Skynet Skynet - Router Firewall & Security Enhancements

[Butterfly Bones]

Skynet depends on NTP for accurate logging, so if you are having NTP issues Skynet will fail to function. After 5 minutes there is an error message, but it sounds like adding an earlier notification could help those who don't wait it out until then.

It was a dumb move from me, late at night, brain ready for bed, me ignoring the need.

See this post and some replies down to #558. It was something I took from the old Stubby Installer thread, and being the inveterate tinkerer that I am, got it me in trouble as it often does.

 

[davidlee93]

My router (RT-AC86U) which has DNS privacy enabled in the settings and skynet installed (default lists + ipdeny china) constantly reboots at different times of the day, possibly due to the router not being able to handle a flood of blocked IPs?

May  5 01:05:05 kernel: _ Reboot message ... _______________________________________________________
May  5 01:05:05 kernel: Kernel panic - not syncing: softlockup: hung tasksCPU: 1 PID: 210 Comm: bcmsw_rx Tainted: P           O L  4.1.27 #2Hardware name: Broadcom-v8A (DT)Call trace:[<ffffffc0000876d8>] dump_backtrace+0x0/0x150[<ffffffc00008783c>] show_stack+0x14/0x20[<ffffffc00050859c>] dump_stack+0x90/0xb0[<ffffffc00050642c>] panic+0xe0/0x228[<ffffffc0000f8038>] watchdog+0x0/0x48[<ffffffc0000dcf8c>] hrtimer_run_queues+0x8c/0x1c8[<ffffffc0000dc49c>] update_process_times+0x2c/0x70[<ffffffc0000ea434>]
May  5 01:05:05 kernel: 0007 00000000 00000001 00000000f600: 00395b80 ffffffc0 006e3980 ffffffc0 30303030 31303030 35333535 53455220f620: 3078303d 59532030 5255204e 303d5047 54504f20 32302820 35303430 34303442f640: 38303230 39304130 00728d7c ffffffc0 17085954 ffffffc0 14bf5160 ffffffc0f660: 80728d77 ffffffc0 00728c20 ffffffc0 00738000 ffffffc0 006f4000 ffffffc0f680: 00000140 00000000 00728d78 ffffffc0 00000001 00000000 00738b20 ffffffc0f6a0: 00000125 00000000 007299e4 ffffffc0 00000004 00000000 17b0f6f
May  5 01:05:05 kernel: 49b8>] nf_hook_slow+0xb0/0x160[<ffffffc00042b0fc>] ip_rcv+0x2c4/0x3b8[<ffffffc0003bb310>] __netif_receive_
May  5 01:05:05 kernel: usb 3-1: new high-speed USB device number 2 using ehci-platform
May  5 01:05:05 kernel: skb_core+0x628/0xa40[<ffffffc0003be31c>] __netif_receive_skb+0x2c/0x88[<ffffffc0003be3b8>] netif_receive_skb_internal+0x40/0xc0[<ffffffc0003be448>] netif_receive_skb_sk+0x10/0x18[<ffffffbffc3689e4>] bcm63xx_enet_rx_thread+0x7b4/0xce0 [bcm_enet][<ffffffc0000af6b0>] kthread+0xd8/0xf0CPU0: stoppingCPU: 0 PID: 0 Comm: swapper/0 Tainted: P           O L  4.1.27 #2Hardware name: Broadcom-v8A (DT)Call trace:[<ffffffc0000876d8>] dump_backtrace+0x0/0x150[<ffffffc00008783c>] show_stack+0x
May  5 01:05:05 kernel: ____________________________________________________________________________
May  5 01:05:05 kernel: ^[[0;33;41m[ERROR pktrunner] runnerUcast_inet6addr_event,202: Could not rdpa_ucast_ipv6_host_address_table_find^[[0m

 

[cmkelley]

My router (RT-AC86U) which has DNS privacy enabled in the settings and skynet installed (default lists + ipdeny china) constantly reboots at different times of the day, possibly due to the router not being able to handle a flood of blocked IPs?

