Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

@Adamm, I have (re)installed Skynet, and when I run Banmalware, the script exists at the "Consolidating Blacklist", never finishing the update process. Any idea?

Typo on my end, v5.5.9 will fix this.

 

[skeal]

@Adamm How does a person edit the vpn white list or even view it to see if your ips are correctly added or removed?

 

[skeal]

I'm having trouble with my streaming media service. I can contact and connect to the server but cannot view content. If I disable skynet it works. I resolve by unbanning all non manual bans then I check whitelist then banmalware command and I'm up and running again. This is so freaking wierd. Any ideas?

 

[skeal]

I'm unable to use skynet now as it blocks my access to my streaming media. I have white listed the ip and domain and still after the firewall has a chance to settle in the ability to change channels stops and once I try I lose all access to that site. Tried debug and stats and I see nothing to tell me whats going on.

 

[Adamm]

@Adamm How does a person edit the vpn white list or even view it to see if your ips are correctly added or removed?

This is just a hardcoded function that covers the majority of nvram settings related to VPN services.

Whitelist_VPN () {
        ipset -q -A Whitelist "$(nvram get vpn_server1_sn)"/24 comment "nvram: vpn_server1_sn"
        ipset -q -A Whitelist "$(nvram get vpn_server2_sn)"/24 comment "nvram: vpn_server2_sn"
        ipset -q -A Whitelist "$(nvram get vpn_server_sn)"/24 comment "nvram: vpn_server_sn"
        ipset -q -A Whitelist "$(nvram get vpn_client1_addr)"/24 comment "nvram: vpn_client1_addr"
        ipset -q -A Whitelist "$(nvram get vpn_client2_addr)"/24 comment "nvram: vpn_client2_addr"
        ipset -q -A Whitelist "$(nvram get vpn_client3_addr)"/24 comment "nvram: vpn_client3_addr"
        ipset -q -A Whitelist "$(nvram get vpn_client4_addr)"/24 comment "nvram: vpn_client4_addr"
        ipset -q -A Whitelist "$(nvram get vpn_client5_addr)"/24 comment "nvram: vpn_client5_addr"
        if [ -f "/dev/astrill/openvpn.conf" ]; then ipset -q -A Whitelist "$(sed '\~remote ~!d;s~remote ~~' "/dev/astrill/openvpn.conf")"/24 comment "nvram: Astrill_VPN"; fi
}

And you can confirm what its added via;

ipset -L Whitelist | grep vpn

I'm unable to use skynet now as it blocks my access to my streaming media. I have white listed the ip and domain and still after the firewall has a chance to settle in the ability to change channels stops and once I try I lose all access to that site. Tried debug and stats and I see nothing to tell me whats going on.

If debug mode is enabled, whenever Skynet blocks anything it will be printed to the log, there is no exceptions to this rule. So if it is Skynet blocking this service, it will be printed to syslog in realtime for you to debug.

Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

Don't worry, tracking down false positive bans was at the core of design. Generally speaking you can follow these steps to find (and unban) anything incorrectly on your Blacklist!

1.) Enable Debug Mode via the installer

sh /jffs/scripts/firewall install

2.) Open the blocked application/website and use the command;

sh /jffs/scripts/firewall debug watch

Now look for a flood of [BLOCKED - OUTBOUND] coming from the same IP. This most likely will be the IP you are looking for if its being spammed in large numbers.

3.) Copy the IP following "DST=" it should look something like this;

DST=175.115.37.52

4.) Double check the IP is not actually something that should be banned, use a search tool like alienvault.

https://otx.alienvault.com/indicator/ip/175.115.37.52/

5.) Great we have confirmed we found the IP of the blocked website/application we are looking for, lets whitelist it!

sh /jffs/scripts/firewall whitelist ip 175.115.37.52

 

[skeal]

This is just a hardcoded function that covers the majority of nvram settings related to VPN services.

Whitelist_VPN () {
        ipset -q -A Whitelist "$(nvram get vpn_server1_sn)"/24 comment "nvram: vpn_server1_sn"
        ipset -q -A Whitelist "$(nvram get vpn_server2_sn)"/24 comment "nvram: vpn_server2_sn"
        ipset -q -A Whitelist "$(nvram get vpn_server_sn)"/24 comment "nvram: vpn_server_sn"
        ipset -q -A Whitelist "$(nvram get vpn_client1_addr)"/24 comment "nvram: vpn_client1_addr"
        ipset -q -A Whitelist "$(nvram get vpn_client2_addr)"/24 comment "nvram: vpn_client2_addr"
        ipset -q -A Whitelist "$(nvram get vpn_client3_addr)"/24 comment "nvram: vpn_client3_addr"
        ipset -q -A Whitelist "$(nvram get vpn_client4_addr)"/24 comment "nvram: vpn_client4_addr"
        ipset -q -A Whitelist "$(nvram get vpn_client5_addr)"/24 comment "nvram: vpn_client5_addr"
        if [ -f "/dev/astrill/openvpn.conf" ]; then ipset -q -A Whitelist "$(sed '\~remote ~!d;s~remote ~~' "/dev/astrill/openvpn.conf")"/24 comment "nvram: Astrill_VPN"; fi
}

And you can confirm what its added via;

ipset -L Whitelist | grep vpn

If debug mode is enabled, whenever Skynet blocks anything it will be printed to the log, there is no exceptions to this rule. So if it is Skynet blocking this service, it will be printed to syslog in realtime for you to debug.

Thanks @Adamm for your prompt reply. I used deport url and it worked so far I'm good to go using skynet with default blocking list. The command you gave me above listed similar results as yours.

