Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

Still, so far it only reproduces with SkyNet active - and almost immediately. After disabling SkyNet I also have to restart the dnsmasq service to get DNS working again.

Can't say I'm familiar with NextDNS, but I can say for certain that Skynet logs everything it blocks without exception. We also don't modify dnsmasq in any way which leads me to believe its unrelated.

 

[dave14305]

Can't say I'm familiar with NextDNS, but I can say for certain that Skynet logs everything it blocks without exception. We also don't modify dnsmasq in any way which leads me to believe its unrelated.

Don’t forget to mention that you also automatically whitelist the chosen DoT servers from the GUI.

 

[elorimer]

Did something change in 7.02 with the Purge_Logs function? On my 86U now, with scribe and the custom log set to /opt/var/log/skynet-0.log my hourly rollup is leaving the original log entries.

 

[dave14305]

That's what I thought.

Still, so far it only reproduces with SkyNet active - and almost immediately. After disabling SkyNet I also have to restart the dnsmasq service to get DNS working again.

I'm afraid I'll have to run without SkyNet for a while to see that the problem also reproduces without SkyNet.

To be sure, run these SkyNet commands:

sh /jffs/scripts/firewall stats search ip 45.90.28.0
sh /jffs/scripts/firewall stats search ip 45.90.30.0

 

[Butterfly Bones]

Did something change in 7.02 with the Purge_Logs function? On my 86U now, with scribe and the custom log set to /opt/var/log/skynet-0.log my hourly rollup is leaving the original log entries.

Welcome to the AC86U weird world, with a myriad of unexplained phenomenon.

usr_name@RT-AC86U-4608:/tmp/home/root# head -25 /opt/var/log/skynet-0.log
Dec 21 08:02:02 RT-AC86U-4608 Skynet: [%] New Version Detected - Updating To v7.0.2 (ae60c7d7b09eb787d550628609cbe1f3)
Dec 21 08:02:05 RT-AC86U-4608 Skynet: [%] Restarting Firewall Service
Dec 21 08:02:05 RT-AC86U-4608 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/SNB/skynet )
Dec 21 12:40:53 RT-AC86U-4608 Skynet: [%] Skynet Disabled
Dec 22 08:25:21 RT-AC86U-4608 Skynet: [%] New Version Detected - Updating To v7.0.2 (dd1d5c5d4c13aebe626a173365a7c21f)
Dec 22 08:25:24 RT-AC86U-4608 Skynet: [%] Restarting Firewall Service
Dec 22 08:25:24 RT-AC86U-4608 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/SNB/skynet )
Dec 23 01:25:00 RT-AC86U-4608 Skynet: [%] Skynet Up To Date - v7.0.2 (dd1d5c5d4c13aebe626a173365a7c21f)
Dec 29 07:33:52 RT-AC86U-4608 Skynet: [%] New Version Detected - Updating To v7.0.2 (9f2c2e9c59ed7e41d91720819a48d36c)
Dec 29 07:33:54 RT-AC86U-4608 Skynet: [%] Restarting Firewall Service
Dec 29 07:33:55 RT-AC86U-4608 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/SNB/skynet )
Dec 30 01:25:01 RT-AC86U-4608 Skynet: [%] Skynet Up To Date - v7.0.2 (9f2c2e9c59ed7e41d91720819a48d36c)
Dec 30 10:54:25 RT-AC86U-4608 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/SNB/skynet )
Dec 31 07:19:09 RT-AC86U-4608 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/SNB/skynet )
Dec 31 07:23:57 RT-AC86U-4608 Skynet: [%] Restarting Firewall Service
Dec 31 07:23:57 RT-AC86U-4608 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/SNB/skynet )
Jan  1 10:50:33 RT-AC86U-4608 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/SNB/skynet )
Jan  2 08:56:35 RT-AC86U-4608 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/SNB/skynet )
Jan  2 09:00:03 RT-AC86U-4608 Skynet: [#] 146429 IPs (+0) -- 1563 Ranges Banned (+0) || 5 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Jan  2 10:00:03 RT-AC86U-4608 Skynet: [#] 146429 IPs (+0) -- 1563 Ranges Banned (+0) || 133 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Jan  2 11:00:02 RT-AC86U-4608 Skynet: [#] 146429 IPs (+0) -- 1563 Ranges Banned (+0) || 264 Inbound -- 0 Outbound Connections Blocked! [save] [2s]
Jan  2 12:00:03 RT-AC86U-4608 Skynet: [#] 146429 IPs (+0) -- 1563 Ranges Banned (+0) || 401 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Jan  2 13:00:01 RT-AC86U-4608 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=88:d7:f6:1d:46:08:00:01:5c:6d:22:46:08:00 SRC=152.136.111.38  ........
Jan  2 13:00:03 RT-AC86U-4608 Skynet: [#] 146429 IPs (+0) -- 1563 Ranges Banned (+0) || 716 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Jan  2 13:00:08 RT-AC86U-4608 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=88:d7:f6:1d:46:08:00:01:5c:6d:22:46:08:00 SRC=37.49.231.163 .....

