Skynet - Router Firewall & Security Enhancements


@Adamm

New user of your wonderful firewall script. Thank you, it's amazing, especially worrying seeing how many intruders try to gain access to the router's ports. Anyway, I noticed I have a lot of outgoing blocked IPs for streaming etc. and was wondering, would whitelisting the device IP be enough to ensure the other connections get through?

 

Just curious, are you using the default list? Also, what streaming services are being blocked? I haven't had any trouble with YouTube, Roku, Netflix, Hulu, Amazon Prime Video or Disney+ using the default list.
 
Using the default lists. BBC's not properly working at the moment; I have added the LAN IP for the streamer, not tested it since doing that, but my thinking is that as those IPs are originating from the streamer, if I whitelist it that should allow the rest to flow through. Update: working once I added my IP to the whitelist.
 
@Adamm

Love this script and have it working on incoming only; surprising seeing all those malware- and virus-ridden IPs being blocked :D

But I have a query. Running firewall to get the menu, then 11.

What's 9 Fast User switching and where can I use this?
 
@Adamm

New user of your wonderful firewall script. Thank you, it's amazing, especially worrying seeing how many intruders try to gain access to the router's ports. Anyway, I noticed I have a lot of outgoing blocked IPs for streaming etc. and was wondering, would whitelisting the device IP be enough to ensure the other connections get through?


Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

Don't worry, tracking down false positive bans was at the core of the design. Generally speaking, you can follow these steps to find (and whitelist) anything incorrectly on your blacklist!

1.) Enable Logging
Code:
firewall settings logmode enable
2.) Open the blocked application/website and use the command;

Code:
firewall debug watch
Now look for a flood of [BLOCKED - OUTBOUND] coming from the same IP. This most likely will be the IP you are looking for if it's being spammed in large numbers.

3.) Copy the IP following "DST="; it should look something like this;
Code:
DST=175.115.37.52
4.) Double-check the IP is not actually something that should be banned; use a search tool like AlienVault. If it's related to a domain, additional "Associated Domain" information should be printed beneath the log.

Code:
https://otx.alienvault.com/indicator/ip/175.115.37.52/
5.) Great, we have confirmed we found the IP of the blocked website/application we are looking for, let's whitelist it!

Code:
firewall whitelist ip 175.115.37.52
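An added example to go with the steps above (this is not Skynet's own code and not part of the original post): a small POSIX shell helper that does the eyeballing in step 2 for you, tallying [BLOCKED - OUTBOUND] lines by DST so the IP that is being hit over and over lands at the top, and then prints the step 5 whitelist command for review instead of running it. The log lines inside it are constructed to match the SRC=/DST= layout of the kernel log line quoted later in this thread; the function names (outbound_dst_counts, top_outbound_dst, suggest_whitelist) are my own.

```shell
#!/bin/sh
# Added example, not part of Skynet: tally outbound Skynet blocks by DST so the
# "flood of [BLOCKED - OUTBOUND] from the same IP" stands out in a long log.

# Constructed sample of Skynet syslog lines (not real traffic). A real run would
# read the file Skynet reports under "Syslog Location" in `firewall debug info`.
SAMPLE_LOG='May 25 15:56:01 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=51234 DPT=443
May 25 15:56:01 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=51235 DPT=443
May 25 15:56:02 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=185.175.93.23 DST=203.0.113.7 LEN=40 PROTO=TCP SPT=57579 DPT=5970
May 25 15:56:02 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=51236 DPT=443
May 25 15:56:03 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.9 LEN=60 PROTO=UDP SPT=40000 DPT=123'

# Read log lines on stdin; print "count dst src" for each outbound block,
# busiest destination first. Inbound blocks are ignored on purpose: a false
# positive for an app or site only ever shows up as an outbound block.
outbound_dst_counts() {
    grep 'BLOCKED - OUTBOUND' |
    sed -n 's/.*SRC=\([0-9.]*\).*DST=\([0-9.]*\).*/\2 \1/p' |
    sort | uniq -c | sort -rn |
    awk '{print $1, $2, $3}'
}

# The single DST hit most often: the candidate step 2 of the post asks you to find.
top_outbound_dst() {
    outbound_dst_counts | head -n 1 | awk '{print $2}'
}

# Step 5's command for the top DST, printed rather than executed so the step 4
# reputation check happens before anything is whitelisted.
suggest_whitelist() {
    ip=$(top_outbound_dst)
    [ -n "$ip" ] && printf 'firewall whitelist ip %s\n' "$ip"
}

# Usage on the sample; on the router replace the printf with `cat <syslog path>`.
printf '%s\n' "$SAMPLE_LOG" | outbound_dst_counts
printf '%s\n' "$SAMPLE_LOG" | suggest_whitelist
```

The top entry is a candidate, not a verdict: a LAN host that is actually infected will also produce a flood to one destination, which is exactly why step 4 comes before step 5.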


@Adamm

Love this script and have it working on incoming only; surprising seeing all those malware- and virus-ridden IPs being blocked :D

But I have a query. Running firewall to get the menu, then 11.

What's 9 Fast User switching and where can I use this?

That option is if you wish to set an alternate malware filter list that you can quickly swap between.
 
@Adamm, every day Skype is blocked by one of the default lists; I have whitelisted the domain name dozens of times over. I don't understand why Skynet does not automate this process after the first whitelist; can you configure Skynet to automatically parse whitelisted domains after each list update, or add an option to do that automatically? I guess the IP address changes regularly. Also, what does the * sign represent under ban reason?
 
I have just added Skynet to my configuration using the default settings and everything seems to be fine. I would like to understand the settings (option 11) but I fear reading all 356 pages will take me a very long time.

In particular

I have not enabled AI protect on the router, so does option [7] have any effect?

I have Fast Switch, Alternate Blocking File set in diversion - do I also need to set Fast Switch list [9] here?

What are the benefits (if any) of changing the syslog(s) location [10]?

Thank you.
 
I put your script onto my Asus AC5300. I have the Skynet tab in the router GUI but the boxes are empty. Any suggestions please? When I set it up I used all recommended settings. If I restart I get this.

[*] Lock File Detected (start skynetloc=/tmp/mnt/External/skynet) (pid=5549)
[*] Locked Processes Generally Take 1-2 Minutes To Complete And May Result In Ts

IPSets | [Failed]
IPTables Rules | [Failed]



Test Description | Result
---------------- | ------

Internet-Connectivity | [Passed]
Write Permission | [Passed]
Firewall-Start Entry | [Passed]
Services-Stop Entry | [Passed]
Service-Event Entry | [Passed]
Profile.add Entry | [Passed]
SWAP File | [Passed]
Cron Jobs | [Passed]
NTP Sync | [Passed]
IPSet Comment Support | [Passed]
Log Level 2 Settings | [Passed]
Duplicate Rules In RAW | [Passed]
IPSets | [Passed]
IPTables Rules | [Passed]
Local WebUI Files | [Passed]
Mounted WebUI Files | [Passed]
MenuTree.js Entry | [Passed]

Setting | Status
------- | ------

Skynet Auto-Updates | [Enabled]
Malware List Auto-Updates | [Enabled]
Logging | [Enabled]
Filter Traffic | [Enabled]
Unban PrivateIP | [Enabled]
Log Invalid Packets | [Disabled]
Import AiProtect Data | [Enabled]
Secure Mode | [Enabled]
Fast Switch List | [Disabled]
Syslog Location | [Default]
IOT Blocking | [Disabled]
Country Lookup For Stats | [Enabled]
CDN Whitelisting | [Enabled]
Display WebUI | [Enabled]

17/17 Tests Sucessful

Rebooted the router several times; the GUI has now populated some of the boxes... weird.
 
Is there a hard limit on the number of IPs blocked in the firewall?
Both SSH and the WebUI are showing 500000 IPs banned. The list I am fetching has well in excess of this number of IPs.

I remember reading somewhere that a number of IPs were passed off to Diversion for better protection against false positives, or better blocking or something. Can someone please explain the interaction between Skynet and Diversion when they both have the ability to block the same IP from user lists? What are the negatives?
That smells like a question that's been asked before (probably more than once), sorry in advance if so.

I've spent the last week and a bit lurking this forum. New router finally arrived 2 days ago.
Thank you to everyone. This forum is a pleasure to read.
 
If I restart I get this.

As per the message in yellow;

[*] Locked Processes Generally Take 1-2 Minutes To Complete And May Result In Temporarily "Failed" Tests

Rebooted the router several times; the GUI has now populated some of the boxes... weird.

That's because Skynet completed its startup process and you actually had logs that can be viewed.


Is there a hard limit on the number of IPs blocked in the firewall?
Both SSH and the WebUI are showing 500000 IPs banned. The list I am fetching has well in excess of this number of IPs.

Yes, there is a hard limit of 500,000 on the IPSet size; if you have any more entries than that you are using badly maintained lists and should stick to something similar to the default filter list. More is not always necessarily better.

I remember reading somewhere that a number of IPs were passed off to Diversion for better protection against false positives, or better blocking or something. Can someone please explain the interaction between Skynet and Diversion when they both have the ability to block the same IP from user lists? What are the negatives?
That smells like a question that's been asked before (probably more than once), sorry in advance if so.

Skynet used to use some lists maintained by hphosts which were domains that were pre-resolved to IP's. Due to the nature of shared hosting these lists contained quite a few false positives so we created a solution where Skynet would instead pass the DNS based versions of these lists to Diversion for more accurate blocking there instead (aka Diversion Plus Hosts). As these lists are no longer maintained this feature was removed a few months ago.
 
More is not always necessarily better.

Yes agreed, however...

if you have any more entries than that you are using badly maintained lists and should stick to

This smells like a personal opinion. What is better for one, or many, is not necessarily better for everyone. I understand the significant benefit of a robust default list (for you as a developer, and for the users), but given this entire section of the forums could be considered somewhat of a power user section, I would like a little more freedom to make my own mistakes, not being held back by personal opinions (edit: of course I can always have the freedom to code what I want myself without relying on others).

firehol_level1 for instance states "The objective is to create a blacklist that can be safe enough to be used on all systems, with a firewall, to block access entirely, from and to its listed IPs. The key prerequisite for this cause, is to have no false positives. All IPs listed should be bad and should be blocked, without exceptions."
This single list contains over 500,000 entries.

If there's not some catastrophic consequences to allowing greater sized filter lists, I would appreciate if you found the time and inclination to make an adjustment.
This project is your baby, I happily accept your decisions. Cheers.

edit: This may come across as arrogant. That is not the intent, it stems from laziness.
 
I am looking for some help in tracking down why the stats on the web page are not displaying correctly.
If I run [13] stats [1] Display from the amtm>skynet menu I can get the stats as expected.
However, if I look at the stats on the router web page then I can see
the Summary Stats
Top 10 Targeted Ports (inbound)
Top 10 Source Ports (inbound)
Last 10 Unique Connections Blocked (inbound)
Last 10 Unique Connections Blocked (outbound)
Top 10 Blocked Devices (outbound)

But each of these has No Data to Display

Last 10 Unique HTTP(s) Blocks (Outbound) *
Top 10 HTTP(s) Blocks (Outbound) *
Top 10 Blocks (inbound)
Top 10 Blocks (outbound)

(* no data at time of testing)

I have tried
restart Skynet
reboot router (soft)
reboot router (hard)
disabling scribe (installed after Skynet).
 
What is the output of;

Code:
firewall debug info
 
My ISP put me into the CG-NAT pool and I've asked them to take me out, but I'm a little confused because of Skynet. I don't care about the IP addresses so I won't change or delete them;

100.94.157.128 is currently the CG-NAT IP address my ISP gave to me, and Skynet shows it as below;

Code:
admin@FaTiii:/tmp/home/root# firewall
#############################################################################################################
#                                                                                                           #
#            [SKYNET ASCII-art banner omitted: its box-drawing characters were garbled in extraction]       #
#                                                                                                           #
#                                 Router Firewall And Security Enhancements                                 #
#                             By Adamm -  https://github.com/Adamm00/IPSet_ASUS                             #
#                                            24/05/2020 - v7.1.6                                            #
#############################################################################################################


=============================================================================================================


Router Model; RT-AC88U
Skynet Version; v7.1.6 (24/05/2020) (6c84f62a4a6d6d0c8c3bfe6e3db99dc7)
iptables v1.4.15 - (eth0 @ 172.24.5.1)
ipset v6.32, protocol version: 6
IP Address; (100.94.157.128) <---------------
FW Version; 384.17_0 (Apr 25 2020) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/entware/skynet (12.5G / 14.7G Space Available)
SWAP File; /tmp/mnt/entware/myswap.swp (1.0G)

275937 IPs (+0) -- 1620 Ranges Banned (+0) || 285 Inbound -- 9 Outbound Connections Blocked!

My current IP address is 46.196.73.216 (which I've checked via https://whatismyipaddress.com/), but I can see the logs below from Skynet;

Code:
kernel [BLOCKED - INBOUND] IN=eth0 OUT= MAC=50:46:5d:6f:51:47:00:01:5c:ac:04:46:08:00 SRC=185.175.93.23 DST=176.240.110.132 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=5597 PROTO=TCP SPT=57579 DPT=5970 SEQ=1013410827 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0

Destination IP 176.240.110.132 is my older IP address, from before my ISP put me into the CG-NAT pool. So any idea what's going on? :D I guess 176.240.110.132 is still me, but also I'm 46.196.73.216 with the other guys in the CG-NAT pool? o_O
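An added example (not Skynet code and not from the original post): a POSIX shell classifier that tells which range an address belongs to, which is the first check worth making when the "IP Address;" line of the debug output and an external "what is my IP" page disagree. 100.64.0.0/10 is the shared address space RFC 6598 reserves for carrier-grade NAT, so a router whose WAN lease falls in that range will always see a different address on its own interface than the one external sites report; the 10/8, 172.16/12 and 192.168/16 checks are the RFC 1918 private ranges. The function names (ip2int, in_cidr, ip_class) are mine; the addresses run through it at the end are the three from the post above plus the eth0 address in the debug output.

```shell
#!/bin/sh
# Added example, not part of Skynet: classify an IPv4 address by range so a
# CG-NAT lease can be told apart from a private LAN address or a public one.

# Dotted quad -> 32-bit integer using only POSIX sh arithmetic.
# (An octet with a leading zero such as "08" would be read as octal; the
# addresses in the thread do not have that problem.)
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NETWORK PREFIXLEN : succeeds when IP lies inside NETWORK/PREFIXLEN.
in_cidr() {
    addr=$(ip2int "$1")
    net=$(ip2int "$2")
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Ranges that matter when reading Skynet's "IP Address;" line and its logs:
#   100.64.0.0/10                 shared address space for CG-NAT (RFC 6598)
#   10/8, 172.16/12, 192.168/16   private (RFC 1918)
#   127/8                         loopback
ip_class() {
    if in_cidr "$1" 100.64.0.0 10; then
        echo "cgnat-shared"
    elif in_cidr "$1" 10.0.0.0 8 || in_cidr "$1" 172.16.0.0 12 || in_cidr "$1" 192.168.0.0 16; then
        echo "private"
    elif in_cidr "$1" 127.0.0.0 8; then
        echo "loopback"
    else
        echo "public"
    fi
}

# The three addresses from the post above, plus the eth0 address from the debug output.
for a in 100.94.157.128 46.196.73.216 176.240.110.132 172.24.5.1; do
    printf '%-16s %s\n' "$a" "$(ip_class "$a")"
done
```

Running it shows 100.94.157.128 as shared CG-NAT space and both 46.196.73.216 and 176.240.110.132 as public; the classifier only says which range an address is in, not which of them the ISP is currently mapping you to.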
 
What is the output of;

Code:
firewall debug info

Code:
Router Model; RT-AX88U
Skynet Version; v7.1.6 (24/05/2020) (6c84f62a4a6d6d0c8c3bfe6e3db99dc7)
iptables v1.4.15 - (eth0 @ 10.25.00.1)
ipset v6.32, protocol version: 6
IP Address; (xxx.xx.xx.xx) - (2a02:c7f:c04e:9c00::/56)
FW Version; 384.17_0 (Apr 26 2020) (4.1.51)
Install Dir; .../Router/skynet (51.2G / 56.3G Space Available)
SWAP File; .../Router/myswap.swp (2.0G)
Syslog Location; (/opt/var/log/skynet-0.log) (/tmp/syslog.log-1)
Uptime; 0 days, 3 hours, 5 minutes.
Ram Available; (463M / 882M)

(where ... = /tmp/mnt)


-----------------------------------------|------------------|----------------------|----------
Device Name                              | Local IP         | MAC Address          | Status
-----------------------------------------|------------------|----------------------|----------

Unknown                                  | 10.0.0.1         | Unknown              | Offline
Unknown                                  | 10.0.1.53        | Unknown              | Offline
Canon-MG5450                             | 10.25.00.67      | f4:81:39:1a:3c:ce    | Inactive
NVIDIA                                   | 10.25.00.75      | 00:04:4b:eb:62:53    | Inactive
Samsung_UE49NU7500_WiFi                  | 10.25.00.81      | 70:2a:d5:75:ec:e9    | Inactive
EPSON_WF-2830                            | 10.25.00.87      | 38:1a:52:10:b5:ad    | Inactive
Squeezebox                               | 10.25.00.90      | 00:04:20:06:72:f8    | Inactive
SkyHD_Down_WiFi                          | 10.25.00.106     | 60:02:b4:22:4d:e9    | Inactive
SkyHD_Top                                | 10.25.00.110     | a8:54:b2:9a:e6:dd    | Inactive
IGOR-8                                   | 10.25.00.115     | 1c:87:2c:42:1f:38    | Online
Dancing-Bear                             | 10.25.00.116     | 50:46:5d:64:21:02    | Inactive
Pino_Work                                | 10.25.00.118     | 68:ec:c5:a2:05:3f    | Online
Pino_Phone                               | 10.25.00.119     | a8:3e:0e:ca:e8:16    | Inactive
Sophie-Phone                             | 10.25.00.132     | 30:07:4d:9d:15:f9    | Inactive
Sophie-Ipad                              | 10.25.00.133     | 60:8b:0e:83:dd:16    | Inactive
Sophie_Work                              | 10.25.00.134     | 60:f8:1d:bb:fc:2a    | Online
Vito                                     | 10.25.00.135     | bc:ee:7b:5d:84:ad    | Inactive
Ales-Phone                               | 10.25.00.136     | b0:72:bf:cb:ed:c0    | Inactive
Pere-Ubu                                 | 10.25.00.150     | 00:15:5d:3f:73:08    | Online
Unknown                                  | 10.25.00.160     | a8:5e:45:63:70:f0    | Online
snom821-4587B6                           | 10.25.00.202     | 00:04:13:45:87:b6    | Inactive
YSP-2700-WiFi                            | 10.25.00.215     | 50:8c:b1:49:6c:a2    | Inactive
HarmonyHub                               | 10.25.00.230     | c8:db:26:0d:07:83    | DELAY
Unknown                                  | 151.224.16.1     | a0:f3:e4:80:ea:30    | DELAY


------------------------------------|----------
Test Description                    | Result
------------------------------------|----------

Internet-Connectivity               | [Passed]
Write Permission                    | [Passed]
Firewall-Start Entry                | [Passed]
Services-Stop Entry                 | [Passed]
Service-Event Entry                 | [Passed]
Profile.add Entry                   | [Passed]
SWAP File                           | [Passed]
Cron Jobs                           | [Passed]
NTP Sync                            | [Passed]
IPSet Comment Support               | [Passed]
Log Level 5 Settings                | [Passed]
Duplicate Rules In RAW              | [Passed]
IPSets                              | [Passed]
IPTables Rules                      | [Passed]
Local WebUI Files                   | [Passed]
Mounted WebUI Files                 | [Passed]
MenuTree.js Entry                   | [Passed]


------------------------------------|----------
Setting                             | Status
------------------------------------|----------

Skynet Auto-Updates                 | [Enabled]
Malware List Auto-Updates           | [Enabled]
Logging                             | [Enabled]
Filter Traffic                      | [Enabled]
Unban PrivateIP                     | [Enabled]
Log Invalid Packets                 | [Disabled]
Import AiProtect Data               | [Enabled]
Secure Mode                         | [Enabled]
Fast Switch List                    | [Disabled]
Syslog Location                     | [Custom]
IOT Blocking                        | [Disabled]
Country Lookup For Stats            | [Enabled]
CDN Whitelisting                    | [Enabled]
Display WebUI                       | [Enabled]

17/17 Tests Sucessful

 
Hey @Adamm, my stats on the web page of the firmware are incomplete. The bottom four graphs don't show anything. There should be stats there according to my other data. Any ideas how to fix this? I uninstalled and reinstalled and that didn't help. I updated the firmware to the new alpha and that didn't help. Anything you can add?
 
