DonnyJohnny
Very Senior Member
So? Whitelist and get them unblock. What you waiting for?
Skynet Skynet - Router Firewall & Security Enhancements
Adamm
Part of the Furniture
That indicates USB related issues, I suggest starting with a reboot.
Looks like its a regional CDN, luckily whitelisting is pretty painless.
bitmonster
Senior Member
Thanks for your hard work!!! I was looking at Comodo and Google DNS (I already have Diversion installed, and I am not sure if Diversion and a custom DNS play nicely), and was wondering if blocking at the router level is actually a better option.
What are freely available blocklists like? Could I get theoretically as good if not better protection than say with Comodo Secure DNS? If something is blocked, for example my wife going to a stupid phishing site, can it present some sort of warning page?
I'm sporting a Asus RT-AC86U with everything running too so I hope it can handle this running as well - I assume it's literally just a script working with the already running firewall.
The reports look interesting too, which is what I was looking for with Comodo Secure DNS anyway.
What are freely available blocklists like? Could I get theoretically as good if not better protection than say with Comodo Secure DNS? If something is blocked, for example my wife going to a stupid phishing site, can it present some sort of warning page?
I'm sporting a Asus RT-AC86U with everything running too so I hope it can handle this running as well - I assume it's literally just a script working with the already running firewall.
The reports look interesting too, which is what I was looking for with Comodo Secure DNS anyway.
Adamm
Part of the Furniture
I guess it comes down to personal preference. I like to block things at a router level myself rather then rely on a third party service.
As for a "warning page", this is unfortunately not possible in its current design and instead it will just time you out, but identifying a block is pretty simple once you know what you're doing.
bitmonster
Senior Member
I'm with you. DNS filtering is nice but it seems like a 'layered' protection to me. Actual IP blocking is more solid. Where do these block lists come from and who maintains them anyway?
So with Diversion + Skynet + AIProtection it should be pretty solid now, except when I leave home :-( Which I'm working on via persistent VPN.
Adamm
Part of the Furniture
Skynet suggests the following lists by default but this can be customized to your liking. They are sourced from a number of reputable vendors.
https://github.com/Adamm00/IPSet_ASUS/blob/master/filter.list
bitmonster
Senior Member
Oh ok thanks..
So when say a phishing scam goes around there is a chance it may appear on these blocklists.
All the more reason to also implement on my mobile or force persistent VPN back through home.
Sent from my SM-G965F using Tapatalk
So when say a phishing scam goes around there is a chance it may appear on these blocklists.
All the more reason to also implement on my mobile or force persistent VPN back through home.
Sent from my SM-G965F using Tapatalk
Adamm
Part of the Furniture
Thats the plan
I highly suggest this setup which I use myself assuming you have enough bandwidth on both ends. That way you can take the benefits of Skynet + Diversion on any mobile device on other networks.
bitmonster
Senior Member
How did you force VPN clients to use local DNS and firewall? Do you use VPN auto connect? Any side effects?
Sent from my SM-G965F using Tapatalk
Sent from my SM-G965F using Tapatalk
Adamm
Part of the Furniture
Pretty straight forward setup, setup the OpenVPN server on your router and make sure “Advertise DNS to clients” is enabled.
Then I just connect using the openvpn app on my iPhone which has a range of options like only connect while on mobile networks.
M
M@rco
Guest
^Tripper^
Senior Member
Thought so but whenever I tried that, only the first country seemed to get banned. Figured ‘‘twas just something stupid I did. Will try that again once I’m back home.
Adamm
Part of the Furniture
The positioning of the quotes is important.
truglodite
Regular Contributor
Thank you so much sir. You have put my mind at rest. It looked to me that it was a legit NTP request also. I'm just wondering why a USA security company installed in central Canada would need to sync time with a server in the Ukraine? Hmmm....bit of a mystery.
Not sure if your security devices need wan access for more than ntp, but if not, you might try making use of this script by Martineau:
https://www.snbforums.com/threads/h...ce-stopping-outbound-connections.38086/page-2
I use it to block all outside access for my security cameras (I use a vpn for access, and have a secured app for phone notifications). The script also blocks ntp. So I use this script to run an ntp daemon right on the router for all local devices to use (in particular the cams which have no other means to get time):
https://github.com/RMerl/asuswrt-merlin/wiki/Setting-up-an-NTP-Server-for-your-local-lan
I suppose it wouldn't be hard to edit Martineau's script to allow comms through wan if you need that. Either way, this might be a way for you to avoid having to whitelist ntp servers.
^Tripper^
Senior Member
This is the result of trying to ban "cn pk kp"
/jffs/scripts/firewall: /tmp/mnt/rstick/skynet/skynet.cfg: line 17: pk: not found
Adamm
Part of the Furniture
Code:
skynet@RT-AC86U-2EE8:/tmp/home/root# sh /jffs/scripts/firewall ban country "cn pk kp"
#############################################################################################################
# _____ _ _ __ #
# / ____| | | | / / #
# | (___ | | ___ _ _ __ ___| |_ __ __/ /_ #
# \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \ #
# ____) | <| |_| | | | | __/ |_ \ V /| (_) | #
# |_____/|_|\_\\__, |_| |_|\___|\__| \_/ \___/ #
# __/ | #
# |___/ #
# #
## - 24/09/2018 - Asus Firewall Addition By Adamm v6.4.7 #
## https://github.com/Adamm00/IPSet_ASUS #
#############################################################################################################
[i] Banning Known IP Ranges For (cn pk kp)
[i] Downloading Lists
[i] Filtering IPv4 Ranges & Applying Blacklists
[i] Saving Changes
[#] 162618 IPs (+0) -- 7291 Ranges Banned (+5419) || 3308 Inbound -- 86 Outbound Connections Blocked! [ban] [6s]
skynet@RT-AC86U-2EE8:/tmp/home/root#Works for me, are you using the same command?
Adamm
Part of the Furniture
I think I can reproduce this, if you are using the menu there's no need for quotes, I'll add an automated check to the function.
^Tripper^
Senior Member
Pretty sure. Tried "cn pk kp" and got the previous result. Now I tried the following;
Input Country Abbreviations To Ban:
[Countries]: "cn kp pk"
[$] /jffs/scripts/firewall ban country "cn kp pk"
Banning Known IP Ranges For ("cn kp pk")
Downloading Lists
Filtering IPv4 Ranges & Applying Blacklists
ipset v6.32: Unknown argument: `kp'
Try `ipset help' for more information.
Saving Changes
[#] 162786 IPs (+0) -- 1889 Ranges Banned (+0) || 0 Inbound -- 127 Outbound Connections Blocked! [ban] [10s]
Unknown argument?
Similar threads
Similar threads
Similar threads
-
-
Skynet Skynet showing router itself making calls to China?
- Started by Skywise
- Replies: 26
-
Skynet Skynet - Blocked outbounds coming from the router itself?
- Started by JuanGF
- Replies: 12
-
Skynet Installing Skynet causes router to crash and reboot
- Started by ovancantfort
- Replies: 26
-
Skynet I have installed the skynet firewall how do I configure it if the security of iot devices is important?
- Started by lenovomen
- Replies: 2
-
Skynet Message on SKYNET I havent seen before- Started by Davidncali001
- Replies: 1
-
-
-
Skynet SkyNet/Firewall blocking all ping requests, including outbound
- Started by nearlyheadlessarvie
- Replies: 6
-
Skynet SOLVED: Scrollbar Disappears on Skynet Tab on Asuswrt-Merlin 386.14
- Started by WRobertE
- Replies: 10