 

[elorimer]

Yours seems ok. The "[BLOCKED" line before your hourly stats just means a line was logged between the time the log was stripped and before the stats were written. I've got pages of old "[BLOCKED" messages that aren't being stripped.

 

[XIII]

Issue just reproduced without SkyNet.

Output looks OK, I think?

45.90.28.0 is in set Skynet-Whitelist.
45.90.28.0 is NOT in set Skynet-Blacklist.
45.90.28.0 is NOT in set Skynet-BlockedRanges.

Whitelist Reason;
 45.90.28.35 "nvram: wan0_dns1_x"
 45.90.28.0 "nvram: dnspriv_rulelist"

and

45.90.30.0 is in set Skynet-Whitelist.
45.90.30.0 is NOT in set Skynet-Blacklist.
45.90.30.0 is NOT in set Skynet-BlockedRanges.

Whitelist Reason;
 45.90.30.0 "nvram: dnspriv_rulelist"
 45.90.30.35 "nvram: wan0_dns2_x"

Will need to continue investigating tomorrow (the fact that SkyNet seemed to trigger the problem might speed up testing?).

 

[dave14305]

Issue just reproduced without SkyNet.

Output looks OK, I think?

45.90.28.0 is in set Skynet-Whitelist.
45.90.28.0 is NOT in set Skynet-Blacklist.
45.90.28.0 is NOT in set Skynet-BlockedRanges.

Whitelist Reason;
 45.90.28.35 "nvram: wan0_dns1_x"
 45.90.28.0 "nvram: dnspriv_rulelist"

and

45.90.30.0 is in set Skynet-Whitelist.
45.90.30.0 is NOT in set Skynet-Blacklist.
45.90.30.0 is NOT in set Skynet-BlockedRanges.

Whitelist Reason;
 45.90.30.0 "nvram: dnspriv_rulelist"
 45.90.30.35 "nvram: wan0_dns2_x"

Will need to continue investigating tomorrow (the fact that SkyNet seemed to trigger the problem might speed up testing?).

What actually happens? How do you confirm it’s a DNS issue? Post some specifics tomorrow (e.g. lookups from a client, lookups from router, etc.). dnsmasq logging would be useful).

I’ve disabled DNSSEC and DNS Rebind protection on the router when using NextDNS.

 

[Butterfly Bones]

Yours seems ok. The "[BLOCKED" line before your hourly stats just means a line was logged between the time the log was stripped and before the stats were written. I've got pages of old "[BLOCKED" messages that aren't being stripped.

I understand that. I misunderstood what you were stating, reading your message again, now I understand.

 

[EmeraldDeer]

What actually happens? How do you confirm it’s a DNS issue? Post some specifics tomorrow (e.g. lookups from a client, lookups from router, etc.). dnsmasq logging would be useful).

I’ve disabled DNSSEC and DNS Rebind protection on the router when using NextDNS.

I used to enable stubby logging when it was not integrated with Asuswrt-Merlin by editing the startup script with the following line:

ARGS="-g -v 7 -C /opt/etc/stubby/stubby.yml > /opt/var/log/stubby.log 2>&1"

However, I am not sure if it is possible to do that with integrated stubby. I looked through github but find how it starts elusive.

