Skynet Skynet - Router Firewall & Security Enhancements

[FreshJR]

Why is a USB installation preferred over JFFS?

Currently, I have a HDD connected to the usb2.0 port in the back.
The seek time on an HDD will be terrible compared to the internal solid state memory.

Is it to save nand wear, or performance reasons>?

Sorry if it was answered before. Will avoid a flash drive in the USB3.0 port if I can.

 

[Adamm]

Also, given the increase in updates lately, it would be nice if the update checking frequency could be configured by the user. These are just nice-to-haves, nothing critical.

Sometimes my daily releases have the occasional bug, the autoupdate feature is focused on long term installations as us power users are usually constantly tinkering anyway . I try to make sure by Monday things are stable as possible.

Why is a USB installation preferred over JFFS?

Currently, I have a HDD connected to the usb2.0 port in the back.
The seek time on an HDD will be terrible compared to the internal solid state memory.

Is it to save nand wear, or performance reasons>?

Sorry if it was answered before. Will avoid a flash drive in the USB3.0 port if I can.

Mostly for the "flare wear" debate. I personally don't believe its a huge concern but for those who do I keep satisfied by recommending USB installation. With that being said there is no functionality difference between the two, its totally user preference.

In future though USB installations may become mandatory. Currently the AC86U requires a swapfile or Skynet fails to function due to resource limitations. So if future devices have the same issue jffs installations will be reassessed.

 

[FreshJR]

Mostly for the "flare wear" debate.

Meh, even the worst nand can hit 500cycles easy. I'll buy a new router if I manage to kill it.

This was a huge debate with a jailbreak tweak that allowed original iPhone to use its storage as swap/virtual mem. That thing didn't die either with a significantly more write cycles so I doubt this will either.

 

[Adamm]

Meh, even the worst nand can hit 500cycles easy. I'll buy a new router if I manage to kill it.

This was a huge debate with a jailbreak tweak that allowed original iPhone to use its storage as swap/virtual mem. That thing didn't die either with a significantly more write cycles so I doubt this will either.

I agree that realistically it probably would never be an issue, which is why its a recommendation vs limitation.

 

[thelonelycoder]

I agree that realistically it probably would never be an issue, which is why its a recommendation vs limitation.

The fear of wearing out that partition is a constant fear with some and may even be true for certain manufacturers devices. But Asus seem not to be affected by it.

I have yet to hear of a concrete case where the read/write cycles have reached the limit and rendered the router to the role of dust gatherer or expensive bookend.
To me, it's more of a myth than reality with our routers.

 

[RMerlin]

The fear of wearing out that partition is a constant fear with some and may even be true for certain manufacturers devices. But Asus seem not to be affected by it.

Hard to have concrete facts because Asus changed NAND a few times over the years, but back when the RT-AC66U was released (with a much faster NAND than the RT-N66U), the chip used was rated for over 10,000 P/E cycles if I recall, and the manufacturer of the chip said it was designed to handle active logging.

I prefer to remain cautious because a) I can't tell which chip is used by which model, and b) there's always someone who will try something unexpected that might cause a ridiculous amount of writing to the flash, which could eventually reach any P/E limitation of their particular chip.

 

[Mutzli]

Follow this guide to find out what IP is incorrectly blocked, then report back here with your findings so we can whitelist it globally if you don't mind.

I also noticed that Microsoft Bing maps are blocked now. That means all of the apps that need access to the same map data like the Windows 10 Weather, Map and other apps are blocked too. After whitelisting the IP adess 96.16.204.103 everything worked again.

 

[rromeroa]

@Adamm, just out of curiosity...

why the days in skynet.log is not displayed correctly? appears "%_d" .

Thanks.

 

[Adamm]

I also noticed that Microsoft Bing maps are blocked now. That means all of the apps that need access to the same map data like the Windows 10 Weather, Map and other apps are blocked too. After whitelisting the IP adess 96.16.204.103 everything worked again.

Did you happen to check the ban reason before whitelisting it? I currently don't see it on any banmalware list or blocked on my local machine.

@Adamm, just out of curiosity...

why the days in skynet.log is not displayed correctly? appears "%_d" .

Thanks.

Mind showing me an example, the logs are correct on my end. The "%_d" should be phrased as part of the date command, it means show the day number and pad it with spaces, with the full command being (date +"%b %_d %T")

 

[rromeroa]

Mind showing me an example, the logs are correct on my end. The "%_d" should be phrased as part of the date command, it means show the day number and pad it with spaces, with the full command being (date +"%b %_d %T")

My router is an AC68U with merlin 384.3 now (although this behavior has always been in 380 branch), I have tested via ssh and this is the output:

#echo $(date +"%b %_d %T")
Feb %_d 10:16:42

A little fragment of my log in https://pastebin.com/raw/BYy6p6Yi

 

[Adamm]

My router is an AC68U with merlin 384.3 now (although this behavior has always been in 380 branch), I have tested via ssh and this is the output:

#echo $(date +"%b %_d %T")
Feb %_d 10:16:42

A little fragment of my log in https://pastebin.com/raw/BYy6p6Yi

What is the output of;

which date
date --help

As you can see from my AC86U, the output is very different;

admin@RT-AC86U-2EE8:/tmp/home/root# echo $(date +"%b %_d %T")
Feb 28 19:39:02

 

[rromeroa]

What is the output of;

admin@RT-AC68U-8C98:/tmp/home/root# which date
/bin/date
admin@RT-AC68U-8C98:/tmp/home/root# date --help
BusyBox v1.25.1 (2018-02-13 16:08:41 EST) multi-call binary.

