Skynet Skynet - Router Firewall & Security Enhancements

Sorry, by DNSIP I was implying each of the DNS IPs from the previous value.

Ah, I see... The command returns both DNSIPs in "wan_dns" and "wan0_dns" from "nvram show". There are no other hits.

This may be different in a dual WAN environment.
 
Okay thanks, I've pushed v5.0.1 with this and some other minor changes to the script.
 
I'm having some issues getting this to run. I installed it in debug mode on /jffs, and then immediately sh firewall debug info:

Code:
Router Model: RT-AC3100-B5C0
Skynet Version: v5.0.1 (29/06/2017)
iptables v1.4.14 - (eth0)
ipset v6.29, protocol version: 6
FW Version: 380.65_4 (Mar 29 2017)
Install Dir; /jffs (64.0M Space Available)
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate
Install Dir Writeable
Startup Entry Detected
Cronjobs Not Detected
Autobanning Disabled
Debug Mode Disabled
No Duplicate Rules Detected In RAW
No Duplicate Rules Detected In FILTER
Whitelist IPTable Not Detected
BlockedRanges IPTable Not Detected
Blacklist IPTable Not Detected
Whitelist IPSet Not Detected
BlockedRanges IPSet Not Detected
Blacklist IPSet Not Detected
Skynet: [Complete] 0 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned.  Inbound /  Outbound Connections Blocked! [1s]

Running: sh firewall ban range 141.0.0.0/8
gives me:
Code:
Banning 141.0.0.0/8
ipset v6.29: The set with the given name does not exist
Saving Changes
ipset v6.29: The set with the given name does not exist
ipset v6.29: The set with the given name does not exist
ipset v6.29: The set with the given name does not exist
Skynet: [Complete] 0 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned.  Inbound /  Outbound Connections Blocked! [0s]

Any help you can provide?
 
This indicates the script was not started properly (or it was manually disabled), so the IPTables rules and IPSets were not created. Try running:

Code:
sh /jffs/scripts/firewall debug restart

Then ban the range you posted above.
 
Output of that command:
Code:
Saving Changes
ipset v6.29: The set with the given name does not exist
ipset v6.29: The set with the given name does not exist
ipset v6.29: The set with the given name does not exist
Restarting Firewall Service

Done.
 
That is expected. I'll silence the save commands in a future update; that is just indicating that when attempting to save the IPSets they didn't exist. If you run "firewall debug info" again, does anything show in red?
 
I had to manually run sh firewall-startup and now everything is working like a charm. Thanks for your help.
 
That makes me think that you didn't have "Enable custom scripts on startup" enabled prior to installing Skynet, and as I don't change this setting during the install process Skynet was never started upon firewall restart. I'll also fix this for a future update, thanks!
 
Well, I just checked and Enable Custom Scripts was already set. I never rebooted my router though. That might have sorted the problem on its own.
 
Hi @Adamm,

What is the behavior expected from Skynet when using a client vpn connection ?
Do I need to whitelist the subnet where the vpn server resides (I do have legit traffic here) and/or the vpn server domain ?
It seems Skynet is banning my VPN server domain IP until after manually unbanning it. The VPN server has a dynamic IP which is updated by a DDNS system.
This only started happening about two weeks ago.

Thanks,
 
I don't personally have a VPN to use to test with, but one would assume invalid packets get sent at some point, which leads to the VPN IP getting blocked. The easiest way around this would be to, as you said, whitelist the VPN provider's subnet (hopefully this information is available to you).

Beyond this I can try to look into somewhat of an automated solution for whitelisting VPN server IPs, but I'm not sure how reliable this would be, as it would only check/whitelist every time the firewall is restarted, not when the VPN server IP is updated specifically. If you were to post the nvram values which your VPN IP is stored in, that would be a big help. You can do so via:

Code:
nvram show | grep IPHERE

Feel free to xxx out the IP as I am only interested in the nvram value itself. Thanks
 
The client vpn is directed to a domain name:

nvram show | grep xxx.dns2.us


output:

vpn_client_addr=xxx.dns2.us
vpn_client1_addr=xxx.dns2.us

now remember there could be up to 5 clients running on the router. I do have a second on client 3:

nvram show | grep vpn_client3_addr


output:

vpn_client3_addr=xxx.serverlocation.co

Of course the IP addresses of these servers may be dynamic and may change in time.
 
I can think of a possible solution by whitelisting the content of vpn_clientX_addr upon an openvpn-event or using the client VPN custom configuration command up, maybe!

Oh and one more thing, I think there is conflict between the UI instructions and the following command,

Code:
sh firewall whitelist range xxx.xxx.xxx.xxx/24

Looking at the code, it appears that 'range' is not an evaluating option under 'whitelist', therefore returning "Command Not Recognised, Please Try Again"

Cheers!
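As an added example (not Skynet's own code) of the idea proposed above: collect the OpenVPN server hostnames from the vpn_clientN_addr nvram keys shown in this thread, resolve each one, and emit the host/IP pairs that an openvpn-event hook would then hand to the whitelist command. It assumes the keys are vpn_client1_addr .. vpn_client5_addr (the thread says up to 5 clients) and uses a constructed nvram dump and a constructed resolver so it runs offline.

```shell
#!/bin/sh
# Added example, not Skynet's own code. Assumption: server hostnames live in
# vpn_client1_addr .. vpn_client5_addr; the bare vpn_client_addr key mirrors
# client 1, so it is deliberately not matched a second time.

# Constructed sample of "nvram show" output so the script runs offline.
SAMPLE_NVRAM='vpn_client_addr=xxx.dns2.us
vpn_client1_addr=xxx.dns2.us
vpn_client2_addr=
vpn_client3_addr=xxx.serverlocation.co
wan_dns=1.1.1.1 9.9.9.9'

# Print each distinct, non-empty vpn_clientN_addr value, one per line.
# Empty keys (unconfigured client slots) are skipped.
vpn_client_hosts() {
    printf '%s\n' "$1" | sed -n 's/^vpn_client[1-5]_addr=\(..*\)$/\1/p' | sort -u
}

# Constructed resolver standing in for nslookup/dig on the router.
fake_resolve() {
    case "$1" in
        xxx.dns2.us)           echo 198.51.100.7 ;;
        xxx.serverlocation.co) echo 203.0.113.21 ;;
        *) return 1 ;;
    esac
}

# Emit "host ip" pairs. A hostname that does not resolve (a DDNS name that is
# briefly unavailable) is reported on stderr and skipped, so one bad entry
# does not abort whitelisting of the others.
vpn_whitelist_targets() {
    nvram_text=$1
    resolver=$2
    vpn_client_hosts "$nvram_text" | while read -r host; do
        if ip=$("$resolver" "$host"); then
            echo "$host $ip"
        else
            echo "skip: could not resolve $host" >&2
        fi
    done
}

# On the router, each ip printed here would be passed to
# "sh /jffs/scripts/firewall whitelist", e.g. from an openvpn-event script.
vpn_whitelist_targets "$SAMPLE_NVRAM" fake_resolve
```

Because a DDNS name can change between firewall restarts, re-running this from the openvpn-event hook (rather than only at startup) is what keeps the whitelist current.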
 
For whitelisting the command is just "firewall whitelist xxxxxxx/24", as you can see in the help section on the OP. The info in the script itself is more just an idea of what can be done. In a future update I will make a dummy command so the usage is in line with the ban/unban commands.
 
After (error-free) installation, router restart, the following output in syslog:
(RT-AC87U, 380.67b2, AB-Solution, dnscrypt-Installer)

Code:
Jul  1 18:06:37 Skynet: [INFO] Lock File Detected (pid=1118) - Exiting
Jul  1 18:06:39 Skynet: [Complete]  IPs /  Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [15s]
Jul  1 18:06:39 kernel: DROP IN=eth0 OUT=br0 SRC=2a00:1450:4016:080a:0000:0000:0000:2003 DST=2003:00da:4bda:3840:19b4:222b:685f:6f6b LEN=123 TC=0 HOPLIMIT=57 FLOWLBL=0 PROTO=TCP SPT=443 DPT=53127 SEQ=2465390380 ACK=472127784 WINDOW=465 RES=0x00 ACK PSH URGP=0
Jul  1 18:06:46 kernel: DROP IN=eth0 OUT=br0 SRC=2a00:1450:4016:080a:0000:0000:0000:200a DST=2003:00da:4bda:3840:5096:d33d:cda0:5140 LEN=135 TC=0 HOPLIMIT=57 FLOWLBL=0 PROTO=TCP SPT=443 DPT=51822 SEQ=687950655 ACK=2988097974 WINDOW=228 RES=0x00 ACK PSH URGP=0 OPT (0101080ABDC67B3F2F90DAF9)
Jul  1 18:06:47 kernel: DROP IN=eth0 OUT=br0 SRC=2a00:1450:4016:080a:0000:0000:0000:2003 DST=2003:00da:4bda:3840:19b4:222b:685f:6f6b LEN=123 TC=0 HOPLIMIT=57 FLOWLBL=0 PROTO=TCP SPT=443 DPT=53127 SEQ=2465390380 ACK=472127784 WINDOW=465 RES=0x00 ACK PSH URGP=0
Jul  1 18:06:54 kernel: DROP IN=eth0 OUT=br0 SRC=2a00:1450:4016:080c:0000:0000:0000:2004 DST=2003:00da:4bda:3840:19b4:222b:685f:6f6b LEN=123 TC=0 HOPLIMIT=57 FLOWLBL=0 PROTO=TCP SPT=443 DPT=53131 SEQ=2284344419 ACK=3283067652 WINDOW=238 RES=0x00 ACK PSH URGP=0
Jul  1 18:07:04 kernel: DROP IN=eth0 OUT=br0 SRC=2a00:1450:4016:080a:0000:0000:0000:2003 DST=2003:00da:4bda:3840:19b4:222b:685f:6f6b LEN=123 TC=0 HOPLIMIT=57 FLOWLBL=0 PROTO=TCP SPT=443 DPT=53127 SEQ=2465390380 ACK=472127784 WINDOW=465 RES=0x00 ACK PSH URGP=0

Please help ...
 
It's active, see the lockfile entry.
 
And how can this "spam" be turned off, even after deinstallation?

Code:
Jul  1 19:24:00 kernel: DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:04:02:1f:f7:b5:16:08:00 SRC=192.168.2.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF OPT (94040000) PROTO=2
Jul  1 19:26:05 kernel: DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:04:02:1f:f7:b5:16:08:00 SRC=192.168.2.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF OPT (94040000) PROTO=2
Jul  1 19:27:50 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:04:02:1f:f7:b5:16:08:00 SRC=192.168.2.1 DST=192.168.2.255 LEN=229 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=209
Jul  1 19:27:50 kernel: DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:04:02:1f:f7:b5:16:08:00 SRC=192.168.2.1 DST=192.168.2.255 LEN=238 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=218
Jul  1 19:28:10 kernel: DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:04:02:1f:f7:b5:16:08:00 SRC=192.168.2.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF OPT (94040000) PROTO=2
Jul  1 19:30:15 kernel: DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:04:02:1f:f7:b5:16:08:00 SRC=192.168.2.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF OPT (94040000) PROTO=2
Jul  1 19:30:16 kernel: DROP IN=eth0 OUT= MAC=14:dd:a9:cb:0d:f0:04:02:1f:f7:b5:16:08:00 SRC=216.243.31.2 DST=192.168.2.100 LEN=44 TOS=0x08 PREC=0x00 TTL=242 ID=54321 PROTO=TCP SPT=43882 DPT=443 SEQ=3765659362 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (02040578)
Jul  1 19:32:20 kernel: DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:04:02:1f:f7:b5:16:08:00 SRC=192.168.2.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF OPT (94040000) PROTO=2
Jul  1 19:33:49 kernel: DROP IN=eth0 OUT= MAC=14:dd:a9:cb:0d:f0:04:02:1f:f7:b5:16:08:00 SRC=216.243.31.2 DST=192.168.2.100 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=47344 DPT=443 SEQ=3813891352 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (02040578)
Jul  1 19:34:25 kernel: DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:04:02:1f:f7:b5:16:08:00 SRC=192.168.2.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF OPT (94040000) PROTO=2

Done. Firewall logging disabled ...

Edit -->
sh /jffs/scripts/firewall start

Skynet: [INFO] Startup Initiated...
ipset v6.32: Cannot open /tmp/mnt/sda1/skynet/scripts/ipset.txt for reading: No such file or directory
Skynet: [Complete] IPs / Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [1s]
 
@eclp Looks like an improper uninstall, as Skynet is still being started when /jffs/scripts/firewall is being called during startup... Did you use the 'uninstall' switch when uninstalling Skynet?

# "uninstall" # <-- Uninstall All Traces Of Skynet

Code:
sh /jffs/scripts/firewall uninstall

... should remove all traces of Skynet. I can't imagine why, but maybe a reboot will fix it?

@Adamm, I frequently see

Jul 01 22:19:01 dMP17 rc_service: waitting "start_firewall" via udhcpc ...
Jul 01 22:19:09 dMP17 script: Running /jffs/scripts/firewall-start (args: eth0)
Jul 01 22:19:16 dMP17 Skynet: [INFO] USB Not Found - Sleeping For 10 Seconds ( Attempt #1 )
Jul 01 22:19:22 dMP17 rc_service: udhcpc 618:notify_rc start_firewall
Jul 01 22:19:26 dMP17 Skynet: [INFO] Startup Initiated...
Jul 01 22:19:27 dMP17 rc_service: waitting "start_firewall" via ...
Jul 01 22:19:27 dMP17 script: Running /jffs/scripts/firewall-start (args: eth0)
Jul 01 22:19:28 dMP17 Skynet: [INFO] Lock File Detected (pid=1158) - Exiting
Jul 01 22:19:48 dMP17 Skynet: [Complete] 108497 IPs / 4142 Ranges Banned. 108497 New IPs / 4142 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [31s]
Jul 01 22:22:55 dMP17 Skynet: [Complete] 108497 IPs / 4142 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 4 Inbound / 23 Outbound Connections Blocked! [14s]
Jul 01 22:45:42 dMP17 Skynet: [Complete] 108497 IPs / 4142 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 17 Inbound / 23 Outbound Connections Blocked! [1s]

Skynet appears to be waiting for the USB drive to be mounted, as previously discussed, then starts at a second attempt, to exit immediately after finding a lock file. How can it find a lock file if it wasn't running and I did a clean reboot through the WebUI? Isn't the lock file removed on shutdown/reboot?
Second, after exiting I don't see it initiating again, yet it does say [Complete] xxxx IPs / xxxx ranges banned... How come?
And last but not least, could you add a line to the startup script to have logger writing to syslog which switches are being used? I've put it in debug mode and totally forgot about it, so it would be a nice-to-have if the switches used when the script is invoked are showing in syslog.
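The log above shows firewall-start being invoked twice within seconds, with the second run refused on "Lock File Detected (pid=1158)". As an added example (not Skynet's own lock handling), this is a pid-based lock that distinguishes a live holder from a stale lock file left behind by an instance that is no longer running, so a leftover file does not block startup. It assumes the lock file stores the holder's pid, as the log's "(pid=...)" suggests, and that the script runs as root (as it does on the router), since it uses kill -0 for the liveness check.

```shell
#!/bin/sh
# Added example, not Skynet's own code. Assumption: the lock file holds the
# pid of the instance that created it.

# Return 0 when the lock file exists but its recorded pid is not alive.
# Note: kill -0 also fails (EPERM) for another user's process; as root on the
# router that does not apply, but it is why this is not safe for non-root use.
lock_is_stale() {
    lockfile=$1
    [ -f "$lockfile" ] || return 1            # no lock at all is not "stale"
    pid=$(cat "$lockfile" 2>/dev/null)
    case "$pid" in
        ''|*[!0-9]*) return 0 ;;              # empty or garbage content: stale
    esac
    kill -0 "$pid" 2>/dev/null && return 1    # holder still running
    return 0
}

# Acquire the lock: reclaim a stale one, refuse a live one.
# Returns 0 when this process now holds the lock, 1 when another instance does.
acquire_lock() {
    lockfile=$1
    if [ -f "$lockfile" ] && ! lock_is_stale "$lockfile"; then
        echo "Lock File Detected (pid=$(cat "$lockfile")) - Exiting" >&2
        return 1
    fi
    echo "$$" > "$lockfile"
}

# Always pair with acquire_lock; run it from a trap so a crash or a
# shutdown-time kill does not leave the file behind for the next boot.
release_lock() {
    rm -f "$1"
}

# Demonstration on a temporary file (Skynet's real lock path is not reproduced).
demo_lock=$(mktemp)
echo 4194304 > "$demo_lock"                   # constructed pid, never running
lock_is_stale "$demo_lock" && echo "stale lock will be reclaimed"
acquire_lock "$demo_lock" && echo "lock now held by pid $$"
release_lock "$demo_lock"
```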
 
