
Skynet - Router Firewall & Security Enhancements


Sure... as above (which works great if you start it with an absolute path aka /jffs/scripts/firewall...)

Thanks, nice bug. It's because in two functions (banmalware and search malware) where I download multiple files (aka lists) I cd to certain directories and never swap back to the CWD; in 99% of cases this is fine (you managed to find the 1% where it isn't :p). The fix is live.

You'll get a big screen load of results. Which is great. But immediately then it will regen the menu without a pause, which is a long page of text. A more 'standard behaviour' would be if it paused before the menu respawn.

Okay makes much more sense now. I was conflicted between speed/usability when reloading the menu after a previous command is completed. I guess a fake read prompt in there wouldn't hurt and making the user aware they need to press enter to continue. I'll work on something.

Not showing up on a list... Is that a case of the IP getting 'cleared' from the external list but not updated in the local blacklist yet?

That is probably the case. The lists banmalware sources from are dynamic, so let's say the banmalware function was run 12 hours ago, the same IPs may not be banned on current iterations of the lists which the "stats search malware" gets its info from.
 
I suggest using SSH keys though and disabling password authentication altogether, it's much more secure especially if you expose SSH to WAN.
I’m already using keys (only).

I think the attempts failed because Mosh requires an additional port to be open, but I don’t know enough about Mosh yet to troubleshoot... (opened a separate topic to discuss Mosh)
 
@vibroverbus I've pushed v5.8.4 with both the bugfix and requested change that Skynet prompt the user before reloading the menu. There are also some other minor under the hood fixes and improvements.

I also updated the Windows telemetry list, if anyone has any issues with Microsoft services being blocked let me know.
When I whitelist a domain, is the IP looked up only once, or repeatedly (every script/filter update, every day)?

Reason for asking: I have whitelisted my ASUS DDNS address at the routers of family members, but my IP address might change over time.
 
When I whitelist a domain, is the IP looked up only once, or repeatedly (every script/filter update, every day)?

Reason for asking: I have whitelisted my ASUS DDNS address at the routers of family members, but my IP address might change over time.

It updates every time Skynet is either started or the following command is run:

Code:
sh /jffs/scripts/firewall whitelist refresh

So in your case you could probably run the latter on a cronjob (I suggest not using a time that would conflict with the save function that runs on the hour, pick a random minute value)
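
The scheduling advice above, worked through as an added example (not part of the original post and not Skynet's own code): it builds a cron entry for the whitelist refresh on a minute that is never 0, so it cannot collide with the save that runs on the hour. It assumes Asuswrt-Merlin's `cru` cron helper; the job name `skynet_wl_refresh` and the 6-hour interval are hypothetical choices.

```shell
#!/bin/sh
# Added example: schedule Skynet's whitelist refresh away from the top of the hour.
# Assumptions: `cru` is available; JOB_NAME and the 6-hour default are made up.

REFRESH_CMD="sh /jffs/scripts/firewall whitelist refresh"   # command quoted in the post
JOB_NAME="skynet_wl_refresh"                                 # hypothetical job id

# Pick a minute in 1..59; minute 0 is skipped because the save runs on the hour.
pick_minute() {
    awk 'BEGIN { srand(); print int(rand() * 59) + 1 }'
}

# Accept only an integer 1..59 (rejects 0, blanks, non-digits, out-of-range).
valid_minute() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 59 ]
}

# Build "<minute> */<hours> * * * <command>" after validating the minute.
cron_line() {
    minute="$1"; every_hours="${2:-6}"
    valid_minute "$minute" || { echo "minute must be 1-59, not '$minute'" >&2; return 1; }
    printf '%s */%s * * * %s\n' "$minute" "$every_hours" "$REFRESH_CMD"
}

# Register the job on the router, or just show the line on any other machine.
install_job() {
    line="$(cron_line "${1:-$(pick_minute)}" "${2:-6}")" || return 1
    if command -v cru >/dev/null 2>&1; then
        cru d "$JOB_NAME" 2>/dev/null || true   # drop any earlier copy of this job
        cru a "$JOB_NAME" "$line"
    else
        echo "cru not found; crontab line would be: $line"
    fi
}

install_job "$@"
```

Jobs added with `cru` do not survive a reboot, so on Asuswrt-Merlin the call is normally placed in a boot-time user script such as /jffs/scripts/services-start.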
 
@vibroverbus I've pushed v5.8.4 with both the bugfix and requested change that Skynet prompt the user before reloading the menu. There are also some other minor under the hood fixes and improvements.

I also updated the Windows telemetry list, if anyone has any issues with Microsoft services being blocked let me know.

Thanks sir! Just updated.

(and BTW yes I noticed some Micro$suck blocks last week too..)

On the topic of the 'stale blacklist entries...' - I've had a fair few of them with users browsing... typically always some shared hosting servers that probably have a dozen sites on them... By the time I check it, it's clear on the malware lists but hasn't been cleared on the router yet. Any reason I shouldn't just run the malware update cron job hourly or something? I mean aside from the CPU hit implications?
 
On the topic of the 'stale blacklist entries...' - I've had a fair few of them with users browsing... typically always some shared hosting servers that probably have a dozen sites on them... By the time I check it, it's clear on the malware lists but hasn't been cleared on the router yet. Any reason I shouldn't just run the malware update cron job hourly or something? I mean aside from the CPU hit implications?

I found running it daily was a pretty good middle ground which I use on my personal setup. Once you get the initial whitelists out of the way you can usually forget about it for the most part, unfortunately shared hosting will always be an issue as $2 a month services attract the wrong type of customers and when you put thousands of websites on the same IP, one is bound to be malicious and get everyone blacklisted.
 
Is it likely any recent changes would have affected Facebook? The wife was saying it has gone intermittently really slow. Troubleshooting now with debug, I don't lose my previous manual whitelist do I when I change to debug?
 
Is it likely any recent changes would have affected Facebook? The wife was saying it has gone intermittently really slow. Troubleshooting now with debug, I don't lose my previous manual whitelist do I when I change to debug?

No issues that I'm aware of. Also you don't lose any settings while switching boot options, the only time that would ever happen is if you explicitly used a command that would imply so in the readme.
 
I also updated the Windows telemetry list, if anyone has any issues with Microsoft services being blocked let me know.
I might have had problems on some (but not all) PCs due to local blocks in their "hosts" file (result of running Windows privacy tools; not caused by SkyNet).

I have reverted to the default Windows hosts file and will try your telemetry blocking via the router instead.

Wonder what will happen next "Patch Tuesday"... Will all PCs update finally?
 
Office365 services are now blocked, can’t sign into Microsoft account, these “telemetry” services blocked is way too aggressive and breaks basic Windows and Office functionality.
 
Office365 services are now blocked, can’t sign into Microsoft account, these “telemetry” services blocked is way too aggressive and breaks basic Windows and Office functionality.

Okay thanks I've reverted the changes for now until I can verify further. Not sure why there are any blockages at all considering it's one of the bigger projects I got the list from and was just one of their regular updates to the list already in place.
 
Hi, I and the rest of the people in my house when using the AC1900P router with the latest stable Merlin Firmware, ab-solution and SkyNet have noticed that on our iPhones, the iMessage feature called #images does not work when SkyNet is running (this #images feature allows you to send animated Apple-hosted .gif files to family and friends.) Trivial I know but when you are in control of the router and you have 20-year-olds in the house, they would rather I disabled the SkyNet Firewall just so they can use this feature. Something which I refuse to do.

I did a test and disabled SkyNet and the iMessage #images feature worked again, so I narrowed it down to SkyNet.

I looked all over the internet for an IP address that I could whitelist and ended up adding around 15 Apple IP addresses, but none of those IP addresses I whitelisted let this feature work. The only info I could obtain from Apple was that the #images feature uses port 5223 and they said to whitelist that port. I tried their recommendation and the feature #images still doesn't work.

Do you happen to know how I would go about whitelisting the iOS iMessage feature called #images?

Thanks for your time,

David
 
Hi, I and the rest of the people in my house when using the AC1900P router with the latest stable Merlin Firmware, ab-solution and SkyNet have noticed that on our iPhones, the iMessage feature called #images does not work when SkyNet is running (this #images feature allows you to send animated Apple-hosted .gif files to family and friends.) Trivial I know but when you are in control of the router and you have 20-year-olds in the house, they would rather I disabled the SkyNet Firewall just so they can use this feature. Something which I refuse to do.

I did a test and disabled SkyNet and the iMessage #images feature worked again, so I narrowed it down to SkyNet.

I looked all over the internet for an IP address that I could whitelist and ended up adding around 15 Apple IP addresses, but none of those IP addresses I whitelisted let this feature work. The only info I could obtain from Apple was that the #images feature uses port 5223 and they said to whitelist that port. I tried their recommendation and the feature #images still doesn't work.

Do you happen to know how I would go about whitelisting the iOS iMessage feature called #images?

Thanks for your time,

David

Follow this guide to find out what IP is incorrectly blocked, then report back here with your findings so we can whitelist it globally if you don't mind.
 
Thanks Adamm,

On a more general note, we need to be cautious for “Black Viper” and likes “tweak lists” which are CONSUMER HOBBYIST lists of “tweaks” which bring no clear advantage and just break core Windows or Office 365 functionality. (Templates no longer appearing, Office update not being available, Outlook configuration services being broken etc etc)

When you are working from home like me, you are depending on this core functionality to work, the challenge being that a lot of these services are hardcoded into the application and will never reveal itself to the end user as a domain or IP address, like https://d.docs.live.net which provides the sync functionality between OneNote via OneDrive.

Bored tinfoil hats, who only use Windows to just sniff out its traffic and block all ports they can find, not having a clue what they are blocking, might not be the best source to copy tweaks from. These guys HATE Windows with a passion, use Linux on day2day basis and ruin things for 99.999% of the other users who depend on Windows for a living.

Let’s try to keep the scope to real world threats and not cater to tinfoils who try to turn an ONLINE OS into an OFFLINE OS by crippling its connectivity.

Sorry for the rant, but it hurts usability badly.

Okay thanks I've reverted the changes for now until I can verify further. Not sure why there are any blockages at all considering it's one of the bigger projects I got the list from and was just one of their regular updates to the list already in place.
 
Let’s try to keep the scope to real world threats and not cater to tinfoils who try to turn an ONLINE OS into an OFFLINE OS by crippling its connectivity.

Sorry for the rant, but it hurts usability badly.

I agree, functionality is indeed the highest priority. With that being said, including telemetry in the default banmalware list was a highly requested feature.

I researched and found the most widely used, and recommended open-source list available. It is used by many respected projects like pi-hole, LEDE, OpenWRT adblock to name a few. The list in question was this one, it is supposed to be only telemetry based IPs (there are three options to block different levels of services). Each IP is evaluated and sniffed with packet capture tools on a Virtual Machine before it is delegated to a specific list to prevent false positives. With that being said in a list of 200 IPs I guess a few had more than one purpose (telemetry + core services). And in their defense, Windows collects excessive amounts of telemetry data, even applications like Paint phone home for god knows what reason.

It is definitely not my intention to block any legitimate services, I merely updated the list that has already been in place for months, but as you found out I guess a few IPs in the latest update hurt office 360 functionality which unfortunately I don't personally have installed to test before I pushed said update.

For future reference, users who don't mind telemetry are more than welcome to use a custom banmalware filter removing the telemetry list from it. That list is just an example I personally use and others can base their own around if they desire. But as I previously mentioned adding telemetry blocking was one of the most requested features so I catered to my audience.
 
Hello and thank you Adamm, I did as you instructed and watched the SkyNet debug output and found two IP addresses both hosted by the same company being blocked. I whitelisted those two IP addresses and now our iOS iMessage #images function is back to normal and working correctly.

Here are the two IP addresses I whitelisted in order to get full functions working on iOS iMessage:

205.185.216.42

205.185.216.10

Thanks again for all your help!

David


Follow this guide to find out what IP is incorrectly blocked, then report back here with your findings so we can whitelist it globally if you don't mind.
 
Hello and thank you Adamm, I did as you instructed and watched the SkyNet debug output and found two IP addresses both hosted by the same company being blocked. I whitelisted those two IP addresses and now our iOS iMessage #images function is back to normal and working correctly.

Here are the two IP addresses I whitelisted in order to get full functions working on iOS iMessage:

205.185.216.42

205.185.216.10

Thanks again for all your help!

David

Thanks for the input. It seems I missed some of HighWinds CDN space when previously adding it to the global whitelist, I've done some digging and added additional CIDR ranges I could find (which includes the IPs you mentioned). I also went ahead and removed the bbcan lists from the default banmalware filter as I feel they are not frequently updated enough to be used anymore.
 
Good stuff, thanks for Skynet and all your efforts to maintain it.

David



Thanks for the input. It seems I missed some of HighWinds CDN space when previously adding it to the global whitelist, I've done some digging and added additional CIDR ranges I could find (which includes the IPs you mentioned). I also went ahead and removed the bbcan lists from the default banmalware filter as I feel they are not frequently updated enough to be used anymore.
 
Somehow I never noticed this before, but it seems all UI options return to the menu, except the Update option. Regardless of whether it finds a new version, it exits to the terminal. It's just a minor thing but could it return to the menu when it doesn't find any updates and perhaps, if it does find an update, restart (as it does now) and return to the UI as well? Also, given the increase in updates lately, it would be nice if the update checking frequency could be configured by the user. These are just nice-to-haves, nothing critical.
 
