Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

Yup. I did the same search and it wasn’t in the malware list. There wasn’t a reason mentioned. This happened a few times with YouTube. Wonder if this is somehow kicking off the IPS in the router.

No reason being shown indicates an autoban (which can be further confirmed by the first entry in the "stats search ip" command), in which case if the feature is causing too many issues, its as simple as disabling it. Personally I don't have said issues, but everyones setup is different.

 

[juched]

No reason being shown indicates an autoban (which can be further confirmed by the first entry in the "stats search ip" command), in which case if the feature is causing too many issues, its as simple as disabling it. Personally I don't have said issues, but everyones setup is different.

I will try to capture more of this happens again but it doesn’t seem to be an autoban either. Odd.


Sent from my iPhone using Tapatalk

 

[el pescador]

Thinking of giving this a go.
My problem.

FIFA 18.
They have added new game servers in germany which really doesnt agree with me...getting more input delay.(server game modes like daily knockout and world league....which will leave me with the other 2 locations in europe , holland and ireland )
So want to block all of germany.

If they have a game mode hub in germay (FUT for example) i will whitelist that ip address...for obvious reasons.

Question.
What would i enter to ban germany and would whitelisting let that one through?

Thanks

 

[Adamm]

What would i enter to ban germany

sh /jffs/scripts/firewall ban country de

and would whitelisting let that one through?

Whitelist takes priority over the blacklist yes, but weather or not the game would still function correctly you can only find out by testing.

 

[Adamm]

For awhile I thought to myself "If I could start over, what would I have done different". Eventually I made a list of limitations and flaws in the current implementation. Some of these I could fix without the coming update, others however require pretty significant internal changes.

Without spilling the beans too much, the new version should open the door for a lot more user customization, remove several script limitations, while getting rid of a lot of generic naming schemes that have been around since v1 which have the potential for future conflict (filenames, ipset names etc).

So to-do this, v6 will require an extensive "upgrade" function. To make sure this process smooth as possible for the thousands of Skynet users, I will require some Beta testers. I'm not sure on exact beta date (hopefully sometime in the coming week), I want to make sure I test it extensively on my local system and get it right the first time. Then once the beta testers confirm everything works as expected we can push it out to everyone.

So if you'd like to help out, let me know so I can contact you once we have a beta version to ship. Thanks

 

[el pescador]

sh /jffs/scripts/firewall ban country de

Whitelist takes priority over the blacklist yes, but weather or not the game would still function correctly you can only find out by testing.

Thanks a lot.
Its a great program.
Works for sure.
Shame all of EA's daily knockout servers are in germany lol..

Sure this will come in very handy though.
I test ips a lot with pingplotter so will have to manually input them.

I will be willing to beta test

 

[skeal]

For awhile I thought to myself "If I could start over, what would I have done different". Eventually I made a list of limitations and flaws in the current implementation. Some of these I could fix without the coming update, others however require pretty significant internal changes.

Without spilling the beans too much, the new version should open the door for a lot more user customization, remove several script limitations, while getting rid of a lot of generic naming schemes that have been around since v1 which have the potential for future conflict (filenames, ipset names etc).

So to-do this, v6 will require an extensive "upgrade" function. To make sure this process smooth as possible for the thousands of Skynet users, I will require some Beta testers. I'm not sure on exact beta date (hopefully sometime in the coming week), I want to make sure I test it extensively on my local system and get it right the first time. Then once the beta testers confirm everything works as expected we can push it out to everyone.

So if you'd like to help out, let me know so I can contact you once we have a beta version to ship. Thanks

I'm in let me know!

 

[DonnyJohnny]

Suggestion..
Can include a nslookup for domain in the Skynet option.

Reason
I want to have a quick check of the domain IP address before I whitelist them. I don’t want to exit Skynet to do a nslookup

 

[noworries]

While you're looking into the internals.. My ISP went down today for an extended period. I enabled dual-wan and set primary to my USB-3 connected phone in tethered mode (because failover/failback has never really worked for me).

Everything appeared to start up OK, but Skynet continuously failed its IPTables test. Skynet would block outbound connections, but the syslog showed no blocked inbound connections, until my ISP came back and after I then reconfigured the router to point at them first.

Maybe an edge case, but perhaps something to consider.
Thanks

 

[JaimeZX]

Forgive me for only reading the first few of the 110 pages in this thread. I haven't installed Skynet but I'm definitely interested.

What I'd like to do is apply rules to a specific local (Wifi) MAC address. Or static IP; either way.
So, for clarity: basically I want my IoT things to ONLY have contact with those WAN IPs required for them to operate properly and block everything else. I've been assigning them consecutive static IPs, so I think that bit should be easy. (192.168.10.210, 211, 212, etc.,)

I have also identified some remote IPs they communicate with on a regular basis, although I don't (yet) know which of them are required and which are just sniffing my data.

Thanks!

 

[Adamm]

While you're looking into the internals.. My ISP went down today for an extended period. I enabled dual-wan and set primary to my USB-3 connected phone in tethered mode (because failover/failback has never really worked for me).

Everything appeared to start up OK, but Skynet continuously failed its IPTables test. Skynet would block outbound connections, but the syslog showed no blocked inbound connections, until my ISP came back and after I then reconfigured the router to point at them first.

Maybe an edge case, but perhaps something to consider.
Thanks

Unfortunately I don't know enough about the dual wan code nor have any way to personally test what happens during a "switchover" to debug the issue.