 

[dave14305]

I used to enable stubby logging when it was not integrated with Asuswrt-Merlin by editing the startup script with the following line:

ARGS="-g -v 7 -C /opt/etc/stubby/stubby.yml > /opt/var/log/stubby.log 2>&1"

However, I am not sure if it is possible to do that with integrated stubby. I looked through github but find how it starts elusive.

nvram set stubby_debug=1
service restart_stubby
tail -F /tmp/stubby.log

Undo it with

nvram unset stubby_debug
service restart_stubby

 

[Rhialto]

I had to redo my USB key and installed Diversion just fine then Skynet but it's not working. Before I was able to enter the menu by typing firewall only, just like I do with diversion. Now I need to type sh /jffs/scripts/firewall.

Then I see this:

FW Version; 384.14_2 (Dec 31 2019) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/sdc5/skynet (3.0G / 3.7G Space Available)
SWAP File; /tmp/mnt/sdc5/myswap.swp (512.5M)

Cron Jobs | [Failed]
IPSets | [Failed]
IPTables Rules | [Failed]

I press 8 to restart but always same result.

 

[Adamm]

I had to redo my USB key and installed Diversion just fine then Skynet but it's not working. Before I was able to enter the menu by typing firewall only, just like I do with diversion. Now I need to type sh /jffs/scripts/firewall.

Then I see this:

FW Version; 384.14_2 (Dec 31 2019) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/sdc5/skynet (3.0G / 3.7G Space Available)
SWAP File; /tmp/mnt/sdc5/myswap.swp (512.5M)

Cron Jobs | [Failed]
IPSets | [Failed]
IPTables Rules | [Failed]

I press 8 to restart but always same result.

Your install directory probably changed, re-run the install command.

 

[Adamm]

Did something change in 7.02 with the Purge_Logs function? On my 86U now, with scribe and the custom log set to /opt/var/log/skynet-0.log my hourly rollup is leaving the original log entries.

Nope. Last time anything changed there was adding a SIGHUP for scribe in v6.9.2

 

[XIII]

What actually happens? How do you confirm it’s a DNS issue? Post some specifics tomorrow (e.g. lookups from a client, lookups from router, etc.). dnsmasq logging would be useful).

I’ve disabled DNSSEC and DNS Rebind protection on the router when using NextDNS.

nslookup fails until I restart the dnsmasq service.

I probably have time to debug this issue this afternoon, but might have to go full nuclear if there’s no quick fix, since several IoT devices are not working properly now...

I’ll follow up in the 384.14 topic, as it seems I was wrong in thinking it was SkyNet related. Sorry!

 

[Adamm]

I've pushed v7.0.3

May I finally introduce the long overdue, Skynet Statistics WebUI!

With support for multiple chart types, sorting by IP/country, on-the-fly disabling/enabling this is just another tool to help you analyze Skynet's various forms of data. This feature is the first script to utilize the new addon API in firmware version 384.15, so updating will be required.

Big thanks to @Jack Yaz for his collaboration on the web development side of things.


Note; You will be required to run a forced update after the initial update procedure to download the new WebUI files.

sh /jffs/scripts/firewall update -f

Enjoy!

 

[martinr]

I've pushed v7.0.3

May I finally introduce the long overdue, Skynet Statistics WebUI!

With support for multiple chart types, sorting by IP/country, on-the-fly disabling/enabling this is just another tool to help you analyze Skynet's various forms of data. This feature is the first script to utilize the new addon API in firmware version 384.15, so updating will be required.

Big thanks to @Jack Yaz for his collaboration on the web development side of things.


Note; You will be required to run a forced update after the initial update procedure to download the new WebUI files.

sh /jffs/scripts/firewall update -f

Enjoy!

What a lovely way to start a new year. Thank you, Adam and Jack!

 

[Treadler]

What a lovely way to start a new year. Thank you, Adam.

Just superb!

 

[Smokey613]

Does this work on a RT-AC68U ?

 

[Adamm]

Does this work on a RT-AC68U ?

It works on any device supporting firmware 384.15