May  5 01:05:05 kernel: _ Reboot message ... _______________________________________________________
May  5 01:05:05 kernel: Kernel panic - not syncing: softlockup: hung tasksCPU: 1 PID: 210 Comm: bcmsw_rx Tainted: P           O L  4.1.27 #2Hardware name: Broadcom-v8A (DT)Call trace:[<ffffffc0000876d8>] dump_backtrace+0x0/0x150[<ffffffc00008783c>] show_stack+0x14/0x20[<ffffffc00050859c>] dump_stack+0x90/0xb0[<ffffffc00050642c>] panic+0xe0/0x228[<ffffffc0000f8038>] watchdog+0x0/0x48[<ffffffc0000dcf8c>] hrtimer_run_queues+0x8c/0x1c8[<ffffffc0000dc49c>] update_process_times+0x2c/0x70[<ffffffc0000ea434>]
May  5 01:05:05 kernel: 0007 00000000 00000001 00000000f600: 00395b80 ffffffc0 006e3980 ffffffc0 30303030 31303030 35333535 53455220f620: 3078303d 59532030 5255204e 303d5047 54504f20 32302820 35303430 34303442f640: 38303230 39304130 00728d7c ffffffc0 17085954 ffffffc0 14bf5160 ffffffc0f660: 80728d77 ffffffc0 00728c20 ffffffc0 00738000 ffffffc0 006f4000 ffffffc0f680: 00000140 00000000 00728d78 ffffffc0 00000001 00000000 00738b20 ffffffc0f6a0: 00000125 00000000 007299e4 ffffffc0 00000004 00000000 17b0f6f
May  5 01:05:05 kernel: 49b8>] nf_hook_slow+0xb0/0x160[<ffffffc00042b0fc>] ip_rcv+0x2c4/0x3b8[<ffffffc0003bb310>] __netif_receive_
May  5 01:05:05 kernel: usb 3-1: new high-speed USB device number 2 using ehci-platform
May  5 01:05:05 kernel: skb_core+0x628/0xa40[<ffffffc0003be31c>] __netif_receive_skb+0x2c/0x88[<ffffffc0003be3b8>] netif_receive_skb_internal+0x40/0xc0[<ffffffc0003be448>] netif_receive_skb_sk+0x10/0x18[<ffffffbffc3689e4>] bcm63xx_enet_rx_thread+0x7b4/0xce0 [bcm_enet][<ffffffc0000af6b0>] kthread+0xd8/0xf0CPU0: stoppingCPU: 0 PID: 0 Comm: swapper/0 Tainted: P           O L  4.1.27 #2Hardware name: Broadcom-v8A (DT)Call trace:[<ffffffc0000876d8>] dump_backtrace+0x0/0x150[<ffffffc00008783c>] show_stack+0x
May  5 01:05:05 kernel: ____________________________________________________________________________
May  5 01:05:05 kernel: ^[[0;33;41m[ERROR pktrunner] runnerUcast_inet6addr_event,202: Could not rdpa_ucast_ipv6_host_address_table_find^[[0m

Doubtful, I have DNS privacy (DoT) and Skynet with more countries blocked (bg br cn ir kp ro rs ru tr ua) and my 86U never reboots on its own. I'm not smart enough to tell you much beyond that.

 

[Adamm]

My router (RT-AC86U) which has DNS privacy enabled in the settings and skynet installed (default lists + ipdeny china) constantly reboots at different times of the day, possibly due to the router not being able to handle a flood of blocked IPs?

