Skynet Skynet - Router Firewall & Security Enhancements

[wbartels]

I've pushed v7.0.0

Adamm thanks for the update!
I really apriciate all the hard work.

 

[skeal]

Weird, seems like a Mac only issue. Try out some of the suggestions in this thread;

https://serverfault.com/questions/475925/how-to-fix-putty-showing-garbled-characters

Fixed it by changing default font type.

 

[Safemode]

Just ran the update on a rt ac3200 and now i get these 2 errors :
Downloading filter.list | [0s]
Refreshing Whitelists | /jffs/scripts/firewall: line 5228: can't fork
[7s]
Consolidating Blacklist | curl: option -fsLZ: is unknown
curl: try 'curl --help' for more information
[0s]
[*] List Content Error Detected - Stopping Banmalware
-*-
Any help would be greatly appreciated.

 

[Adamm]

Just ran the update on a rt ac3200 and now i get these 2 errors :
Downloading filter.list | [0s]
Refreshing Whitelists | /jffs/scripts/firewall: line 5228: can't fork
[7s]
Consolidating Blacklist | curl: option -fsLZ: is unknown
curl: try 'curl --help' for more information
[0s]
[*] List Content Error Detected - Stopping Banmalware
-*-
Any help would be greatly appreciated.

What firmware version (and device) are you using? Skynet will now require v384.13 or the curl package from entware.

 

[Safemode]

What firmware version (and device) are you using? Skynet will now require v384.13 or the curl package from entware.

Running latest firmware for router specified (asus rtac3200 , 384.13_2 ) and my device is an hard drive formatted to ext4 running the scripts.

 

[dev_null]

What firmware version (and device) are you using? Skynet will now require v384.13 or the curl package from entware.

Would you consider retaining a "legacy version" similar to John's fork for those that cannot support the newer versions of AsusWrt? Maybe in an archive someplace? Caveated that no updates are being made but core functionality should work, etc, etc.

 

[Adamm]

Running latest firmware for router specified (asus rtac3200 , 384.13_2 ) and my device is an hard drive formatted to ext4 running the scripts.

Thats weird, whats the output of

curl --version
wc -l /jffs/shared-*

Would you consider retaining a "legacy version" similar to John's fork for those that cannot support the newer versions of AsusWrt? Maybe in an archive someplace? Caveated that no updates are being made but core functionality should work, etc, etc.

Worst case scenario entware hosts the latest version of curl so users could instead use that;

skynet@RT-AX88U-DC28:/tmp/home/root# opkg list | grep "curl - 7"
curl - 7.66.0-1 - A client-side URL transfer utility

 

[Zastoff]

Got the same on malware blacklist update as @Safemode

[i] Downloading filter.list         | [0s]
[i] Refreshing Whitelists           | [16s]
[i] Consolidating Blacklist         | curl: option -fsLZ: is unknown
curl: try 'curl --help' for more information
[0s]
[*] List Content Error Detected - Stopping Banmalware

curl --version

curl 7.65.3 (arm-unknown-linux-gnu) libcurl/7.65.3 OpenSSL/1.0.2t zlib/1.2.5
Release-Date: 2019-07-19
Protocols: file ftp ftps http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps tftp
Features: HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets

wc -l /jffs/shared-*

 44 /jffs/shared-Diversion-whitelist
 1 /jffs/shared-SelectiveRouting-whitelist
 20 /jffs/shared-Skynet-whitelist
 14 /jffs/shared-Skynet2-whitelist
 79 total

 

[Adamm]

Running latest firmware for router specified (asus rtac3200 , 384.13_2 ) and my device is an hard drive formatted to ext4 running the scripts.

Got the same on malware blacklist update as @Safemode

[i] Downloading filter.list         | [0s]
[i] Refreshing Whitelists           | [16s]
[i] Consolidating Blacklist         | curl: option -fsLZ: is unknown
curl: try 'curl --help' for more information
[0s]
[*] List Content Error Detected - Stopping Banmalware

curl --version

curl 7.65.3 (arm-unknown-linux-gnu) libcurl/7.65.3 OpenSSL/1.0.2t zlib/1.2.5
Release-Date: 2019-07-19
Protocols: file ftp ftps http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps tftp
Features: HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets

wc -l /jffs/shared-*

 44 /jffs/shared-Diversion-whitelist
 1 /jffs/shared-SelectiveRouting-whitelist
 20 /jffs/shared-Skynet-whitelist
 14 /jffs/shared-Skynet2-whitelist
 79 total

Oops, didn't realize the AC3200 / AC87U were only still on v384.13_2 which has the old curl version. You will have to either download the curl package from entware until the firmware update is available (this should work) or roll back to the previous Skynet version.

Roll back to Skynet v6.9.2;

/usr/sbin/curl -s "https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/aac085a8866e95081e0713a78c760905aae885d1/firewall.sh" -o "/jffs/scripts/firewall" && chmod 755 /jffs/scripts/firewall

 

[randomName]

Just manually updated to the latest 7.0, running Merlin 384.14, will report issues, if any,

Thank you for your time and effort

 

[Zastoff]

Oops, didn't realize the AC3200 / AC87U were only still on v384.13_2 which has the old curl version. You will have to either download the curl package from entware until the firmware update is available (this should work) or roll back to the previous Skynet version.

