Skynet - Router Firewall & Security Enhancements

I've pushed v7.1.6

Code:
WebUI support for Johns fork (thanks @dave14305)
Improve private ip regex (thanks @wbartels)
Rename Ban AiProtect > Import AiProtect Data
Improve private wan ip output
Fix whitelist reasons showing up in stats
 
Just a reminder for any fork users that you must install the dev 43D4 or the next public release for seamless integration. Thanks @john9527 for making the needed changes to allow easy add-on integration!
 
Now that I'm enjoying Skynet UI on John's fork, I notice that the chart axes do not start at zero. I suppose it's a personal preference, but I find switching the charts to always start at 0 scale to be easier to observe low-volume stats, like outbound blocks.

[Attached image: upload_2020-4-16_14-59-12.png]

Normally there would be no bar for the second IP address -- the chart would start at 1 with a thin sliver to represent the bar chart.

[Attached image: upload_2020-4-16_15-2-49.png]

I know I can zoom out to get the zero to appear, I just discovered a touch of OCD when I was reviewing the charts. :rolleyes:

I'm also keen to customize the cronjob timing for genstats to be at hours 06 and 18 instead of 00 and 12, like a start-of-day and end-of-day check.
 
Good evening,
Could you please explain if I see this string in System Log - General Log a few times per day:
Apr 16 21:00:08 Skynet: [#] 200943 IPs (+0) -- 1794 Ranges Banned (+0) || 8846 Inbound -- 39 Outbound Connections Blocked! [save] [8s]
Does it mean that Skynet was (unexpectedly) restarted and started up again, or is it normal behavior?
I also see blocked inbound and outbound connections in the log, which is OK; it means that Skynet is working :) But what about the quoted string? I think it should appear in the log only once, on start. No?
 
It appears every hour as Skynet cleans up the system log of the block messages from the previous hour. It does this through a scheduled cron job every hour. Completely normal. Skynet is working, but you should check on the 39 outbound blocks to understand what machines on your network were attempting to reach banned IP addresses.
 
Ok, noticed. Thanks!
How can I do that? In Skynet (web-interface "Firewall" page) I can see only the IP which was "called", but can't see from which IP in the local network it was made. And there are some graphs where I can see one PC which sends more "bad" outbound connections than the others. What is your advice? To check that PC for viruses/malware?
 
Yes, it is the machine making outbound connections that needs to be checked. First to check if the banned IP is really harmful or not. You can run this command to see all the block data for a LAN device (replace IP with your device's IP):
Code:
/opt/bin/firewall stats search device 192.168.1.x
If your router is the source IP, use this command:
Code:
/opt/bin/firewall stats search device "$(nvram get wan_ipaddr)"
Look at the "Associated Domains" column on the right side of the output to see what name resolved to the blocked IP. Sometimes normal websites can get blocked if their IP is also shared by a known-malware site.
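The per-device view described in the answer above can also be approximated straight from the system log. This is an added example, not Skynet's own code and not part of the original post; it assumes block entries are kernel netfilter LOG lines tagged "[BLOCKED - OUTBOUND]" with SRC=/DST= fields, and the sample lines are constructed.

```shell
#!/bin/sh
# Assumption: block entries are kernel netfilter LOG lines tagged
# "[BLOCKED - OUTBOUND]" that carry the usual SRC= and DST= fields.

# Constructed sample lines (documentation addresses, not real router output).
sample_log() {
cat <<'EOF'
Apr 16 20:01:11 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51544 DPT=443
Apr 16 20:01:12 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=4431 DPT=23
Apr 16 20:07:45 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51560 DPT=443
Apr 16 20:15:02 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.7 LEN=52 PROTO=TCP SPT=40112 DPT=80
Apr 16 20:31:27 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.20 LEN=76 PROTO=UDP SPT=123 DPT=123
EOF
}

# Read log lines on stdin; print "count lan_source banned_destination"
# for every outbound pair, busiest first. Inbound lines are ignored.
outbound_by_device() {
    awk '
        /\[BLOCKED - OUTBOUND\]/ {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if (src != "" && dst != "") hits[src " " dst]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -k1,1nr -k2,2 -k3,3
}

# Read log lines on stdin; print "count lan_source" totals per device,
# so the machine to inspect first is on the top line.
outbound_totals() {
    outbound_by_device |
        awk '{ t[$2] += $1 } END { for (s in t) print t[s], s }' |
        sort -k1,1nr -k2,2
}

# Stand-alone run over the constructed sample.
sample_log | outbound_totals
```

On a router, pipe the real system log into `outbound_totals` instead of `sample_log`; the log path depends on the firmware.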
 
A little help would be appreciated. I've just installed Skynet on my RT-AC56U router with Merlin firmware v384.6. When I update or reset Banmalware I got this error:

Downloading filter.list | [1s]
Refreshing Whitelists | [8s]
Consolidating Blacklist | /opt/bin/curl: symbol lookup error: /opt/bin/curl: undefined symbol: curl_multi_poll
[2s]
[*] List Content Error Detected - Stopping Banmalware

Curl info: curl 7.69.0 (arm-openwrt-linux-gnu) libcurl/7.64.1 OpenSSL/1.1.1b zlib/1.2.11

Thanks in advance!
 
Looks like an entware issue, update your packages via amtm
 
I have a question to the group. Is there a way for Skynet to block IP from a specific local host?
 
Er, your question doesn't quite make sense. Are you asking if Skynet supports per-device blocking? If so the answer is no, Skynet bans affect the entire network.
 
Yes, that was my question. Per device blocking. Is that something that you would consider in the future to add to Skynet?
 
Does “Block Internet Access” for the relevant client device on the Network Map page of the router’s GUI not fulfil your needs? Or are you wanting to specify which devices use Skynet?

No, it does not, since it will block all traffic to/from that device. Let me give you an example. A few months back I purchased legit (very known vendor) photo editing software for my Mac. I explicitly unchecked a preference to say that I do not wish to send "diagnostic data". However, I noticed some traffic every 2-5 seconds from my Mac to that vendor site.

When I emailed the vendor to ask why this is happening I got no answer. So I blocked it on my Mac with the pf firewall. If they had provided me some reason I would have left it as is, but since they did not I banned it. Unfortunately many of these vendors are not honest and spell out why they need it. Next, you may be experiencing the same scenario with your TV 3rd party apps. They are legit but you will notice some traffic, say to Facebook, but they would not disclose why and what is collected. Blocking this type of traffic is not hard if you run the app on a PC, but you cannot block it on your IoT or, say, TV apps - it is impossible. You have to do it on the router FW, hence I was asking the question.

Hope this clarifies my question. SkyNet FW is great software and I have used it for years. I think a feature that would allow us to block outbound traffic based on the LAN device would be nice to have. My experience is too limited to say if this would be hard or easy to implement.
 
I think you can achieve what you want by assigning a reserved DHCP address to the Mac and using the built-in Network Services Filter in the Firewall to block source IP and destination IP. It might break the photo software, but then you can undo it if so.
 
Adding per-device blocking lists would be a nightmare and unnecessarily overcomplicate so many functions, I don't see it happening any time soon. With that being said, is there any reason you can't just block this IP from all your devices?
 
Yup, that is exactly what I have done. Nice thing about MacOS is that it comes with the PF firewall, which is very efficient.
I created a special table (actually it is a file that holds the offending IPs) and using PF I am banning that list (table) from outbound communication. Cool thing with PF (just as with FreeBSD PF): you can dynamically add new IPs to the table and it will start blocking.

The issue, as I have mentioned, is not so much with a Mac or PC on the local LAN but rather IoT or TV apps. You cannot access these and control outbound traffic on these devices even if you assign them a static IP.
You need a different way, and this is where SkyNet could be handy, blocking specific outbound IPs based on LAN device IP. You could, for example, build a list like I did on my Mac using PF functionality, on Skynet, and configure Skynet to watch a specific LAN device (static IP) for this outbound traffic and block it. That would be cool and allow you to better control these offending apps/vendors and what they are doing.
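The per-device idea discussed in the posts above, sketched with plain netfilter commands. This is an added example, not a Skynet feature and not any poster's code; it assumes the router has iptables with the ipset `set` match, and the set name `tvblock` and all addresses are hypothetical.

```shell
#!/bin/sh
# Build (but do not run) the commands that drop traffic from ONE LAN
# device to a list of destinations, leaving every other device alone.

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1 }'
}

# Usage: device_block_rules LAN_DEVICE_IP SET_NAME DEST_IP...
# All arguments are validated before anything is printed, so a typo
# never yields a half-built rule set. Review the output, then run it
# as root on the router.
device_block_rules() {
    dev=$1; set_name=$2; shift 2
    is_ipv4 "$dev" || { echo "bad device address: $dev" >&2; return 1; }
    case $set_name in
        ''|*[!A-Za-z0-9_]*) echo "bad set name: $set_name" >&2; return 1 ;;
    esac
    for dst in "$@"; do
        is_ipv4 "$dst" || { echo "bad destination: $dst" >&2; return 1; }
    done
    echo "ipset create $set_name hash:ip -exist"
    for dst in "$@"; do
        echo "ipset add $set_name $dst -exist"
    done
    # FORWARD carries LAN-to-WAN traffic. Matching on -s limits the drop
    # to this device, so the device needs a reserved DHCP address.
    echo "iptables -I FORWARD -s $dev -m set --match-set $set_name dst -j DROP"
}

# Stand-alone run with constructed values.
device_block_rules 192.168.1.50 tvblock 203.0.113.7 198.51.100.20
```

New destinations can later be added to the set with another `ipset add`, without touching the iptables rule.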
 