May  5 01:05:05 kernel: _ Reboot message ... _______________________________________________________
May  5 01:05:05 kernel: Kernel panic - not syncing: softlockup: hung tasksCPU: 1 PID: 210 Comm: bcmsw_rx Tainted: P           O L  4.1.27 #2Hardware name: Broadcom-v8A (DT)Call trace:[<ffffffc0000876d8>] dump_backtrace+0x0/0x150[<ffffffc00008783c>] show_stack+0x14/0x20[<ffffffc00050859c>] dump_stack+0x90/0xb0[<ffffffc00050642c>] panic+0xe0/0x228[<ffffffc0000f8038>] watchdog+0x0/0x48[<ffffffc0000dcf8c>] hrtimer_run_queues+0x8c/0x1c8[<ffffffc0000dc49c>] update_process_times+0x2c/0x70[<ffffffc0000ea434>]
May  5 01:05:05 kernel: 0007 00000000 00000001 00000000f600: 00395b80 ffffffc0 006e3980 ffffffc0 30303030 31303030 35333535 53455220f620: 3078303d 59532030 5255204e 303d5047 54504f20 32302820 35303430 34303442f640: 38303230 39304130 00728d7c ffffffc0 17085954 ffffffc0 14bf5160 ffffffc0f660: 80728d77 ffffffc0 00728c20 ffffffc0 00738000 ffffffc0 006f4000 ffffffc0f680: 00000140 00000000 00728d78 ffffffc0 00000001 00000000 00738b20 ffffffc0f6a0: 00000125 00000000 007299e4 ffffffc0 00000004 00000000 17b0f6f
May  5 01:05:05 kernel: 49b8>] nf_hook_slow+0xb0/0x160[<ffffffc00042b0fc>] ip_rcv+0x2c4/0x3b8[<ffffffc0003bb310>] __netif_receive_
May  5 01:05:05 kernel: usb 3-1: new high-speed USB device number 2 using ehci-platform
May  5 01:05:05 kernel: skb_core+0x628/0xa40[<ffffffc0003be31c>] __netif_receive_skb+0x2c/0x88[<ffffffc0003be3b8>] netif_receive_skb_internal+0x40/0xc0[<ffffffc0003be448>] netif_receive_skb_sk+0x10/0x18[<ffffffbffc3689e4>] bcm63xx_enet_rx_thread+0x7b4/0xce0 [bcm_enet][<ffffffc0000af6b0>] kthread+0xd8/0xf0CPU0: stoppingCPU: 0 PID: 0 Comm: swapper/0 Tainted: P           O L  4.1.27 #2Hardware name: Broadcom-v8A (DT)Call trace:[<ffffffc0000876d8>] dump_backtrace+0x0/0x150[<ffffffc00008783c>] show_stack+0x
May  5 01:05:05 kernel: ____________________________________________________________________________
May  5 01:05:05 kernel: ^[[0;33;41m[ERROR pktrunner] runnerUcast_inet6addr_event,202: Could not rdpa_ucast_ipv6_host_address_table_find^[[0m

This crash is unrelated to Skynet, a quick google search shows references dating back to January 2018 on the AC86U

 

[Adamm]

I've pushed a minor update (no version change).

A slight update to the diversion flagged domain regex to support the new blacklist format in the latest version. Apologies for the lack of posts lately, I'm back studying full time so my free time is pretty limited

 

[martinr]

I've pushed a minor update (no version change).

A slight update to the diversion flagged domain regex to support the new blacklist format in the latest version. Apologies for the lack of posts lately, I'm back studying full time so my free time is pretty limited

Studying? What could you be possibly studying?

 

[JemTheWire]

He has his priorities all wrong. [emoji3][emoji3]

 

[skeal]

@Adamm Does Skynet have anything to do with the new firewall setting in the ovpn client?

 

[Adamm]

Studying? What could you be possibly studying?

Electrotechnology, not really IT related as many would expect

@Adamm Does Skynet have anything to do with the new firewall setting in the ovpn client?

Nope, the setting has no correlation to Skynet

 

[Quoc Huynh]

All the best with your study, Adamm maybe it can help you develop Skynet for quantum computers

 

[Adamm]

AI-Protection is calling home every few seconds like crazy data mining. Asuswrt-Merlin offers zero protection to it's user's on this front....

The topic has been beaten like a dead horse if you do a quick search, if you don't wan't AiProtection calling home just disable the feature within the WebUI.

 

[Adamm]

Skynet reports back 20000 inbound hits within 10 hours per AsusWRTPurity list that's with AI Protection disabled and I've seen said post and all the problems when this topic comes up...

I highly advise against using anything from that user. Not only does he steal and republish code, but he is clueless and clearly misinformed when it comes to anything security related. He was banned off these forums on multiple accounts for good reason.

