I've pushed v6.7.6

  • Toggle for country lookups on stat data ( sh /jffs/scripts/firewall settings lookupcountry enable|disable )

  • Show IOT blocks in "debug watch"

  • Show if associated domains are also blocked in Diversion when using "stats search ip" and "stats search malware"

Thank you Adamm, that makes it so much easier to find a blocked site.
 
I have an n66u and it says ipset not supported I think when I try to install.

Sorry I should have been more specific, only ARM/HND devices are supported (AC68U and newer)
 
I have an n66u and it says ipset not supported I think when I try to install.

If I'm not mistaken, Skynet requires the latest RMerlin release to work. The RT-N66U is unfortunately past its due date by about a year.
 
I have an n66u and it says ipset not supported I think when I try to install.
Hopefully you backed up your settings before trying to install Skynet, which, as you found out, won't work on an N66. If you have a backup for your N66, I would suggest that you do a factory reset and then reload your settings, as the failed install of Skynet may have left behind some artifacts; if it did, this will clean them out of memory and any other place which might have been impacted.
 
Hopefully you backed up your settings before trying to install Skynet, which, as you found out, won't work on an N66. If you have a backup for your N66, I would suggest that you do a factory reset and then reload your settings, as the failed install of Skynet may have left behind some artifacts; if it did, this will clean them out of memory and any other place which might have been impacted.

Skynet runs various compatibility checks before proceeding with the install. Rest assured there are no residual files beyond the installer itself.
 
Skynet runs various compatibility checks before proceeding with the install. Rest assured there are no residual files beyond the installer itself.

I wouldn't expect anything less with Skynet as it is very well designed and implemented, however being old school and having been bitten more than once during installs and upgrades I always make sure I have a fresh backup so if something goes wrong it isn't a big deal to get back to where I was.
 
Is it possible that Skynet would remove a fake-hwclock cron entry?
 
Is it possible that Skynet would remove a fake-hwclock cron entry?

Highly unlikely. Skynet handles crons on an exact-name basis:

Code:
Unload_Cron () {
        # With no argument, remove every Skynet cron entry
        if [ -z "$1" ]; then set "all"; fi
        for cron in "$@"; do
                # cru d deletes only the entry whose name matches exactly
                case "$cron" in
                        save)
                                cru d Skynet_save
                        ;;
                        banmalware)
                                cru d Skynet_banmalware
                        ;;
                        autoupdate)
                                cru d Skynet_autoupdate
                        ;;
                        checkupdate)
                                cru d Skynet_checkupdate
                        ;;
                        all)
                                cru d Skynet_save
                                cru d Skynet_banmalware
                                cru d Skynet_autoupdate
                                cru d Skynet_checkupdate
                        ;;
                        *)
                                echo "[*] Error - No Cron Specified To Unload"
                        ;;
                esac
        done
}

Load_Cron () {
        # Load_Cron expects an explicit schedule name; there is no "all" case
        # here, so calling it with no argument reports an error
        if [ -z "$1" ]; then set "all"; fi
        for cron in "$@"; do
                case "$cron" in
                        save)
                                # Write the ipsets to disk every hour
                                cru a Skynet_save "0 * * * * sh /jffs/scripts/firewall save"
                        ;;
                        banmalwaredaily)
                                # Last digit of the epoch time picks an hour 0-9, spreading
                                # list downloads across routers instead of all at once
                                hour="$(date +%s | tail -c 2)"
                                cru a Skynet_banmalware "25 $hour * * * sh /jffs/scripts/firewall banmalware"
                        ;;
                        banmalwareweekly)
                                hour="$(date +%s | tail -c 2)"
                                cru a Skynet_banmalware "25 $hour * * Mon sh /jffs/scripts/firewall banmalware"
                        ;;
                        autoupdate)
                                cru a Skynet_autoupdate "25 1 * * Mon sh /jffs/scripts/firewall update"
                        ;;
                        checkupdate)
                                cru a Skynet_checkupdate "25 1 * * Mon sh /jffs/scripts/firewall update check"
                        ;;
                        *)
                                echo "[*] Error - No Cron Specified To Load"
                        ;;
                esac
        done
}
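The following is an added example, not Skynet's code and not part of the post above. It stands in for Asuswrt's cru with a plain file so the exact-name behaviour of Unload_Cron can be checked on any host without touching a router. It assumes cru stores each job as "<schedule> <command> #<name>#" (the tag format Asuswrt-Merlin uses on crontab lines); CRONTAB_FILE and the fake-hwclock job line are constructed for the demo, only the job name comes from the question.

```shell
#!/bin/sh
# Added example, not Skynet's code. Simulates Asuswrt's `cru` with a plain
# file so Unload_Cron's exact-name behaviour can be tested on any host.
# Assumption: cru stores each job as "<schedule> <command> #<name>#".
# CRONTAB_FILE is a demo path, not anything Skynet or the router uses.
CRONTAB_FILE="${CRONTAB_FILE:-${TMPDIR:-/tmp}/cru_demo.$$}"
: > "$CRONTAB_FILE"

# cru d NAME: remove only the line tagged with exactly " #NAME#".
cru_d() {
    tmp="$CRONTAB_FILE.tmp"
    { grep -v -F -e " #$1#" "$CRONTAB_FILE" || :; } > "$tmp"
    mv "$tmp" "$CRONTAB_FILE"
}

# cru a NAME "SCHEDULE COMMAND": replace any entry of that name, then append.
cru_a() {
    cru_d "$1"
    printf '%s #%s#\n' "$2" "$1" >> "$CRONTAB_FILE"
}

# cru l: list the simulated crontab.
cru_l() { cat "$CRONTAB_FILE"; }

# Succeeds only if an entry with exactly this name exists.
cru_has() { grep -q -F -e " #$1#" "$CRONTAB_FILE"; }

# Same names as the "all" branch of Skynet's Unload_Cron.
unload_skynet_crons() {
    for name in Skynet_save Skynet_banmalware Skynet_autoupdate Skynet_checkupdate; do
        cru_d "$name"
    done
}

# Demo: a third-party job (constructed; only the name comes from the question)
# sits next to two Skynet jobs, then every Skynet cron is unloaded.
# Succeeds if the third-party job survived and the Skynet ones are gone.
demo() {
    : > "$CRONTAB_FILE"
    cru_a fake-hwclock "*/5 * * * * /opt/sbin/fake-hwclock save"
    cru_a Skynet_save "0 * * * * sh /jffs/scripts/firewall save"
    cru_a Skynet_banmalware "25 3 * * * sh /jffs/scripts/firewall banmalware"
    unload_skynet_crons
    cru_has fake-hwclock && ! cru_has Skynet_save && ! cru_has Skynet_banmalware
}

demo && echo "fake-hwclock entry kept, Skynet entries removed:" && cru_l
```

The tag match includes both the leading space and the closing "#", so a name that happens to be a prefix of another (Skynet_save against a hypothetical Skynet_save2) is still not touched. On a real router the equivalent check is cru l before and after an uninstall.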
 
@Adamm I have the AiProtection - Two-Way IPS enabled on my router and I have Ban AiProtect enabled in Skynet.

I went into stats in Skynet and did a search for entries "from specific IP" and of course verified all the entries in the web management for AiProtection - Two-Way IPS in the log of the router are indeed in Skynet and now blocked.

My question is if I delete the log in web management of the router for AiProtection - Two-Way IPS would it remove those entries in Skynet as well?

I would assume no but I thought I would check as the log is a few pages now in the web management so I would like to clean it up and delete it. Should the web management log be maintained/left alone or deleted?

Also, how often does Skynet check AiProtection - Two-Way IPS logs and add them to SkyNet?
 
Love the inclusion of various commands under the Help section. Would highly recommend them to anyone who has Skynet installed.

https://github.com/Adamm00/IPSet_ASUS

Thank you @Adamm!
Great post, Marin. I’d been trying to keep track of such commands as and when I saw one listed in the forum. My collection stands at a miserable 6, now replaced with the link you posted to Adam’s comprehensive list. I know that many are available through the gui, but it’s still nice to see them listed as examples.
Many thanks.
 
You can also find these commands on the second post of this thread for quick reference. Plus whenever you use the menu, it will show you the CLI equivalent before displaying the output.
 
@Adamm Is there a way to list the ports you have allowed in the IoT settings? Is there a way to remove a port without wiping the list of ports you have? Thanks for the help in advance sir!
 
@Adamm Is there a way to list the ports you have allowed in the IoT settings? Is there a way to remove a port without wiping the list of ports you have? Thanks for the help in advance sir!
Second question, I use YazFi and want to add a device to the IoT list, that is routed by YazFi. When I add it to the block list, I can still access the device from the WAN side. I have removed all allowed ports, so it should block but doesn't. So the device I want blocked is on another subnet. Example: 192.168.1.0/24 and 192.168.2.0/24
 
@Adamm Is there a way to list the ports you have allowed in the IoT settings?

Code:
sh /jffs/scripts/firewall debug info extended

Is there a way to remove a port without wiping the list of ports you have?

No, you will need to copy/paste the previous list.
 
Second question, I use YazFi and want to add a device to the IoT list, that is routed by YazFi. When I add it to the block list, I can still access the device from the WAN side. I have removed all allowed ports, so it should block but doesn't. So the device I want blocked is on another subnet. Example: 192.168.1.0/24 and 192.168.2.0/24
Skynet's rule uses br0 whereas YazFi establishes wl0.1 (example) as its own interface. Technically speaking, wl0.1 is still part of br0 (I don't un-bridge things currently because that meant playing around with eapd for wireless auth)

The rules you'd need are along the lines of:
Code:
-A FORWARD -i wl0.1 ! -o tun2+ -m set --match-set Skynet-IOT src -j LOG --log-prefix "[BLOCKED - IOT] " --log-tcp-sequence --log-tcp-options --log-ip-options
-A FORWARD -i wl0.1 ! -o tun2+ -m set --match-set Skynet-IOT src -j DROP
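The following is an added example, not Skynet's or YazFi's code and not part of the post above. It turns the two FORWARD rules quoted there into an idempotent installer for any number of guest interfaces and checks an iptables-save dump for them, which is what you would do from firewall-start so the rules come back after a firewall restart without stacking duplicates. Nothing here calls iptables; the functions only build and inspect text, so the file runs on any host. The interface names and the sample dump are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Skynet's or YazFi's code. Builds the per-interface
# FORWARD rules from the post above for any number of guest interfaces and
# checks an iptables-save dump for them. Nothing here runs iptables; the
# functions only produce and inspect text. Interface names and the sample
# dump are constructed for the demo.

# Rule bodies exactly as quoted above, with the interface substituted.
iot_log_rule() {
    printf 'FORWARD -i %s ! -o tun2+ -m set --match-set Skynet-IOT src -j LOG --log-prefix "[BLOCKED - IOT] " --log-tcp-sequence --log-tcp-options --log-ip-options\n' "$1"
}
iot_drop_rule() {
    printf 'FORWARD -i %s ! -o tun2+ -m set --match-set Skynet-IOT src -j DROP\n' "$1"
}

# Print "check, else insert" commands for each interface. iptables -C fails
# when the rule is absent, so re-running this from firewall-start never
# stacks duplicates. DROP is emitted before LOG on purpose: each -I FORWARD
# goes to position 1, so inserting LOG last leaves it above DROP and the
# blocked packet is logged before it is dropped.
iot_install_cmds() {
    for iface in "$@"; do
        for rule in "$(iot_drop_rule "$iface")" "$(iot_log_rule "$iface")"; do
            printf 'iptables -C %s || iptables -I %s\n' "$rule" "$rule"
        done
    done
}

# Succeed only if both rules for IFACE ($2) appear in the dump file ($1).
iot_rules_present() {
    n=0
    grep -q -F -e "-A $(iot_log_rule "$2")" "$1" && n=$((n + 1))
    grep -q -F -e "-A $(iot_drop_rule "$2")" "$1" && n=$((n + 1))
    [ "$n" -eq 2 ]
}

# Print the interfaces ($2 onward) whose rules are missing from the dump ($1).
missing_ifaces() {
    dump=$1
    shift
    for iface in "$@"; do
        iot_rules_present "$dump" "$iface" || printf '%s\n' "$iface"
    done
}

# Constructed iptables-save excerpt: rules installed for wl0.1 but not wl1.1.
SAMPLE_DUMP="${TMPDIR:-/tmp}/iot_rules_demo.$$"
cat > "$SAMPLE_DUMP" <<'EOF'
*filter
-A FORWARD -i wl0.1 ! -o tun2+ -m set --match-set Skynet-IOT src -j LOG --log-prefix "[BLOCKED - IOT] " --log-tcp-sequence --log-tcp-options --log-ip-options
-A FORWARD -i wl0.1 ! -o tun2+ -m set --match-set Skynet-IOT src -j DROP
COMMIT
EOF

# Demo: only wl1.1 is reported missing, so only its two commands are printed.
# On the router, feed a real `iptables-save` dump in and pipe the output to sh.
iot_install_cmds $(missing_ifaces "$SAMPLE_DUMP" wl0.1 wl1.1)
```

The -C / -I pair is the part worth keeping even if you hand-write the rules: firewall-start runs every time the firewall is restarted, and a bare -I each time leaves a growing stack of identical rules in FORWARD. Checking the dump with iptables-save | grep Skynet-IOT is the quickest way to confirm which guest interfaces are actually covered.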

@Adamm a question. Does tun+ allow outbound communications using OpenVPN clients which use tun1X, or only from tun2X OpenVPN servers?
 
@Adamm a question. Does tun+ allow outbound communications using OpenVPN clients which use tun1X, or only from tun2X OpenVPN servers?

+ is a wildcard in IPTables so it should cover all tun interfaces.
 
