Skynet Skynet - Router Firewall & Security Enhancements

[thelonelycoder]

... Just my 2¢
A while ago there were four players in the firewall/ipset field.
The fourth left in a huff after some disagreement.
Don't let history repeat itself.

 

[Adamm]

I don't want to turn this into a pissing contest, I do this in my free time for personal use and posted it publicly because "why not"

Firstly, this most definitely wasn't a case of lazy copy'n'paste - literally or should I post your original to prove it?

The implication here was, the script in question was in your own words a hacked version of Skynet. This is further evident by the fact a lot of my own coding flaws, bugs and overall functionality are present. This was not an insult, but really just a generalization.

Scripts using ipsets for the same purpose are availble to copy'n'paste from the web (published 2011), so perhaps that is where you copied the script/idea from?

I was campaigning for IPSet functionality on Asus firmware's as far back as march 2013 as an efficient solution to block constant portscans on my home connection. I only wish I had something to base my initial idea off, maybe then my original code wouldn't have been as terrible

However, as you can see, I duly gave full credit to you in your abscence.

https://github.com/MartineauUK/IPSET_Block/commit/60c5aad19526c252c4f5d9c16767131e8d374529

So quite why you would be so very snidely dismissive in public prompts me to respond and evidently this paints a different picture

I support all the scriptwriters in the community and do my best to work with them when possible. Frequently I have conversations with them on how to improve each-others scripts.

So I wonder where the unique idea for providing the reporting statistics

I think @thelonelycoder takes the credit on this one, AB has had stat reporting long before us. But with that being said it was a natural progression of the script. A user requested this functionality, and I thought I could implement it in a user friendly way. You could say I took inspiration sure, but functionality wise our implementations are completely different.

you blatently lifting my code/ideas without credit?

I give credit where credit is due throughout my github commit log and posts, even for minor things like pointing out bugs.

As @Mikiya states, the two scripts now have differing goals

I didn't even know your "version" was still being developed as the last changes I could see was over 4 months ago when I've committed 455 changes and counting since then.

Finally, I would like to believe that I have provided several original scripts that have benefited the forum, without the need to sarcastically whine about the scripting efforts of others who reuse my code.

Don't think I ever whined about this or any other scripts, my comments were very factual. After briefly examining the referenced code as per a users request, there was no additional functionality I could find which would lead to different behavior in the described situation.


That's about all I have to say on the matter. I don't get paid to work on this, I do it as a hobby and post it publicly for others who want this type of functionality.

 

[skeal]

Keep up the good work both of you!! Choice is always good, variety is the spice of life! Your hard work is appreciated by all of us!

 

[wyldstallyn]

Hi, where can I see the domains or anything I've manually white-listed?

I've looked in shared-skynet and shared-skynet2.

Sorry if this seems obvious or was already posted.

 

[Adamm]

Hi, where can I see the domains or anything I've manually white-listed?

I've looked in shared-skynet and shared-skynet2.

Sorry if this seems obvious or was already posted.

There's no way for Skynet to produce this information in a user friendly way (yet). I'll add something native in a future update. I am always looking for suggestions

For now you can use in SSH;

ipset -L Whitelist | grep ManualWlistD

 

[wyldstallyn]

There's no way for Skynet to produce this information in a user friendly way (yet). I'll add something native in a future update. I am always looking for suggestions

For now you can use in SSH;

ipset -L Whitelist | grep ManualWlistD

Thank you sir!

 

[thelonelycoder]

There's no way for Skynet to produce this information in a user friendly way (yet). I'll add something native in a future update. I am always looking for suggestions

For now you can use in SSH;

ipset -L Whitelist | grep ManualWlistD

But don‘t you add them to the shared2 whitelist?

 

[Adamm]

But don‘t you add them to the shared2 whitelist?

Good point, its also listed there too. You can tell its 2am

cat /jffs/shared-Skynet2-whitelist

This list contains a few hard-coded entries (8 to be exact) but all are there for Skynet/router functionality.

 

[wyldstallyn]

Good point, its also listed there too. You can tell its 2am

cat /jffs/shared-Skynet2-whitelist

This list contains a few hard-coded entries (8 to be exact) but all are there for Skynet/router functionality.

hmm, they don't seem to show in the shared2 whitelist, only the default 9 are there.

ipset -l whitelist... works perfectly however.

 

[Adamm]

hmm, they don't seem to show in the shared2 whitelist, only the default 9 are there.

ipset -l whitelist... works perfectly however.

The list is only refreshed when Skynet is started up (this happens during a firewall restart event) or the banmalware command is used.

Ideally I would update it every time you add a new domain to the whitelist, but the function takes around 37 seconds on my AC68U because nslookup is so slow going through each domain.

This is potentially another command I could add to force an update, will do some work in the morning.

 

[wyldstallyn]

The list is only refreshed when Skynet is started up (this happens during a firewall restart event) or the banmalware command is used.

Ideally I would update it every time you add a new domain to the whitelist, but the function takes around 37 seconds on my AC68U because nslookup is so slow going through each domain.

This is potentially another command I could add to force an update, will do some work in the morning.

Ahh, gotcha. Just ran banmalware and showing now in the shared2 list.

