Skynet - Router Firewall & Security Enhancements

You must've developed a great deal of patience dealing with customers like this, who seem ungrateful and unappreciative of the generous help they're getting. I would've stopped responding long ago :)
I don't work here, I'm watching TV in my living room, chatting with you. LOL ;)
 
[RESOLVED]@Adamm It happened again I cold booted my router. Cold Boot = Remove power with power switch on, here is the debug log before I removed and reinstalled the script. In the system logs Skynet tries to start but never does.
Code:
:/tmp/home/root# /jffs/scripts/firewall debug info
#############################################################################################################
#                                                                                                           #
#                  ███████╗██╗  ██╗██╗   ██╗███╗   ██╗███████╗████████╗    ██╗   ██╗███████╗                #
#                  ██╔════╝██║ ██╔╝╚██╗ ██╔╝████╗  ██║██╔════╝╚══██╔══╝    ██║   ██║╚════██║                #
#                  ███████╗█████╔╝  ╚████╔╝ ██╔██╗ ██║█████╗     ██║       ██║   ██║    ██╔╝                #
#                  ╚════██║██╔═██╗   ╚██╔╝  ██║╚██╗██║██╔══╝     ██║       ╚██╗ ██╔╝   ██╔╝                 #
#                  ███████║██║  ██╗   ██║   ██║ ╚████║███████╗   ██║        ╚████╔╝    ██║                  #
#                  ╚══════╝╚═╝  ╚═╝   ╚═╝   ╚═╝  ╚═══╝╚══════╝   ╚═╝         ╚═══╝     ╚═╝                  #
#                                                                                                           #
#                                 Router Firewall And Security Enhancements                                 #
#                             By Adamm -  https://github.com/Adamm00/IPSet_ASUS                             #
#                                            12/01/2020 - v7.0.7                                            #
#############################################################################################################


=============================================================================================================


Router Model;
Skynet Version;  (12/01/2020) (2a888d1ff1c93a2454586a7e51012a64)
iptables v1.4.15 - (eth0 @ 192.168.50.1)
ipset v6.32, protocol version: 6
IP Address; (142.165.189.135)
FW Version; 384.15_alpha1-g95c8d4370f (Jan 14 2020) (4.1.51)
Install Dir; /tmp/mnt/tito/skynet (12.1G / 14.0G Space Available)
Syslog Location; () ()
Uptime; 0 days, 0 hours, 6 minutes.
Ram Available; (419M / 882M)


---------------                          | ------------     | ---------------      | ----------
| Device Name |                          | | Local IP |     | | MAC Address |      | | Status |
---------------                          | ------------     | ---------------      | ----------

Unknown                                  | 142.165.188.1    | 00:00:5e:00:01:09    | Online
Unknown                                  | 192.168.50.3     | d8:0d:17:aa:3f:a5    | Inactive
Unknown                                  | 192.168.50.4     | d8:0d:17:aa:3f:98    | Inactive
Unknown                                  | 192.168.50.5     | d8:0d:17:aa:3f:b0    | Inactive
Unknown                                  | 192.168.50.21    | b0:c5:54:02:18:b1    | Inactive
Unknown                                  | 192.168.50.23    | b0:c5:54:21:c4:a4    | Online
Unknown                                  | 192.168.50.24    | 20:91:48:8a:f7:6d    | Inactive
Unknown                                  | 192.168.50.26    | ec:f4:51:47:f1:9e    | Inactive
Unknown                                  | 192.168.50.27    | 60:6d:3c:14:8f:0a    | DELAY
Unknown                                  | 192.168.50.28    | 60:6d:3c:14:a3:26    | Online
Unknown                                  | 192.168.50.29    | ec:f4:51:47:df:ec    | Online
Chromecast-Ultra                         | 192.168.50.30    | 20:df:b9:0f:94:56    | Inactive
Google-Home-Mini                         | 192.168.50.31    | 30:fd:38:00:6d:b7    | Online
Google-Home                              | 192.168.50.32    | 48:d6:d5:5e:ce:6a    | Online
Unknown                                  | 192.168.50.34    | 2c:aa:8e:09:a0:ca    | Inactive
Unknown                                  | 192.168.50.35    | 48:ba:4e:18:de:7a    | Inactive
Unknown                                  | 192.168.50.39    | ac:f6:f7:ff:91:02    | Online
Unknown                                  | 192.168.50.44    | f8:0f:41:52:01:20    | Online
Unknown                                  | 192.168.50.51    | d0:c1:93:20:9f:a3    | Inactive
Unknown                                  | 192.168.50.52    | 00:02:d1:29:b3:d6    | Online
Unknown                                  | 192.168.50.53    | 00:02:d1:2c:89:2c    | Online
Unknown                                  | 192.168.50.54    | 00:02:d1:7a:fd:86    | Online


--------------------                | ----------
| Test Description |                | | Result |
--------------------                | ----------

Internet-Connectivity               | [Passed]
Write Permission                    | [Passed]
Firewall-Start Entry                | [Passed]
Services-Stop Entry                 | [Passed]
Service-Event Entry                 | [Passed]
SWAP                                | [Passed]
Cron Jobs                           | [Failed]
IPSet Comment Support               | [Passed]
Log Level 5 Settings                | [Passed]
Duplicate Rules In RAW              | [Passed]
IPSets                              | [Failed]
IPTables Rules                      | [Failed]
Diversion Plus Content              | [Passed]


-----------                         | ----------
| Setting |                         | | Status |
----------                          | ----------

Skynet Auto-Updates                 | [Disabled]
Malware List Auto-Updates           | [Disabled]
Logging                             | [Disabled]
Filter Traffic                      | [Selective]
Unban PrivateIP                     | [Disabled]
Log Invalid Packets                 | [Disabled]
Ban AiProtect                       | [Disabled]
Secure Mode                         | [Disabled]
Fast Switch List                    | [Disabled]
Syslog Location                     | [Custom]
IOT Blocking                        | [Disabled]
Country Lookup For Stats            | [Disabled]
CDN Whitelisting                    | [Disabled]
Display WebUI                       | [Disabled]

10/13 Tests Sucessful

[*] Rule Integrity Violation - [ #1 #2 #3 #4 #5 #11 ]


=============================================================================================================


[#] 156059 IPs (+156059) -- 25107 Ranges Banned (+25107) ||  Inbound --  Outbound Connections Blocked! [debug] [1s]
I found the issue. On my AX88U if the Primary Time Server on the Administration>System page is set to only "pool.ntp.org" Skynet after a cold boot fails to load due to time sync issues. I changed both Primary and secondary time servers on the administration>system page to 0ca.pool.ntp.org and 1ca.pool.ntp.org and tried the process again, everything worked. I have had issues with this before but @RMerlin could not replicate the issue. I don't know why I changed from "time.nrc.ca" but I did and to be sure if you ask, I did make the changes in the dnsmasq.conf.add file while testing. I also have the time server setting enabled and intercept turned on as well. LOL
 
What I'm unsure of is whether it all started when I enabled country block with these countries.
Code:
bg cn ir kp nl ru ua
I don't see a problem with them though.
 
This list does not cause any problems:
ae af bg bh br cd cn cu ee eg et il iq ir it kp kw ky kz la lb lr ly md mx ng ni nl om pk ps qa ru rw sa sb sd so ss su sy tr tw ua ug ve vn ye zw
 
Now you know how to replicate the glitch, would it be worth going back to pool.ntp.org, and removing all country blocking and then seeing if the problem has disappeared? That might confirm if it did all start with country blocking.
 
Give me a sec I'll run that test.
 
Ok so it is the country blocks that I choose, that interfere with the NTP Server from syncing when using just pool.ntp.org after a cold boot. I know it's not the country block feature because to remove the list I had I substituted only "kp" so country block was running during the test.
 
I’ve just run traceroute on pool.ntp.org (using the Network Toolbox iOS app with results displayed on a world map). I must have run it around 30 times. My location is Manchester, UK, and it was interesting seeing final locations hopping around from the south of England, to Dublin, Belgium and even Kansas. I’ve no idea what it all means (if anything) but it’s a fascinating little exercise.
 
So now skynet has an issue with iptables.
Code:
--------------------                | ----------
| Test Description |                | | Result |
--------------------                | ----------

Internet-Connectivity               | [Passed]
Write Permission                    | [Passed]
Firewall-Start Entry                | [Passed]
Services-Stop Entry                 | [Passed]
Service-Event Entry                 | [Passed]
SWAP                                | [Passed]
Cron Jobs                           | [Passed]
IPSet Comment Support               | [Passed]
Log Level 5 Settings                | [Passed]
Duplicate Rules In RAW              | [Passed]
IPSets                              | [Passed]
IPTables Rules                      | [Failed]
Local WebUI Files                   | [Passed]
Mounted WebUI Files                 | [Passed]
MenuTree.js Entry                   | [Passed]
Diversion Plus Content              | [Passed]
 
[*] Rule Integrity Violation - [ #11 #14 #20 ]
 
And now it's all ok again. I did nothing. The time servers did have to be changed to get a cold boot working. My 1st server is time.nrc.ca and my second is 0ca.pool.ntp.org. I'm not playing with this anymore because it's a little unclear to me why this is happening. I do feel that somehow the delay in Skynet's startup is causing me issues. It seems after a while Skynet restarts and the iptable problem is fixed. Yet if I had tried that from the menu it would have made no difference. I am confused still, so don't take what I say as the gospel.
 
One thing I never thought to check on these traceroutes was the time difference between, say, Kansas and the south of England; however, I expect these are several orders of magnitude faster than the timescales causing your problem during boot up.
 
There is some link between pool.ntp.org, while using the built in NTP Server, and country block in Skynet that creates a race condition issue, after a cold boot though.
 
Hypothetically, anyone globally can use pool.ntp.org because the DNS lookups feature geolocation. However, I had noticed that it usually works but sometimes does not. Occasionally I would get an NTP server in Asia with a time distance over 200 ms.

So the use of country blocks could explain the behavior you are seeing.

Using a Canadian pool ca.pool.ntp.org will reduce the likelihood of the issue but not eliminate it because the pool allows NTP servers from anywhere to be in the regional pools.
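
A way to check the interaction described in the post above, as an added example that is not part of the original thread and not Skynet's own code: it audits successive DNS answers for an NTP hostname against country-block ranges and reports how often no returned server is reachable. All addresses, ranges and country codes are constructed (documentation ranges), and it assumes the client can sync if at least one returned server is not banned.

```python
import ipaddress

# Constructed sample data: documentation ranges, not real country allocations.
BLOCKED_RANGES = {            # country code -> CIDRs banned by the country block
    "xx": ["198.51.100.0/24"],
    "yy": ["203.0.113.0/25"],
}
# Successive DNS answers for a rotating pool hostname (constructed).
POOL_ANSWERS = [
    ["192.0.2.10", "192.0.2.11"],
    ["198.51.100.7", "203.0.113.5"],   # every server sits in a banned range
    ["192.0.2.12", "203.0.113.200"],   # .200 is outside 203.0.113.0/25
    ["198.51.100.9", "192.0.2.13"],
]
# A single-operator time server that always answers with the same address.
FIXED_ANSWERS = [["192.0.2.50"]] * 4


def compile_blocklist(ranges_by_country):
    """Flatten {country: [cidr, ...]} into [(network, country), ...]."""
    return [(ipaddress.ip_network(cidr), cc)
            for cc, cidrs in ranges_by_country.items() for cidr in cidrs]


def banned_by(address, blocklist):
    """Return the country code whose range contains address, or None."""
    ip = ipaddress.ip_address(address)
    for net, cc in blocklist:
        if ip in net:
            return cc
    return None


def audit_lookups(answers, blocklist):
    """One row per DNS answer: reachable servers, banned servers, verdict."""
    rows = []
    for servers in answers:
        verdicts = {s: banned_by(s, blocklist) for s in servers}
        reachable = [s for s, cc in verdicts.items() if cc is None]
        banned = {s: cc for s, cc in verdicts.items() if cc is not None}
        rows.append({"reachable": reachable, "banned": banned,
                     "can_sync": bool(reachable)})
    return rows


def failure_rate(answers, blocklist):
    """Fraction of lookups in which every returned server is banned."""
    rows = audit_lookups(answers, blocklist)
    return sum(not r["can_sync"] for r in rows) / len(rows)


if __name__ == "__main__":
    bl = compile_blocklist(BLOCKED_RANGES)
    for name, answers in (("rotating pool", POOL_ANSWERS), ("fixed server", FIXED_ANSWERS)):
        print(name, "failure rate:", failure_rate(answers, bl))
```

On a real router the answers would come from repeated lookups of the configured time servers and the ranges from the active country block; a non-zero failure rate for a rotating hostname matches the intermittent cold-boot failures reported in this thread.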
 
It seems any derivative of pool.ntp.org has the same issue for me. I am now using time.nrc.ca and time.google.com and all is well.
 
Playing around with traceroute, I see that pool.ntp.org can take 60ms when the destination is London (from Manchester) and 130ms when Kansas is the end point. When I run a traceroute on time.google.com I invariably end up in Oklahoma via Kansas (and often San Francisco) and a time span of some 600ms, an order of magnitude longer, for me, than the shortest time on ntp.pool.org.
 
That's why I switched to time.cloudflare.com a while ago. Always had issues like that with pool.ntp.org.
 
Why does Skynet take 2 minutes and thirty seconds to start?

Edit: Reinstalled and rebooted now it loads in about 30 seconds.
 