Menu
What's new
By:
Filters Better Search

Skynet Show Country Names instead of Codes?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Viktor Jaep said:
Country blocks will shave off a nice slice of that risk pie, but isn't a cure-all. My hope is that if we do get hit with some kind of malware, or some sneaky app or roomba vaccuum appliance is trying to exfiltrate our data, that this method will stop it in its tracks. It may work for some attacks, but not for others. That's all.
Click to expand...
and this.
 
Skeptical.me said:
I banned all those countries and it stopped my VPN client from working properly, ExpressVPN. I was connected to an Australian server but when I did a test on ipleak.net it showed my ISP IP address. So I got rid of all those countries and just like that, it worked again. I could be wrong but it certainly appears to have been the blocked countries causing it. I won't block any for now.
Click to expand...
When you apply major skynet firewall changes like this, sometimes you need to re-establish your VPN connection afterwards for it to apply everything correctly. I'd give it another shot, but remember to reset that VPN.
 
Here’s my list of blocked countries, all considered high risk according to some stuff I read:

Code: 
sh /jffs/scripts/firewall ban country "ru cn kp ir sa pk ae ng in af dz by bf bi cf td co cd cg cu eg sv er ht hn iq ke lb ly gn ml mr mx mm ne ph so ss sd th to ua ve ye zw br np ro”
 
Last edited:
I've got a couple of outdoor IP Cams that love calling home to China, why would I want that? So I block that country. They still function ok...



1673051958207.png
 
BreakingDad said:
I want to do all I can to protect my family and myself from rogue states.
Click to expand...

And they are rogue because your TV says so, I guess. They protect you well and you apply the protection on your family.

BreakingDad said:
Have you not just applied your own censorship on this very forum for example, because you don't like someones viewpoint? Basically the same thing.
Click to expand...

No, very different thing - for me only personally, not for all network users and not based on viewpoints. This is a tech forum.

@BrokenDad, :)
Block whatever you want, just don't share your viewpoints here. Not needed. This is what triggered this discussion.
 
Last edited:
Skeptical.me said:
Here’s my list of blocked countries, all considered high risk according to some stuff I read
Click to expand...

According to some stuff you missed, there is no need to mask private IP addresses. The same addresses are used by hundreds of thousands other devices:

www.snbforums.com

Skynet - Is default firewall good enough?

Why? I think there was an initial bug, but was fixed almost same day. I'm running the latest version of skynet with no issue...
www.snbforums.com www.snbforums.com

Not a good idea to copy someone else's settings without good understanding what are you doing and what's happening. I don't recommend Skynet at all to people who can't troubleshoot eventual self-created or community blocklists related issues. I'm sure you don't know the answer to the question do you need Skynet or not and you can't analyze the results you're getting in charts. Most of what you see Inbound is not blocked by Skynet.
 
Tech9 said:
According to some stuff you missed, there is no need to mask private IP addresses. The same addresses are used by hundreds of thousands other devices:

www.snbforums.com

Skynet - Is default firewall good enough?

Why? I think there was an initial bug, but was fixed almost same day. I'm running the latest version of skynet with no issue...
www.snbforums.com www.snbforums.com

Not a good idea to copy someone else's settings without good understanding what are you doing and what's happening. I don't recommend Skynet at all to people who can't troubleshoot eventual self-created or community blocklists related issues. I'm sure you don't know the answer to the question do you need Skynet or not and you can't analyze the results you're getting in charts. Most of what you see Inbound is not blocked by Skynet.
Click to expand...
cool
 
Tech9 said:
And there are rogue because your TV says so, I guess. They protect you well and you apply the protection on your family.



No, very different thing - for me only personally, not for all network users and not based on viewpoints. This is a tech forum.
Click to expand...
On the plus side, the family might still access those countries over IPv6. :cool:
 
For whatever reason you guys are doing it it's like locking a gate with no fence.

1673062089110.png


Server in another country, IPv6, VPN, Proxy, Cellular Network, someone else's Wi-Fi. Your best chance on a local network is SSL Proxy with true IDS/IPS. Not where it is coming from, but what is coming. This approach comes with issues and better hardware is needed. You have to block QUIC as well to increase traffic identification and reduce eventual traffic fingerprinting. Block all known DoH servers as well for a chance of better DNS filtering. If you are really security concerned forget about "free" options. You are 24h behind for all dangerous attacks. Discussions in an open to Internet forum only make things easier for whoever wants to do harm. What hardware, what firmware, what version, what method and what is blocked. Anything else to share?
 
Last edited:
Tech9 said:
For whatever reason you guys are doing it it's like locking a gate with no fence.

Server in another country, IPv6, VPN, Proxy, Cellular Network, someone else's Wi-Fi. Your best chance on a local network is SSL Proxy with true IDS/IPS. Not where it is coming from, but what is coming. This approach comes with issues and better hardware is needed. You have to block QUIC as well to increase traffic identification and reduce eventual traffic fingerprinting. Block all known DoH servers as well for a chance of better DNS filtering.
Click to expand...
That's sure a lot trouble if all you want to do is send/receive faxes! Sheesh! :p
 
Tech9 said:
For whatever reason you guys are doing it it's like locking a gate with no fence.

