Menu
What's new
By:
Filters Better Search

Skynet Skynet - Router Firewall & Security Enhancements

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Which website did you choose to curl for geoip data? There’s a bunch of them out there. I’ve seen a few shutdown and some others spring up. I stopped using them after someone online pointed out the risk of curl-ing any site, especially obscure ones, because they could send back malicious script and you’d never realise it. What’s your take on this?
Edit: using the maxmind geoip database obviously would allow it to be done speedily without internet or potential security vulnerabilities of curling a third party site. Plus they have lookup limits and block you if you hammer them.
Adamm said:
With a little push from insomnia and bordem, I looked into this a-little further. I was able to achieve the desired result without a third party binary/database, but it came at a pretty extensive performance cost.

hXww5Vq.png


The problem is to-do this it requires a curl request for every listed entry. With the stat page this can mean hundreds of requests, which are slooooooooow. The best case scenario here increased total runtime on my AC86U from 6s => 20s which personally I don't find a good trade off. I'll see if adding this information makes sense in smaller use cases (individual ip lookup etc), but on the stat page as a whole it just not worth it right now.
Click to expand...
 
Last edited:
Zonkd said:
I stopped using them after someone online pointed out the risk of curl-ing any site, especially obscure ones, because they could send back malicious script and you’d never realise it. What’s your take on this?
Click to expand...

What your referring to I believe is curl’ing a script then executing it via a pipe as you have no chance to review what you just downloaded.

In this case all we are doing is essentially getting the plaintext version of a webpage and displaying the contents, at no time is there any sort of execution even in the highly unlikely scenario the URL was compromised.
 
Zonkd said:
Edit: using the maxmind geoip database obviously would allow it to be done speedily without internet or potential security vulnerabilities of curling a third party site. Plus they have lookup limits and block you if you hammer them.
Click to expand...

In an ideal world having a local copy of the database and querying it would be the best solution. But todo so would require use of either a third party binary or having to use their ruby/python api which as you can imagine adds significiant overhead on an embedded device and add a whole bunch of additional requirements and upkeep. I personally believe it doesn’t make sense in the scope of this project.
 
I agree..

The scope of this project should be limited to saving structured logs that something else can pick up and run with...

Any old PC running Linux would probably do an amazing job.

Sent from my SM-G965F using Tapatalk
 
Newbie question (for my clarification).
Am I correct with the following : Any router with no open ports and no port forwarding would stop all remote wan traffic from coming into a router (ignoring exploits) except traffic that was 'requested' from inside the lan.

After installing skynet, and using a block list, and maybe a country block or two, I see many periodic syslog 'BLOCKED INCOMING' messages - are they generic ones that would have been blocked anyway as they did not originate from inside the lan, or are they only ones that skynet blocks ?

I understand the blocked outgoing ones are deff skynet, as that is a rogue process/device inside the lan trying to connect to wan IP's that are no longer allowed.

Thanks.
 
Adamm said:
Try using the swap utilities built into Skynet, it _should_ be smart enough to figure it out. If not report back here with the output.
Click to expand...

I tried deleting the path but as you can see it won't delete:

8vB07N3.png
 
Skeptical.me said:
I tried deleting the path but as you can see it won't delete:
Click to expand...

That’s a funny looking Skynet :p. Please try with Skynet, that way I know exactly what’s going on based on the output.
 
Adamm said:
That’s a funny looking Skynet :p. Please try with Skynet, that way I know exactly what’s going on based on the output.
Click to expand...

Oh, oops lol
 
vw-kombi said:
Newbie question (for my clarification).
Am I correct with the following : Any router with no open ports and no port forwarding would stop all remote wan traffic from coming into a router (ignoring exploits) except traffic that was 'requested' from inside the lan.

After installing skynet, and using a block list, and maybe a country block or two, I see many periodic syslog 'BLOCKED INCOMING' messages - are they generic ones that would have been blocked anyway as they did not originate from inside the lan, or are they only ones that skynet blocks ?

I understand the blocked outgoing ones are deff skynet, as that is a rogue process/device inside the lan trying to connect to wan IP's that are no longer allowed.

Thanks.
Click to expand...

Bit of an open ended question, a router can respond in a number of ways depending on the request and rules in place. Packets can be dropped, rejected, marked invalid or in the event a service is exposed give some sort of reply exposing a potential attack surface.

The modern internet has a lot of background noise, with a large majority being bots constantly probing for vulnerable devices. So all those blocked incoming packets are generally this. Skynet drops the connection at the earliest possible point.

As for the outgoing blocks, they are connections initiated from your lan.
 
Thanks Adamm, Been spending a bit of time on the analysis of the logs.
I have blocked countries ru kr kp ir cn.
My stats show tons of outgoing blocks to loads of pool.ntp.org IP's. I assume these are from blocked countries and I can whitelist this domain ? :

12x https://otx.alienvault.com/indicator/ip/203.217.204.135 - [asia.pool.ntp.org pool.ntp.org]
11x https://otx.alienvault.com/indicator/ip/211.233.84.186 - [pool.ntp.org]
11x https://otx.alienvault.com/indicator/ip/211.233.40.78 - [pool.ntp.org]
7x https://otx.alienvault.com/indicator/ip/185.105.186.198 - [pool.ntp.org]
5x https://otx.alienvault.com/indicator/ip/195.78.244.50 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/91.198.10.4 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/85.21.78.23 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/80.240.216.155 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/79.142.192.4 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/195.210.189.106 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/193.27.209.211 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/193.27.209.20 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/185.103.110.248 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/144.217.181.221 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/94.247.111.10 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/91.218.89.74 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/89.221.207.113 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/89.175.20.7 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/85.93.216.115 - [pool.ntp.org]
1x http://otx.alienvault.com/indicator/ip/85.21.78.91 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/79.142.192.130 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/78.140.251.2 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/46.173.6.142 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/195.78.244.34 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/193.27.208.100 - [pool.ntp.org]
 
Not sure if it helps anyone else, i am blocking

cn ru vn ua br kp

Only the brazil block causes me any issues thus far. I see microsoft traffic being dropped, but so far its had no visible effect on functionality that i can pin down.

