Skynet - Router Firewall & Security Enhancements


The new IoT blocking works awesome @Adamm !! Nice feature, good thinking man!;):)
 
Err, that's unusual. The process on newer devices should only take ~20s. Would you mind giving me the output from manually running banmalware?
Code:
[i] Downloading filter.list         | [0s]
[i] Refreshing Whitelists           | [2s]
[i] Consolidating Blacklist         | [3s]
[i] Filtering IPv4 Addresses        | [2s]
[i] Filtering IPv4 Ranges           | [0s]
[i] Applying New Blacklist          | [3s]
[i] Refreshing AiProtect Bans       | [1s]
[i] Saving Changes                  | [2s]

[i] For Whitelisting Assistance -
[i] https://www.snbforums.com/threads/skynet-asus-firewall-addition.16798/#post-115872


=============================================================================================================


[#] 154012 IPs (+2141) -- 1657 Ranges Banned (+167) || 1101 Inbound -- 0 Outbound Connections Blocked! [banmalware] [14s]
Ha! Fourteen seconds now, and that is with a Twitch stream running.
 
I have WeMo switches and Hue lightbulbs. As long as I don't require remote access I can "iot ban" them in Skynet?
Not so much. This disables WAN access to these devices, not local access.
 
I have WeMo switches and Hue lightbulbs. As long as I don't require remote access I can "iot ban" them in Skynet?

I can't say I am directly familiar with these products; the IoT category is so wide it's hard to give a definitive answer. But so long as you don't need WAN access to these devices you should be able to block them in theory.

Feel free to give it a test and report back.

Ha! Fourteen seconds now, and that is with a Twitch stream running.

So you went from one of the slowest reported banmalware times to the fastest I've ever seen o_O I wish I had a logical answer to give you, but those results are quite conflicting as the manual run shows it's working fine.
 
I have WeMo switches and Hue lightbulbs. As long as I don't require remote access I can "iot ban" them in Skynet?

For Hue, it is only the bridge that uses your network (bulbs communicate with it using Zigbee). You will be able to control everything locally without that. I am not sure if this breaks Alexa integration, though.
 
When I reboot this always happens and my firewall restarts just before the end of the reboot process. Any ideas why? What rule is being violated?
Code:
Jan 28 10:17:55 Skynet: [*] Rule Integrity Violation - Restarting Firewall [#1]
 
For Hue, it is only the bridge that uses your network (bulbs communicate with it using Zigbee). You will be able to control everything locally without that.
Yes, I know.

I don’t use Alexa, but I do use HomeKit automation.
 
When I reboot this always happens and my firewall restarts just before the end of the reboot process. Any ideas why? What rule is being violated?
Code:
Jan 28 10:17:55 Skynet: [*] Rule Integrity Violation - Restarting Firewall [#1]


Code:
ipset -L -n Skynet-Whitelist >/dev/null 2>&1 || { fail="1"; return 1; }

So essentially the first check is failing as IPSet is getting nuked at some point. I can't reproduce this on a fresh install (nor have I seen any reports), do you have any custom edits that may be interfering?
 
Code:
ipset -L -n Skynet-Whitelist >/dev/null 2>&1 || { fail="1"; return 1; }

So essentially the first check is failing as IPSet is getting nuked at some point. I can't reproduce this on a fresh install (nor have I seen any reports), do you have any custom edits that may be interfering?
In regards to custom edits, I'm not sure what you mean. I have not messed with the install in any way and it's a fresh install on the new 384.9 beta1 last night.
 
In regards to custom edits, I'm not sure what you mean. I have not messed with the install in any way and it's a fresh install on the new 384.9 beta1 last night.

So what is happening is that when services-stop is executed on reboot, Skynet issues a save command to dump everything from the ram to a hard copy. Theoretically Skynet should still be fully functional at this point.

For whatever reason, your IPSet has already been nuked from the ram at this point, so when Skynet issues the save command it notices a rule violation and triggers a restart_firewall event.

Which brings me back to the point that something out of the ordinary is happening around this time (that’s assuming this is a consistent issue and not a one off fluke).


edit; I noticed you were having other “unmounting” issues in the amtm thread. Perhaps the two are related.
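
Added example, not part of the original posts and not Skynet's own code: one way to look for whatever ran just before the violation is to list the syslog lines logged in the seconds before each "Rule Integrity Violation" entry. The function names, the `example_script` tag and the sample log (constructed, apart from the violation line quoted in the thread) are assumptions.

```shell
#!/bin/sh
# Added example, not Skynet code: show what was logged shortly before each
# "Rule Integrity Violation" entry, to help spot what removed the IPSets.

# Usage: violation_context WINDOW_SECONDS < syslog
# Assumes "Mon DD HH:MM:SS tag: message" lines; only entries from the same
# day as the violation are considered (no handling of a midnight rollover).
violation_context() {
    awk -v window="$1" '
    {
        split($3, t, ":")
        secs = t[1] * 3600 + t[2] * 60 + t[3]
        day = $1 " " $2
        if ($0 ~ /Skynet: \[\*\] Rule Integrity Violation/) {
            print "== " $0
            # Print every earlier line that falls inside the window.
            for (i = 1; i <= n; i++) {
                age = secs - s[i]
                if (d[i] == day && age >= 0 && age <= window)
                    print "   " line[i]
            }
        }
        n++; line[n] = $0; s[n] = secs; d[n] = day
    }'
}

# Constructed sample log. Only the Skynet line is taken from the thread;
# the other lines and the "example_script" tag are made up for illustration.
sample_log() {
    cat <<'EOF'
Jan 28 10:17:20 kernel: constructed line well before the event
Jan 28 10:17:50 example_script: constructed line, stopping services
Jan 28 10:17:53 example_script: constructed line, unmounting USB drive
Jan 28 10:17:55 Skynet: [*] Rule Integrity Violation - Restarting Firewall [#1]
Jan 28 10:17:58 kernel: constructed line after the event
EOF
}

# Stand-alone run: context for the 10 seconds before each violation.
sample_log | violation_context 10
```

On a router, the function would be fed the system log file instead of `sample_log`.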
 
So what is happening is that when services-stop is executed on reboot, Skynet issues a save command to dump everything from the ram to a hard copy. Theoretically Skynet should still be fully functional at this point.

For whatever reason, your IPSet has already been nuked from the ram at this point, so when Skynet issues the save command it notices a rule violation and triggers a restart_firewall event.

Which brings me back to the point that something out of the ordinary is happening around this time (that’s assuming this is a consistent issue and not a one off fluke).
The only scripts I have that involve ipset would be Skynet and FreshJR_QOS, unless something else is that I don't know about.:confused:
 
As far as I can tell, this is stopping the usb drive from being umounted.
 
Feel free to give it a test and report back.
Banned the WeMo switches (as a test) and the WeMo App could immediately no longer see them, even though my iPhone was on the same local network...

(Homekit/homebridge still could communicate with them though)
 
Banned the WeMo switches (as a test) and the WeMo App could immediately no longer see them, even though my iPhone was on the same local network...

(Homekit/homebridge still could communicate with them though)

That is awesome news. I presume that is also true for the Hue integration w/ Homekit?

Sounds like the WeMo app is poorly designed. The same is true for ecobee thermostats. You cannot use the ecobee app without the thermostat being able to reach the Internet, but you can use Homekit just fine.
 
Is there a command line way of doing the temp disable option? And in turn a way to re-enable?

I would like to use plink.exe to send commands to the router to temp disable/enable Skynet if I need to from my Windows machine.
 
I am very new to Skynet but have a couple of questions. I did do some searching in this thread but there are almost 190 pages of posts; it's a lot to search to find something. And yes, I did use the search function, since I know there are some search nazis around.

1) Is there a way to show the country in the stats? Specifically, I try to block countries and not IPs whenever possible. I use the country function to block, but when I look at stats to see what things have been blocked, it shows the IP and the link to AlienVault, but it would be great if it showed the country. That way I could just add that country to the list and move on.

2) Is there a way to tell Skynet to block ALL countries except x? So basically a country whitelist? In my case, that would make it easier.

3) When I installed Skynet, it asked if I wanted to block incoming, outgoing, or both. I chose only incoming because I know it will likely not break anything. Is it possible to add outgoing later? I have not seen that but again I am new to it. I may never do it because I do not really want to have to deal with all the failures of all the services in my house, but just wondering.

4) Since I am new to Skynet, is there anything I should definitely do or avoid? Just thinking of any gotchas or must-haves that you guys may have learned along the way.

Thanks for this stuff BTW. So far, it looks very good.

Also, what do you guys think about the Network Protection stuff that's built in? Is it any good or ignore it? I like more security, but I also do not want to put a heavy burden on the router or cause a bunch of headaches of stuff getting blocked that shouldn't.
 
I am very new to Skynet but have a couple of questions. I did do some searching in this thread but there are almost 190 pages of posts; it's a lot to search to find something. And yes, I did use the search function, since I know there are some search nazis around.

1) Is there a way to show the country in the stats? Specifically, I try to block countries and not IPs whenever possible. I use the country function to block, but when I look at stats to see what things have been blocked, it shows the IP and the link to AlienVault, but it would be great if it showed the country. That way I could just add that country to the list and move on.

2) Is there a way to tell Skynet to block ALL countries except x? So basically a country whitelist? In my case, that would make it easier.

3) When I installed Skynet, it asked if I wanted to block incoming, outgoing, or both. I chose only incoming because I know it will likely not break anything. Is it possible to add outgoing later? I have not seen that but again I am new to it. I may never do it because I do not really want to have to deal with all the failures of all the services in my house, but just wondering.

4) Since I am new to Skynet, is there anything I should definitely do or avoid? Just thinking of any gotchas or must-haves that you guys may have learned along the way.

Thanks for this stuff BTW. So far, it looks very good.

Also, what do you guys think about the Network Protection stuff that's built in? Is it any good or ignore it? I like more security, but I also do not want to put a heavy burden on the router or cause a bunch of headaches of stuff getting blocked that shouldn't.
When you run “firewall” to invoke Skynet, go into Settings and there is a Filter option for inbound, outbound or all. If you also enable BanAIProtect in settings, Skynet will automatically block the unique dynamic IPs that AiProtect detects hitting your own router.

I find most of the benefit of Skynet to be in outbound protection since I do not have anything open to the internet on my network. Only a few obscure websites have been blocked outbound by Skynet’s protection (which uses publicly available block lists). I don’t think you’re looking at much work as compared to Diversion adblocking breaking a site or app.
 
When you run “firewall” to invoke Skynet, go into Settings and there is a Filter option for inbound, outbound or all. If you also enable BanAIProtect in settings, Skynet will automatically block the unique dynamic IPs that AiProtect detects hitting your own router.

I find most of the benefit of Skynet to be in outbound protection since I do not have anything open to the internet on my network. Only a few obscure websites have been blocked outbound by Skynet’s protection (which uses publicly available block lists). I don’t think you’re looking at much work as compared to Diversion adblocking breaking a site or app.


So if you enable outbound blocking in Skynet, does it only block sites that are listed in the "bad sites" list? I assumed it blocked everything and you have to open what you want. I have enabled the malware ban feature with the default list also.
 