Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

But I have already my own swap, it doesn't load correct after reboot, right now swap is active.
So when i did this - /jffs/scripts/firewall debug swap install - I've seen - [*] Skynet Can Not Modify Swap Partitions - Exiting!

Spoiler: free output

Mem: 255676 200692 54984 0 1332 13920
-/+ buffers/cache: 185440 70236
Swap: 1959892 662456 1297436

I highly recommend switching to using a swap file over a swap partition. They are significantly easier to manage/repair and supported by most of the scripts on this forum that also use my swap functions.

 

[Adamm]

Is it possible to install Skynet onto an AX56U? or the AX58U? The routers aren't currently supported by Merlin but Skynet is the only thing I'm currently using and I was just curious, thanks.

Unfortunately not at this time, IPSet which Skynet depends on is only included in Merlins firmware.

 

[truglodite]

With recent news of the Phillip's Hue vulnerability, is there a way skynet (or any router script for that matter) could stop such attacks... assuming the hub device needs to be able to talk to the lan and wan? The penetration occurs at the zigbee level.

 

[Mutzli]

With recent news of the Phillip's Hue vulnerability, is there a way skynet (or any router script for that matter) could stop such attacks... assuming the hub device needs to be able to talk to the lan and wan? The penetration occurs at the zigbee level.

You can enable IoT Blocking in Skynet settings to block certain IoT devices to have access to the internet:

 

[Sonyrolfy]

Small Q, When a VPN client is set with DNS Exclusive, is it common that Skynet blocks outbound IP’s for devices in VPN?

[BLOCKED - OUTBOUND] IN=br0 OUT= MAC=b0:6e:... SRC=(pc) 192.168.1.75 DST=216.21.13.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=46326 DF PROTO=TCP

 

[dave14305]

Small Q, When a VPN client is set with DNS Exclusive, is it common that Skynet blocks outbound IP’s for devices in VPN?

[BLOCKED - OUTBOUND] IN=br0 OUT= MAC=b0:6e:... SRC=(pc) 192.168.1.75 DST=216.21.13.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=46326 DF PROTO=TCP

It will block any remote IP in the blacklist.

sh /jffs/scripts/firewall stats search ip 216.21.13.10

216.21.13.10 is NOT in set Skynet-Whitelist.
216.21.13.10 is in set Skynet-Blacklist.
216.21.13.10 is NOT in set Skynet-BlockedRanges.

Blacklist Reason;
 "BanMalware: coinbl_ips.ipset"

 

[Sonyrolfy]

It will block any remote IP in the blacklist.

sh /jffs/scripts/firewall stats search ip 216.21.13.10

216.21.13.10 is NOT in set Skynet-Whitelist.
216.21.13.10 is in set Skynet-Blacklist.
216.21.13.10 is NOT in set Skynet-BlockedRanges.

Blacklist Reason;
 "BanMalware: coinbl_ips.ipset"

Perfect! I always thought when a VPN client is in exclusive, Skynet or scripts wont interfere in a tunnel. What do I know Thanks Dave.

 

[dave14305]

Perfect! I always thought when a VPN client is in exclusive, Skynet or scripts wont interfere in a tunnel. What do I know Thanks Dave.

I usually state that I know little about VPNs on Merlin since I don't use them. But since Skynet uses the raw iptables table, it tends to override anything else in terms of priority.

But what do I know?

 

[truglodite]

You can enable IoT Blocking in Skynet settings to block certain IoT devices to have access to the internet:
View attachment 21212

I already do that for my wifi iot stuff, but this vulnerability is with zigbee. The zigbee device gets hacked, and they use the hacked device to plant malware on the hub. All devices talk to the hub, and the hub can talk to the internet. Blocking the hub means many remote features won't work.

I don't think this is something that can be patched by router based on how it works... but figured I might ask in case there is some way I'm not thinking of that may work.

 

[truglodite]

Actually, maybe one way is making sure the hub can not access other clients on lan. However, atleast one client would need access to certain ports on the hub for maintenance.

The real threat of this exploit is the hub taking over a pc on the lan.

 

[RMerlin]

Which begs the question: why do lightbulbs require to be connected to the Internet?

 

[cmkelley]

Which begs raises the question: why do lightbulbs require to be connected to the Internet?

To more easily allow the creation of botnets, of course.

Also, FTFY, that's one of those things that's annoyed me ever since I learned what "begs the question" really means. Yes, I know it's a lost cause, I don't care.

 

[RMerlin]

To more easily allow the creation of botnets, of course.

Also, FTFY, that's one of those things that's annoyed me ever since I learned what "begs the question" really means. Yes, I know it's a lost cause, I don't care.

English isn't my primary language...

 

[cmkelley]

English isn't my primary language...

Oh yeah, forgot about that. Impossible to tell just from your writing. And even newspapers and other writers who one would expect to know better misuse "begs the question" more frequently than they use it properly, so it's understandable that even native speakers misuse it.

I've often wondered if other languages have crazy idioms like English does.

 

[ICDeadPpl]

Philips sent firmware updates for the Hue hub, the version number is 1935144040.
Mine got updated on 2020-01-22.
https://www.engadget.com/2020/02/05/philips-hue-signify-vulnerability/

 

[JacquesR]

Also, FTFY, that's one of those things that's annoyed me ever since I learned what "begs the question" really means. Yes, I know it's a lost cause, I don't care.

I'd wager it bugs me more than it bugs you! My evidence: I had to write a blog post explaining this, and at one point, even had a Twitter bot that replied to any use of the phrase with "are you sure you don't mean 'raises the question'", linking to an explanation. The bot was eventually banned - maybe it annoyed people?

What's most annoying comes via a friend who is the most pedantic person I know, who believes (with good reason) that the correct phrase (besides petitio principii, of course, which is how I learnt it in logic classes) is in fact "beggaring the question", i.e. making the question impoverished, devoid of value.

 

[Chrisgtl]

If I ban domain of bbc.co.uk via Skynet I am still able to visit bbc.co.uk

Is there something else I should be doing after I've added the domain to my ban list? Does it take sometime to become active? I've tried rebooting router, rebooting laptop, flushing DNS......I can still resolve bbc.co.uk

 

[dave14305]

If I ban domain of bbc.co.uk via Skynet I am still able to visit bbc.co.uk

Is there something else I should be doing after I've added the domain to my ban list? Does it take sometime to become active? I've tried rebooting router, rebooting laptop, flushing DNS......I can still resolve bbc.co.uk

You should block domain names using Diversion since there can be many rotating IP addresses behind a domain name.

 

[XIII]

I have blocked an IoT device both in the web interface and in SkyNet, but I still see DNS calls in the NextDNS logging.

Should DNS calls also be blocked?

 

[dave14305]

DNS calls are probably going to the router's DNS, which forwards to NextDNS on the router which goes out to nextdns.io. If the IOT is not trying to make its own external DNS request it probably can't be blocked by IOT rules, because it's LAN traffic.