Skynet - Router Firewall & Security Enhancements

Yep can confirm that Skynet is now working like a dream Thanks Merlin & Adamm

Nov 23 01:08:08 Skynet: [#] 172571 IPs (+0) -- 20069 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [21s]
 
Good to hear. Out of curiosity, what's the runtime like on banmalware? The command acts as a nice CPU benchmark.
 
Thanks, that's a bug specific to John's fork (he uses the same nvram values w/ different settings). I've pushed a fix accordingly.
 
I generally try to keep things in sync to avoid this.... which nvram?
 
Your fork uses the older values;
Code:
sshd_enable 0|1 = Enable SSH
sshd_wan 0|1 = Expose SSH to WAN


I believe the 380 update unified this to;
Code:
sshd_enable 0|1|2
 
Hi, on my AC68U with SSH enabled on LAN+WAN... and Skynet secure settings disabled, I'm getting an IPTables rules violation error..
 
I can't reproduce this. Can you please make sure you are running the latest version of Skynet, restart the firewall and check again.
 
I've pushed v6.6.4

Code:
Fix various spinner related issues
Fix settings on John's fork being misinterpreted
Improved IPTables / IPSet rule validation w/ watchdog
Base update system on md5 hash so minor updates are downloaded
Improved aesthetics

As promised, this update includes better IPTables rule validation to make sure Skynet is always running as expected. This is checked before most functions to ensure things always work as expected. It is also attached to the save cronjob, in this case if it detects an issue it will restart the firewall service to flush out the bad rules acting as a watchdog.

I have also changed the update system to be based on md5 hashes; this means I can push minor updates without version changes and users will receive them as per usual (we can also then use this information to tell exactly which commit you are running).
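To make the hash-based update mechanism described in this release post concrete, here is an added POSIX sh example. It is not Skynet's own updater: it assumes the latest copy of the script has already been downloaded to a local path (on the router that would be a curl/wget step first), the function names `file_md5`, `update_needed` and `demo_update_check` are mine, and the sample files are constructed in a temp directory so the demo runs offline. The one thing it adds beyond "compare two md5s" is the check a practitioner would want: a failed or partial download must not hash differently and then be installed as a "new release".

```sh
#!/bin/sh
# Added example, not Skynet's code: hash-based update detection of the kind the
# v6.6.4 post describes, where a changed md5 rather than a version string
# decides whether the installed script is current. Assumption: the latest copy
# has already been downloaded to a local path (on the router via curl/wget).

# md5 only; busybox and coreutils md5sum both print "<hash>  <name>"
file_md5() { md5sum "$1" | cut -c1-32; }

# Exit 0 when an update should be applied. A failed or partial download must
# never be mistaken for a new release, so the candidate has to be non-empty and
# start like a shell script before its hash is compared at all.
update_needed() {
    installed=$1
    candidate=$2
    [ -s "$candidate" ] || return 1
    [ "$(head -n 1 "$candidate")" = "#!/bin/sh" ] || return 1
    [ "$(file_md5 "$installed")" != "$(file_md5 "$candidate")" ]
}

# Offline demo on constructed files: identical copies, a one-line fix pushed
# without a version bump, and an empty (failed) download. Prints "no yes no".
demo_update_check() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\nlocalver="v6.6.4"\n' > "$dir/installed"
    cp "$dir/installed" "$dir/latest"
    same=$(update_needed "$dir/installed" "$dir/latest" && echo yes || echo no)
    printf '# minor fix, same localver\n' >> "$dir/latest"
    fixed=$(update_needed "$dir/installed" "$dir/latest" && echo yes || echo no)
    : > "$dir/empty"
    empty=$(update_needed "$dir/installed" "$dir/empty" && echo yes || echo no)
    rm -rf "$dir"
    echo "$same $fixed $empty"
}
```

The md5 here is a change detector, which is exactly what the post uses it for (and why the debug info prints it next to the version, so the maintainer can tell which commit a user is running). It is not an authenticity check: the assurance that the downloaded copy is the project's comes from fetching it over HTTPS from the project's repository, not from the hash comparison.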
 
Yes, I am on the latest version of Skynet with Merlin 384.7_2.
Now, with 6.6.4, same issue; I have uninstalled and reinstalled many times.

thanks @Adamm
 
What's the output of the following commands;

Code:
sh /jffs/scripts/firewall debug info


sh -x /jffs/scripts/firewall save
 
From debug info:

Code:
Router Model; RT-AC68U
Skynet Version; v6.6.4 (25/11/2018) (a05b7db78155b8ffd2e55ba6e8792b85)
iptables v1.4.15 - (ppp0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
FW Version; 384.7_2 (Oct 21 2018) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/entware/skynet (2.8G / 3.8G Space Available)
SWAP File; /tmp/mnt/entware/myswap.swp (512.5M)
Boot Args; /jffs/scripts/firewall start skynetloc=/tmp/mnt/entware/skynet
Banned Countries; af ax az bs bm br cn hr cu cz eg fj in id ir iq il jm kz kp kr kw kg la np pk pa ro ru sa sc sg si sk te hk za lkn
No Lock File Found


--------------------                | ----------
| Test Description |                | | Result |
--------------------                | ----------

Internet-Connectivity               | [Passed]
Write Permission                    | [Passed]
Firewall-Start Entry                | [Passed]
Services-Stop Entry                 | [Passed]
SWAP                                | [Passed]
Cron Jobs                           | [Passed]
IPSet Comment Support               | [Passed]
Log Level 5 Settings                | [Passed]
Duplicate Rules In RAW              | [Passed]
Inbound Filter Rules                | [Passed]
Inbound Debug Rules                 | [Disabled]
Outbound Filter Rules               | [Passed]
Outbound Debug Rules                | [Disabled]
Whitelist IPSet                     | [Passed]
BlockedRanges IPSet                 | [Passed]
Blacklist IPSet                     | [Passed]
Skynet IPSet                        | [Passed]
Diversion Plus Content              | [Passed]


-----------                         | ----------
| Setting |                         | | Status |
----------                          | ----------

Autoupdate                          | [Disabled]
Auto-Banmalware Update              | [Enabled]
Debug Mode                          | [Disabled]
Filter Traffic                      | [Enabled]
Unban PrivateIP                     | [Enabled]
Log Invalid                         | [Disabled]
Ban AiProtect                       | [Enabled]
Secure Mode                         | [Disabled]
Fast Switch                         | [Disabled]

18/18 Tests Sucessful


=============================================================================================================


[#] 142452 IPs (+0) -- 42975 Ranges Banned (+0) ||  Inbound --  Outbound Connections Blocked! [debug] [4s]

And save:

Code:
+ export LC_ALL=C
+ mkdir -p /tmp/skynet/lists
+ ntptimer=0
+ nvram get ntp_ready
+ [ 1 = 0 ]
+ [ 0 -ge 300 ]
+ date +%s
+ stime=1543137131
+ grep -ow skynetloc=.* # Skynet /jffs/scripts/firewall-start
+ awk {print $1}
+ grep -vE ^#
+ cut -c 11-
+ skynetloc=/tmp/mnt/entware/skynet
+ skynetcfg=/tmp/mnt/entware/skynet/skynet.cfg
+ skynetlog=/tmp/mnt/entware/skynet/skynet.log
+ skynetevents=/tmp/mnt/entware/skynet/events.log
+ skynetipset=/tmp/mnt/entware/skynet/skynet.ipset
+ [ -z /tmp/mnt/entware/skynet ]
+ [ ! -d /tmp/mnt/entware/skynet ]
+ nvram get wan0_proto
+ [ pppoe = pppoe ]
+ iface=ppp0
+ [ -z save ]
+ [ -n  ]
+ trap Spinner_End EXIT
+ [ -f /tmp/mnt/entware/skynet/skynet.cfg ]
+ . /tmp/mnt/entware/skynet/skynet.cfg
+ model=RT-AC68U
+ localver=v6.6.4
+ autoupdate=disabled
+ banmalwareupdate=daily
+ forcebanmalwareupdate=
+ debugmode=disabled
+ filtertraffic=all
+ swaplocation=/tmp/mnt/entware/myswap.swp
+ swappartition=
+ blacklist1count=142452
+ blacklist2count=42975
+ customlisturl=
+ customlist2url=
+ countrylist=af ax az bs bm br cn hr cu cz eg fj in id ir iq il jm kz kp kr kw kg la np pk pa ro ru sa sc sg si sk te hk za lk tw n
+ excludelists=
+ unbanprivateip=enabled
+ loginvalid=disabled
+ banaiprotect=enabled
+ securemode=disabled
+ extendedstats=enabled
+ fastswitch=disabled
+ Display_Header 9
+ printf \n\n=============================================================================================================\n\n\n


=============================================================================================================


+ Check_Lock save
+ [ -f /tmp/skynet.lock ]
+ echo save
+ echo 16586
+ date +%s
+ lockskynet=true
+ Check_IPSets
+ ipset -L -n Skynet-Whitelist
+ ipset -L -n Skynet-Blacklist
+ ipset -L -n Skynet-BlockedRanges
+ ipset -L -n Skynet-Master
+ Check_IPTables
+ [ all = all ]
+ iptables -t raw -C PREROUTING -i ppp0 -m set ! --match-set Skynet-Whitelist src -m set --match-set Skynet-Master src -j DROP
+ [ all = all ]
+ iptables -t raw -C PREROUTING -i br0 -m set ! --match-set Skynet-Whitelist dst -m set --match-set Skynet-Master dst -j DROP
+ iptables -t raw -C OUTPUT -m set ! --match-set Skynet-Whitelist dst -m set --match-set Skynet-Master dst -j DROP
+ nvram get sshd_enable
+ [ 1 = 1 ]
+ nvram get sshd_bfp
+ [ 1 = 1 ]
+ uname -o
+ [ ASUSWRT-Merlin = ASUSWRT-Merlin ]
+ iptables -C SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j SET --add-set Skynet-Master src
+ return 1
+ logger -st Skynet [*] Rule Integrity Violation - Restarting Firewall
Skynet: [*] Rule Integrity Violation - Restarting Firewall
+ restartfirewall=1
+ nolog=2
+ nvram get http_username
+ sed -i \~USER admin pid .*/jffs/scripts/firewall ~d /tmp/syslog.log
+ Spinner_End
+ [ -f /tmp/skynet/spinstart ]
+ Display_Header 9
+ printf \n\n=============================================================================================================\n\n\n


=============================================================================================================


+ [ 2 != 2 ]
+ [  != 1 ]
+ Write_Config
+ printf %s\n ################################################
+ printf %s\n ## Generated By Skynet - Do Not Manually Edit ##
+ date +%b %d %T
+ printf %-45s %s\n\n ## Nov 25 10:12:12 ##
+ printf %s\n ## Installer ##
+ printf %s="%s"\n model RT-AC68U
+ printf %s="%s"\n localver v6.6.4
+ printf %s="%s"\n autoupdate disabled
+ printf %s="%s"\n banmalwareupdate daily
+ printf %s="%s"\n forcebanmalwareupdate
+ printf %s="%s"\n debugmode disabled
+ printf %s="%s"\n filtertraffic all
+ printf %s="%s"\n swaplocation /tmp/mnt/entware/myswap.swp
+ printf %s="%s"\n swappartition
+ printf \n%s\n ## Counters / Lists ##
+ printf %s="%s"\n blacklist1count 142452
+ printf %s="%s"\n blacklist2count 42975
+ printf %s="%s"\n customlisturl
+ printf %s="%s"\n customlist2url
+ printf %s="%s"\n countrylist af ax az bs bm br cn hr cu cz eg fj in id ir iq il jm kz kp kr kw kg la np pk pa ro ru sa sc sg si sn
+ printf %s="%s"\n excludelists
+ printf \n%s\n ## Settings ##
+ printf %s="%s"\n unbanprivateip enabled
+ printf %s="%s"\n loginvalid disabled
+ printf %s="%s"\n banaiprotect enabled
+ printf %s="%s"\n securemode disabled
+ printf %s="%s"\n extendedstats enabled
+ printf %s="%s"\n fastswitch disabled
+ printf \n%s\n ################################################
+ [ true = true ]
+ rm -rf /tmp/skynet.lock
+ [ 1 = 1 ]
+ service restart_firewall

Done.
+ echo

+ [ -n  ]
+ Spinner_End
+ [ -f /tmp/skynet/spinstart ]
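The `sh -x` trace above shows exactly how the v6.6.4 rule validation fires: `Check_IPTables` probes each expected rule with `iptables -C`, the probe against the `SSHBFP` chain returns 1, and the save job logs `Rule Integrity Violation - Restarting Firewall`. As an added illustration (not Skynet's code), here is a POSIX sh integrity check in the same spirit. The probe list is copied from the `iptables -C` calls in the trace; the names `check_rule_integrity`, `rule_watchdog`, `stub_iptables`, `IPTABLES` and `IFACE` are mine; and the `iptables` binary is replaced by a constructed stub reproducing the poster's router (every Skynet rule present, `SSHBFP` absent) so the demo runs offline. What it adds is the detail the poster had to dig out of the trace by hand: which probe failed, and whether the whole chain or only the rule is missing.

```sh
#!/bin/sh
# Added example, not part of Skynet. Rule-integrity check modelled on the probes
# Check_IPTables issues in the trace above, extended to name the failing probe.
# IPTABLES and IFACE are assumptions: on the router leave them at their defaults.
IPTABLES="${IPTABLES:-iptables}"
IFACE="${IFACE:-ppp0}"

# One probe per line: <table> <chain> <rule spec>. Taken from the `iptables -C`
# calls in the trace; the last one is the hook Skynet adds to the firmware's
# SSHBFP chain so repeat offenders land in its ban set.
expected_rules() {
    cat <<EOF
raw PREROUTING -i $IFACE -m set ! --match-set Skynet-Whitelist src -m set --match-set Skynet-Master src -j DROP
raw PREROUTING -i br0 -m set ! --match-set Skynet-Whitelist dst -m set --match-set Skynet-Master dst -j DROP
raw OUTPUT -m set ! --match-set Skynet-Whitelist dst -m set --match-set Skynet-Master dst -j DROP
filter SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j SET --add-set Skynet-Master src
EOF
}

# Prints one line per failed probe. `iptables -C` exits non-zero both when the
# rule is absent and when the whole chain is absent, so a second `-L` probe
# tells the two apart; on the poster's router the SSHBFP chain itself is missing.
check_rule_integrity() {
    expected_rules | while read -r table chain spec; do
        # $spec is deliberately unquoted so it splits into iptables arguments
        if $IPTABLES -t "$table" -C "$chain" $spec >/dev/null 2>&1; then
            continue
        fi
        if $IPTABLES -t "$table" -L "$chain" -n >/dev/null 2>&1; then
            echo "rule missing: -t $table -A $chain $spec"
        else
            echo "chain missing: -t $table $chain"
        fi
    done
}

# Cron entry point in the style of Skynet's save-job watchdog: log every
# failure with its detail, then restart the firewall to rebuild the rules.
rule_watchdog() {
    failures=$(check_rule_integrity)
    [ -z "$failures" ] && return 0
    printf '%s\n' "$failures" | while read -r line; do
        logger -st Skynet "[*] Rule Integrity Violation - $line"
    done
    service restart_firewall
}

# Constructed stub standing in for iptables on the poster's RT-AC68U: every
# Skynet rule is present, but nothing involving SSHBFP exists.
stub_iptables() {
    case "$*" in
        *SSHBFP*) return 1 ;;
        *) return 0 ;;
    esac
}

# Offline demo: run the check against the stub instead of the real binary.
demo_missing_sshbfp() {
    ( IFACE=ppp0; IPTABLES=stub_iptables; check_rule_integrity )
}

if [ "${1:-}" = demo ]; then demo_missing_sshbfp; fi
```

Run against the stub it reports `chain missing: -t filter SSHBFP`, which is the diagnosis Adamm reaches further down from the `iptables -L` output. A log line carrying that detail would have pointed straight at the firmware's SSH brute-force chain instead of requiring a full `sh -x` trace, and it also makes the restart decision safer: a restart cannot recreate a chain the firmware never builds, so the watchdog would otherwise loop on every save.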
 
Okay, thanks, that gives me a better idea of the issue. There seems to be some sort of issue with the BFD SSH rules that I can't replicate. Please also post the output of;

Code:
iptables -L
 
Yes Sir,
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
logdrop    icmp --  anywhere             anywhere             icmp echo-request
logdrop    icmp --  anywhere             anywhere             icmp echo-request
logdrop    icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
logdrop    all  --  anywhere             anywhere             state INVALID
PTCSRVWAN  all  --  anywhere             anywhere
PTCSRVLAN  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state NEW
OVPN       all  --  anywhere             anywhere             state NEW
ACCEPT     igmp --  anywhere             base-address.mcast.net/4
ACCEPT     udp  --  anywhere             base-address.mcast.net/4  udp dpt:!upnp
DROP       all  --  10.0.0.0/8           anywhere
DROP       all  --  172.16.0.0/-1        anywhere
ACCEPT     all  --  172.16.0.0/-1        anywhere
ACCEPT     all  --  X.X.X.X      anywhere
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
INPUT_ICMP  icmp --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             base-address.mcast.net/4
TCPMSS     tcp  --  anywhere             anywhere             tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
other2wan  all  --  anywhere             anywhere
other2wan  all  --  anywhere             anywhere
other2wan  all  --  anywhere             anywhere
other2wan  all  --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere
SECURITY   all  --  anywhere             anywhere
SECURITY   all  --  anywhere             anywhere
SECURITY   all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
OVPN       all  --  anywhere             anywhere             state NEW

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain ACCESS_RESTRICTION (0 references)
target     prot opt source               destination

Chain FUPNP (0 references)
target     prot opt source               destination

Chain INPUT_ICMP (1 references)
target     prot opt source               destination
RETURN     icmp --  anywhere             anywhere             icmp echo-request
RETURN     icmp --  anywhere             anywhere             icmp timestamp-request
ACCEPT     icmp --  anywhere             anywhere

Chain OVPN (2 references)
target     prot opt source               destination

Chain PControls (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PTCSRVLAN (1 references)
target     prot opt source               destination

Chain PTCSRVWAN (1 references)
target     prot opt source               destination

Chain SECURITY (3 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
logdrop    tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
logdrop    tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST
RETURN     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
logdrop    icmp --  anywhere             anywhere             icmp echo-request
RETURN     all  --  anywhere             anywhere

Chain default_block (0 references)
target     prot opt source               destination

Chain logaccept (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (10 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain other2wan (4 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere
 
Okay this is very unusual. You are missing the "SSHBFP" chain entirely even though you have both the nvram prerequisites set.

https://github.com/RMerl/asuswrt-me...980621/release/src/router/rc/firewall.c#L3326

Code:
#ifdef RTCONFIG_SSH
        // Open ssh to WAN
        if (nvram_get_int("sshd_enable") == 1)
        {
            if (nvram_match("sshd_bfp", "1"))
            {
                fprintf(fp, "-N SSHBFP\n");
                fprintf(fp, "-A SSHBFP -m recent --set --name SSH --rsource\n");
                fprintf(fp, "-A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j %s\n", logdrop);
                fprintf(fp, "-A SSHBFP -j %s\n", logaccept);
                fprintf(fp, "-A INPUT -p tcp --dport %d -m state --state NEW -j SSHBFP\n",
                        nvram_get_int("sshd_port") ? : 22);
#ifdef RTCONFIG_IPV6
                if (ipv6_enabled())
                {
                    fprintf(fp_ipv6, "-N SSHBFP\n");
                    fprintf(fp_ipv6, "-A SSHBFP -m recent --set --name SSH --rsource\n");
                    fprintf(fp_ipv6, "-A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j %s\n", logdrop);
                    fprintf(fp_ipv6, "-A SSHBFP -j %s\n", logaccept);
                    fprintf(fp_ipv6, "-A INPUT -p tcp --dport %d -m state --state NEW -j SSHBFP\n",
                        nvram_get_int("sshd_port") ? : 22);
                }
#endif

@RMerlin is there some other prerequisite that this edge case is missing?
 

For the time being you can disable SSH BFP, as it's not working on your setup anyway. That should temporarily resolve the issue.
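The `firewall.c` excerpt quoted above builds the chain, but it does not show what the two `-m recent` rules actually do to a stream of connection attempts. The following is an added model of that behaviour (not firmware or Skynet code): every NEW connection to the SSH port is recorded for its source by `--set`, and a packet is dropped once the same source has 4 or more recorded hits inside the trailing 60 s window (`--update --seconds 60 --hitcount 4`); Skynet's own rule, seen in the `sh -x` trace earlier in the thread, sits in the same chain and adds such a source to `Skynet-Master` instead of merely dropping. The input format `<unix time> <source>`, the function names and the sample attempts (RFC 5737 documentation addresses) are constructed; the recent module's per-entry packet cap (`ip_pkt_list_tot`) and `--reap` are ignored.

```sh
#!/bin/sh
# Added example, not firmware or Skynet code: a model of what the SSHBFP chain
# quoted above does to a sequence of NEW SSH connections from the same source.
# Assumptions: attempts arrive as "<unix time> <source>" lines on stdin; the
# recent module's per-entry stamp cap (ip_pkt_list_tot) and --reap are ignored.

# Reads attempts on stdin, prints "<time> <source> ACCEPT|DROP" per attempt.
ssh_bfp_simulate() {
    awk -v window=60 -v hitcount=4 '
    {
        ts = $1 + 0; src = $2
        # --set: record a timestamp for this source (matches, no target, so
        # processing falls through to the next rule)
        n[src]++; stamp[src, n[src]] = ts
        # --update --seconds window --hitcount N: count stamps inside the window
        hits = 0
        for (i = 1; i <= n[src]; i++)
            if (ts - stamp[src, i] <= window) hits++
        if (hits >= hitcount) {
            verdict = "DROP"
            # a matching --update re-stamps the entry, so continued attempts
            # keep extending the block rather than letting it expire
            n[src]++; stamp[src, n[src]] = ts
        } else {
            verdict = "ACCEPT"
        }
        print ts, src, verdict
    }'
}

# Constructed sample: one source makes four attempts in 30 s, a bystander
# connects, the offender retries inside the window and again after being
# quiet for more than 60 s.
SAMPLE_ATTEMPTS='100 203.0.113.5
110 203.0.113.5
120 203.0.113.5
130 203.0.113.5
135 198.51.100.7
170 203.0.113.5
240 203.0.113.5'

# Verdicts for the sample, space-separated: the 4th attempt and the retry at
# 170 are dropped; the attempt at 240 is accepted because every earlier stamp
# has aged out of the 60 s window.
sample_verdicts() {
    printf '%s\n' "$SAMPLE_ATTEMPTS" | ssh_bfp_simulate \
        | awk '{ v = v (NR > 1 ? " " : "") $3 } END { print v }'
}
```

Two points the model makes visible. First, the limit is per source and rolling, so the bystander at 135 is unaffected and the offender is unblocked once 60 s pass with no attempts; with Skynet's rule in the chain the source is additionally added to the ban set, which outlives the 60 s window. Second, the chain only exists when the firmware built it at firewall start with both `sshd_enable` and `sshd_bfp` set, which is the thread's finding: change either value via nvram over SSH without a firewall restart and the chain is absent, so Skynet's `iptables -C SSHBFP ...` probe fails. On the router, `iptables -L SSHBFP -v -n` shows the rule counters and `/proc/net/xt_recent/SSH` lists the sources the `recent` module currently tracks.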
 
Nothing that I can think of, unless either SSH or BFP were enabled over ssh and not through the webui, which means the firewall needs to be restarted to apply the new rules.
 