View attachment 46974

Server in another country, IPv6, VPN, Proxy, Cellular Network, someone else's Wi-Fi. Your best chance on a local network is SSL Proxy with true IDS/IPS. Not where it is coming from, but what is coming. This approach comes with issues and better hardware is needed. You have to block QUIC as well to increase traffic identification and reduce eventual traffic fingerprinting. Block all known DoH servers as well for a chance of better DNS filtering.
Click to expand...
Yes, network “monitoring” has changed a lot since the days of https://www.ipcop.org/ :)
 
Viktor Jaep said:
That's sure a lot trouble if all you want to do is send/receive faxes!
Click to expand...

Exactly. Or watch YouTube. What's the point creating an entire strategy that has zero effect after one tap on the screen?

1673064703194.png


Works on business network with all wired clients, but not home Wi-Fi mostly used for saving our data on mobile plans.
 
I have question on country ban. I have been using Skynet for some time but this is my first time use this feature. For start, I banned four countries "bg ru sc ua".

I noticed this IP is blocked and the country is Singapore.
1673077058166.png


When I check in https://www.whatismyip.com/156.225.96.79/ , this ip location is indeed in Singapore.

However, according to https://ipinfo.io/AS35916/156.225.96.0/19-156.225.96.0/25
the subnet 156.225.96.0/25 belongs to a corporation assigned by AFRINIC. So probably it is right, Singapore IP should be assigned by APNIC.

I edit the country ban and zoom in to only one country. When I check Skynet BlockedRanges, It appears the banned IP 156.225.96.79 falls into the IP range 156.224.0.0/11 in my banned country sc. SC is the two-letter country abbreviation for Seychelles.
Code: 
156.224.0.0/11 comment "Country: sc"

Then I check https://www.countryipblocks.net/acl.php, select the same country and try to create CIDR format. It does not show this subnet though. I am puzzled which should be correct. Nothing breaks though, just an observation from the blocked list.
 
Tech9 said:
And they are rogue because your TV says so
Click to expand...
They are rogue, because of how they behave and are known to be rogue by the majority of respected media.

Tech9 said:
Block whatever you want, just don't share your viewpoints here. Not needed. This is what triggered this discussion.
Click to expand...
I will share whatever I think is relevant to the discussion, there was no viewpoint, just sharing how I set up skynet. Afterall the thread is entitled "country codes for skynet" there is a clue there to what people want to discuss.

It has already been noted that it is not a catch all measure, we know that, it's just one part of protection, like dns, like av, like windoze fw, like mwb, like trendnet, etc etc

It was your distortion; implication that anyone who blocks a country is doing it out of reasons of xenophobia rather than pragmatic security mitigation that triggered this.
 
BreakingDad said:
They are rogue, because of how they behave and are known to be rogue by the majority of respected media.


I will share whatever I think is relevant to the discussion, there was no viewpoint, just sharing how I set up skynet. Afterall the thread is entitled "country codes for skynet" there is a clue there to what people want to discuss.

It has already been noted that it is not a catch all measure, we know that, it's just one part of protection, like dns, like av, like windoze fw, like mwb, like trendnet, etc etc

It was your distortion; implication that anyone who blocks a country is doing it out of reasons of xenophobia rather than pragmatic security mitigation that triggered this.
Click to expand...
The way I see it-block all you want. In general the need to allowlist increases the greater the ranges blocked. Blocking countries and asn may require you to be more ready to allowlist when something breaks then if you are blocking a simple subnet or single ip address.
 
SomeWhereOverTheRainBow said:
The way I see it-block all you want. In general the need to allowlist increases the greater the ranges blocked. Blocking countries and asn may require you to be more ready to allowlist when something breaks then if you are blocking a simple subnet or single ip address.
Click to expand...
Just added some more tr tm it af al dz sv il na sd ae zw sd kw qa tj bt cu ke mw mx ni ne ps rw so, kept separate from mainlist just to make sure nothing breaks.
 
Last edited:
You must log in or register to reply here.

Similar threads

eibgrad
OpenVPN Client: mishandled route directives
Replies
7
Views
759
eibgrad
eibgrad
Klueless
  • Poll
How Many SSIDs (WiFi Names) is Too Many?
Replies
12
Views
8K
Klueless
Klueless
Xruptor
QoS Graph/Details like Tomato?
Replies
7
Views
3K
FreshJR
FreshJR
azazel1024
Wireless is hard, 5dBi to 7dBi antennas
Replies
5
Views
4K
azazel1024
azazel1024
D
Confessions of a pfSense Newbie ...
4 5 6
Replies
104
Views
104K
sfx2000
sfx2000
Similar threads
Thread starter Title Forum Replies Date
Tarek Yag DomainVPNRouting "ip rule show" does not take any arguments Asuswrt-Merlin AddOns 15
P Skynet show inbound block on Digital TV Vlan300 Asuswrt-Merlin AddOns 4
M Unbound Show local names in unbound log requests Asuswrt-Merlin AddOns 5
Gary_Dexter Blocking “RO” country code in Skynet blocks Proton VPN UK connections Asuswrt-Merlin AddOns 2
C Skynet Problem with country block for incoming connections Asuswrt-Merlin AddOns 5
amplatfus Unbound [solved] unblock country Asuswrt-Merlin AddOns 3

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 717 (members: 26, guests: 691)
Top