Skynet - Router Firewall & Security Enhancements

Question.
If Skynet lets an invalid packet come in due to the whitelist, would the router's own SPI have dropped it? When we say whitelist, are we just letting the packet in to be processed by the router?

My understanding is that the first line of defence is the Skynet ipset at the raw stage, then the packet enters mangle, filter and nat? Is there a filter iptables rule blocking those invalid packets? That is what I see in the iptables.

-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP

I can't directly speak to the entire routing chain... But I can tell you that invalid packets from whitelisted hosts WERE making it to devices on my LAN when SkyNet's Autoban iptables rules were in place.

Please read through the messages between me, @Adamm, and @john9527 earlier in this thread -- there is ample evidence there. The ACCEPT rule for whitelisted hosts allowed the invalid packets to reach the LAN.
 
I can't directly speak to the chain... But I can tell you that invalid packets from whitelisted hosts WERE making it to devices on my LAN when the SkyNet Autoban was used.
Can you try adding this to the mangle table
iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
 
Question.
If Skynet lets an invalid packet come in due to the whitelist, would the router's own SPI have dropped it? When we say whitelist, are we just letting the packet in to be processed by the router?



For me, what I did was add the following to block them at the mangle table, even before the packets are processed by the router:
iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
What does this do?
Code:
iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
 
Can you try adding this to the mangle table
iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
No, I'm up to date with current Skynet and it is working perfectly. Removing the iptables rules (in particular, the Accept for whitelisted hosts) fixed the issue. I documented that in earlier posts, take a look at the iptables stats with various changes to the rules -- all posted in earlier messages.
 
What does this do?
Code:
iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
You can check your iptables (iptables -S) and you will see (if you have enabled the firewall):
-A INPUT -m state --state INVALID -j DROP

It is a similar function of dropping invalid packets, but even before they are processed at the filter table. They are being dropped at the mangle table.
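As an added illustration of the rule-ordering question in this post and in the earlier reports of whitelisted hosts reaching the LAN (not code from Skynet or from anyone in the thread): the script below parses an iptables-save style dump and flags any ACCEPT that sits above a chain's INVALID drop, treating the mangle PREROUTING drop suggested above as covering all traffic arriving on an interface. The dump, the Whitelist ipset rule and the function names are constructed assumptions; only the INVALID drop rules are taken from the thread.

```python
from collections import defaultdict

# Constructed iptables-save style dump.  The two INVALID drops are the filter
# rules quoted in the thread; the ipset ACCEPT on FORWARD is an assumed stand-in
# for a whitelist accept placed above them (not Skynet's actual rule text).
SAMPLE_DUMP = """\
*mangle
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m set --match-set Whitelist src -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
COMMIT
"""
# The rule suggested in the thread: conntrack has already run by the time
# mangle PREROUTING is evaluated, so INVALID can be dropped there, before filter.
MANGLE_FIX = "-A PREROUTING -m conntrack --ctstate INVALID -j DROP"

def parse_dump(text):
    """Return {table: {chain: [rule body, ...]}}, keeping rule order per chain."""
    tables = defaultdict(lambda: defaultdict(list))
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table is not None and line.startswith("-A "):
            chain, body = line[3:].split(" ", 1)
            tables[table][chain].append(body)
    return tables

def is_invalid_drop(rule):
    return "INVALID" in rule and rule.endswith("-j DROP")

def unchecked_accepts(text):
    """(table, chain, rule) for each ACCEPT that sits above the INVALID drop in
    its chain, unless mangle PREROUTING already drops INVALID for all inbound."""
    tables = parse_dump(text)
    if any(is_invalid_drop(r) for r in tables["mangle"]["PREROUTING"]):
        return []
    findings = []
    for table, chains in tables.items():
        for chain, rules in chains.items():
            drop_at = next((i for i, r in enumerate(rules) if is_invalid_drop(r)), None)
            if drop_at is not None:
                findings += [(table, chain, r) for r in rules[:drop_at] if r.endswith("-j ACCEPT")]
    return findings
```

Note that, as Adamm points out later in the thread, dropping in mangle also removes the packet before any filter-stage LOG rule sees it.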
 
Can you try adding this to the mangle table
iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

This is no longer relevant as the autobanning functionality was removed. But this would have effectively defeated the purpose anyway.

Dropping the packet at any stage before Skynet logged it would have been equivalent to autobanning being disabled.
 
This is no longer relevant as the autobanning functionality was removed. But this would have effectively defeated the purpose anyway.

Dropping the packet at any stage before Skynet logged it would have been equivalent to autobanning being disabled.
End of story... now I know why I don't see autoban at work... lol..
 
See https://docs.microsoft.com/en-us/pr.../it-pro/windows-server-2003/cc758040(v=ws.10)

The article is about "Interpreting the Windows Firewall Log"; it should give enough info to allow, with a bit of 'guesstimation', the firewall logs to be understood.
(Pay attention to the tcpflags abbreviations as they are slightly different, e.g. urg is urgp in the router logs.)

Hope this helps.

Also see https://ubuntuforums.org/showthread...77735e91c1eedbbe60eb2&p=12361050#post12361050
Thanks much!!
 
@Adamm, the events log skips hours on a daily basis now. This is a search for the last 10 hours of the hourly report. The syslog is cleared more often than before. I'd like to see what the banmalware command does each day when the cron runs.

Code:
Apr  4 22:07:13 Skynet: [Complete] 117296 IPs / 1689 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 64 Inbound / 0 Outbound Connections Blocked! [debug] [4s]
Apr  4 22:25:07 Skynet: [Complete] 117296 IPs / 1689 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 87 Inbound / 0 Outbound Connections Blocked! [debug] [1057s]
Apr  5 20:44:03 Skynet: [Complete] 115510 IPs / 1703 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 1601 Inbound / 0 Outbound Connections Blocked! [whitelist] [13s]
Apr  5 21:00:02 Skynet: [Complete] 115510 IPs / 1703 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 1619 Inbound / 0 Outbound Connections Blocked! [save] [2s]
Apr  5 21:01:49 Skynet: [Complete] 115510 IPs / 1703 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 1620 Inbound / 0 Outbound Connections Blocked! [whitelist] [12s]
Apr  5 21:05:59 Skynet: [Complete] 115510 IPs / 1703 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 1622 Inbound / 0 Outbound Connections Blocked! [whitelist] [14s]
Apr  5 21:14:57 Skynet: [Complete] 115510 IPs / 1703 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 1632 Inbound / 0 Outbound Connections Blocked! [whitelist] [16s]
Apr  6 06:00:02 Skynet: [Complete] 105887 IPs / 1720 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 2308 Inbound / 0 Outbound Connections Blocked! [save] [2s]
Apr  6 07:00:01 Skynet: [Complete] 105887 IPs / 1720 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 2381 Inbound / 0 Outbound Connections Blocked! [save] [1s]
Apr  6 08:00:02 Skynet: [Complete] 105887 IPs / 1720 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 2448 Inbound / 0 Outbound Connections Blocked! [save] [2s]

Skynet: [Complete] 105887 IPs / 1720 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 2498 Inbound / 0 Outbound Connections Blocked! [stats] [1s]
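An added example, not from Skynet or from the poster, that reads the summary lines above to quantify the "skipped hours": it parses the [Complete] lines and reports consecutive reports more than an hour apart, together with how much the inbound-blocked counter and the banlist size moved across each gap. The year 2018 is assumed (syslog lines carry none) and the function names are mine.

```python
import re
from datetime import datetime, timedelta

# A subset of the Skynet "[Complete]" summary lines quoted in the post above; the
# final line (from a manual "stats" run) has no syslog timestamp and is skipped.
SAMPLE_LOG = """\
Apr  4 22:07:13 Skynet: [Complete] 117296 IPs / 1689 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 64 Inbound / 0 Outbound Connections Blocked! [debug] [4s]
Apr  4 22:25:07 Skynet: [Complete] 117296 IPs / 1689 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 87 Inbound / 0 Outbound Connections Blocked! [debug] [1057s]
Apr  5 20:44:03 Skynet: [Complete] 115510 IPs / 1703 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 1601 Inbound / 0 Outbound Connections Blocked! [whitelist] [13s]
Apr  5 21:00:02 Skynet: [Complete] 115510 IPs / 1703 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 1619 Inbound / 0 Outbound Connections Blocked! [save] [2s]
Apr  5 21:14:57 Skynet: [Complete] 115510 IPs / 1703 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 1632 Inbound / 0 Outbound Connections Blocked! [whitelist] [16s]
Apr  6 06:00:02 Skynet: [Complete] 105887 IPs / 1720 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 2308 Inbound / 0 Outbound Connections Blocked! [save] [2s]
Apr  6 07:00:01 Skynet: [Complete] 105887 IPs / 1720 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 2381 Inbound / 0 Outbound Connections Blocked! [save] [1s]
Skynet: [Complete] 105887 IPs / 1720 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 2498 Inbound / 0 Outbound Connections Blocked! [stats] [1s]
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) Skynet: \[Complete\] "
    r"(?P<ips>\d+) IPs / (?P<ranges>\d+) Ranges Banned\. "
    r"(?P<new_ips>\d+) New IPs / (?P<new_ranges>\d+) New Ranges Banned\. "
    r"(?P<inbound>\d+) Inbound / (?P<outbound>\d+) Outbound Connections Blocked! "
    r"\[(?P<trigger>\w+)\] \[(?P<secs>\d+)s\]$"
)

def parse_skynet_log(text, year=2018):
    """Parse timestamped Skynet summary lines into dicts; syslog lines carry no
    year, so one is supplied (2018 is assumed from the Skynet version date)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other syslog noise, or the untimestamped "stats" line
        d = m.groupdict()
        ts = " ".join(d.pop("ts").split())  # collapse the padded day column
        entry = {k: int(v) for k, v in d.items() if k != "trigger"}
        entry["trigger"] = d["trigger"]
        entry["ts"] = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        entries.append(entry)
    return entries

def find_gaps(entries, max_gap=timedelta(hours=1)):
    """Report consecutive reports further apart than max_gap (the hourly cron
    should leave a [save] line every hour), with the inbound-blocked delta."""
    gaps = []
    for prev, cur in zip(entries, entries[1:]):
        gap = cur["ts"] - prev["ts"]
        if gap > max_gap:
            gaps.append({"after": prev["ts"], "until": cur["ts"], "gap": gap,
                         "inbound_delta": cur["inbound"] - prev["inbound"],
                         "banlist_changed": cur["ips"] != prev["ips"]})
    return gaps
```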
 
Content of my debug output...

Code:
Router Model; RT-AC87U
Skynet Version; v6.1.0 (04/04/2018)
iptables v1.4.15 - (ppp0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
FW Version; 384.4_2 (Mar 24 2018) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/ASUS/skynet (314.4M / 962.6M Space Available)
SWAP File; /tmp/mnt/ASUS/myswap.swp (514.0M)
Boot Args; /jffs/scripts/firewall start skynetloc=/tmp/mnt/ASUS/skynet
No Lock File Found

Checking Install Directory Write Permissions...         [Passed]
Checking Firewall-Start Entry...                        [Passed]
Checking Services-Stop Entry...                         [Passed]
Checking CronJobs...                                    [Passed]
Checking IPSet Comment Support...                       [Passed]
Checking Log Level 5 Settings...                        [Passed]
Checking For Duplicate Rules In RAW...                  [Passed]
Checking Inbound Filter Rules...                        [Passed]
Checking Inbound Debug Rules                            [Passed]
Checking Outbound Filter Rules...                       [Passed]
Checking Outbound Debug Rules                           [Passed]
Checking Whitelist IPSet...                             [Passed]
Checking BlockedRanges IPSet...                         [Passed]
Checking Blacklist IPSet...                             [Passed]
Checking Skynet IPSet...                                [Passed]
Checking For AB-Solution Plus Content...                [Dismissed]

Skynet: [Complete] 104927 IPs / 1724 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 1330 Inbound / 15 Outbound Connections Blocked! [debug] [1s]

Just checking if I got Skynet and AB-Solution installed properly with the 'Dismissed' result?
 
Crazy world out there


My ip is being knocked like crazy for the past 3 days.
 
@Adamm, the events log skips hours on a daily basis now. This is a search for the last 10 hours of the hourly report. The syslog is cleared more often than before. I'd like to see what the banmalware command does each day when the cron runs.


I’d have to see your full syslog to see what happened. It’s possible the syslog hit the size limit and purged itself. Are other syslog entries from this period still present?
 
Just checking if I got Skynet and AB-Solution installed properly with the 'Dismissed' result?

In ab-solution you need to “add plus content” under the option [ b ].
 
I’d have to see your full syslog to see what happened. It’s possible the syslog hit the size limit and purged itself. Are other syslog entries from this period still present?
The syslog has purged three times today. Nothing significant has changed except now a huge increase in DROP IN=eth.... entries. Here is all I have from the last purge. I looked in /jffs and /tmp, where there are sometimes other copies, but none found.

edit - I obviously obfuscated my MAC and IP.
https://pastebin.com/M7Wukjg2
 
The syslog has purged three times today. Nothing significant has changed except now a huge increase in DROP IN=eth.... entries. Here is all I have from the last purge. I looked in /jffs and /tmp, where there are sometimes other copies, but none found.
https://pastebin.com/M7Wukjg2

The DROP IN entries are filling up your syslog, causing it to be purged by the system. Maybe in a future version I'll manage these under Skynet and rebrand them into a separate category so users don't think they are a regular inbound entry.
 
The DROP IN entries are filling up your syslog, causing it to be purged by the system. Maybe in a future version I'll manage these under Skynet and rebrand them into a separate category so users don't think they are a regular inbound entry.
I suspected as much. I know I can turn them off in the Asuswrt firewall settings. I like to see what is going on. This is just one more push for me to get syslog-ng working, pain in the #$% that it has been with attempts to date on my AC86U; something is strange on this router for some Entware apps. Others have issues with the NTP daemon. Thanks.
 
I suspected as much. I know I can turn them off in the Asuswrt firewall settings. I like to see what is going on. This is just one more push for me to get syslog-ng working, pain in the #$% that it has been with attempts to date on my AC86U; something is strange on this router for some Entware apps. Others have issues with the NTP daemon. Thanks.

I've pushed v6.1.1 which now tracks invalid packets being dropped.
 
The attacks are what really ruin the Internet. Can everyone imagine what things would be like if these attacks did not exist?
Well... it is a cycle... in the past, before DDoS was the trend, we had viruses, and people know lots of viruses are created by anti-virus companies to make consumers subscribe to them for the antidote.
Now the same trend... the anti-DDoS market is blooming... but the game is now at a whole new level. The attacks are getting bigger and bigger, with the recent 1.7Tbps DDoS on GitHub. And not only DDoS, but ransomware is also a trend. People no longer need to rob on the street. Everyone is riding on the digital world.
 
