Skynet Skynet - Router Firewall & Security Enhancements

[Protik]

Is it recommended to reboot the router after any change in the firewall settings?

As a new user I am playing with the settings. After any change, I am getting the following in the firewall UI,

Lock File Detected (start debug banmalware autoupdate usb=/tmp/mnt/pdas001) (pid=5762)

Checking Skynet IPTable...                              [Failed]

This only goes away when I reboot the router.

 

[TheUntouchable]

Is it recommended to reboot the router after any change in the firewall settings?

As a new user I am playing with the settings. After any change, I am getting the following in the firewall UI,

Lock File Detected (start debug banmalware autoupdate usb=/tmp/mnt/pdas001) (pid=5762)

Checking Skynet IPTable...                              [Failed]

This only goes away when I reboot the router.

Had the same thing today. Then disappeared by itself at some point

 

[Butterfly Bones]

:    104.200.22.103 Is Not A Valid IP/Range

Nevermind, my cut and paste inserted some hidden characters it seems that padded before the IP.

 

[Adamm]

Is it recommended to reboot the router after any change in the firewall settings?

As a new user I am playing with the settings. After any change, I am getting the following in the firewall UI,

Lock File Detected (start debug banmalware autoupdate usb=/tmp/mnt/pdas001) (pid=5762)

Checking Skynet IPTable...                              [Failed]

This only goes away when I reboot the router.

As the error indicates, there is a lock file and it details the simultaneous running process. In this case Skynet hadn't fully booted up (this usually takes about 20-40s) at which point the error would disappear.

I will work on explaining this to the user better in future versions.

 

[Butterfly Bones]

I cannot get a list of whitelisted ips, using v.5.4.9

sh /jffs/scripts/firewall whitelist list ips

Or from the menu, it just saves and exists.

[1-13]: 4

Select Whitelist Option:
[1]  --> IP/Range
[2]  --> Domain
[3]  --> Port
[4]  --> Refresh VPN Whitelist
[5]  --> Remove Entries
[6]  --> Refresh Entries
[7]  --> List Entries

[1-7]: 7

Select Entries To List:
[1]  --> All
[2]  --> Manually Added IPs
[3]  --> Manually Added Domains

[1-3]: 2

Saving Changes

Skynet: [Complete] 147887 IPs / 3229 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 219 Inbound / 216 Outbound Connections Blocked! [20s]

edit -
In the menu, List all works but only shows "Shared Whitelist" entries, no manually added ips or domains.

I'm trying to check since I am getting outbound ips blocked that I am sure I already whitelisted.

edit 2 -after further investigation, seems I lost all my manually added IPs and domains. That is why nothing shows when I try to list them. Now to figure out why.....

 

[Adamm]

I cannot get a list of whitelisted ips, using v.5.4.9

sh /jffs/scripts/firewall whitelist list ips

Or from the menu, it just saves and exists.

[1-13]: 4

Select Whitelist Option:
[1]  --> IP/Range
[2]  --> Domain
[3]  --> Port
[4]  --> Refresh VPN Whitelist
[5]  --> Remove Entries
[6]  --> Refresh Entries
[7]  --> List Entries

[1-7]: 7

Select Entries To List:
[1]  --> All
[2]  --> Manually Added IPs
[3]  --> Manually Added Domains

[1-3]: 2

Saving Changes

Skynet: [Complete] 147887 IPs / 3229 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 219 Inbound / 216 Outbound Connections Blocked! [20s]

edit -
In the menu, List all works but only shows "Shared Whitelist" entries, no manually added ips or domains.

I'm trying to check since I am getting outbound ips blocked that I am sure I already whitelisted.

edit 2 -after further investigation, seems I lost all my manually added IPs and domains. That is why nothing shows when I try to list them. Now to figure out why.....

Are you sure the IP's were whiteisted and not just unbanned (or you haven't flushed the list since doing so). If it doesn't show up when using the list all function, then the whitelist entry doesn't exist. I can confirm when adding an IP it definitely shows up.

admin@192:/tmp/home/root# firewall whitelist ip 8.8.8.8
#!/bin/sh
#############################################################################################################
#                    _____ _                     _           _____                     #
#                   / ____| |                   | |         | ____|                    #
#                  | (___ | | ___   _ _ __   ___| |_  __   _| |__                      #
#                   \___ \| |/ / | | | '_ \ / _ \ __| \ \ / /___ \                     #
#                   ____) |   <| |_| | | | |  __/ |_   \ V / ___) |                    #
#                  |_____/|_|\_\\__, |_| |_|\___|\__|   \_/ |____/                     #
#                                __/ |                                                 #
#                               |___/                                                  #
#                                                        #
## - 5/11/2017 -           Asus Firewall Addition By Adamm v5.4.9                    #
##                   https://github.com/Adamm00/IPSet_ASUS                    #
#############################################################################################################


