Yep, can confirm that Skynet is now working like a dream. Thanks Merlin & Adamm.
Nov 23 01:08:08 Skynet: [#] 172571 IPs (+0) -- 20069 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [21s]
I generally try to keep things in sync to avoid this....which nvram?

Thanks, that's a bug specific to John's fork (he uses the same nvram values w/ different settings). I've pushed a fix accordingly.
sshd_enable 0|1 = Enable SSH
sshd_wan 0|1 = Expose SSH to WAN
sshd_enable 0|1|2
Hi, on my AC68U with SSH enabled on LAN+WAN and Skynet secure settings disabled, I'm getting an IPTables rules violation error.
Fix various spinner related issues
Fix settings on Johns fork being misinterpreted
Improved IPTables / IPSet rule validation w/ watchdog
Base update system on md5 hash so minor updates are downloaded
Improved aesthetics
I can't reproduce this. Can you please make sure you are running the latest version of Skynet, restart the firewall and check again.
Code:sh /jffs/scripts/firewall debug info
Router Model; RT-AC68U
Skynet Version; v6.6.4 (25/11/2018) (a05b7db78155b8ffd2e55ba6e8792b85)
iptables v1.4.15 - (ppp0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
FW Version; 384.7_2 (Oct 21 2018) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/entware/skynet (2.8G / 3.8G Space Available)
SWAP File; /tmp/mnt/entware/myswap.swp (512.5M)
Boot Args; /jffs/scripts/firewall start skynetloc=/tmp/mnt/entware/skynet
Banned Countries; af ax az bs bm br cn hr cu cz eg fj in id ir iq il jm kz kp kr kw kg la np pk pa ro ru sa sc sg si sk te hk za lkn
No Lock File Found
-----------------------   ----------
| Test Description    |   | Result |
-----------------------   ----------
Internet-Connectivity | [Passed]
Write Permission | [Passed]
Firewall-Start Entry | [Passed]
Services-Stop Entry | [Passed]
SWAP | [Passed]
Cron Jobs | [Passed]
IPSet Comment Support | [Passed]
Log Level 5 Settings | [Passed]
Duplicate Rules In RAW | [Passed]
Inbound Filter Rules | [Passed]
Inbound Debug Rules | [Disabled]
Outbound Filter Rules | [Passed]
Outbound Debug Rules | [Disabled]
Whitelist IPSet | [Passed]
BlockedRanges IPSet | [Passed]
Blacklist IPSet | [Passed]
Skynet IPSet | [Passed]
Diversion Plus Content | [Passed]
-----------------------   ----------
| Setting             |   | Status |
-----------------------   ----------
Autoupdate | [Disabled]
Auto-Banmalware Update | [Enabled]
Debug Mode | [Disabled]
Filter Traffic | [Enabled]
Unban PrivateIP | [Enabled]
Log Invalid | [Disabled]
Ban AiProtect | [Enabled]
Secure Mode | [Disabled]
Fast Switch | [Disabled]
18/18 Tests Successful
=============================================================================================================
[#] 142452 IPs (+0) -- 42975 Ranges Banned (+0) || Inbound -- Outbound Connections Blocked! [debug] [4s]
+ export LC_ALL=C
+ mkdir -p /tmp/skynet/lists
+ ntptimer=0
+ nvram get ntp_ready
+ [ 1 = 0 ]
+ [ 0 -ge 300 ]
+ date +%s
+ stime=1543137131
+ grep -ow skynetloc=.* # Skynet /jffs/scripts/firewall-start
+ awk {print $1}
+ grep -vE ^#
+ cut -c 11-
+ skynetloc=/tmp/mnt/entware/skynet
+ skynetcfg=/tmp/mnt/entware/skynet/skynet.cfg
+ skynetlog=/tmp/mnt/entware/skynet/skynet.log
+ skynetevents=/tmp/mnt/entware/skynet/events.log
+ skynetipset=/tmp/mnt/entware/skynet/skynet.ipset
+ [ -z /tmp/mnt/entware/skynet ]
+ [ ! -d /tmp/mnt/entware/skynet ]
+ nvram get wan0_proto
+ [ pppoe = pppoe ]
+ iface=ppp0
+ [ -z save ]
+ [ -n ]
+ trap Spinner_End EXIT
+ [ -f /tmp/mnt/entware/skynet/skynet.cfg ]
+ . /tmp/mnt/entware/skynet/skynet.cfg
+ model=RT-AC68U
+ localver=v6.6.4
+ autoupdate=disabled
+ banmalwareupdate=daily
+ forcebanmalwareupdate=
+ debugmode=disabled
+ filtertraffic=all
+ swaplocation=/tmp/mnt/entware/myswap.swp
+ swappartition=
+ blacklist1count=142452
+ blacklist2count=42975
+ customlisturl=
+ customlist2url=
+ countrylist=af ax az bs bm br cn hr cu cz eg fj in id ir iq il jm kz kp kr kw kg la np pk pa ro ru sa sc sg si sk te hk za lk tw n
+ excludelists=
+ unbanprivateip=enabled
+ loginvalid=disabled
+ banaiprotect=enabled
+ securemode=disabled
+ extendedstats=enabled
+ fastswitch=disabled
+ Display_Header 9
+ printf \n\n=============================================================================================================\n\n\n
=============================================================================================================
+ Check_Lock save
+ [ -f /tmp/skynet.lock ]
+ echo save
+ echo 16586
+ date +%s
+ lockskynet=true
+ Check_IPSets
+ ipset -L -n Skynet-Whitelist
+ ipset -L -n Skynet-Blacklist
+ ipset -L -n Skynet-BlockedRanges
+ ipset -L -n Skynet-Master
+ Check_IPTables
+ [ all = all ]
+ iptables -t raw -C PREROUTING -i ppp0 -m set ! --match-set Skynet-Whitelist src -m set --match-set Skynet-Master src -j DROP
+ [ all = all ]
+ iptables -t raw -C PREROUTING -i br0 -m set ! --match-set Skynet-Whitelist dst -m set --match-set Skynet-Master dst -j DROP
+ iptables -t raw -C OUTPUT -m set ! --match-set Skynet-Whitelist dst -m set --match-set Skynet-Master dst -j DROP
+ nvram get sshd_enable
+ [ 1 = 1 ]
+ nvram get sshd_bfp
+ [ 1 = 1 ]
+ uname -o
+ [ ASUSWRT-Merlin = ASUSWRT-Merlin ]
+ iptables -C SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j SET --add-set Skynet-Master src
+ return 1
+ logger -st Skynet [*] Rule Integrity Violation - Restarting Firewall
Skynet: [*] Rule Integrity Violation - Restarting Firewall
+ restartfirewall=1
+ nolog=2
+ nvram get http_username
+ sed -i \~USER admin pid .*/jffs/scripts/firewall ~d /tmp/syslog.log
+ Spinner_End
+ [ -f /tmp/skynet/spinstart ]
+ Display_Header 9
+ printf \n\n=============================================================================================================\n\n\n
=============================================================================================================
+ [ 2 != 2 ]
+ [ != 1 ]
+ Write_Config
+ printf %s\n ################################################
+ printf %s\n ## Generated By Skynet - Do Not Manually Edit ##
+ date +%b %d %T
+ printf %-45s %s\n\n ## Nov 25 10:12:12 ##
+ printf %s\n ## Installer ##
+ printf %s="%s"\n model RT-AC68U
+ printf %s="%s"\n localver v6.6.4
+ printf %s="%s"\n autoupdate disabled
+ printf %s="%s"\n banmalwareupdate daily
+ printf %s="%s"\n forcebanmalwareupdate
+ printf %s="%s"\n debugmode disabled
+ printf %s="%s"\n filtertraffic all
+ printf %s="%s"\n swaplocation /tmp/mnt/entware/myswap.swp
+ printf %s="%s"\n swappartition
+ printf \n%s\n ## Counters / Lists ##
+ printf %s="%s"\n blacklist1count 142452
+ printf %s="%s"\n blacklist2count 42975
+ printf %s="%s"\n customlisturl
+ printf %s="%s"\n customlist2url
+ printf %s="%s"\n countrylist af ax az bs bm br cn hr cu cz eg fj in id ir iq il jm kz kp kr kw kg la np pk pa ro ru sa sc sg si sn
+ printf %s="%s"\n excludelists
+ printf \n%s\n ## Settings ##
+ printf %s="%s"\n unbanprivateip enabled
+ printf %s="%s"\n loginvalid disabled
+ printf %s="%s"\n banaiprotect enabled
+ printf %s="%s"\n securemode disabled
+ printf %s="%s"\n extendedstats enabled
+ printf %s="%s"\n fastswitch disabled
+ printf \n%s\n ################################################
+ [ true = true ]
+ rm -rf /tmp/skynet.lock
+ [ 1 = 1 ]
+ service restart_firewall
Done.
+ echo
+ [ -n ]
+ Spinner_End
+ [ -f /tmp/skynet/spinstart ]
And save:
Code:iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
logdrop icmp -- anywhere anywhere icmp echo-request
logdrop icmp -- anywhere anywhere icmp echo-request
logdrop icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
logdrop all -- anywhere anywhere state INVALID
PTCSRVWAN all -- anywhere anywhere
PTCSRVLAN all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
OVPN all -- anywhere anywhere state NEW
ACCEPT igmp -- anywhere base-address.mcast.net/4
ACCEPT udp -- anywhere base-address.mcast.net/4 udp dpt:!upnp
DROP all -- 10.0.0.0/8 anywhere
DROP all -- 172.16.0.0/-1 anywhere
ACCEPT all -- 172.16.0.0/-1 anywhere
ACCEPT all -- X.X.X.X anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
INPUT_ICMP icmp -- anywhere anywhere
logdrop all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere base-address.mcast.net/4
TCPMSS tcp -- anywhere anywhere tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
other2wan all -- anywhere anywhere
other2wan all -- anywhere anywhere
other2wan all -- anywhere anywhere
other2wan all -- anywhere anywhere
logdrop all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
SECURITY all -- anywhere anywhere
SECURITY all -- anywhere anywhere
SECURITY all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate DNAT
OVPN all -- anywhere anywhere state NEW
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain ACCESS_RESTRICTION (0 references)
target prot opt source destination
Chain FUPNP (0 references)
target prot opt source destination
Chain INPUT_ICMP (1 references)
target prot opt source destination
RETURN icmp -- anywhere anywhere icmp echo-request
RETURN icmp -- anywhere anywhere icmp timestamp-request
ACCEPT icmp -- anywhere anywhere
Chain OVPN (2 references)
target prot opt source destination
Chain PControls (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain PTCSRVLAN (1 references)
target prot opt source destination
Chain PTCSRVWAN (1 references)
target prot opt source destination
Chain SECURITY (3 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
logdrop tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN
RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
logdrop tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST
RETURN icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
logdrop icmp -- anywhere anywhere icmp echo-request
RETURN all -- anywhere anywhere
Chain default_block (0 references)
target prot opt source destination
Chain logaccept (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT all -- anywhere anywhere
Chain logdrop (10 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain other2wan (4 references)
target prot opt source destination
RETURN all -- anywhere anywhere
logdrop all -- anywhere anywhere
#ifdef RTCONFIG_SSH
	// Open ssh to WAN: sshd_enable == 1 only. With sshd_bfp set, NEW SSH
	// connections are routed through SSHBFP, which uses the "recent" match:
	// rule 1 records the source address, rule 2 drops a source seen 4 or
	// more times within 60 seconds, rule 3 accepts everything else.
	// Skynet inserts its own rule into this chain (see the -C probe in the
	// trace above), so the chain must exist for its integrity check to pass.
	if (nvram_get_int("sshd_enable") == 1)
	{
		if (nvram_match("sshd_bfp", "1"))
		{
			fprintf(fp, "-N SSHBFP\n");
			fprintf(fp, "-A SSHBFP -m recent --set --name SSH --rsource\n");
			fprintf(fp, "-A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j %s\n", logdrop);
			fprintf(fp, "-A SSHBFP -j %s\n", logaccept);
			// sshd_port of 0/unset falls back to 22 (GNU "?:" extension)
			fprintf(fp, "-A INPUT -p tcp --dport %d -m state --state NEW -j SSHBFP\n",
				nvram_get_int("sshd_port") ? : 22);
#ifdef RTCONFIG_IPV6
			if (ipv6_enabled())
			{
				// Mirror the chain in ip6tables
				fprintf(fp_ipv6, "-N SSHBFP\n");
				fprintf(fp_ipv6, "-A SSHBFP -m recent --set --name SSH --rsource\n");
				fprintf(fp_ipv6, "-A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j %s\n", logdrop);
				fprintf(fp_ipv6, "-A SSHBFP -j %s\n", logaccept);
				fprintf(fp_ipv6, "-A INPUT -p tcp --dport %d -m state --state NEW -j SSHBFP\n",
					nvram_get_int("sshd_port") ? : 22);
			}
#endif
		}
		// (the non-BFP path and the rest of this block are not quoted in the post)
	}
#endif
Yes Sir,
Ok, thanks. I will do it.

For the time being you can disable SSH BFP as it's not working on your setup anyway. That should temporarily resolve the issue.
@RMerlin is there some other prerequisite that this edge case is missing?
I understand but it's not my case.

Nothing that I can think of, unless either SSH or BFP were enabled over SSH and not through the webui, which means the firewall needs to be restarted to apply the new rules.
Shouldn't you just add an extra check for sshd_wan per John's BFP logic?

Your fork uses the older values;
Code:sshd_enable 0|1 = Enable SSH
sshd_wan 0|1 = Expose SSH to WAN
I believe the 380 update unified this to;
Code:sshd_enable 0|1|2
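The check the thread converges on, written out as an added example (this is not Skynet's, Merlin's or John's code): before asserting that Skynet's rule is present in SSHBFP, decide whether the firmware should have created that chain at all, under either nvram convention. The firmware snippet above builds SSHBFP only when SSH is open to WAN (sshd_enable == 1) and sshd_bfp is 1; in Merlin's firmware the value 2 means LAN only. Assumptions beyond the page: the CONVENTION argument and function names are mine, the "legacy" branch assumes John's fork gates WAN exposure on sshd_wan=1 as the post suggests, and the IPTABLES override exists only so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example, not Skynet's own code. Decides whether the firmware should
# have created the SSHBFP chain before probing for Skynet's rule in it, so a
# router where SSH is LAN-only (or a fork that gates WAN access on sshd_wan)
# is not reported as a Rule Integrity Violation.
#
# Two nvram conventions quoted in the thread:
#   unified (Merlin 380+): sshd_enable 0|1|2      1 = LAN+WAN, 2 = LAN only
#   legacy  (John's fork): sshd_enable 0|1  plus  sshd_wan 0|1
# The CONVENTION argument, the function names and the IPTABLES override are
# this example's own, not Skynet's.

IPTABLES="${IPTABLES:-iptables}"

# sshbfp_expected CONVENTION SSHD_ENABLE SSHD_BFP [SSHD_WAN]
# Exit 0 if the firmware is expected to have created SSHBFP, 1 otherwise.
sshbfp_expected() {
    convention="$1"; enable="$2"; bfp="$3"; wan="${4:-0}"
    [ "$bfp" = "1" ] || return 1
    case "$convention" in
        unified) [ "$enable" = "1" ] ;;                      # 2 = LAN only, no chain
        legacy)  [ "$enable" = "1" ] && [ "$wan" = "1" ] ;;  # assumption: WAN gated on sshd_wan
        *)       return 1 ;;
    esac
}

# The exact rule Skynet probes for in the trace above (its hook into SSHBFP
# that adds repeat offenders to the Skynet-Master ipset).
sshbfp_rule_present() {
    "$IPTABLES" -C SSHBFP -m recent --update --seconds 60 --hitcount 4 \
        --name SSH --rsource -j SET --add-set Skynet-Master src >/dev/null 2>&1
}

# check_sshbfp CONVENTION SSHD_ENABLE SSHD_BFP [SSHD_WAN]
# Prints skipped | ok | violation; exits non-zero only on violation.
check_sshbfp() {
    if ! sshbfp_expected "$@"; then
        echo skipped
        return 0
    fi
    if sshbfp_rule_present; then
        echo ok
        return 0
    fi
    echo violation
    return 1
}

# Live use on the router (needs root):
#   check_sshbfp unified "$(nvram get sshd_enable)" "$(nvram get sshd_bfp)" \
#       || logger -st Skynet "[*] Rule Integrity Violation"
```

The point of the extra step is the "skipped" outcome: an LAN-only SSH setup, or a fork build with sshd_wan=0, never gets an SSHBFP chain from the firmware, so probing for Skynet's rule there would restart the firewall on every run without ever fixing anything.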