwarding etc. to get an/ the publik IPv4 from my Fritzbox 6850 5G.
 
@SomeWhereOverTheRainBow
Thanks!
This link is working again, but is not blocking any ranges. It's blocking ~200.000 IPs, but no ranges.
The second link is also blocking about 400.000 IPs but no ranges.

Some time ago, your filter list also included ranges.
Not sure what to tell you, unless iptables is not cooperating with the entries. Or maybe the list that is no longer any good was the list that had all the ranges. Tbh most of the lists don't list ranges, they only list the either subnet form or straight ip form.
 
@SomeWhereOverTheRainBow
Screenshot 1 is your list - 0 ranges banned
Screenshot 2 is Skynet default - 2055 ranges banned
Okay so using the first link, i am not sure why there are no ranges since it would be pulling the lists straight from the sources like skynet default does:

as you can see, there is not that much difference between the default, versus mine:


in fact I include all the lists that are in skynet default. So it should be banning those "ranges" still.

@SomeWhereOverTheRainBow
Thanks!
This link is working again, but is not blocking any ranges. It's blocking ~200.000 IPs, but no ranges.
The second link is also blocking about 400.000 IPs but no ranges.

Some time ago, your filter list also included ranges.

The question begs to ask why is skynet doing this incorrectly in some instances?

Let us look at what skynet code defines to be a "range"-

This is User added ranges (added by skynet menu option for ranges):


This is ranges blocked by blocking countries:


This is ranges blocked by blocking VIA "ASN" codes


@Adamm- "Why are when users load a custom filter.list, their user defined ranges are not included in the iptable rules; however, when they use the default filter lists their user defined ranges are included in the iptable rules?"

Basically @Ubimo has pointed out when they load a custom filter.list, not much different from the default, there are no longer any ranges showing up as being banned in the statistic ( which implies the skynet-banned ranges rules are not getting loaded when switching to custom filter.list option). However, when they switch back to default filter.list, their banned ranges are once again included in the statistics (which implies skynet-banned ranges are once again loaded properly into the iptable ruleset).

@Ubimo

In the code link below, I see reference to using the custom list with the banmalware option. Possibly different steps are taking if "fast-switch" is enabled in diversion or skynet. Maybe this is causing the skipping of adding ranges when using custom filter lists? But I don't know @Adamm script well enough yet to tell you.


more specifically, this line:



@Ubimo

A temporary solution is to manually restart skynet after switching to custom filter lists and your "blocked ranges" should hopefully be added back. (banned ranges = ranges you have added, any countries you block, and any ASN codes you block, and anything that gets added with a subnet attached like /24 at the end of the ipaddress).

Code:
( firewall ban range 8.8.8.8/24 "Apples" ) This Bans the CIDR Block Specified With The Comment Apples
( firewall ban country "pk cn sa" ) This Bans The Known IPs For The Specified Countries (Accepts Single/Multiple Inputs If Quoted) https://www.ipdeny.com/ipblocks/
( firewall ban asn AS123456 ) This Bans the ASN Specified

@Ubimo

If the custom filter list were loading correctly, here would be the amount of banned IPS ranges contributed.

Code:
curl -fsL --retry 3 --connect-timeout 3 "https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/filter.list" | awk -F/ '{print $0}' | xargs "curl" -fsSL | grep -E '^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$' | grep -vE '^(0\.|10\.|100\.(6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7])\.|127\.|169\.254\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.0\.0\.|192\.0\.2\.|192\.168\.|198\.(1[8-9])\.|198\.51\.100\.|203\.0\.113\.|2(2[4-9]|[3-4][0-9]|5[0-5])\.|8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|1\.0\.0\.1)' | awk '!x[$0]++' | grep -F "/" | wc -l
9230

IP from non-Ranges:

Code:
curl -fsL --retry 3 --connect-timeout 3 "https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/filter.list" | awk -F/ '{print $0}' | xargs "curl" -fsSL | grep -E '^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$' | grep -vE '^(0\.|10\.|100\.(6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7])\.|127\.|169\.254\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.0\.0\.|192\.0\.2\.|192\.168\.|198\.(1[8-9])\.|198\.51\.100\.|203\.0\.113\.|2(2[4-9]|[3-4][0-9]|5[0-5])\.|8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|1\.0\.0\.1)' | awk '!x[$0]++' | grep -vF "/" | wc -l
334724

If my custom list was loaded correctly here would be the amount of banned IPS ranges it contributed.

Code:
curl -fsL --retry 3 --connect-timeout 3 "https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/myfilter.list" | awk -F/ '{print $0}' | xargs "curl" -fsSL | grep -E '^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$' | grep -vE '^(0\.|10\.|100\.(6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7])\.|127\.|169\.254\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.0\.0\.|192\.0\.2\.|192\.168\.|198\.(1[8-9])\.|198\.51\.100\.|203\.0\.113\.|2(2[4-9]|[3-4][0-9]|5[0-5])\.|8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|1\.0\.0\.1)' | awk '!x[$0]++' | grep -F "/" | wc -l
63802

IP from non-Ranges:

Code:
curl -fsL --retry 3 --connect-timeout 3 "https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/myfilter.list" | awk -F/ '{print $0}' | xargs "curl" -fsSL | grep -E '^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$' | grep -vE '^(0\.|10\.|100\.(6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7])\.|127\.|169\.254\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.0\.0\.|192\.0\.2\.|192\.168\.|198\.(1[8-9])\.|198\.51\.100\.|203\.0\.113\.|2(2[4-9]|[3-4][0-9]|5[0-5])\.|8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|1\.0\.0\.1)' | awk '!x[$0]++' | grep -vF "/" | wc -l
475801
 
Last edited:

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top