Skynet - Router Firewall & Security Enhancements


Is it normal that blocked IPs are no longer being written to syslog? I installed the latest Merlin 380.66, then did a factory reset and manually configured everything again... syslog has been clean for about 4 hours.

EDIT: It's writing again. First I ran
sh /jffs/scripts/firewall debug disable and then
sh /jffs/scripts/firewall debug enable
 

Debug mode is disabled upon reboot (or when the router firewall service gets reset).

To have it enabled regardless of reboots etc you would need to add the following line to the bottom of your /jffs/firewall-start file;

Code:
sh /jffs/scripts/firewall debug enable
 
I am totally new with this script and I do not understand it yet...
 

It's a mostly undocumented new feature, I don't blame you. Only way to find out is to ask :p
 
Can I use this for dynamic banning, and rely on RedHat's "Yet Another Malware" and "IBlocklist loader" for the malware and country banning?
 

I don't see any obvious conflicts. Do note that my script won't post detections from his scripts.

Please also make sure that the firewall script is being executed last as rule placement is important.
 
As of 360.66 there is a change in how the firewall-start script is handled. For the time being you may have to manually start the firewall upon boot.

If @RMerlin decides not to re-add similar functionality I will have to write a workaround into the script and change where it's called from, then use a cronjob to check if the restart_firewall event has been called (at the cost of reliability).
 
Code:
Another Malware Filter Script Detected And May Cause Conflicts, Are You Sure You Want To Continue? (yes/no)
To Ignore This Error In Future Use; "sh ./firewall banmalware -f"

What does this mean? So we can't run two different scripts with the same purpose?

This command inserted in services-start isn't working after reboot? Should this be integrated into the Skynet firewall script?
Code:
sh /jffs/scripts/firewall debug enable

It works if I start it manually over PuTTY... BTW, why do I get lots of Google IPs? Should I ban them?
Code:
May 14 10:32:21 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.174 DST=XX.XX.XX.XX LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=23569 PROTO=TCP SPT=443 DPT=45066 SEQ=3637572054 ACK=2749036775 WINDOW=42408 RES=0x00 ACK SYN URGP=0 OPT (020405640402080A6F9156F5003C6C9D01030307)
May 14 10:32:21 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.174 DST=XX.XX.XX.XX LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=23780 PROTO=TCP SPT=443 DPT=45066 SEQ=3637572054 ACK=2749036775 WINDOW=42408 RES=0x00 ACK SYN URGP=0 OPT (020405640402080A6F915821003C6C9D01030307)
May 14 10:32:22 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.174 DST=XX.XX.XX.XX LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=24187 PROTO=TCP SPT=443 DPT=45066 SEQ=3637572054 ACK=2749036775 WINDOW=42408 RES=0x00 ACK SYN URGP=0 OPT (020405640402080A6F915ADD003C6C9D01030307)
May 14 10:32:24 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.174 DST=XX.XX.XX.XX LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=25279 PROTO=TCP SPT=443 DPT=45066 SEQ=3637572054 ACK=2749036775 WINDOW=42408 RES=0x00 ACK SYN URGP=0 OPT (020405640402080A6F9162AC003C6C9D01030307)
May 14 10:32:26 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.174 DST=XX.XX.XX.XX LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=26338 PROTO=TCP SPT=443 DPT=45066 SEQ=3637572054 ACK=2749036775 WINDOW=42408 RES=0x00 ACK SYN URGP=0 OPT (020405640402080A6F916A7C003C6C9D01030307)
May 14 10:32:28 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.174 DST=XX.XX.XX.XX LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=27451 PROTO=TCP SPT=443 DPT=45066 SEQ=3637572054 ACK=2749036775 WINDOW=42408 RES=0x00 ACK SYN URGP=0 OPT (020405640402080A6F917256003C6C9D01030307)
May 14 10:32:32 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.174 DST=XX.XX.XX.XX LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=29627 PROTO=TCP SPT=443 DPT=45066 SEQ=3637572054 ACK=2749036775 WINDOW=42408 RES=0x00 ACK SYN URGP=0 OPT (020405640402080A6F9181F6003C6C9D01030307)
May 14 10:32:33 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.174 DST=XX.XX.XX.XX LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=30267 PROTO=TCP SPT=443 DPT=18731 SEQ=3170448668 ACK=2326985664 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
May 14 10:32:33 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.174 DST=XX.XX.XX.XX LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=49007 PROTO=TCP SPT=443 DPT=18733 SEQ=1720297655 ACK=170901996 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
May 14 10:32:33 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.36 DST=XX.XX.XX.XX LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=43625 PROTO=TCP SPT=443 DPT=18732 SEQ=3118317615 ACK=3193391771 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
May 14 10:32:34 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.174 DST=XX.XX.XX.XX LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=49164 PROTO=TCP SPT=443 DPT=18736 SEQ=509638654 ACK=2701904863 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
May 14 10:32:34 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.174 DST=XX.XX.XX.XX LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=64257 PROTO=TCP SPT=443 DPT=18734 SEQ=868246697 ACK=2569651033 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
May 14 10:32:34 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.36 DST=XX.XX.XX.XX LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=7526 PROTO=TCP SPT=443 DPT=18735 SEQ=4233219979 ACK=480342590 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
May 14 10:32:34 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.174 DST=XX.XX.XX.XX LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=49219 PROTO=TCP SPT=443 DPT=18733 SEQ=1720297655 ACK=170901996 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
May 14 10:32:34 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.174 DST=XX.XX.XX.XX LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=30478 PROTO=TCP SPT=443 DPT=18731 SEQ=3170448668 ACK=2326985664 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
May 14 10:32:34 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.36 DST=XX.XX.XX.XX LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=43753 PROTO=TCP SPT=443 DPT=18732 SEQ=3118317615 ACK=3193391771 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
May 14 10:32:34 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.174 DST=XX.XX.XX.XX LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=49394 PROTO=TCP SPT=443 DPT=18736 SEQ=509638654 ACK=2701904863 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
May 14 10:32:34 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.174 DST=XX.XX.XX.XX LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=64358 PROTO=TCP SPT=443 DPT=18734 SEQ=868246697 ACK=2569651033 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
May 14 10:32:34 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.36 DST=XX.XX.XX.XX LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=7569 PROTO=TCP SPT=443 DPT=18735 SEQ=4233219979 ACK=480342590 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
May 14 10:32:36 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.174 DST=XX.XX.XX.XX LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=31503 PROTO=TCP SPT=443 DPT=18731 SEQ=3170448668 ACK=2326985664 WINDOW=42780 RES=0x00 ACK SYN URGP=0 OPT (020405640101040201030307)
 
so we can't run two different scripts with same purpose
Redhat27, swetoast and my own malware banning scripts all use the same filter sources compiled by yours truly. This check is in place because there is no reason to use multiple scripts to ban the same list of IPs and only needs to be done from one of the 3 scripts.

why I got lots of Google IPs? should I ban them
Due to bad coding on their behalf, these IPs are picked up by either the router's built-in SPI firewall or DoS protection as potentially malicious. Apple is another legitimate service which sometimes gets detected by these measures.

In the event I scan the logs and find a legitimate provider being banned, I have been manually adding them to the whitelist for the time being. I will work on better false positive detection in the coming updates.

Please run the following command in SSH and paste the result;

Code:
nvram get fw_dos_x
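To triage a debug log for the false positives discussed above, here is an added example (not part of Skynet or this thread) that tallies "[BLOCKED - RAW]" lines per source IP and flags SYN/ACK packets from port 443 or 80, which are replies from a server a LAN client contacted rather than unsolicited inbound connections. The classification heuristic and the sample log lines are my own assumptions; the third sample line is constructed.

```shell
#!/bin/sh
# Constructed sample of Skynet "[BLOCKED - RAW]" syslog lines (not taken from a live router).
SAMPLE='May 14 10:32:21 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.174 DST=XX.XX.XX.XX LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=23569 PROTO=TCP SPT=443 DPT=45066 SEQ=3637572054 ACK=2749036775 WINDOW=42408 RES=0x00 ACK SYN URGP=0
May 14 10:32:33 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=216.58.209.36 DST=XX.XX.XX.XX LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=43625 PROTO=TCP SPT=443 DPT=18732 SEQ=3118317615 ACK=3193391771 WINDOW=42780 RES=0x00 ACK SYN URGP=0
May 14 10:40:01 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=XX.XX.XX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=51234 DPT=22 SEQ=1 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0'

# Reads syslog text on stdin and prints "SRC class count", one line per source/class.
# class is "server-reply" when the packet is a SYN/ACK from a well-known web port
# (a candidate false positive such as the Google hits above), else "unsolicited".
summarize_blocked() {
    awk '
    /\[BLOCKED - RAW\]/ {
        src = ""; spt = ""; synack = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)      src = substr($i, 5)
            else if ($i ~ /^SPT=/) spt = substr($i, 5)
            else if ($i == "SYN" && $(i - 1) == "ACK") synack = 1
        }
        class = (synack && (spt == 443 || spt == 80)) ? "server-reply" : "unsolicited"
        n[src " " class]++
    }
    END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# Stand-alone usage: summarize the constructed sample (on a router: cat /tmp/syslog.log | summarize_blocked).
printf '%s\n' "$SAMPLE" | summarize_blocked
```

Sources that only ever appear as server-reply are worth checking against the whitelist before leaving them banned; unsolicited SYNs to ports like 22 are the ones the ban list is meant for.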
 
Do you recommend disabling DOS protection then, if it's throwing false positives?
 

That's one of the measures I've been investigating and force disabling it on boot, but ideally I'd like to be keeping all features compatible.
 
I have pushed an update to fully support "DoS Protection". Please run the following commands after doing so (or reboot)

Code:
service restart_firewall
sh /jffs/scripts/firewall start

You may want to clear your blacklists after this update if you were experiencing false positive bans prior from providers like google/apple.

Code:
sh /jffs/scripts/firewall unban all
 
@Adamm out of interest, why does your script run from firewall-start rather than services-start?

services-start only gets called once initially at boot.

firewall-start gets called every time a change is made to iptables rules. This happens a lot more than you think; a good amount of GUI options will completely clear and rebuild iptables rules after pressing apply (thus losing all Skynet rules).
 
I thought so, I wondered why iblocklistloader and ya-malware recommended the one time run. I suppose that's a question for @redhat27 !

Most scripts until recently used firewall-start, but as of 380.66 there has been a functionality change (the script is initiated multiple times at boot) and what I believe to be a bug which hopefully will be fixed or similar functionality added (any IPTables rules called from here are not applied).
 
firewall-start has always been able to be called multiple times during boot, and I doubt your assertion that iptables rules are not being applied.

Didn't you move your rules from the filter table to the raw table? More likely is that the raw table may be directly flushed/modified by the Trend Micro engine, just like is possible with the mangle table. (You cannot guarantee that your changes to the mangle table via firewall-start won't be silently removed, and is why the VPN selective routing was done via routes and not the mangle table).
 
Solved
 
Try supplying the complete path to the iptables command.

You might also want to redirect the output of that command to a debug file to see what it returns.
 