SkyNet & Diversion Questions

[DarkWolfSLV]

After some reading and a few days considering, I'm almost ready to install amtm and add Entware, Diversion and Skynet.
I do have a few questions about the last two before proceeding. I like idea of dynamic list Diversion (for ads) and Skynet (for known bad sources) add, but what about custom TCP/UDP rules?

Some threads say that Skynet is now your firewall, but I cannot find examples of TCP/UDP rules either for inbound or outbound traffic. I would like to only allow known ports like 22, 53, 80, 443, and a few others needed for IoT devices. Or I can still use the built-in firewall for that?

Also, both tools add some packet inspection and analysis, how much does this impact the CPU/RAM and performance of the router? (delays and throughput)

Thanks!

 

[dave14305]

Skynet enhances the built-in firewall by blocking known "bad" IP addresses regardless of what your built-in firewall allows. You can still make new firewall rules through the GUI, but if one of the incoming or outgoing connections via that rule are to or from one of the "bad" IP addresses, it will be blocked. Everything else will work as normal as long as it's not on one of the malware lists used by Skynet.

Diversion enhances the router's built-in DNS server by adding hosts entries to the router to prevent undesirable website hostnames from being resolved to their real IP address. Aside from the normal diversion blocklist updates, it isn't really active at all on your router in day-to-day use.

 

[thelonelycoder]

Also, both tools add some packet inspection and analysis, how much does this impact the CPU/RAM and performance of the router? (delays and throughput)

In addition to the excellent brief description by @dave14305 I only can add that throughput and latency are not affected when using Skynet and Diversion.
The router can handle the occasional extra peak processor and memory resources fine.

 

[DarkWolfSLV]

Thank you both for the comments! I'm currently in the process of installing Diversion via amtm.
I'll try that for a few days and then add skynet.

Thank you!

 

[thelonelycoder]

Thank you both for the comments! I'm currently in the process of installing Diversion via amtm.
I'll try that for a few days and then add skynet.

Thank you!

That's a good approach. Both need a bit of a learning curve if something gets blocked.
Ask further questions in the respective threads.

 

[thelonelycoder]

Also, first thing to install is amtm.

 

[Adamm]

I would like to only allow known ports like 22, 53, 80, 443, and a few others needed for IoT devices.

https://www.snbforums.com/threads/r...wall-security-enhancements.16798/#post-115872

This is all possible via the menu or CLI;

( sh /jffs/scripts/firewall settings iot unban|ban 8.8.8.8,9.9.9.9 ) Unban|Ban IOT Device(s) (or CIDR) From Accessing WAN (Allow NTP / Remote Access Via OpenVPN Only) (Use Comma As Separator)
( sh /jffs/scripts/firewall settings iot list ) List Currently Banned IOT Devices
( sh /jffs/scripts/firewall settings iot ports 123,124,125 ) Allow Port(s) To Access WAN (Use Comma As Separator)
( sh /jffs/scripts/firewall settings iot ports reset ) Reset Allowed Port List To Default