 

[Adamm]

I've pushed v5.6.0

Over the past few weeks I've been working hand in hand with @thelonelycoder to provide a better user experience with less false positives.

As some of you may have noticed from time to time websites were being incorrectly blocked by banmalware. Part of the reason was because some of the lists we sourced were DNS lists that had been converted to IPs. In the case of shared hosting providers this unfortunately blocked some legitimate sites. To prevent this, Skynet now offloads a few lists to AB-Solution which is listed there as "Plus Content". This content is specifically security related and I recommend all security conscious users to enable it upon updating to AB-Solution 3.10 which is currently in BETA.

Upon updating Skynet, this will add a "flag" to AB-Solution prompting the user to add the content as suggested above.

 

[skeal]

I've pushed v5.6.0

Over the past few weeks I've been working hand in hand with @thelonelycoder to provide a better user experience with less false positives.

As some of you may have noticed from time to time websites were being incorrectly blocked by banmalware. Part of the reason was because some of the lists we sourced were DNS lists that had been converted to IPs. In the case of shared hosting providers this unfortunately blocked some legitimate sites. To prevent this, Skynet now offloads a few lists to AB-Solution which is listed there as "Plus Content". This content is specifically security related and I recommend all security conscious users to enable it upon updating to AB-Solution 3.10 which is currently in BETA.

Upon updating Skynet, this will add a "flag" to AB-Solution prompting the user to add the content as suggested above.

Thank you for the update testing now with ab-solution blocking files 8 which gives 10 hosts files. I must say it kicked up my ram usage but still do not need a swap file.

 

[Andy1932]

My biggest issue with skynet is the blocking of blogs--mainly wordpress blogs that my wife likes to read. Every time she tries to view one it's blocked and I have to whitelist it. WHy are these so heavily blocked?

 

[Adamm]

My biggest issue with skynet is the blocking of blogs--mainly wordpress blogs that my wife likes to read. Every time she tries to view one it's blocked and I have to whitelist it. WHy are these so heavily blocked?

As mentioned in my post above, it was due to DNS lists being converted to IPs. After updating banmalware this will no longer be as big of an issue. Wordpress for example is no longer blocked by default due to malicious subdomains, now AB will specifically block the bad eggs so to speak.

 

[Andy1932]

As mentioned in my post above, it was due to DNS lists being converted to IPs. After updating banmalware this will no longer be as big of an issue. Wordpress for example is no longer blocked by default due to malicious subdomains, now AB will specifically block the bad eggs so to speak.

Roger that. I'll update and see how it goes! Thanks.

 

[eighteen]

Hello @Adamm,

Why this fail happens?

 

[Adamm]

Why this fail happens?

Restart Skynet and see if it still occurs, if it does run;

sh /jffs/scripts/firewall debug info

 

[iManuB]

Hello, after a problem at my router, I had to clean everything and install again.
Now, I have this problem:

Checking For AB-Solution Plus Content... [Failed]

_______________

Checking Install Directory Write Permissions...         [Passed]
Checking Firewall-Start Entry...                        [Passed]
Checking Services-Stop Entry...                         [Passed]
Checking CronJobs...                                    [Passed]
Checking IPSet Comment Support...                       [Passed]
Checking Log Level 5 Settings...                        [Passed]
Checking Autobanning Status...                          [Passed]
Checking Debug Mode Status...                           [Passed]
Checking For Duplicate Rules In RAW...                  [Passed]
Checking For Duplicate Rules In Filter...               [Passed]
Checking Skynet IPTable...                              [Passed]
Checking Whitelist IPSet...                             [Passed]
Checking BlockedRanges IPSet...                         [Passed]
Checking Blacklist IPSet...                             [Passed]
Checking Skynet IPSet...                                [Passed]
Checking For AB-Solution Plus Content...                [Failed]

Thanks so much!

 

[pattiri]

Checking For AB-Solution Plus Content... [Failed]

go to AB-Solution then "b" and "8", but you should be using "AB-Solution 3.10.2 beta"

 

[iManuB]

go to AB-Solution then "b" and "8", but you should be using "AB-Solution 3.10.2 beta"

Ah... thanks so much, pattiri.

So is everything regular?

 

[Adamm]

Hello, after a problem at my router, I had to clean everything and install again.
Now, I have this problem:

go to AB-Solution then "b" and "8", but you should be using "AB-Solution 3.10.2 beta"

As pattiri said, this is optional and based on a new feature myself and thelonlycoder has been working on.

I've pushed v5.6.0

Over the past few weeks I've been working hand in hand with @thelonelycoder to provide a better user experience with less false positives.

As some of you may have noticed from time to time websites were being incorrectly blocked by banmalware. Part of the reason was because some of the lists we sourced were DNS lists that had been converted to IPs. In the case of shared hosting providers this unfortunately blocked some legitimate sites. To prevent this, Skynet now offloads a few lists to AB-Solution which is listed there as "Plus Content". This content is specifically security related and I recommend all security conscious users to enable it upon updating to AB-Solution 3.10 which is currently in BETA.

Upon updating Skynet, this will add a "flag" to AB-Solution prompting the user to add the content as suggested above.

 

[skeal]

As pattiri said, this is optional and based on a new feature myself and thelonlycoder has been working on.

Working excellent on my two routers. RT-AC68U and RT-AC3100 both running the latest firmware.

 

[skeal]

I found that if you do a lot of VPN or Torrents you will likely need the swap. Just saying from user experience.

 

[iManuB]

As pattiri said, this is optional and based on a new feature myself and thelonlycoder has been working on.

Thanks so much!