Usage: date [OPTIONS] [+FMT] [TIME]

Display time (using +FMT), or set time

        [-s,--set] TIME Set time to TIME
        -u,--utc        Work in UTC (don't convert to local time)
        -R,--rfc-2822   Output RFC-2822 compliant date string
        -I[SPEC]        Output ISO-8601 compliant date string
                        SPEC='date' (default) for date only,
                        'hours', 'minutes', or 'seconds' for date and
                        time to the indicated precision
        -r,--reference FILE     Display last modification time of FILE
        -d,--date TIME  Display TIME, not 'now'
        -D FMT          Use FMT for -d TIME conversion

Recognized TIME formats:
        hh:mm[:ss]
        [YYYY.]MM.DD-hh:mm[:ss]
        YYYY-MM-DD hh:mm[:ss]
        [[[[[YY]YY]MM]DD]hh]mm[.ss]
        'date TIME' form accepts MMDDhhmm[[YY]YY][.ss] instead
admin@RT-AC68U-8C98:/tmp/home/root#

In my router the output without padding character "_" is fine:

# echo $(date +"%b %d %T")
Feb 28 10:51:45

 

[Adamm]

In my router the output without padding character "_" is fine:

Okay this makes more sense now, it seems this is due to the differentiating versions of busybox between the HND and older platforms. It looks like blackfuel got it to compile some time ago, but @RMerlin was occupied with other changes and didn't want to merge it just yet. Maybe this is something that can be looked at again now the HND platform is more mature.

What is surprising is the fact the functionality of date regresses after a version update (you would expect the older version to have less functionality). I'll have to look through busybox changelogs to see what the deal is.

 

[rromeroa]

Okay this makes more sense now, it seems this is due to the differentiating versions of busybox between the HND and older platforms.

Ok, doubt solved. This behavior does not affect the correct functioning of your wonderful script.
Thanks very much.

 

[Adamm]

Ok, doubt solved. This behavior does not affect the correct functioning of your wonderful script.
Thanks very much.

I've reverted the change that caused the bug (it was put in place actually to fix an aesthetic bug with logs), but as this functionality isn't compatible on any device besides the AC86U until the BusyBox versions are unified, our OCD will have to suffer for the time being

You will have to force update to apply the changes as there was no version change.

 

[RMerlin]

What is surprising is the fact the functionality of date regresses after a version update (you would expect the older version to have less functionality). I'll have to look through busybox changelogs to see what the deal is.

On my firmware, HND actually has an older Busybox.

Asus ARM: 1.17
Asus HND: 1.24
Merlin HND: 1.24
Merlin ARM: 1.25

After 384.4 is done, I will take another look at moving HND to the same 1.25 version as the other ARM models.

 

[skeal]

@Adamm The logs on my ac3100 get cleansed of skynet entries every day at 9am roughly. On my ac68u this never happens the log entries stay. Any thoughts?

 

[Adamm]

@Adamm The logs on my ac3100 get cleansed of skynet entries every day at 9am roughly. On my ac68u this never happens the log entries stay. Any thoughts?

This is newish functionality to prevent "hogging" of the syslog. Every time 24 "Completed" entries are counted in the syslog, they are purged to skynet.log

You can review these entries via;

sh /jffs/scripts/firewall stats search reports

(You can also add a number after this command to change the TopX number)

In doing so we are able to significantly expand the overview (plus make it much more readable) and unclog the syslog for other applications at the same time.

 

[skeal]

This is newish functionality to prevent "hogging" of the syslog. Every time 24 "Completed" entries are counted in the syslog, they are purged to skynet.log

You can review these entries via;

sh /jffs/scripts/firewall stats search reports

(You can also add a number after this command to change the TopX number)

In doing so we are able to significantly expand the overview (plus make it much more readable) and unclog the syslog for other applications at the same time.

Excellent I thought I had a problem...lol. Thanks my friend!! This is a great script man!

 

[Adamm]

On my firmware, HND actually has an older Busybox.

Asus ARM: 1.17
Asus HND: 1.24
Merlin HND: 1.24
Merlin ARM: 1.25

After 384.4 is done, I will take another look at moving HND to the same 1.25 version as the other ARM models.

Thanks. Also for reference I was implying that for whatever reason even though HND's BusyBox is older, the date binary seems to have more functionality (it was stripped in 1.25.0 for whatever reason with no documentation). Regardless a unified version would be great.