Skynet Skynet - Router Firewall & Security Enhancements

I'm using the new Alpha 2 for my AX88U and noticed the DoH override in WAN settings. I have set it to no and am testing.

UPDATE: Seems to have slowed them down but still unsure why Skynet is blocking an outbound connection to cloudflare over port 853. Makes no sense to me.

UPDATE: It does appear that the new feature to block DoH when set to auto blocks some outbound traffic on port 853. I have tried all the options and still getting outbound blocks, not as many when set to "No" however.
 
Ok, help me out here, I don't understand these results.
Code:
firewall stats search ip 204.83.124.135
#############################################################################################################
#                                _____ _                     _             __                               #
#                               / ____| |                   | |           / /                               #
#                              | (___ | | ___   _ _ __   ___| |_  __   __/ /_                               #
#                               \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                              #
#                               ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                             #
#                              |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                              #
#                                            __/ |                                                          #
#                                           |___/                                                           #
#                                                                                                           #
## - 06/10/2019 -                  Asus Firewall Addition By Adamm v6.8.8                                   #
##                                 https://github.com/Adamm00/IPSet_ASUS                                    #
#############################################################################################################


=============================================================================================================


[i] Logging Data Detected in /tmp/mnt/stuff/skynet/skynet.log - 8.0K
[i] Monitoring From Oct 10 07:39:56 To Oct 10 07:42:56
[i] 20 Block Events Detected
[i] 10 Unique IPs
[i] 0 Manual Bans Issued

204.83.124.135 is NOT in set Skynet-Whitelist.
204.83.124.135 is NOT in set Skynet-Blacklist.
204.83.124.135 is NOT in set Skynet-BlockedRanges.


[i] IP Location - Canada (Saskatchewan Telecommunications / AS803)

[i] 204.83.124.135 First Tracked On Oct 10 07:39:56
[i] 204.83.124.135 Last Tracked On Oct 10 07:42:56
[i] 20 Blocks Total

Event Log Entries From 204.83.124.135;

First Block Tracked From 204.83.124.135;
Oct 10 07:39:56 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=204.83.124.135 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60785 DF PROTO=TCP SPT=34976 DPT=853 SEQ=2665827778 ACK=0 WINDOW=29200 RES=0x0

10 Most Recent Blocks From 204.83.124.135;
Oct 10 07:42:03 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=0c:9d:92:01:9b:20:00:00:5e:00:01:09:08:00 SRC=185.176.27.182 DST=204.83.124.135 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=64078 PROTO=TCP SPT=48845
Oct 10 07:42:05 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=0c:9d:92:01:9b:20:00:00:5e:00:01:09:08:00 SRC=92.119.160.103 DST=204.83.124.135 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=48836 PROTO=TCP SPT=41420
Oct 10 07:42:24 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=0c:9d:92:01:9b:20:00:00:5e:00:01:09:08:00 SRC=159.203.201.151 DST=204.83.124.135 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=TCP SPT=4827
Oct 10 07:42:42 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=0c:9d:92:01:9b:20:00:00:5e:00:01:09:08:00 SRC=45.136.109.237 DST=204.83.124.135 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=22723 PROTO=TCP SPT=44179
Oct 10 07:42:45 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=0c:9d:92:01:9b:20:00:00:5e:00:01:09:08:00 SRC=185.176.27.182 DST=204.83.124.135 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=41990 PROTO=TCP SPT=48845
Oct 10 07:42:48 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=0c:9d:92:01:9b:20:00:00:5e:00:01:09:08:00 SRC=92.118.37.83 DST=204.83.124.135 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=38665 PROTO=TCP SPT=48465 D
Oct 10 07:42:51 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=204.83.124.135 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35951 DF PROTO=TCP SPT=35024 DPT=853 SEQ=2166603875 ACK=0 WINDOW=29200 RES=0x0
Oct 10 07:42:52 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=204.83.124.135 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35952 DF PROTO=TCP SPT=35024 DPT=853 SEQ=2166603875 ACK=0 WINDOW=29200 RES=0x0
Oct 10 07:42:55 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=204.83.124.135 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13524 DF PROTO=TCP SPT=35026 DPT=853 SEQ=2675601227 ACK=0 WINDOW=29200 RES=0x0
Oct 10 07:42:56 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=204.83.124.135 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13525 DF PROTO=TCP SPT=35026 DPT=853 SEQ=2675601227 ACK=0 WINDOW=29200 RES=0x0


Top 10 Targeted Ports From 204.83.124.135 (Inbound);


--------   | --------   | --------------
| Hits |   | | Port |   | | SpeedGuide |
--------   | --------   | --------------



Top 10 Sourced Ports From 204.83.124.135 (Inbound);


--------   | --------   | --------------
| Hits |   | | Port |   | | SpeedGuide |
--------   | --------   | --------------




=============================================================================================================


[#] 138678 IPs (+0) -- 1565 Ranges Banned (+0) || 12 Inbound -- 22 Outbound Connections Blocked! [stats] [6s]
Maybe it’s 1.1.1.1 that’s blocked. Search that one.
 
Maybe it’s 1.1.1.1 that’s blocked. Search that one.
Done, and wtf I can't make any sense out of this, sorry. Remember this is a fresh install choosing the default parameters in setup.
Code:
 firewall stats search ip 1.1.1.1
#############################################################################################################
#                                _____ _                     _             __                               #
#                               / ____| |                   | |           / /                               #
#                              | (___ | | ___   _ _ __   ___| |_  __   __/ /_                               #
#                               \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                              #
#                               ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                             #
#                              |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                              #
#                                            __/ |                                                          #
#                                           |___/                                                           #
#                                                                                                           #
## - 06/10/2019 -                  Asus Firewall Addition By Adamm v6.8.8                                   #
##                                 https://github.com/Adamm00/IPSet_ASUS                                    #
#############################################################################################################


=============================================================================================================


[i] Logging Data Detected in /tmp/mnt/stuff/skynet/skynet.log - 100.0K
[i] Monitoring From Oct 10 07:39:56 To Oct 10 07:58:49
[i] 371 Block Events Detected
[i] 58 Unique IPs
[i] 0 Manual Bans Issued

1.1.1.1 is NOT in set Skynet-Whitelist.
1.1.1.1 is in set Skynet-Blacklist.
1.1.1.1 is NOT in set Skynet-BlockedRanges.

Blacklist Reason;
 "BanMalware: coinbl_hosts_browser.ipset"


Associated Domain(s);
prod.imgur.map.fastlylb.net
clarium.global.ssl.fastly.net
vimeo.map.fastly.net
p2.shared.global.fastly.net
brightcove.map.fastly.net
github.map.fastly.net
vimeo-video.map.fastly.net
dualstack.f3.shared.global.fastly.net
beta.spotify.map.fastly.net
askubuntu.com
sp-bootstrap.global.ssl.fastly.net
browser.sentry-cdn.com
superuser.com
dualstack.osff.map.fastly.net
pin.ownlocal.map.fastly.net
d.global-ssl.fastly.net
imgur.com
f.shared.global.fastly.net
jwplayer.map.fastly.net
jwplayer-4.map.fastly.net
prod.disqus.map.fastlylb.net
disqus.com
l2.shared.us-eu.fastly.net
twimg.twitter.map.fastly.net
fir-auth-gms.firebaseapp.com
platform.twitter.map.fastly.net
dotdash.map.fastly.net
video.twitter.map.fastly.net
livestream.map.fastly.net
w2.shared.us-eu.fastly.net
lastfm.freetls.fastly.net
dictionary.map.fastly.net
reddit.map.fastly.net
bloomberg.map.fastly.net
d2.shared.global.fastly.net
polyfill.io
dualstack.brightcove.map.fastly.net
cdn.ravenjs.com
rebelmouse.map.fastly.net
giphy.com
limited-prod.giphy.map.fastly.net
k.global-ssl.fastly.net
www-imdb-com.amazon.map.fastly.net


[i] IP Location - Australia (Cloudflare, Inc. / AS13335)

[i] 1.1.1.1 First Tracked On Oct 10 07:39:56
[i] 1.1.1.1 Last Tracked On Oct 10 07:58:27
[i] 77 Blocks Total

Event Log Entries From 1.1.1.1;

First Block Tracked From 1.1.1.1;
Oct 10 07:39:56 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=204.83.124.135 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60785 DF PROTO=TCP SPT=34976 DPT=853 SEQ=2665827778 ACK=0 WINDOW=29200 RES=0x00

10 Most Recent Blocks From 1.1.1.1;
Oct 10 07:56:21 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=204.83.124.135 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=45655 DF PROTO=TCP SPT=35308 DPT=853 SEQ=1080171227 ACK=0 WINDOW=29200 RES=0x00
Oct 10 07:56:22 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=204.83.124.135 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=45656 DF PROTO=TCP SPT=35308 DPT=853 SEQ=1080171227 ACK=0 WINDOW=29200 RES=0x00
Oct 10 07:56:56 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=204.83.124.135 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3963 DF PROTO=TCP SPT=35319 DPT=853 SEQ=1818967681 ACK=0 WINDOW=29200 RES=0x00
Oct 10 07:56:57 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=204.83.124.135 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3964 DF PROTO=TCP SPT=35319 DPT=853 SEQ=1818967681 ACK=0 WINDOW=29200 RES=0x00
Oct 10 07:56:58 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=204.83.124.135 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41398 DF PROTO=TCP SPT=35320 DPT=853 SEQ=2902038873 ACK=0 WINDOW=29200 RES=0x00
Oct 10 07:56:59 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=204.83.124.135 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41399 DF PROTO=TCP SPT=35320 DPT=853 SEQ=2902038873 ACK=0 WINDOW=29200 RES=0x00
Oct 10 07:58:16 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=204.83.124.135 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=45343 DF PROTO=TCP SPT=35339 DPT=853 SEQ=134666306 ACK=0 WINDOW=29200 RES=0x00
Oct 10 07:58:17 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=204.83.124.135 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=45344 DF PROTO=TCP SPT=35339 DPT=853 SEQ=134666306 ACK=0 WINDOW=29200 RES=0x00
Oct 10 07:58:26 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=204.83.124.135 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=65516 DF PROTO=TCP SPT=35342 DPT=853 SEQ=1201827820 ACK=0 WINDOW=29200 RES=0x00
Oct 10 07:58:27 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=204.83.124.135 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=65517 DF PROTO=TCP SPT=35342 DPT=853 SEQ=1201827820 ACK=0 WINDOW=29200 RES=0x00


Top 10 Targeted Ports From 1.1.1.1 (Inbound);


--------   | --------   | --------------
| Hits |   | | Port |   | | SpeedGuide |
--------   | --------   | --------------



Top 10 Sourced Ports From 1.1.1.1 (Inbound);


--------   | --------   | --------------
| Hits |   | | Port |   | | SpeedGuide |
--------   | --------   | --------------




=============================================================================================================


[#] 138678 IPs (+0) -- 1565 Ranges Banned (+0) || 28 Inbound -- 27 Outbound Connections Blocked! [stats] [23s]
 
One of the list maintainers must have added it to their blacklist for bitcoin mining? Just whitelist it now.
 
One of the list maintainers must have added it to their blacklist for bitcoin mining? Just whitelist it now.
Yup that seems to have fixed the issues so far, thanks @dave14305 !! ;):D
 
One of the list maintainers must have added it to their blacklist for bitcoin mining? Just whitelist it now.
Ok here we go again after a reboot! Help @dave14305 !
Code:
 firewall stats search ip 216.239.34.21
#############################################################################################################
#                                _____ _                     _             __                               #
#                               / ____| |                   | |           / /                               #
#                              | (___ | | ___   _ _ __   ___| |_  __   __/ /_                               #
#                               \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                              #
#                               ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                             #
#                              |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                              #
#                                            __/ |                                                          #
#                                           |___/                                                           #
#                                                                                                           #
## - 06/10/2019 -                  Asus Firewall Addition By Adamm v6.8.8                                   #
##                                 https://github.com/Adamm00/IPSet_ASUS                                    #
#############################################################################################################


=============================================================================================================


[i] Logging Data Detected in /tmp/mnt/stuff/skynet/skynet.log - 40.0K
[i] Monitoring From Oct 10 08:09:34 To Oct 10 08:17:06
[i] 146 Block Events Detected
[i] 24 Unique IPs
[i] 0 Manual Bans Issued

216.239.34.21 is NOT in set Skynet-Whitelist.
216.239.34.21 is in set Skynet-Blacklist.
216.239.34.21 is NOT in set Skynet-BlockedRanges.

Blacklist Reason;
 "BanMalware: coinbl_hosts_browser.ipset"


[i] IP Location - United States (Google LLC / AS15169)

[i] 216.239.34.21 First Tracked On Oct 10 08:15:55
[i] 216.239.34.21 Last Tracked On Oct 10 08:17:02
[i] 42 Blocks Total

Event Log Entries From 216.239.34.21;

First Block Tracked From 216.239.34.21;
Oct 10 08:15:55 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=204.83.124.135 DST=216.239.34.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20499 DF PROTO=TCP SPT=38761 DPT=443 SEQ=3281240422 ACK=0 WINDOW=29200 R

10 Most Recent Blocks From 216.239.34.21;
Oct 10 08:16:43 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=204.83.124.135 DST=216.239.34.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27348 DF PROTO=TCP SPT=38793 DPT=443 SEQ=3041273874 ACK=0 WINDOW=29200 R
Oct 10 08:16:46 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=0c:9d:92:01:9b:20:f8:0f:41:52:01:20:08:00 SRC=192.168.50.44 DST=216.239.34.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31447 DF PROTO=TCP SPT=44768
Oct 10 08:16:46 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=0c:9d:92:01:9b:20:f8:0f:41:52:01:20:08:00 SRC=192.168.50.44 DST=216.239.34.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16452 DF PROTO=TCP SPT=44770
Oct 10 08:16:46 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=0c:9d:92:01:9b:20:f8:0f:41:52:01:20:08:00 SRC=192.168.50.44 DST=216.239.34.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37627 DF PROTO=TCP SPT=44772
Oct 10 08:16:47 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=204.83.124.135 DST=216.239.34.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63475 DF PROTO=TCP SPT=38791 DPT=443 SEQ=1349301648 ACK=0 WINDOW=29200 R
Oct 10 08:16:47 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=204.83.124.135 DST=216.239.34.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47006 DF PROTO=TCP SPT=38792 DPT=443 SEQ=1802040635 ACK=0 WINDOW=29200 R
Oct 10 08:16:47 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=204.83.124.135 DST=216.239.34.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27349 DF PROTO=TCP SPT=38793 DPT=443 SEQ=3041273874 ACK=0 WINDOW=29200 R
Oct 10 08:17:02 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=0c:9d:92:01:9b:20:f8:0f:41:52:01:20:08:00 SRC=192.168.50.44 DST=216.239.34.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16453 DF PROTO=TCP SPT=44770
Oct 10 08:17:02 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=0c:9d:92:01:9b:20:f8:0f:41:52:01:20:08:00 SRC=192.168.50.44 DST=216.239.34.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31448 DF PROTO=TCP SPT=44768
Oct 10 08:17:02 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=0c:9d:92:01:9b:20:f8:0f:41:52:01:20:08:00 SRC=192.168.50.44 DST=216.239.34.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37628 DF PROTO=TCP SPT=44772


Top 10 Targeted Ports From 216.239.34.21 (Inbound);


--------   | --------   | --------------
| Hits |   | | Port |   | | SpeedGuide |
--------   | --------   | --------------



Top 10 Sourced Ports From 216.239.34.21 (Inbound);


--------   | --------   | --------------
| Hits |   | | Port |   | | SpeedGuide |
--------   | --------   | --------------




=============================================================================================================


[#] 138677 IPs (+0) -- 1565 Ranges Banned (+0) || 4 Inbound -- 3 Outbound Connections Blocked! [stats] [8s]
 
I whitelisted the above IP and it seems quiet again at this point. Thanks @dave14305 !
 
I whitelisted the above IP and it seems quiet again at this point. Thanks @dave14305 !
Whitelisting isn't always the best response, unless you're confident you can trust the IP 216.239.34.21. Someone added it to their list for a reason, and maybe it's just collateral damage that you browsed another site that shares the IP with a bad site.

This is where I would check my dnsmasq logs (via Diversion) to see what hostname I requested that resolved to 216.239.34.21. If it was an important site to me, I would whitelist it. If I don't recognize the name, I would assume it was "malware" and be happy it was blocked. Then I would figure out why my device was trying to access it.
 
216.239.34.21 is Google LLC USA so I whitelisted it. Was this not a good thing to do or? I searched "whois" for the IP.
 
I manually searched dnsmasq logs for that IP and cannot find it. Am I doing something wrong here @dave14305 ?
 
216.239.34.21 is Google LLC USA so I whitelisted it. Was this not a good thing to do or? I searched "whois" for the IP.
I manually searched dnsmasq logs for that IP and cannot find it. Am I doing something wrong here @dave14305 ?

The log indicates whatever website (Port 443 = HTTPS) you were visiting at 8:16am from your local device IP 192.168.50.44 was the one being blocked. Whether or not it was a false positive is for you to decide with the information available (as you can see from the example earlier, false positives occasionally slip into these lists briefly).
 
Ok I'm fairly certain it is a Google address (216.239.34.21) as 216 seems to be used by Google Play and so on.
 
The log indicates whatever website (Port 443 = HTTPS) you were visiting at 8:16am from your local device IP 192.168.50.44 was the one being blocked. Whether or not it was a false positive is for you to decide with the information available (as you can see from the example earlier, false positives occasionally slip into these lists briefly).
I did exactly as you noted above and cannot find any corresponding entry to the time stamps from the Skynet logs. It's as if those exact ones are missing. Question: If I whitelisted the address does it remove it from the logs?
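One way to do the check dave14305 and Adamm describe above (which hostname resolved to a blocked IP, and whether the router itself or a LAN device sent the packet), as an added example that is neither Skynet's code nor anything posted in the thread. It assumes dnsmasq is logging queries in its standard "reply <name> is <ip>" form; the sample log lines and the hostname cdn.example.test are constructed, and the log year is assumed.

```python
"""Correlate Skynet '[BLOCKED - OUTBOUND]' kernel log lines with dnsmasq
'reply <name> is <ip>' lines: which hostname resolved to the blocked IP, and
did the router itself or a LAN client send the packet? Sample lines at the
bottom are constructed for this example (one is copied from the thread)."""
import re
from collections import Counter
from datetime import datetime, timedelta

LOG_YEAR = 2019  # syslog timestamps carry no year; assumed for the sample

# "Oct 10 07:39:56 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=... DPT=853 ..."
BLOCK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"\[BLOCKED - (?P<dir>INBOUND|OUTBOUND)\] (?P<fields>.*)$")
# dnsmasq with log-queries enabled writes "reply <name> is <ip>" (or "cached ...")
DNS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) .*?dnsmasq\[\d+\]: "
    r"(?:reply|cached) (?P<name>\S+) is (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")


def parse_ts(text):
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def parse_block(line):
    """Return a dict for a Skynet block line, or None for any other line."""
    m = BLOCK_RE.match(line)
    if not m:
        return None
    kv = {}
    for tok in m.group("fields").split():
        if "=" in tok:              # bare flags such as DF carry no value
            k, v = tok.split("=", 1)
            kv.setdefault(k, v)     # keep the first ID= (ICMP lines have two)
    # For OUTBOUND lines: IN= (empty) with OUT=eth0 means the router itself
    # sent the packet; IN=br0 means a LAN client did and the packet was
    # caught on its way in from the LAN side.
    origin = "router" if kv.get("IN", "") == "" else "lan"
    return {
        "ts": parse_ts(m.group("ts")),
        "dir": m.group("dir"),
        "origin": origin,
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "proto": kv.get("PROTO"),
        "dpt": kv.get("DPT"),       # None for ICMP
    }


def parse_dns_reply(line):
    m = DNS_RE.match(line)
    if not m:
        return None
    return {"ts": parse_ts(m.group("ts")), "name": m.group("name"), "ip": m.group("ip")}


def correlate(block_lines, dns_lines, window_s=120):
    """Attach to each OUTBOUND block the most recent dnsmasq reply that handed
    out the blocked IP within window_s seconds before the block. hostname stays
    None when no lookup preceded the block, which is what you get when the
    destination was configured by IP (a DNS-over-TLS resolver, for example)."""
    replies = [r for r in (parse_dns_reply(l) for l in dns_lines) if r]
    window = timedelta(seconds=window_s)
    events = []
    for line in block_lines:
        ev = parse_block(line)
        if not ev or ev["dir"] != "OUTBOUND":
            continue
        hits = [r for r in replies
                if r["ip"] == ev["dst"] and ev["ts"] - window <= r["ts"] <= ev["ts"]]
        ev["hostname"] = max(hits, key=lambda r: r["ts"])["name"] if hits else None
        events.append(ev)
    return events


def count_by_destination(events):
    """Histogram of (dst, dpt), e.g. to see that every block hit 1.1.1.1:853."""
    return Counter((e["dst"], e["dpt"]) for e in events)


# Constructed sample input. The first line is the thread's own first block;
# the br0 line is completed with DPT=443 (the thread's copy is cut off before it).
SAMPLE_BLOCKS = [
    "Oct 10 07:39:56 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=204.83.124.135 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60785 DF PROTO=TCP SPT=34976 DPT=853 SEQ=2665827778 ACK=0 WINDOW=29200 RES=0x00",
    "Oct 10 07:42:03 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=0c:9d:92:01:9b:20:00:00:5e:00:01:09:08:00 SRC=185.176.27.182 DST=204.83.124.135 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=64078 PROTO=TCP SPT=48845",
    "Oct 10 08:16:46 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=0c:9d:92:01:9b:20:f8:0f:41:52:01:20:08:00 SRC=192.168.50.44 DST=216.239.34.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31447 DF PROTO=TCP SPT=44768 DPT=443 SEQ=1 ACK=0 WINDOW=29200 RES=0x00",
]
SAMPLE_DNS = [  # hostname cdn.example.test is made up
    "Oct 10 08:16:45 dnsmasq[1412]: query[A] cdn.example.test from 192.168.50.44",
    "Oct 10 08:16:45 dnsmasq[1412]: reply cdn.example.test is 216.239.34.21",
]

if __name__ == "__main__":
    found = correlate(SAMPLE_BLOCKS, SAMPLE_DNS)
    for e in found:
        print(e["ts"].time(), e["origin"], e["src"], "->", e["dst"], e["dpt"], e["hostname"])
    print(count_by_destination(found))
```

On a real router, feed it the `[BLOCKED - OUTBOUND]` lines from skynet.log and the dnsmasq log Diversion writes; a block with no hostname and origin "router" is the router's own configured resolver, not a site a client visited.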
 
You're not alone, skynet has cloudflare Australia blocked.
Code:
[$] /opt/bin/firewall stats search ip 1.1.1.1 20


===========================================================================================================


[i] Logging Data Detected in /tmp/mnt/bluestar/skynet/skynet.log - 552.0K
[i] Monitoring From Oct 10 01:54:12 To Oct 10 11:16:28
[i] 1988 Block Events Detected
[i] 505 Unique IPs
[i] 0 Manual Bans Issued

1.1.1.1 is NOT in set Skynet-Whitelist.
1.1.1.1 is in set Skynet-Blacklist.
1.1.1.1 is NOT in set Skynet-BlockedRanges.

Blacklist Reason;
 "BanMalware: coinbl_hosts_browser.ipset"


Associated Domain(s);
zd.map.fastly.net
speedtest.net
yelp-com.map.fastly.net
d2.shared.global.fastly.net
prod.weather.map.fastly.net
clarium.global.ssl.fastly.net
advancelocal.map.fastly.net
prod.appnexus.map.fastly.net
dualstack.f3.shared.global.fastly.net
prod.disqus.map.fastlylb.net
disqus.com
l2.shared.us-eu.fastly.net
dualstack.f6.shared.global.fastly.net
github.map.fastly.net
prod.imgur.map.fastlylb.net
quora.map.fastly.net
dualstack.brightcove.map.fastly.net
imgur.com
cartodb-basemaps-a.freetls.fastly.net
k.global-ssl.fastly.net
origin-auth.hulu.com.akadns.net
config2.mparticle.com
mobile-collector.newrelic.com
hulu.map.fastly.net
prod.grubhub2.map.fastlylb.net
developer.spotify.map.fastly.net
mparticle.map.fastly.net
http2.slack.map.fastly.net
dualstack.shopify.map.fastly.net
wheelio-a62f3.firebaseapp.com
tasty.co
buzzfeed2.map.fastly.net
f2.taboola.map.fastly.net
prod.outbrain.map.fastlylb.net
dualstack.com.imgix.map.fastly.net
medallia.map.fastly.net


[i] IP Location - Australia (Cloudflare, Inc. / AS13335)

[i] 1.1.1.1 First Tracked On Oct 10 02:29:15
[i] 1.1.1.1 Last Tracked On Oct 10 11:02:02
[i] 180 Blocks Total
 
Ok the IP 216.239.38.21 is used by Google Calendar. Once the IP doesn't respond it seems to go to another IP from Google Calendar and completes just fine. After this there are no more blocked outbound to the above IP. ;):)
 
I just got kyboshed by the 1.1.1.1 address being blocked !!!???

Not the first thing I would look for :)
 
I've temporarily removed coinbl_hosts_browser.ipset until they remove the false positives before this turns into a bigger headache :rolleyes:
 
1.1.1.1 seems to be blocked in my case too

Code:
Oct 10 11:02:44 RT-AC3100-0548 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=4c:ed:fb:ac:05:48:dc:8b:28:5b:09:32:08:00 SRC=10.0.0.62 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=11302 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=5
Oct 10 11:02:49 RT-AC3100-0548 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=4c:ed:fb:ac:05:48:dc:8b:28:5b:09:32:08:00 SRC=10.0.0.62 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=11303 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=6
 
Just run banmalware again or manually whitelist 1.1.1.1 to resolve the issue.
 