Skynet Skynet - Router Firewall & Security Enhancements

[DonnyJohnny]

Both Alexa on a 7th Gen Fire HD and World of Tanks updater are blocked

So? Whitelist and get them unblock. What you waiting for?

 

[Adamm]

Hmm, that's possible. Interestingly I can't find the specific whiteliste entry in Skynet anymore. But I also get
`touch: /tmp/mnt/sda1/skynet/events.log: Input/output error`

That indicates USB related issues, I suggest starting with a reboot.

and then there's

Looks like its a regional CDN, luckily whitelisting is pretty painless.

Both Alexa on a 7th Gen Fire HD and World of Tanks updater are blocked

Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

Don't worry, tracking down false positive bans was at the core of design. Generally speaking you can follow these steps to find (and whitelist) anything incorrectly on your Blacklist!

1.) Enable Debug Mode

sh /jffs/scripts/firewall settings debugmode enable

2.) Open the blocked application/website and use the command;

sh /jffs/scripts/firewall debug watch

Now look for a flood of [BLOCKED - OUTBOUND] coming from the same IP. This most likely will be the IP you are looking for if its being spammed in large numbers.

3.) Copy the IP following "DST=" it should look something like this;

DST=175.115.37.52

4.) Double check the IP is not actually something that should be banned, use a search tool like alienvault. If its related to a domain additional "Associated Domain" information should be printed beneath the log.

https://otx.alienvault.com/indicator/ip/175.115.37.52/

5.) Great we have confirmed we found the IP of the blocked website/application we are looking for, lets whitelist it!

sh /jffs/scripts/firewall whitelist ip 175.115.37.52

 

[dmsims]

I already have - just thought it might save some time for someone if they do a search ...........

The error in Alexa is ambiguous to say the least:

Certificate error, please update Android system webview

 

[bitmonster]

Thanks for your hard work!!! I was looking at Comodo and Google DNS (I already have Diversion installed, and I am not sure if Diversion and a custom DNS play nicely), and was wondering if blocking at the router level is actually a better option.

What are freely available blocklists like? Could I get theoretically as good if not better protection than say with Comodo Secure DNS? If something is blocked, for example my wife going to a stupid phishing site, can it present some sort of warning page?

I'm sporting a Asus RT-AC86U with everything running too so I hope it can handle this running as well - I assume it's literally just a script working with the already running firewall.

The reports look interesting too, which is what I was looking for with Comodo Secure DNS anyway.

 

[Adamm]

Thanks for your hard work!!! I was looking at Comodo and Google DNS (I already have Diversion installed, and I am not sure if Diversion and a custom DNS play nicely), and was wondering if blocking at the router level is actually a better option.

What are freely available blocklists like? Could I get theoretically as good if not better protection than say with Comodo Secure DNS? If something is blocked, for example my wife going to a stupid phishing site, can it present some sort of warning page?

I'm sporting a Asus RT-AC86U with everything running too so I hope it can handle this running as well - I assume it's literally just a script working with the already running firewall.

The reports look interesting too, which is what I was looking for with Comodo Secure DNS anyway.

I guess it comes down to personal preference. I like to block things at a router level myself rather then rely on a third party service.

As for a "warning page", this is unfortunately not possible in its current design and instead it will just time you out, but identifying a block is pretty simple once you know what you're doing.

 

[bitmonster]

I guess it comes down to personal preference. I like to block things at a router level myself rather then rely on a third party service.

I'm with you. DNS filtering is nice but it seems like a 'layered' protection to me. Actual IP blocking is more solid. Where do these block lists come from and who maintains them anyway?

So with Diversion + Skynet + AIProtection it should be pretty solid now, except when I leave home :-( Which I'm working on via persistent VPN.

 

[Adamm]

I'm with you. DNS filtering is nice but it seems like a 'layered' protection to me. Actual IP blocking is more solid. Where do these block lists come from and who maintains them anyway?

So with Diversion + Skynet + AIProtection it should be pretty solid now, except when I leave home :-( Which I'm working on via persistent VPN.

Skynet suggests the following lists by default but this can be customized to your liking. They are sourced from a number of reputable vendors.

https://github.com/Adamm00/IPSet_ASUS/blob/master/filter.list

 

[bitmonster]

Oh ok thanks..

So when say a phishing scam goes around there is a chance it may appear on these blocklists.

All the more reason to also implement on my mobile or force persistent VPN back through home.

Sent from my SM-G965F using Tapatalk

 

[Adamm]

So when say a phishing scam goes around there is a chance it may appear on these blocklists.

Thats the plan

All the more reason to also implement on my mobile or force persistent VPN back through home.

I highly suggest this setup which I use myself assuming you have enough bandwidth on both ends. That way you can take the benefits of Skynet + Diversion on any mobile device on other networks.

 

[bitmonster]

How did you force VPN clients to use local DNS and firewall? Do you use VPN auto connect? Any side effects?

Sent from my SM-G965F using Tapatalk

 

[Adamm]

How did you force VPN clients to use local DNS and firewall? Do you use VPN auto connect? Any side effects?

