Questions About SkyNet and Blocking

djtech2k

Regular Contributor
I am somewhat new to skynet, so please forgive me if I ask a dumb question. I upgraded my router OS several months back now and followed some advice here to replace my old functionality, and skynet was one of them.

I notice on a somewhat regular basis that I get websites that will not load. After it started happening, I looked into it and it's definitely skynet. It happens a few times per week minimum.

As far as I can remember, the only thing I set up in skynet was I have some countries blocked. I think I turned on some of the malware blocking or something like that too, but again I do not remember much. I think I may just be blocking outgoing, but again not 100% sure.

So in my latest example, a website I wanted to see would not load. I resolved the dns name to an IP and checked the stats in skynet. Sure enough, it was there. Here is the entry:

519x | 151.139.128.10 (US) | https://otx.alienvault.com/indicator/ip/151.139.128.10 | BanMalware: firehol_level3.netset

So my question is really what should I do with stuff like this? I obviously want protection, but I am getting a lot of sites that do not work. Is there any recommendation on how I should configure skynet to have protection but also be able to load sites, or is it just a matter of choosing to whitelist or not?

Thanks in advance.
 
Good and bad actors can be hosted on the same IP. Seems to be the case for Stackpath CDN. You might whitelist so you can get to your site, but what else have you then allowed unintentionally due to the shared IP?

I have this hit in my own logs as well. Still not sure what to do about it.

Someone reported it to the list maintainers on GitHub:
https://github.com/firehol/blocklist-ipsets/issues/116
 
So my question is really what should I do with stuff like this? I obviously want protection, but I am getting a lot of sites that do not work. Is there any recommendation on how I should configure skynet to have protection but also be able to load sites, or is it just a matter of choosing to whitelist or not?

Whitelisting the few false positives is the best way. By coincidence I actually added the StackPath ASN to the CDN whitelist last night so this entry in particular should no longer be an issue next time you update.
 
I am somewhat new to skynet, so please forgive me if I ask a dumb question. ....

Thanks in advance.

No such thing as a dumb question, unless, I suppose, if you ignored the stickies or failed to do an obvious search. Dumb answers are possible, of course, but not here.
 
Since we are on the subject, I have another related question.

My son plays XBOX and PC Games, as shocking as that might be, and when I look at the skynet stats I see inbound blocked ports that are clearly for the game he is playing. In this case, it is an online multiplayer game that he connects to an online server that is hosting the game. That is how I recognize the ports, but the stats are showing these ports in the "Top 10 Attacker Source Ports (Inbound);".

I want to make sure that his stuff can work well so I'm not really sure what to do on this. I mean we should not need those ports opened for inbound initiated connections because we are not hosting it. The traffic should be going from inside my network to the server, and then back.

Does that stat indicate that it is blocking traffic on those ports or is it just showing traffic that is flowing?
 
My son plays XBOX and PC Games, as shocking as that might be, and when I look at the skynet stats I see inbound blocked ports that are clearly for the game he is playing. In this case, it is an online multiplayer game that he connects to an online server that is hosting the game. That is how I recognize the ports, but the stats are showing these ports in the "Top 10 Attacker Source Ports (Inbound);".

You can most likely safely ignore these unless he has issues connecting to servers etc. The blocks could be unrelated traffic, servers from a server-list, P2P connections with other players etc. Hard to say without a first hand look.
 
Well I can give you an example. A game he is playing connects to servers on port 28960, and a few others close to it. I see a ton of those in that list I mentioned. I know he has complained of the performance of the game at times, but I just assumed it was bad servers because it isn't consistent. Now that I see those stats, it makes me wonder if the firewall is blocking some of the packets.
 
Now that I see those stats, it makes me wonder if the firewall is blocking some of the packets.

Skynet doesn't selectively block packets, it either blocks an IP entirely or it doesn't. If a server was being blocked he wouldn't be able to connect whatsoever. If you need assistance whitelisting you can use the following guide;

Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

Don't worry, tracking down false positive bans was at the core of design. Generally speaking you can follow these steps to find (and whitelist) anything incorrectly on your Blacklist!

1.) Enable Debug Mode
Code:
sh /jffs/scripts/firewall settings debugmode enable
2.) Open the blocked application/website and use the command;

Code:
sh /jffs/scripts/firewall debug watch
Now look for a flood of [BLOCKED - OUTBOUND] coming from the same IP. This most likely will be the IP you are looking for if it's being spammed in large numbers.

3.) Copy the IP following "DST=" it should look something like this;
Code:
DST=175.115.37.52
4.) Double check the IP is not actually something that should be banned, use a search tool like alienvault. If it's related to a domain additional "Associated Domain" information should be printed beneath the log.

Code:
https://otx.alienvault.com/indicator/ip/175.115.37.52/
5.) Great, we have confirmed we found the IP of the blocked website/application we are looking for, let's whitelist it!

Code:
sh /jffs/scripts/firewall whitelist ip 175.115.37.52
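
Steps 2 to 4 of the guide above, as an added example that is not part of the original post or of Skynet itself: it counts the DST= addresses on [BLOCKED - OUTBOUND] lines and prints the OTX lookup link for each address seen at least a given number of times. The log lines are constructed samples in the usual iptables LOG layout, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: rank destination IPs found in Skynet-style debug log lines.

# Constructed sample lines (not real captures). Only the "[BLOCKED - ...]"
# prefix and the DST= field come from the guide; the rest is assumed layout.
sample_log() {
cat <<'EOF'
Sep 14 17:30:01 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=51234 DPT=443
Sep 14 17:30:02 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=28960 DPT=23
Sep 14 17:30:02 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=51235 DPT=443
Sep 14 17:30:03 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=40110 DPT=80
Sep 14 17:30:04 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=51236 DPT=443
Sep 14 17:30:05 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=28961 DPT=23
Sep 14 17:30:06 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=51237 DPT=443
EOF
}

# Read log lines on stdin and print "count ip" for outbound blocks only,
# busiest destination first. Inbound lines are skipped because their DST=
# is the router itself, not the site being looked for.
top_blocked_dst() {
    grep -F '[BLOCKED - OUTBOUND]' |
    sed -n 's/.* DST=\([0-9.]*\).*/\1/p' |
    sort | uniq -c |
    awk '{ print $1, $2 }' |
    sort -k1,1nr -k2,2
}

# Print only the IPs blocked at least $1 times (the "flood" in step 2).
flood_candidates() {
    top_blocked_dst | awk -v min="$1" '$1 >= min { print $2 }'
}

# Step 4: print the lookup link for each candidate so it can be checked
# before anything is whitelisted.
otx_links() {
    flood_candidates "$1" |
    sed 's|.*|https://otx.alienvault.com/indicator/ip/&/|'
}

sample_log | top_blocked_dst
sample_log | otx_links 3
```

On the router, the Skynet debug log can be piped in instead of `sample_log`. Nothing is whitelisted automatically, so each address still goes through the step 4 check.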
 
Ok. He can connect but like I said, the stats show: Top 10 Attacker Source Ports (Inbound);. I didn't know if it would be blocking some and not others. If memory serves me correct, I think I have skynet to only block incoming. Blocking outgoing scares me a bit because I don't want a bunch of stuff to start failing.
 
If memory serves me correct, I think I have skynet to only block incoming. Blocking outgoing scares me a bit because I don't want a bunch of stuff to start failing.

Even blocking inbound only you are essentially still stopping outbound connections to a degree as the two parties involved in a connection need to "talk" to each other, there's no way to establish a handshake otherwise.


Like I previously mentioned, if you are having issues, follow the whitelisting guide above while the issue is present. That way you can effectively rule out if the "performance issues" are the result of the game/servers or the less likely option Skynet. Although I personally don't suspect the latter as a connection is either blocked or not blocked, there's no middle ground.
 
Can anyone think why SkyNet would be reporting that Cronjobs and IPSets would be failing?

Some system info. I noticed it while trying to work out why my VPN server won't start.

Router Model; RT-AC86U
Skynet Version; v6.8.6 (11/08/2019) (aaf3a1434f6d9cb904e466942b2647e5)
iptables v1.4.15 - (ppp0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
IP Address; (124.171.96.29)
FW Version; 384.13_0 (Jul 31 2019) (4.1.27)
Install Dir; /tmp/mnt/System/skynet (12.4G / 14.3G Space Available)
SWAP File; /tmp/mnt/System/myswap.swp (1.0G)

Cron Jobs | [Failed]
IPSets | [Failed]
IPTables Rules | [Failed]

System Log
https://pastebin.com/V6ZMZsA5

Sysinfo here (JFFS seems fine)
https://pastebin.com/9EyyKtx5

Top looks like this
https://pastebin.com/96Hxr1gT
 
NVM, i figured it out ... :oops:
 

Make sure you update Skynet and run banmalware. I can assure you both servers are whitelisted.

Code:
skynet@RT-AX88U-DC28:/tmp/home/root# nslookup www.stackpath.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      www.stackpath.com
Address 1: 151.139.128.10
skynet@RT-AX88U-DC28:/tmp/home/root# firewall stats search ip 151.139.128.10
#############################################################################################################
#                     _____ _                     _             __                      #
#                    / ____| |                   | |           / /                      #
#                   | (___ | | ___   _ _ __   ___| |_  __   __/ /_                      #
#                    \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                     #
#                    ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                    #
#                   |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                     #
#                                 __/ |                                                 #
#                                |___/                                                  #
#                                                                                     #
## - 13/09/2019 -           Asus Firewall Addition By Adamm v6.8.6                    #
##                   https://github.com/Adamm00/IPSet_ASUS                            #
#############################################################################################################


=============================================================================================================


[i] Debug Data Detected in /tmp/mnt/USB/skynet/skynet.log - 4.1M
[i] Monitoring From Sep 13 05:20:00 To Sep 14 17:32:36
[i] 18007 Block Events Detected
[i] 1431 Unique IPs
[i] 0 Manual Bans Issued

151.139.128.10 is in set Skynet-Whitelist.
151.139.128.10 is in set Skynet-Blacklist.
151.139.128.10 is NOT in set Skynet-BlockedRanges.

Whitelist Reason;
 151.139.128.0/20 "CDN-Whitelist: AS20446 "
 151.139.128.0/24 "CDN-Whitelist: AS20446 "

If you are still having issues, follow the whitelisting guide.
 
Can anyone think why SkyNet would be reporting that Cronjobs and IPSets would be failing?

Some system info. I noticed it while trying to work out why my VPN server won't start.

Router Model; RT-AC86U
Skynet Version; v6.8.6 (11/08/2019) (aaf3a1434f6d9cb904e466942b2647e5)
iptables v1.4.15 - (ppp0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
IP Address; (124.171.96.29)
FW Version; 384.13_0 (Jul 31 2019) (4.1.27)
Install Dir; /tmp/mnt/System/skynet (12.4G / 14.3G Space Available)
SWAP File; /tmp/mnt/System/myswap.swp (1.0G)

Cron Jobs | [Failed]
IPSets | [Failed]
IPTables Rules | [Failed]

System Log
https://pastebin.com/V6ZMZsA5

Sysinfo here (JFFS seems fine)
https://pastebin.com/9EyyKtx5

Top looks like this
https://pastebin.com/96Hxr1gT

Reboot your router then check the syslog for any errors (from Skynet). Your router is having unrelated issues and repeatedly trying and failing(?) to restart services;

Code:
Sep 13 02:07:00 rc_service: service 31693:notify_rc restart_letsencrypt
Sep 13 02:07:00 rc_service: waitting "restart_firewall" via amas_lib ...
Sep 13 02:07:15 rc_service: skip the event: restart_letsencrypt.
 
Ok. .... If memory serves me correct, I think I have skynet to only block incoming. ....

I can’t find a setting in Skynet to block incoming or outgoing. There’s a “Filter Traffic” setting (Option 11, Settings, then Option 4) with the default setting All. Not that I want to block, but where is the setting for blocking traffic?
 
I can’t find a setting in Skynet to block incoming or outgoing. There’s a “Filter Traffic” setting (Option 11, Settings, then Option 4) with the default setting All. Not that I want to block, but where is the setting for blocking traffic?

Filter traffic = Block traffic
 
Filter traffic = Block traffic

Thanks, Adam. I’d misunderstood djtech2k.

So when you replied: “Even blocking inbound only you are essentially still stopping outbound connections to a degree as the two parties involved in a connection” you implied “filtering” when you wrote “blocking”?
 
do i need to do anything about this "can't fork"? :oops:

Code:
[$] /jffs/scripts/firewall banmalware

============================================================================================================

[i] Downloading filter.list         | [0s]
[i] Refreshing Whitelists           | [9s]
[i] Consolidating Blacklist         | [12s]
[i] Filtering IPv4 Addresses        | [7s]
[i] Filtering IPv4 Ranges           | [0s]
[i] Applying New Blacklist          | [11s]
[i] Refreshing AiProtect Bans       | /jffs/scripts/firewall: line 5142: can't fork
/jffs/scripts/firewall: line 5142: can't fork
/jffs/scripts/firewall: line 5142: can't fork
/jffs/scripts/firewall: line 5142: can't fork
/jffs/scripts/firewall: line 5142: can't fork
/jffs/scripts/firewall: line 5142: can't fork
/jffs/scripts/firewall: line 5142: can't fork
/jffs/scripts/firewall: line 5142: can't fork
/jffs/scripts/firewall: line 5142: can't fork
/jffs/scripts/firewall: line 5142: can't fork
/jffs/scripts/firewall: line 5142: can't fork
/jffs/scripts/firewall: line 5142: can't fork
/jffs/scripts/firewall: line 5142: can't fork
/jffs/scripts/firewall: line 5142: can't fork
/jffs/scripts/firewall: line 5142: can't fork
[6s]
[i] Saving Changes                  | [8s]

[i] For Whitelisting Assistance -

if it matters, in merlin i have set;
advanced, firewall, general;
enable firewall -yes
enable dos protect -yes
logged packet type - dropped
respond icmp echo - yes (i need this)

under general, aiprotection, network protection = ON
 
Thanks, Adam. I’d misunderstood djtech2k.

So when you replied: “Even blocking inbound only you are essentially still stopping outbound connections to a degree as the two parties involved in a connection” you implied “filtering” when you wrote “blocking”?

Correct

do i need to do anything about this "can't fork"? :oops:

Cannot fork indicates an issue with your SWAP file. I suggest a reboot and see if anything shows up in your syslog.
 
SWAP file.

i deleted my 256mb swap
created a fresh 512mb swap
rebooted router and all seems well;

Code:
[$] /jffs/scripts/firewall banmalware

================================================================================

[i] Downloading filter.list         | [0s]
[i] Refreshing Whitelists           | [7s]
[i] Consolidating Blacklist         | [15s]
[i] Filtering IPv4 Addresses        | [7s]
[i] Filtering IPv4 Ranges           | [1s]
[i] Applying New Blacklist          | [10s]
[i] Refreshing AiProtect Bans       | [3s]
[i] Saving Changes                  | [13s]

[i] For Whitelisting Assistance -

if you don't mind, look at the [##s] and
tell me if they look very slow to you
cause i'm using an old usb2 drive
and suspect i should get better.
 
