Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

Do I need to keep running...

The install command only needs to be run if there is a change in the install script which you would like to add (e.g adding new boot args). So in 9/10 cases usually not.

 

[dvohwinkel]

I ran a firewall disable.. then wait 15 seconds and ran a firewall start debug..

Skynet: [Enabling Raw Debug Output] ... ... ...
Skynet: [IP Banning Started] ... ... ...
iptables: Bad rule (does a matching rule exist in that chain?).
Skynet: [Complete] 145672 IPs / 5136 Ranges banned. 0 New IPs / 0 New Ranges Banned. 0 IP / 0 Range Connections Blocked! [4s]

any way to find out what it is complaining about?

I did this because it is blocking something on my Blizzard / Diablo III game and taking it offline.. but it's not finding it by itself.

 

[Adamm]

any way to find out what it is complaining about?

I removed enabled debug output on a command and forgot to re-silence it when fixing another issue today. Update to v4.2.4 and debug print should be working again. Sorry !

 

[dvohwinkel]

As per request, auto updating can now be enabled during install. I'll slow down eventually



Every time Unban_HTTP() is called, a scan will initiate. This function is called at the end of the hour during the save cronjob. Its also called when you run the commands (start/disable/save/stats/debug disable/debug filter).

Now what exactly does this function do? It will scan /jffs/skynet.log for any new bans based on traffic from ports 80 and 443 (HTTP and HTTPS). It then unbans anything meeting this criteria and marks it in the log. If the IP is ever banned a second time the same way during the next 2 weeks, the following scan it will whitelist the IP automatically.

So in a sense the script "learns", after a day or two you will most likely never run into any accidental blockage again as the whitelist is never wiped (unless forced by the user ofcoarse). I've just now added a new IPTables rule which should still handle invalid packets but only DROP (not ban) ones sent on TCP ports 80,443. So lets see if this works how we want it to, I've kept the old functionality for the time being as a fail-over. So as usual an update will be required to v4.2.1

So basically your script watches for any blocked traffic to ports 80, and/or 443 on the router.. and if it finds any it grabs the ip and adds it to the ban list. Then once an hour it takes that list and searches for any outbound traffic from ports 80/443 on the router and unbans that?

 

[Adamm]

So basically your script watches for any blocked traffic to ports 80, and/or 443 on the router.. and if it finds any it grabs the ip and adds it to the ban list. Then once an hour it takes that list and searches for any outbound traffic from ports 80/443 on the router and unbans that?

The built in SPI firewall detects invalid packets and adds them to the blacklist. Now for whatever reason some HTTP(s) traffic seems to be prone to sending "INVALID" traffic. Prior to a few hours ago we were manually scanning our logs for bans issued from the SPI Firewall on ports 80,433 and unbanning them. If it happened twice we would whitelist the IP.

As of an hour ago (v4.2.1), we now make an exception for traffic on these ports that is invalid at the IPTables level (realtime). Rather then drop & ban the packet, we are now just dropping it. Hopefully this will fix the issue entirely, we will see.

 

[bayern1975]

with automatic hourly update all baned ranges gone?

May 18 20:21:08 Skynet: [Complete] 142845 IPs / 18766 Ranges banned. 0 New IPs / 0 New Ranges Banned. 0 IP / 0 Range Connections Blocked!
May 18 21:00:07 Skynet: [Complete] 142845 IPs / 0 Ranges banned. 0 New IPs / -18766 New Ranges Banned. 22 IP / 0 Range Connections Blocked!

 

[Adamm]

with automatic hourly update all baned ranges gone?

May 18 20:21:08 Skynet: [Complete] 142845 IPs / 18766 Ranges banned. 0 New IPs / 0 New Ranges Banned. 0 IP / 0 Range Connections Blocked!
May 18 21:00:07 Skynet: [Complete] 142845 IPs / 0 Ranges banned. 0 New IPs / -18766 New Ranges Banned. 22 IP / 0 Range Connections Blocked!

I think this may just be the counter playing catch-up with the faster method I implemented (it should show the correct value next cycle). To confirm manually how many are still there, run the following command;

ipset -L BlockedRanges | wc -l

The only command that can ever clear that list completely is unban all, so I'm sure its just a graphical error.

 

[bayern1975]

I think this may just be the counter playing catch-up with the faster method I implemented (it should show the correct value next cycle). To confirm manually how many are still there, run the following command;

ipset -L BlockedRanges | wc -l

The only command that can ever clear that list completely is unban all, so I'm sure its just a graphical error.

hmm, don`t see if they exist? will see next cycle....

admin@RT-AC3200-7180:/jffs/scripts# firewall ipset -L BlockedRanges | wc -l
Skynet: [Complete] 142845 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned. 29 IP / 0 Range Connections Blocked! [1s]

 

[Adamm]

hmm, don`t see if they exist? will see next cycle....

admin@RT-AC3200-7180:/jffs/scripts# firewall ipset -L BlockedRanges | wc -l
Skynet: [Complete] 142845 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned. 29 IP / 0 Range Connections Blocked! [1s]

What output did the command I posted give? Should be a single number.