Sent from my SM-G965F using Tapatalk

Pretty straight forward setup, setup the OpenVPN server on your router and make sure “Advertise DNS to clients” is enabled.

Then I just connect using the openvpn app on my iPhone which has a range of options like only connect while on mobile networks.

 

[^Tripper^]

Forgive my ignorance but can I do the following;

1) list the country abbreviations
2) select more then 1 country to block?

I’ve blocked CN which I’m assuming is China but how do I add to that list?

I’m sure the answer is simple, obvious and show how clueless I am. )

 

[M@rco]

can I do the following;

1) list the country abbreviations
2) select more then 1 country to block?

( sh /jffs/scripts/firewall ban country "pk cn sa" ) This Bans The Known IPs For The Specified Countries (Accepts Single/Multiple Inputs If Quoted) http://www.ipdeny.com/ipblocks/data/countries/

From the first post:

https://www.snbforums.com/threads/s...mic-malware-country-manual-ip-blocking.16798/

 

[^Tripper^]

From the first post:

https://www.snbforums.com/threads/s...mic-malware-country-manual-ip-blocking.16798/

Thought so but whenever I tried that, only the first country seemed to get banned. Figured ‘‘twas just something stupid I did. Will try that again once I’m back home.

 

[Adamm]

Thought so but whenever I tried that, only the first country seemed to get banned. Figured ‘‘twas just something stupid I did. Will try that again once I’m back home.

The positioning of the quotes is important.

 

[truglodite]

Thank you so much sir. You have put my mind at rest. It looked to me that it was a legit NTP request also. I'm just wondering why a USA security company installed in central Canada would need to sync time with a server in the Ukraine? Hmmm....bit of a mystery.

Not sure if your security devices need wan access for more than ntp, but if not, you might try making use of this script by Martineau:

https://www.snbforums.com/threads/h...ce-stopping-outbound-connections.38086/page-2

I use it to block all outside access for my security cameras (I use a vpn for access, and have a secured app for phone notifications). The script also blocks ntp. So I use this script to run an ntp daemon right on the router for all local devices to use (in particular the cams which have no other means to get time):

https://github.com/RMerl/asuswrt-merlin/wiki/Setting-up-an-NTP-Server-for-your-local-lan

I suppose it wouldn't be hard to edit Martineau's script to allow comms through wan if you need that. Either way, this might be a way for you to avoid having to whitelist ntp servers.

 

[^Tripper^]

The positioning of the quotes is important.

This is the result of trying to ban "cn pk kp"

/jffs/scripts/firewall: /tmp/mnt/rstick/skynet/skynet.cfg: line 17: pk: not found

 

[Adamm]

This is the result of trying to ban "cn pk kp"

/jffs/scripts/firewall: /tmp/mnt/rstick/skynet/skynet.cfg: line 17: pk: not found

skynet@RT-AC86U-2EE8:/tmp/home/root# sh /jffs/scripts/firewall ban country "cn pk kp"
#############################################################################################################
#                     _____ _                     _             __                      #
#                    / ____| |                   | |           / /                      #
#                   | (___ | | ___   _ _ __   ___| |_  __   __/ /_                      #
#                    \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                     #
#                    ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                    #
#                   |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                     #
#                                 __/ |                                                 #
#                                |___/                                                  #
#                                                                                     #
## - 24/09/2018 -           Asus Firewall Addition By Adamm v6.4.7                    #
##                   https://github.com/Adamm00/IPSet_ASUS                            #
#############################################################################################################


[i] Banning Known IP Ranges For (cn pk kp)
[i] Downloading Lists
[i] Filtering IPv4 Ranges & Applying Blacklists
[i] Saving Changes

[#] 162618 IPs (+0) -- 7291 Ranges Banned (+5419) || 3308 Inbound -- 86 Outbound Connections Blocked! [ban] [6s]

skynet@RT-AC86U-2EE8:/tmp/home/root#

Works for me, are you using the same command?

 

[Adamm]

This is the result of trying to ban "cn pk kp"

/jffs/scripts/firewall: /tmp/mnt/rstick/skynet/skynet.cfg: line 17: pk: not found

I think I can reproduce this, if you are using the menu there's no need for quotes, I'll add an automated check to the function.

 

[^Tripper^]

Works for me, are you using the same command?

Pretty sure. Tried "cn pk kp" and got the previous result. Now I tried the following;

Input Country Abbreviations To Ban:
[Countries]: "cn kp pk"

[$] /jffs/scripts/firewall ban country "cn kp pk"

Banning Known IP Ranges For ("cn kp pk")
Downloading Lists
Filtering IPv4 Ranges & Applying Blacklists
ipset v6.32: Unknown argument: `kp'
Try `ipset help' for more information.
Saving Changes

[#] 162786 IPs (+0) -- 1889 Ranges Banned (+0) || 0 Inbound -- 127 Outbound Connections Blocked! [ban] [10s]

Unknown argument?