Adamm
None manually
Okay, please run the unban all command now that we have debug mode enabled, so we can properly track this from the beginning.
Code:
sh /jffs/scripts/firewall unban all
sh /jffs/scripts/firewall unban all
Watching Logs For Debug Entries (ctrl +c) To Stop
Jun 3 19:51:16 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=d0:17:c2:b2:e3:98:60:73:5c:72:3e:d9:08:00 SRC=87.116.180.110 DST=188.2.97.133 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=2043 DF PROTO=TCP SPT=33869 DPT=49208 SEQ=709643035 ACK=1080016831 WINDOW=65535 RES=0x00 ACK SYN URGP=0 OPT (020405B40103030001010402)
Jun 3 19:51:18 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=d0:17:c2:b2:e3:98:60:73:5c:72:3e:d9:08:00 SRC=87.116.180.110 DST=188.2.97.133 LEN=61 TOS=0x00 PREC=0x00 TTL=51 ID=2339 PROTO=UDP SPT=64225 DPT=25871 LEN=41
Jun 3 19:51:19 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=d0:17:c2:b2:e3:98:60:73:5c:72:3e:d9:08:00 SRC=87.116.180.110 DST=188.2.97.133 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=2461 DF PROTO=TCP SPT=33869 DPT=49208 SEQ=709643035 ACK=1080016831 WINDOW=65535 RES=0x00 ACK SYN URGP=0 OPT (020405B40103030001010402)
Jun 3 19:51:19 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=d0:17:c2:b2:e3:98:60:73:5c:72:3e:d9:08:00 SRC=87.116.180.110 DST=188.2.97.133 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=2463 DF PROTO=TCP SPT=33869 DPT=49208 SEQ=709643036 ACK=1080016831 WINDOW=65535 RES=0x00 ACK URGP=0
Jun 3 19:51:19 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=d0:17:c2:b2:e3:98:60:73:5c:72:3e:d9:08:00 SRC=87.116.180.110 DST=188.2.97.133 LEN=48 TOS=0x00 PREC=0x00 TTL=51 ID=2464 PROTO=UDP SPT=64225 DPT=25871 LEN=28 MARK=0x81850003
Jun 3 19:51:19 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=d0:17:c2:b2:e3:98:60:73:5c:72:3e:d9:08:00 SRC=87.116.180.110 DST=188.2.97.133 LEN=58 TOS=0x00 PREC=0x00 TTL=51 ID=2530 PROTO=UDP SPT=64225 DPT=25871 LEN=38
Jun 3 19:51:25 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=d0:17:c2:b2:e3:98:60:73:5c:72:3e:d9:08:00 SRC=87.116.180.110 DST=188.2.97.133 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=3038 DF PROTO=TCP SPT=33869 DPT=49208 SEQ=709643035 ACK=1080016831 WINDOW=65535 RES=0x00 ACK SYN URGP=0 OPT (020405B40103030001010402)
Jun 3 19:51:25 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=d0:17:c2:b2:e3:98:60:73:5c:72:3e:d9:08:00 SRC=87.116.180.110 DST=188.2.97.133 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=3063 DF PROTO=TCP SPT=33869 DPT=49208 SEQ=709643036 ACK=1080016831 WINDOW=65535 RES=0x00 ACK URGP=0
Jun 3 19:51:25 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=d0:17:c2:b2:e3:98:60:73:5c:72:3e:d9:08:00 SRC=87.116.180.110 DST=188.2.97.133 LEN=48 TOS=0x00 PREC=0x00 TTL=51 ID=3084 PROTO=UDP SPT=64225 DPT=25871 LEN=28
Jun 3 19:51:25 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=d0:17:c2:b2:e3:98:60:73:5c:72:3e:d9:08:00 SRC=87.116.180.110 DST=188.2.97.133 LEN=58 TOS=0x00 PREC=0x00 TTL=51 ID=3155 PROTO=UDP SPT=64225 DPT=25871 LEN=38 MARK=0x4193005e
^C
None of them are asuswebstorage; all are my provider IPs, but the app is not working.
Does this script block MS telemetry, Shodan, etc., in a similar way to https://www.snbforums.com/threads/yet-another-malware-block-script-using-ipset-v4-and-v6.38935/?
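# Fetch the telemetry/scanner list and add each plain IPv4 entry to the Blacklist ipset
/usr/sbin/wget https://raw.githubusercontent.com/shounak-de/misc-scripts/master/telemetry_and_scanners.txt -qO- | grep -E '^[0-9,\.]*$' | while IFS= read -r ip
do
    # Quote the value so it is always passed to ipset as a single argument
    ipset -q -A Blacklist "$ip"
done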
Hi guys, thanks Adamm for all your work, long time user here of your old one.
I'm having an issue with the update script: all my new bans are populated with the 0.0.0.0 IP as the source, as such:
Jun 4 16:26:37 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:7f:f3:f3:c6:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=144 TOS=0x00 PREC=0x00 TTL=255 ID=24208 PROTO=UDP SPT=514 DPT=4944 LEN=124
Anyone know what's going on?
thanks.
rt-ac87u
merlin 380.66_4
Thanks. Hard to say exactly what's causing it without further debugging, but with an IP like that you should be safe to whitelist 0.0.0.0
Code:
sh /jffs/scripts/firewall whitelist 0.0.0.0
"PPPoE and log messages 0.0.0.0 => 255.255.255.255 Port 4944
MARCH 9, 2017 WERNER MAIER COMMENT ON
For some installations, the WatchGuard displays the following log messages (Deny) on the external interface in conjunction with PPPoE modems:
Source: 0.0.0.0
Destination: 255.255.255.255
Port 4944
Protocol: udp
Cause: These are management broadcasts from the modem to the router behind it. If the modem has "too much intelligence" and wants to inform the router (here: WatchGuard) by broadcasting the status of the DSL line, this package will occur.
Last seen in connection with a Draytek Vigor 130 as a PPPoE modem on a VDSL-100/40 line.
Remedy: The management broadcast can often be switched off in the router. The Draytek under:
System Maintenance => Management => Device Management => [] Broadband DSL to LAN in LAN
Hi Adamm, I have tracked down the issue.
It was caused by my Draytek 150 DSL modem. What gave it away was that when I rebooted the modem the log got flooded with the above log entries; then after some research I came across this here
Many thanks.
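An added example (not part of the original thread and not Skynet's own code): a shell/awk summary of `[BLOCKED - ...]` kernel log lines per source, protocol and destination port, which tags the 0.0.0.0 to 255.255.255.255 UDP 4944 pattern that the quoted article attributes to modem management broadcasts. The function names, the `modem-broadcast` label and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage Skynet-style "[BLOCKED - ...]" log lines.
# Function names and sample data are assumptions made for this example.

# Constructed sample input, modelled on the log format quoted in the thread
# (documentation-range addresses, shortened field list).
sample_log() {
cat <<'EOF'
Jun 3 19:51:16 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=52 PROTO=TCP SPT=33869 DPT=49208
Jun 3 19:51:18 kernel: [BLOCKED - RAW] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=61 PROTO=UDP SPT=64225 DPT=25871 LEN=41
Jun 3 19:51:19 kernel: [BLOCKED - RAW] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=52 PROTO=TCP SPT=33869 DPT=49208
Jun 4 16:26:37 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= SRC=0.0.0.0 DST=255.255.255.255 LEN=144 PROTO=UDP SPT=514 DPT=4944 LEN=124
Jun 4 16:26:38 kernel: unrelated message
EOF
}

# Print "<count> <src> <proto>/<dport> [modem-broadcast]" for each blocked
# flow, most frequent first. Reads the files given as arguments, or stdin.
summarise_blocks() {
    awk '
    /\[BLOCKED - / {
        src = dst = proto = dpt = "?"
        # iptables LOG output is a list of KEY=VALUE tokens
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        note = ""
        # Pattern from the quoted article: modem status broadcast, not an attacker
        if (src == "0.0.0.0" && dst == "255.255.255.255" && proto == "UDP" && dpt == "4944")
            note = " modem-broadcast"
        count[src " " proto "/" dpt note]++
    }
    END { for (k in count) print count[k], k }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# Stand-alone run over the constructed sample
sample_log | summarise_blocks
```

Against a real log, pass the file as an argument, for example `summarise_blocks /tmp/syslog.log`; that path is an assumption and depends on where the firmware writes its syslog.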
Hi Adamm.
First I'd like to say this is an awesome script. Thanks a lot for working on this. Just a small thing, is there a way to change the location of where the ipset.txt and malwarelist.txt are located? They're currently sitting in /jffs/scripts and are taking up 7MB and 3MB respectively of storage. If possible I'd like to move it to a USB location.
As of v4.7.0 Skynet now supports full USB installation. To switch over, update and run the installer again. This will preserve your current installation (and you can move back to JFFS the same way).
Updated and I can see the "skynet" folder being created in the USB stick. Thanks!
Hey, thanks a lot for this! Small problem. After selecting option 1 for USB install, this is the returning message:
"USB Installation Selected
USB Mode Selected But sda1 Not Found - Exiting Installation"
Strange as Sda1 is active. It's how I have my absolutions installed.
ls /tmp/mnt
nvram get usb_path_sda1_label
Would You Like To Install Skynet To USB? (sda1)
Skynet By Default Is Installed To JFFS
1. Yes
2. No
Please Select Option (Number)