 

[dvohwinkel]

Any ideas how I can figure out why this is blocking the Blizzard App? When I "firewall disable" it connects with no issue.. but when I enable it gets blocked somehow and it is not finding it as a false positive.

 

[TheUntouchable]

Same problem here, my imap server got blocked (imap.web.de). No ping goes out, after disabling the firewall everything worked again A howto unblock would be nice

PS: And how can I reset the black and whitelists to zero?

 

[Adamm]

Any ideas how I can figure out why this is blocking the Blizzard App? When I "firewall disable" it connects with no issue.. but when I enable it gets blocked somehow and it is not finding it as a false positive.

Enable debug mode (either via the install script or by using)

sh /jffs/scripts/firewall debug enable

This will print debug output to your syslog, once you start the App in question you should start seeing a low of "BLOCKED - RAW" from the same IP. That will more then likely be the IP you are looking for.

 

[Adamm]

Same problem here, my imap server got blocked (imap.web.de). No ping goes out, after disabling the firewall everything worked again A howto unblock would be nice

PS: And how can I reset the black and whitelists to zero?

Try whitelisting the domain first;

sh /jffs/scripts/firewall whitelist domain imap.web.de

If that doesn't work, like the post above, enable debug mode and watch for spam in the syslog when you try connect to the service.

 

[dvohwinkel]

I did an uninstall and then reinstalled.. followed the instructions from page 1..
Skynet: [IP Banning Started] ... ... ...
Skynet: [Enabling Raw Debug Output] ... ... ...
grep: /jffs/scripts/ipset.txt: No such file or directory
grep: /jffs/scripts/ipset.txt: No such file or directory
Skynet: [Complete] 0 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned. 0 IP / 0 Range Connections Blocked! [1s]

 

[TheUntouchable]

To late, completly uninstalled the script as I had some other strange things xD

EDIT: Damn! dvohwinkel was faster then me, was going to report the same

 

[Adamm]

I did an uninstall and then reinstalled.. followed the instructions from page 1..
Skynet: [IP Banning Started] ... ... ...
Skynet: [Enabling Raw Debug Output] ... ... ...
grep: /jffs/scripts/ipset.txt: No such file or directory
grep: /jffs/scripts/ipset.txt: No such file or directory
Skynet: [Complete] 0 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned. 0 IP / 0 Range Connections Blocked! [1s]

That output is perfect, ipset.txt shouldn't exist on a fresh install, I just need to mute that output in a future update. Beyond that it shows your script working perfectly

 

[TheUntouchable]

Mh, after a fresh installation of the script it seems that I can't enable the debuggin mode..?

Installing Skynet v4.2.5
This Will Remove Any Old Install Arguements And Can Be Run Multiple Times
Please Select Installation Mode (Number)
1. Vanilla -           Default Installation
2. NoAuto -            Default Installation Without Autobanning
3. Debug -             Default Installation With Debug Print For Extended Stat Reporting
4. NoAuto & Debug -    Default Installation With No Autobanning And Debug Print

1
Vanilla Selected

Would You Like To Enable Weekly Malwarelist Updating
1. Yes
2. No
Please Select Option (Number)
2
Malware List Updating Disabled

Would You Like To Enable Daily Auto Script Updating
Skynet By Default Only Checks For Updates But They Are Never Downloaded

1. Yes
2. No
Please Select Option (Number)
1
Auto Updating Enabled
Skynet Updates Scheduled For 2.25am Daily

Restarting Firewall To Apply Changes

Done.

sh firewall stats

!!! Debug Mode Is Disabled !!!

No Debug Data Detected - Give This Time To Generate

sh firewall debug enable
Skynet: [Complete] 23 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned. 54 IP / 0 Range Connections Blocked! [0s]

sh firewall stats
!!! Debug Mode Is Disabled !!!

No Debug Data Detected - Give This Time To Generate

 

[Adamm]

Mh, after a fresh installation of the script it seems that I can't enable the debuggin mode..?

Try enable it via the install command, that way it will be persistent beyond restart_firewall events (you can remove this at any time using the same command)

 

[TheUntouchable]

Okay, that worked

 

[dvohwinkel]

That output is perfect, ipset.txt shouldn't exist on a fresh install, I just need to mute that output in a future update. Beyond that it shows your script working perfectly

After ten minutes I disabled it.. and no ipset.txt was created..
and upon restart..
Skynet: [Complete] 0 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned. 0 IP / 0 Range Connections Blocked! [1s]

even though the log has plenty of [BAN - RAW] in it.