 

[Teymur]

Hello guys

Can't seem to find a solution to my Problem with Skynet. Here is the thing. Whenever I use YazFi to create a guest wifi network with separate subnet all clients connected to it are blocked by Skynet, which reports that [BLOCKED - INVALID] for all packets coming from that guest wifi interface. How can I fix this?

Regards

Teymur

 

[Adamm]

why is when I use his IP block list I get tons upon tons of inbound blocks not only that articles are available on the subject https://www.computerworld.com/article/3194843/asus-router-warnings-on-privacy-and-security.html I would have to disable *AiProtection*Traffic Analyzer*Apps analyzer*Adaptive QoS*Game boost*Game IPS*Webhistory to accomplish this same goal bud.

That's because all these features use Trend Micros DPI engine to identify traffic. Without collecting data its impossible for them to keep their database relevant and provide these services.

Can't seem to find a solution to my Problem with Skynet. Here is the thing. Whenever I use YazFi to create a guest wifi network with separate subnet all clients connected to it are blocked by Skynet, which reports that [BLOCKED - INVALID] for all packets coming from that guest wifi interface. How can I fix this?

Sounds like a YazFi issue, I don't personally use the script so I can't go too much into detail. But the INVALID blocks you are seeing are generated by the SPI firewall and would be present on a stock configuration without Skynet, we merely just add logging.

 

[Teymur]

That's because all these features use Trend Micros DPI engine to identify traffic. Without collecting data its impossible for them to keep their database relevant and provide these services.



Sounds like a YazFi issue, I don't personally use the script so I can't go too much into detail. But the INVALID blocks you are seeing are generated by the SPI firewall and would be present on a stock configuration without Skynet, we merely just add logging.

Weel, I thought of that as one of the possible reasons, but after disabling Skynet Temporarily and seeing all traffic going through without any problems makes me now think that it could be Skynet related.

Teymur

 

[Adamm]

Weel, I thought of that as one of the possible reasons, but after disabling Skynet Temporarily and seeing all traffic going through without any problems makes me now think that it could be Skynet related.

Teymur

I can assure you Skynet keeps the default rule, the only difference is we rename the logging output;

iptables -D logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options 2>/dev/null

iptables -I logdrop -m state --state NEW -j LOG --log-prefix "[BLOCKED - INVALID] " --log-tcp-sequence --log-tcp-options --log-ip-options 2>/dev/null

 

[Teymur]

I can assure you Skynet keeps the default rule, the only difference is we rename the logging output;

iptables -D logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options 2>/dev/null

iptables -I logdrop -m state --state NEW -j LOG --log-prefix "[BLOCKED - INVALID] " --log-tcp-sequence --log-tcp-options --log-ip-options 2>/dev/null

Hi Adamm,

Thanks for your reply, appreciate that.

I was thinking how does that work then once Skynet is disabled... But don't seem to understand... Anyways the only hope is that if someone is seeing the same and have figured it out already.

Regards

Teymur

 

[Adamm]

Hi Adamm,

Thanks for your reply, appreciate that.

I was thinking how does that work then once Skynet is disabled... But don't seem to understand... Anyways the only hope is that if someone is seeing the same and have figured it out already.

Regards

Teymur

Once Skynet is disabled we don't re-add the default logging rule, so invalid packets are still being dropped but we just aren't logging them anymore.

 

[nakti]

Hi,
Is it normal to have many blocked Inbounds with skynet?
Like Russian IP is being blocked all the time every 5-10 seconds

 

[cmkelley]

Hi,
Is it normal to have many blocked Inbounds with skynet?
Like Russian IP is being blocked all the time every 5-10 seconds

Yes.

If you don't want to see them, run Skynet, select 11 (settings), then 3 (debug mode). This will stop the blocked messages, at the expense of Skynet not being able to collect statistics.

Or, install scribe ... (https://www.snbforums.com/threads/scribe-syslog-ng-and-logrotate-installer.55853/) which will shuffle them off to their own file for Skynet to use for statistics.