Forgive me for only reading the first few of the 110 pages in this thread. I haven't installed Skynet but I'm definitely interested.

What I'd like to do is apply rules to a specific local (Wifi) MAC address. Or static IP; either way.
So, for clarity: basically I want my IoT things to ONLY have contact with those WAN IPs required for them to operate properly and block everything else. I've been assigning them consecutive static IPs, so I think that bit should be easy. (192.168.10.210, 211, 212, etc.,)

I have also identified some remote IPs they communicate with on a regular basis, although I don't (yet) know which of them are required and which are just sniffing my data.

Thanks!

Per device blocking is not currently possible with Skynet alone. The only close solution I could recommend would be the monitor the traffic from these devices and block anything non critical globally.

 

[HardCat]

For awhile I thought to myself "If I could start over, what would I have done different". Eventually I made a list of limitations and flaws in the current implementation. Some of these I could fix without the coming update, others however require pretty significant internal changes.

Without spilling the beans too much, the new version should open the door for a lot more user customization, remove several script limitations, while getting rid of a lot of generic naming schemes that have been around since v1 which have the potential for future conflict (filenames, ipset names etc).

So to-do this, v6 will require an extensive "upgrade" function. To make sure this process smooth as possible for the thousands of Skynet users, I will require some Beta testers. I'm not sure on exact beta date (hopefully sometime in the coming week), I want to make sure I test it extensively on my local system and get it right the first time. Then once the beta testers confirm everything works as expected we can push it out to everyone.

So if you'd like to help out, let me know so I can contact you once we have a beta version to ship. Thanks

@Adamm - I would be interested in lending a hand at testing the new beta when it is ready.

 

[XIII]

I might be able to beta test as well, depending on when you have the beta ready.

 

[JaimeZX]

Per device blocking is not currently possible with Skynet alone. The only close solution I could recommend would be the monitor the traffic from these devices and block anything non critical globally.

Adamm - Please don't get me wrong - I'm not a programmer but I took a few classes in college so I understand how much effort goes into this sort of thing and I appreciate that you've put a lot of work into Skynet! I guess I'm struggling to understand the utility here specifically with regards to my question about per-device filtering.
What about per-network? Is there a way to run one guest wifi (or one VLAN, whatever) in a whitelist-only technique? With there now being at least two MAJOR IoT botnets running, setting smart-home devices up to network whitelist-only seems very logical. Am I missing something? Thanks very much for your expertise here.

 

[Blacklistedcard]

What type of file system does everyone recommend for the swap file? FAT or EXT4....

 

[Adamm]

Adamm - Please don't get me wrong - I'm not a programmer but I took a few classes in college so I understand how much effort goes into this sort of thing and I appreciate that you've put a lot of work into Skynet! I guess I'm struggling to understand the utility here specifically with regards to my question about per-device filtering.
What about per-network? Is there a way to run one guest wifi (or one VLAN, whatever) in a whitelist-only technique? With there now being at least two MAJOR IoT botnets running, setting smart-home devices up to network whitelist-only seems very logical. Am I missing something? Thanks very much for your expertise here.

Skynet was not designed with this functionality in mind. It's a blacklist based system running on the whole network. Possibly in the future I will look towards this type of functionality, but for the time being you would have to adapt your usage to a blacklist based approach.

What type of file system does everyone recommend for the swap file? FAT or EXT4....

Personally I use ext4 on the same device as Skynet is installed.

 

[Blacklistedcard]

Personally I use ext4 on the same device as Skynet is installed.

Thanks........

 

[DonnyJohnny]

May I know what cause this?

Mar 16 00:00:17 Skynet: [Complete] 234616 IPs / 39658 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 1645 Inbound / 1197 Outbound Connections Blocked! [17s]
Mar 16 00:06:15 kernel: tdts_core_ioctl_udb_op_prog_ctrl() fail!
Mar 16 00:07:00 Skynet: [Complete] 192 IPs / 32323 Ranges Banned. -234424 New IPs / -7335 New Ranges Banned. 1653 Inbound / 1197 Outbound Connections Blocked! [119s]

 

[Adamm]

May I know what cause this?

Which commands did you use to produce the output?

Assuming the second was banmalware, it looks like there was some sort of disk error mid way which corrupted the data so only a partial amount of the downloaded lists were applied. I've never seen or heard of this before (the only google result was related to a GT-AC5300). I'd say it was just a weird once off error, without being able to reproduce it I can't do much debugging wise (its more of a firmware issue anyway then Skynet by the looks of it).

 

[DonnyJohnny]

Which commands did you use to produce the output?

Assuming the second was banmalware, it looks like there was some sort of disk error mid way which corrupted the data so only a partial amount of the downloaded lists were applied. I've never seen or heard of this before (the only google result was related to a GT-AC5300). I'd say it was just a weird once off error, without being able to reproduce it I can't do much debugging wise (its more of a firmware issue anyway then Skynet by the looks of it).

It was just a normal scheduled corn job ... I set it at every 6 hr 5 min...
This is not first time I saw this.. it happened in the last 24 hr. It seems to have this error at 0005 hr only throughout the day. I will change the update to every 6 hr at 10min and monitor.

Could it be memory issue? Due to recent update of pixelserv-tls and I am using dnscrypt-proxy v2 which used lots of memory resources.
Prior to the pixelserv-tls, the update is fine thou..

Could be data drive issue too.. I will find time to do a scan for error when I am free during weekend..