To download curl via entware;

opkg update
opkg install curl

Or to roll back to Skynet v6.9.2;

/usr/sbin/curl -s "https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/aac085a8866e95081e0713a78c760905aae885d1/firewall.sh" -o "/jffs/scripts/firewall" && chmod 755 /jffs/scripts/firewall

Updated curl via entware
Now i get

/tmp/home/root# curl --version
curl 7.66.0 (arm-openwrt-linux-gnu) libcurl/7.66.0 OpenSSL/1.1.1d zlib/1.2.11
Release-Date: 2019-09-11
Protocols: file ftp ftps http https imap imaps pop3 pop3s rtsp smtp smtps tftp
Features: HTTPS-proxy IPv6 Largefile libz SSL

But still get the error message when i do the malware blacklist update
Tried the ep (update/upgrade) option in amtm after that aswell

 

[Adamm]

Updated curl via entware
Now i get

/tmp/home/root# curl --version
curl 7.66.0 (arm-openwrt-linux-gnu) libcurl/7.66.0 OpenSSL/1.1.1d zlib/1.2.11
Release-Date: 2019-09-11
Protocols: file ftp ftps http https imap imaps pop3 pop3s rtsp smtp smtps tftp
Features: HTTPS-proxy IPv6 Largefile libz SSL

But still get the error message when i do the malware blacklist update
Tried the ep (update/upgrade) option in amtm after that aswell

Thought that might be the case, because we prioritize native binaries Skynet is still trying to use the older version. You unfortunately will have to downgrade to v6.9.2 for now until a new firmware is available with the updated curl component.

 

[Zastoff]

Thought that might be the case, because we prioritize native binaries Skynet is still trying to use the older version. You unfortunately will have to downgrade to v6.9.2 for now until a new firmware is available with the updated curl component.

Thanks Adamm
Will do the downgrade

edit:
Working fine again with v6.9.2 and fingers crossed for another awesome firmware update from RMerlin

 

[Twiglets]

Thought that might be the case, because we prioritize native binaries Skynet is still trying to use the older version. You unfortunately will have to downgrade to v6.9.2 for now until a new firmware is available with the updated curl component.

Hacky TEMP solution is to add your 'correct' path to wherever the 'new' curl is installed to the first line after the banner of the 'firewall' script.

i.e.

export PATH=/tmp/mnt/usb-data/entware/bin:/sbin:/bin:/usr/sbin:/usr/bin$PATH
​

This almost could be done *temporarily* in the shell *without* changing your script but you understandably force the '/sbin:/bin:/usr/sbin:/usr/bin' path to the front of the PATH environment variable, therefore the script needs to be slightly edited.

I will delete this post if this is a BIG 'No No' as I can understand that changes to your script will make supporting users a 'Pain', even if it is meant to be temporary.

 

[Adamm]

Hacky TEMP solution is to add your 'correct' path to wherever the 'new' curl is installed to the first line after the banner of the 'firewall' script.

i.e.

export PATH=/tmp/mnt/usb-data/entware/bin:/sbin:/bin:/usr/sbin:/usr/bin$PATH
​

This almost could be done *temporarily* in the shell *without* changing your script but you understandably force the '/sbin:/bin:/usr/sbin:/usr/bin' path to the front of the PATH environment variable, therefore the script needs to be slightly edited.

I will delete this post if this is a BIG 'No No' as I can understand that changes to your script will make supporting users a 'Pain', even if it is meant to be temporary.

If they remove the existing "export PATH" line manually from Skynet they will also get this effect. But for most users its probably easier to just wait for a firmware update

 

[wbartels]

I've pushed v7.0.0

Also for anyone keeping track, this is our 1000th Github commit, so quite fitting we celebrate the milestone with a

Thanks again and congrats with the 1000th Github commit.
I made you a small donation with PayPal for all the hard work!

 

[Adamm]

Thanks again and congrats with the 1000th Github commit.
I made you a small donation with PayPal for all the hard work!

Appreciate the kind words and generosity

 

[CaptainSTX]

Looks like putty doesn't use UTF-8 by default, this setting should fix it.

https://thegreyblog.blogspot.com/2009/08/configuring-putty-to-use-utf-8.html

That may not be the case for everyone as after reading this string I looked at my settings in Putty and it seems that on my installation, done in February 2019, that UTF-8 was used by default.

In any case many thanks for this utility. Works great!

 

[Mutzli]

Thank you for the update. The new logo looks great in Windows Terminal:

 

[cmkelley]

Thought that might be the case, because we prioritize native binaries Skynet is still trying to use the older version. You unfortunately will have to downgrade to v6.9.2 for now until a new firmware is available with the updated curl component.

I'm curious about that choice. Have you found incompatibilities between the busybox and Entware implementations of utilities other than busybox being only a subset of the Entware implementation? I'm careful to set my path to prefer Entware normally, and so far I haven't had any issues, but is there a reason I should do it differently?