Thanks again!

 

[Butterfly Bones]

Thanks so very much for this tool! I've been slowly reading through it for the last few weeks making certain I understand it before install. (I know, I'm weird that way.)

Tonight while I am checking on some VPN issues, I watch these entries in my system log (note I change my VPN server IP to 101.101.101.101 intentionally):

Oct  3 20:35:08 kernel: UDP: bad checksum. From 60.191.29.20:9544 to 101.101.101.101:443 ulen 37
Oct  3 20:36:26 kernel: UDP: bad checksum. From 60.191.29.20:9544 to 101.101.101.101:465 ulen 37
Oct  3 20:37:33 kernel: UDP: bad checksum. From 60.191.29.20:9544 to 101.101.101.101:636 ulen 37
Oct  3 20:38:45 kernel: UDP: bad checksum. From 60.191.29.20:9544 to 101.101.101.101:992 ulen 37
Oct  3 20:40:06 kernel: UDP: bad checksum. From 60.191.29.20:9544 to 101.101.101.101:993 ulen 37
Oct  3 20:41:09 kernel: UDP: bad checksum. From 60.191.29.20:9544 to 101.101.101.101:995 ulen 37
Oct  3 20:42:00 kernel: UDP: bad checksum. From 60.191.29.20:9544 to 101.101.101.101:21 ulen 37
Oct  3 20:42:46 kernel: UDP: bad checksum. From 60.191.29.20:9544 to 101.101.101.101:22 ulen 37
Oct  3 20:43:42 kernel: UDP: bad checksum. From 60.191.29.20:9544 to 101.101.101.101:23 ulen 37
Oct  3 20:44:23 kernel: UDP: bad checksum. From 60.191.29.20:9544 to 101.101.101.101:25 ulen 37
Oct  3 20:45:11 kernel: UDP: bad checksum. From 60.191.29.20:9544 to 101.101.101.101:49 ulen 37

So I immediately ran the install and BOOM! that sucker got autobanned before I could even manually add it! How frickin' cool is that?

 

[Adamm]

@wyldstallyn As promised I improved the whitelist functionality. Here's the changes from the latest 5.2.2 update;

Use timestamp as comment if none specified for ban/whitelist commands

Added following commands;

sh /jffs/scripts/firewall whitelist remove ip xxx.xxx.xxx.xxx

sh /jffs/scripts/firewall whitelist remove comment "xxxxxxxxxx"

sh /jffs/scripts/firewall whitelist refresh

sh /jffs/scripts/firewall whitelist list

sh /jffs/scripts/firewall whitelist list domains

sh /jffs/scripts/firewall whitelist list ips

All should be pretty self-explanatory. Will update the documentation in the morning.

 

[skeal]

5.2.2 update installed. Running excellent as always. This is a rock solid no problems script man!!

 

[.TT.]

@Adamm Are you planning on supporting the ac86u?
Unable to install at the moment.
Skynet: [ERROR] IPSet Extensions Not Enabled - Please Update To 380.68 / V26E3 Or Newer Firmware

 

[Adamm]

@Adamm Are you planning on supporting the ac86u?
Unable to install at the moment.
Skynet: [ERROR] IPSet Extensions Not Enabled - Please Update To 380.68 / V26E3 Or Newer Firmware

Ideally yes, but getting a device in my hands to test with is another story. The error you pointed out is due to the new kernel version, which can easily be fixed on my end. Its other changes in the .382 codebase I'm unsure about.

What is the output of the following;

ls /lib/modules/

 

[.TT.]

4.1.27
And thank you for looking in to it =)

 

[Adamm]

4.1.27
And thank you for looking in to it =)

Its definitely been on my todo list, but getting in contact with Asus is harder then expected.

Can I also get the output of;

ls /lib/modules/4.1.27/kernel/net/netfilter/ipset/

 

[.TT.]

Sure thing:
ip_set.ko ip_set_hash_ipport.ko ip_set_hash_netnet.ko
ip_set_bitmap_ip.ko ip_set_hash_ipportip.ko ip_set_hash_netport.ko
ip_set_bitmap_ipmac.ko ip_set_hash_ipportnet.ko ip_set_hash_netportnet.ko
ip_set_bitmap_port.ko ip_set_hash_mac.ko ip_set_list_set.ko
ip_set_hash_ip.ko ip_set_hash_net.ko
ip_set_hash_ipmark.ko ip_set_hash_netiface.ko

 

[Adamm]

Sure thing:
ip_set.ko ip_set_hash_ipport.ko ip_set_hash_netnet.ko
ip_set_bitmap_ip.ko ip_set_hash_ipportip.ko ip_set_hash_netport.ko
ip_set_bitmap_ipmac.ko ip_set_hash_ipportnet.ko ip_set_hash_netportnet.ko
ip_set_bitmap_port.ko ip_set_hash_mac.ko ip_set_list_set.ko
ip_set_hash_ip.ko ip_set_hash_net.ko
ip_set_hash_ipmark.ko ip_set_hash_netiface.ko

Okay perfect just as expected. Try a force update and see if you run into any other issues.

sh /jffs/scripts/firewall update -f