These are some of the top offenders according abuseipdb

https://www.abuseipdb.com/statistics

I may try to block France, India, and Indonesia next.
 
A thing of absolute beauty - thank you @Adamm !
155808 IPs (+0) -- 1773 Ranges Banned (+0) || 2227 Inbound -- 2123 Outbound Connections Blocked!
 
I would whitelist pool.ntp.org domains because they are the time servers your devices (and router) sync their clock with. Not malicious at all.

vw-kombi said:
Thanks Adamm, Been spending a bit of time on the analysis of the logs.
I have blocked countries ru kr kp ir cn.
My stats show tons of outgoing blocks to loads of pool.ntp.org IP's. I assume these are from blocked countries and I can whitelist this domain ? :

12x https://otx.alienvault.com/indicator/ip/203.217.204.135 - [asia.pool.ntp.org pool.ntp.org]
11x https://otx.alienvault.com/indicator/ip/211.233.84.186 - [pool.ntp.org]
11x https://otx.alienvault.com/indicator/ip/211.233.40.78 - [pool.ntp.org]
7x https://otx.alienvault.com/indicator/ip/185.105.186.198 - [pool.ntp.org]
5x https://otx.alienvault.com/indicator/ip/195.78.244.50 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/91.198.10.4 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/85.21.78.23 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/80.240.216.155 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/79.142.192.4 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/195.210.189.106 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/193.27.209.211 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/193.27.209.20 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/185.103.110.248 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/144.217.181.221 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/94.247.111.10 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/91.218.89.74 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/89.221.207.113 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/89.175.20.7 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/85.93.216.115 - [pool.ntp.org]
1x http://otx.alienvault.com/indicator/ip/85.21.78.91 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/79.142.192.130 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/78.140.251.2 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/46.173.6.142 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/195.78.244.34 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/193.27.208.100 - [pool.ntp.org]
Click to expand...
 
Is there a way to tell the Skynet is running? I tried to set ban some countries but got a message that Skynet was not running. On a router reboot, is there an autostart script somewhere that should have run but maybe did not?
 
TonyK132 said:
Is there a way to tell the Skynet is running? I tried to set ban some countries but got a message that Skynet was not running. On a router reboot, is there an autostart script somewhere that should have run but maybe did not?
Click to expand...

Please post the output of;

Code: 
sh /jffs/scripts/firewall debug info
 
TonyK132 said:
Is there a way to tell the Skynet is running? I tried to set ban some countries but got a message that Skynet was not running. On a router reboot, is there an autostart script somewhere that should have run but maybe did not?
Click to expand...

Also, how can I tell if the countries I am trying to block really are blocked? Will they show up in the blacklist list?
 
TonyK132 said:
Also, how can I tell if the countries I am trying to block really are blocked? Will they show up in the blacklist list?
Click to expand...

They will show up in the command above and I will also be able to use the output to diagnose your situation.
 
You must log in or register to reply here.

Similar threads

W
Looking for an add-on that does...
Replies
5
Views
2K
JGrana
JGrana
Viktor Jaep
Skynet Filter Validator v0.7 - Skynet Firewall Filter List IPv4 Integrity Validator
3 4 5
Replies
83
Views
13K
SomeWhereOverTheRainBow
SomeWhereOverTheRainBow
Viktor Jaep
TAILMON TAILMON v1.0.20 -July 27, 2024- WireGuard-based Tailscale Installer, Configurator and Monitor (Now available in AMTM!)
Replies
2
Views
86
Viktor Jaep
Viktor Jaep
RMerlin
Fun with ChatGPT...
2
Replies
33
Views
2K
RMerlin
RMerlin
M
Firewall doesen't block custom rules, neighter Skynet
Replies
0
Views
1K
MamaLing
M
Similar threads
Thread starter Title Forum Replies Date
Klonoa Skynet Skynet causes router to crash and reboot Asuswrt-Merlin AddOns 1
S Skynet Skynet showing router itself making calls to China? Asuswrt-Merlin AddOns 26
J Skynet Skynet - Blocked outbounds coming from the router itself? Asuswrt-Merlin AddOns 12
O Skynet Installing Skynet causes router to crash and reboot Asuswrt-Merlin AddOns 26
L Skynet I have installed the skynet firewall how do I configure it if the security of iot devices is important? Asuswrt-Merlin AddOns 2
Davidncali001 Skynet Message on SKYNET I havent seen before Asuswrt-Merlin AddOns 1
S Skynet firewall reduces wireless range Asuswrt-Merlin AddOns 14
P Skynet Internet speed lower with Skynet on Asuswrt-Merlin AddOns 9
N Skynet SkyNet/Firewall blocking all ping requests, including outbound Asuswrt-Merlin AddOns 6
W Skynet SOLVED: Scrollbar Disappears on Skynet Tab on Asuswrt-Merlin 386.14 Asuswrt-Merlin AddOns 10

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 735 (members: 29, guests: 706)
Top