Skynet - Router Firewall & Security Enhancements

This update adds "fast switching" for banmalware filters, AKA wife mode.
Meanwhile, on the other fast switch front:



Who would want that? Diversion only switches Skynet wifemode if enabled in Skynet (duh).

Edit: This is a teaser, Diversion 4.0.3 is still in development. No ETA.
 
Meanwhile, on the other fast switch front:



Who would want that? Diversion only switches Skynet wifemode if enabled in Skynet (duh).

Edit: This is a teaser, Diversion 4.0.3 is still in development. No ETA.

Good idea, two birds with one stone.
 
Adamm - I must say I'm thrilled at the prospect of WM, or as I prefer to call it: In-law Mode. lol

Really for the in-laws, I'd just like to toggle China on/off because they WeChat constantly. [Currently blocking: cn ir kp ru ua]

Do you think this is easier done with WM or just going into the Ban Country option and updating the preferences there?

Enable/Configure "wife mode" with specified custom filter URL;
Related question - I've read through the original WM post several times and I'm not clear how to call the alternate filterlist; I assume it's not actually hosted on Google... are we saving it somewhere else on the thumbdrive? And if so what are its contents? How would I differentiate between 5x banned countries and 4x banned countries?
 
Adamm - I must say I'm thrilled at the prospect of WM, or as I prefer to call it: In-law Mode. lol

Really for the in-laws, I'd just like to toggle China on/off because they WeChat constantly. [Currently blocking: cn ir kp ru ua]

Do you think this is easier done with WM or just going into the Ban Country option and updating the preferences there?

You are better off just re-issuing the command when it comes to countries as it unbans the old entries first.

Code:
sh /jffs/scripts/firewall "cn ir kp ru ua"

Related question - I've read through the original WM post several times and I'm not clear how to call the alternate filterlist; I assume it's not actually hosted on Google... are we saving it somewhere else on the thumbdrive? And if so what are its contents? How would I differentiate between 5x banned countries and 4x banned countries?

Just an example URL, the filter lists work the same way they do for banmalware. There's plenty of information available in this thread.
 
Astrill VPN plugin not working with Skynet! Is there some special config on Skynet?
 
Astrill VPN plugin not working with Skynet! Is there some special config on Skynet?

Try running
Code:
sh /jffs/scripts/firewall debug watch
to see what's being blocked. Or open Skynet and type 12 > 1 > 1 from the menu to watch debug entries while they occur. Both will only work if you have debugging enabled in Skynet. Try reconnecting to your VPN provider and follow the debug entries to see which entries need to be whitelisted. Press <CTRL>+C to abort.
 
Astrill VPN plugin not working with Skynet! Is there some special config on Skynet?

A lot of vpn endpoints get blacklisted. Try a different endpoint or check debug logs and see which ones are getting blocked and add them to the whitelist.
 
Does anyone know what refresh whitelist does?
Does it re-run nslookup on the whitelisted domains to get their IPs?
( sh /jffs/scripts/firewall whitelist refresh ) Regenerate Shared Whitelist Files
 
So this has me pretty concerned. It's coming from my Amazon Fire TV box, destined for China on port 80. Other than the fact that this IP address is for China, I can't gather a lot of anything else. The Fire TV was sitting next to me and not being used during this time. The IP address does not respond to ping or any port probes and does not appear to be listening on port 80. Any ideas on what to do next? Anyone else with Fire TV sticks or boxes that has CN blocked? The Fire TV box code is dated Sept 27, 2018.

Code:
Oct  8 14:12:32 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:f0:27:2d:cc:70:e4:08:00 SRC=192.168.1.229 DST=180.97.104.54 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7473 DF PROTO=TCP SPT=60791 DPT=80 SEQ=603826910 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A05ADB7EF0000000001030306)
Oct  8 14:12:33 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:f0:27:2d:cc:70:e4:08:00 SRC=192.168.1.229 DST=180.97.104.54 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7474 DF PROTO=TCP SPT=60791 DPT=80 SEQ=603826910 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A05ADB8530000000001030306)
Oct  8 14:12:35 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:f0:27:2d:cc:70:e4:08:00 SRC=192.168.1.229 DST=180.97.104.54 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7475 DF PROTO=TCP SPT=60791 DPT=80 SEQ=603826910 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A05ADB91B0000000001030306)
Oct  8 14:12:39 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:f0:27:2d:cc:70:e4:08:00 SRC=192.168.1.229 DST=180.97.104.54 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7476 DF PROTO=TCP SPT=60791 DPT=80 SEQ=603826910 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A05ADBAAC0000000001030306)
Oct  8 14:12:47 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:f0:27:2d:cc:70:e4:08:00 SRC=192.168.1.229 DST=180.97.104.54 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7477 DF PROTO=TCP SPT=60791 DPT=80 SEQ=603826910 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A05ADBDCE0000000001030306)
Oct  8 14:13:03 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:f0:27:2d:cc:70:e4:08:00 SRC=192.168.1.229 DST=180.97.104.54 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7478 DF PROTO=TCP SPT=60791 DPT=80 SEQ=603826910 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40402080A05ADC4100000000001030306)
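
One way to triage debug entries like the six quoted above, or the output of `debug watch` when looking for addresses to whitelist (an added example, not part of any post in this thread or of Skynet itself). The six entries above share SPT=60791 and SEQ=603826910, so they are retransmissions of a single SYN rather than six separate connections. The log sample and the names `sample_log` and `summarise_blocked` are constructed for illustration.

```shell
#!/bin/sh
# Added example. Constructed sample in the format of the debug entries above;
# addresses are documentation ranges, not values from the thread.
sample_log() {
cat <<'EOF'
Oct  8 14:12:32 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 TTL=64 ID=7473 DF PROTO=TCP SPT=60791 DPT=80 SEQ=603826910 ACK=0 WINDOW=65535 SYN URGP=0
Oct  8 14:12:33 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 TTL=64 ID=7474 DF PROTO=TCP SPT=60791 DPT=80 SEQ=603826910 ACK=0 WINDOW=65535 SYN URGP=0
Oct  8 14:12:35 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 TTL=64 ID=7475 DF PROTO=TCP SPT=60791 DPT=80 SEQ=603826910 ACK=0 WINDOW=65535 SYN URGP=0
Oct  8 14:14:10 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 TTL=64 ID=7480 DF PROTO=TCP SPT=60802 DPT=80 SEQ=911002233 ACK=0 WINDOW=65535 SYN URGP=0
Oct  8 14:14:11 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=192.168.1.50 DST=198.51.100.7 LEN=70 TTL=64 ID=100 DF PROTO=UDP SPT=51000 DPT=1194 LEN=50
Oct  8 14:14:12 kernel: unrelated line that must be ignored
EOF
}

# Summarise blocked outbound flows: one line per SRC/DST/PROTO/DPT with the
# raw packet count and the number of distinct connection attempts. TCP SYN
# retransmissions reuse the source port and SEQ, so they count as one attempt.
summarise_blocked() {
    awk '
    index($0, "[BLOCKED - OUTBOUND]") {
        src = dst = proto = spt = dpt = seq = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")          # KEY=VALUE tokens only
            if (n < 2) continue
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "SPT") spt = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "SEQ") seq = kv[2]
        }
        flow = src " " dst " " proto " " dpt
        pkts[flow]++
        # A new (source port, SEQ) pair on a flow is a new attempt
        if (!((flow, spt, seq) in seen)) { seen[flow, spt, seq] = 1; attempts[flow]++ }
    }
    END {
        for (f in pkts) print f, "packets=" pkts[f], "attempts=" attempts[f]
    }' | sort
}

sample_log | summarise_blocked
```

On a router the same function can be fed from the syslog file or from the debug watch output instead of `sample_log`; the DST column is the address to look up or consider for the whitelist.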
 
Astrill VPN plugin not working with Skynet! Is there some special config on Skynet?

During my last round of testing with the plugin it worked fine as we have specific functions for compatibility. I'll check again in the near future when I get some time but I don't see any reason why it shouldn't work unless they did a major update recently.

Does anyone know what refresh whitelist does?
Does it re-run nslookup on the whitelisted domains to get their IPs?
( sh /jffs/scripts/firewall whitelist refresh ) Regenerate Shared Whitelist Files

It does exactly as the name suggests, refreshes the whitelist (nvram values, re-resolving domains, including new shared-*-whitelist files, etc.). This was a function I built for Diversion internally so that we can sync whitelist updates.


So this has me pretty concerned. It's coming from my Amazon Fire TV box, destined for China on port 80. Other than the fact that this IP address is for China, I can't gather a lot of anything else. The Fire TV was sitting next to me and not being used during this time. The IP address does not respond to ping or any port probes and does not appear to be listening on port 80. Any ideas on what to do next? Anyone else with Fire TV sticks or boxes that has CN blocked? The Fire TV box code is dated Sept 27, 2018.

Alienvault shows relation to some API server for "www.duapps.com". I would assume you have one of their apps installed and it's calling home for whatever reason, good or bad.
 
It does exactly as the name suggests, refreshes the whitelist (nvram values, re-resolving domains, including new shared-*-whitelist files, etc.). This was a function I built for Diversion internally so that we can sync whitelist updates.

When using this command, what happens to previously resolved domain IPs?

Will they remain in the blacklist/whitelist with the newly resolved IPs added on, OR are they removed and the domains re-resolved?

My question is that some domains have multiple dynamic IPs. They keep changing. So how is this refresh command able to help me?
 
When using this command, what happens to previously resolved domain IPs?

Will they remain in the blacklist/whitelist with the newly resolved IPs added on, OR are they removed and the domains re-resolved?

My question is that some domains have multiple dynamic IPs. They keep changing. So how is this refresh command able to help me?

Yes, all static entries are refreshed during various functions. Out with the old in with the new. The same goes for the blacklist.

Code:
# Re-resolve every manually banned domain and rebuild its blacklist entries.
Refresh_MBans () {
        if grep -qF "[Manual Ban] TYPE=Domain" "$skynetevents"; then
            # Unique banned domains from the event log (field 9 is Host=<domain>)
            grep -F "[Manual Ban] TYPE=Domain" "$skynetevents" | awk '{print $9}' | awk '!x[$0]++' | sed 's~Host=~~g' > /tmp/mbans.list
            # Drop the old log entries; they are rewritten below
            sed -i '\~\[Manual Ban\] TYPE=Domain~d;' "$skynetevents"
            # Turn each "add Skynet-Blacklist ... ManualBanD" line into a "del" and apply it
            sed "\\~add Skynet-Blacklist ~!d;\\~ManualBanD~!d;s~ comment.*~~;s~add~del~g" "$skynetipset" | ipset restore -!
            # Resolve each domain again, add its current IPs and log them
            while IFS= read -r "domain"; do
                for ip in $(Domain_Lookup "$domain"); do
                    ipset -q -A Skynet-Blacklist "$ip" comment "ManualBanD: $domain" && echo "$(date +"%b %d %T") Skynet: [Manual Ban] TYPE=Domain SRC=$ip Host=$domain " >> "$skynetevents"
                done
            done < /tmp/mbans.list
            wait
            rm -rf /tmp/mbans.list
        fi
}

# Same procedure for manually whitelisted domains.
Refresh_MWhitelist () {
        if grep -qE "Manual Whitelist.* TYPE=Domain" "$skynetevents"; then
            grep -E "Manual Whitelist.* TYPE=Domain" "$skynetevents" | awk '{print $9}' | awk '!x[$0]++' | sed 's~Host=~~g' > /tmp/mwhitelist.list
            sed -i '\~\[Manual Whitelist\] TYPE=Domain~d;' "$skynetevents"
            # Delete every "ManualWlistD" (domain-derived) entry from the whitelist set
            sed "\\~add Skynet-Whitelist ~!d;\\~ManualWlistD~!d;s~ comment.*~~;s~add~del~g" "$skynetipset" | ipset restore -!
            # Lookups run in the background, one job per domain; "wait" collects them
            while IFS= read -r "domain"; do
                for ip in $(Domain_Lookup "$domain"); do
                    ipset -q -A Skynet-Whitelist "$ip" comment "ManualWlistD: $domain" && echo "$(date +"%b %d %T") Skynet: [Manual Whitelist] TYPE=Domain SRC=$ip Host=$domain " >> "$skynetevents"
                done &
            done < /tmp/mwhitelist.list
            wait
            # Append the domains to the shared whitelist file
            cat /tmp/mwhitelist.list >> /jffs/shared-Skynet2-whitelist
            rm -rf /tmp/mwhitelist.list
        fi
}
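
The delete-then-re-add behaviour of `Refresh_MWhitelist`, as a dry run that prints the `ipset restore` input instead of applying it (an added example, not Skynet's code). The saved-set excerpt, the domain names, the `ManualWlist` static tag and the fixed-answer `Domain_Lookup` stand-in are constructed; the `sed` expression is the one from the post, reading the sample instead of `$skynetipset`.

```shell
#!/bin/sh
# Added example. Constructed excerpt of a saved ipset file; set names and the
# ManualWlistD/ManualBanD tags follow the thread, addresses are documentation ranges.
saved_ipset() {
cat <<'EOF'
add Skynet-Whitelist 192.0.2.10 comment "ManualWlistD: vpn.example.net"
add Skynet-Whitelist 192.0.2.11 comment "ManualWlistD: vpn.example.net"
add Skynet-Whitelist 198.51.100.5 comment "ManualWlist: static entry"
add Skynet-Blacklist 203.0.113.9 comment "ManualBanD: bad.example.org"
EOF
}

# Hypothetical stand-in for Skynet's Domain_Lookup: fixed answers, no DNS.
# The domain has moved from .10/.11 to .11/.12 since the last refresh.
Domain_Lookup() {
    case "$1" in
        vpn.example.net) echo "192.0.2.11 192.0.2.12" ;;
    esac
}

# Print the ipset restore script a whitelist refresh would apply for the
# domains given as arguments, without touching any real set.
refresh_plan() {
    # Step 1: every domain-derived whitelist entry becomes a "del" line
    saved_ipset | sed '\~add Skynet-Whitelist ~!d;\~ManualWlistD~!d;s~ comment.*~~;s~add~del~g'
    # Step 2: re-add whatever each domain resolves to right now
    for domain in "$@"; do
        for ip in $(Domain_Lookup "$domain"); do
            echo "add Skynet-Whitelist $ip comment \"ManualWlistD: $domain\""
        done
    done
}

refresh_plan vpn.example.net
```

The plan drops 192.0.2.10, removes and re-adds 192.0.2.11, and adds 192.0.2.12, while entries without the `ManualWlistD` tag are left alone. A domain is therefore only covered for the addresses it returned at the most recent refresh.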
 
During my last round of testing with the plugin it worked fine as we have specific functions for compatibility. I'll check again in the near future when I get some time but I don't see any reason why it shouldn't work unless they did a major update recently.



It does exactly as the name suggests, refreshes the whitelist (nvram values, re-resolving domains, including new shared-*-whitelist files, etc.). This was a function I built for Diversion internally so that we can sync whitelist updates.

Alienvault shows relation to some API server for "www.duapps.com". I would assume you have one of their apps installed and it's calling home for whatever reason, good or bad.

Thanks Adamm

So the only piece of software that I have installed on this was esfileexplorer, which is listed under the domain estrongs.com. A whois of estrongs.com shows that it was registered by a DNS registrar in Xiamen, China. Can't be sure, but if/why esfileexplorer decided to phone home would be worrisome. This device isn't rooted, but esfileexplorer is commonly used as a root file explorer.
 
Has anyone else run across this odd one? The option in Skynet to disable insecure services (SSH from WAN side, etc...) worked perfectly for me when using it on the Merlin branch, but now that I have switched to John's fork, I can no longer use it, as it incorrectly sees these "insecure" options as turned on, when in fact they are not. Differences in the underlying code that represents those SSH options, perhaps? Any chance of a hotfix here @Adamm?
 
Has anyone else run across this odd one? The option in Skynet to disable insecure services (SSH from WAN side, etc...) worked perfectly for me when using it on the Merlin branch, but now that I have switched to John's fork, I can no longer use it, as it incorrectly sees these "insecure" options as turned on, when in fact they are not. Differences in the underlying code that represents those SSH options, perhaps? Any chance of a hotfix here @Adamm?

John's fork is based on an older version so the nvram values are probably slightly different. I'll search tomorrow for the equivalent of "sshd_enable" and "misc_http_x".
 
@john9527 do you happen to know the two equivalent values off the top of your head? GitHub doesn't let me search forked repos.
 