Whitelisting 8.8.8.8
Saving Changes

Skynet: [Complete] 152738 IPs / 3248 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 1333 Inbound / 156 Outbound Connections Blocked! [6s]

admin@192:/tmp/home/root# firewall whitelist list ips
#!/bin/sh
#############################################################################################################
#                    _____ _                     _           _____                     #
#                   / ____| |                   | |         | ____|                    #
#                  | (___ | | ___   _ _ __   ___| |_  __   _| |__                      #
#                   \___ \| |/ / | | | '_ \ / _ \ __| \ \ / /___ \                     #
#                   ____) |   <| |_| | | | |  __/ |_   \ V / ___) |                    #
#                  |_____/|_|\_\\__, |_| |_|\___|\__|   \_/ |____/                     #
#                                __/ |                                                 #
#                               |___/                                                  #
#                                                        #
## - 5/11/2017 -           Asus Firewall Addition By Adamm v5.4.9                    #
##                   https://github.com/Adamm00/IPSet_ASUS                    #
#############################################################################################################


8.8.8.8 comment "ManualWlist: Nov 06 16:02:41"
Saving Changes

Skynet: [Complete] 152738 IPs / 3248 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 1333 Inbound / 156 Outbound Connections Blocked! [8s]

 

[Butterfly Bones]

Are you sure the IP's were whiteisted and not just unbanned (or you haven't flushed the list since doing so). If it doesn't show up when using the list all function, then the whitelist entry doesn't exist. I can confirm when adding an IP it definitely shows up.

Yes, I kept a backup document with all the IPs listed and just re-added them and now they show. I just did not keep a doc of the whitelisted domains, I can remember one, and I only had 3-4, so they will show as blocked again and I will re-add them.

Just wondering how I deleted them all. I tend to use the CLI entries from the GitHub readme as my primary technique to manage the list, and not the menu.

 

[Protik]

Sorry for keep spamming.

I just found that in the status page of Skynet it says 0 Ranges Banned. for a while.

Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/pdas001

73699 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 362 Inbound / 12 Outbound Connections Blocked!

I found the last log entry for which the ranges are not zero. The log entries are,

Nov  5 11:17:55 Skynet: [Complete] 156110 IPs / 3466 Ranges Banned. 156110 New IPs / 3466 New Ranges Banned.  Inbound /  Outbound Connections Blocked! [6s]
Nov  5 11:18:00 rc_service: udhcpc 679:notify_rc start_firewall
Nov  5 11:18:00 dhcp_client: bound [MY IP] via [MY IP] during 600 seconds.
Nov  5 11:18:04 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Nov  5 11:18:04 Skynet: [Complete] 73699 IPs / 0 Ranges Banned. -82411 New IPs / -3466 New Ranges Banned.  Inbound /  Outbound Connections Blocked! [10s]

After this all ranges are zero. How can I troubleshoot this?

Thanks.

 

[Adamm]

Sorry for keep spamming.

I just found that in the status page of Skynet it says 0 Ranges Banned. for a while.

Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/pdas001

73699 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 362 Inbound / 12 Outbound Connections Blocked!

I found the last log entry for which the ranges are not zero. The log entries are,

Nov  5 11:17:55 Skynet: [Complete] 156110 IPs / 3466 Ranges Banned. 156110 New IPs / 3466 New Ranges Banned.  Inbound /  Outbound Connections Blocked! [6s]
Nov  5 11:18:00 rc_service: udhcpc 679:notify_rc start_firewall
Nov  5 11:18:00 dhcp_client: bound [MY IP] via [MY IP] during 600 seconds.
Nov  5 11:18:04 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Nov  5 11:18:04 Skynet: [Complete] 73699 IPs / 0 Ranges Banned. -82411 New IPs / -3466 New Ranges Banned.  Inbound /  Outbound Connections Blocked! [10s]

After this all ranges are zero. How can I troubleshoot this?

Thanks.

I have a feeling this may be due to curl timeouts. I've just pushed a version so that curl will attempt to download everything 3 times before moving on and considering the download failed.

Let me know if this works, to apply the change issue a forced update;

sh /jffs/scripts/firewall update -f

Wait around 60s for Skynet to reboot, then re-run banmalware and the missing entries should reappear;

sh /jffs/scripts/firewall banmalware

 

[Protik]

I have a feeling this may be due to curl timeouts. I've just pushed a version so that curl will attempt to download everything 3 times before moving on and considering the download failed.

Let me know if this works, to apply the change issue a forced update;

sh /jffs/scripts/firewall update -f

Wait around 60s for Skynet to reboot, then re-run banmalware and the missing entries should reappear;

sh /jffs/scripts/firewall banmalware

Thanks! The ranges reappeared.

Nov  5 23:35:45 Skynet: [INFO] Forcing Update
Nov  5 23:35:45 Skynet: [INFO] New Version Detected - Updating To v5.4.9... ... ...
Nov  5 23:35:51 Skynet: [INFO] Skynet Sucessfully Updated - Restarting Firewall
Nov  5 23:35:51 rc_service: service 21117:notify_rc restart_firewall
Nov  5 23:35:52 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Nov  5 23:35:52 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Nov  5 23:35:53 Skynet: [INFO] Startup Initiated... ( debug banmalware autoupdate usb=/tmp/mnt/pdas001 )
Nov  5 23:36:15 Skynet: [Complete] 73699 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [22s]
Nov  5 23:39:49 Skynet: [Complete] 147015 IPs / 3409 Ranges Banned. 73316 New IPs / 3409 New Ranges Banned. 1 Inbound / 0 Outbound Connections Blocked! [47s]

I will keep an eye on it and let you know if anything goes wrong.

 

[2992]

since v.5.4.9, after each router reboot, I get the following message:
0 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked!
and then I have to manually run [3] Banmalware for to get the firewall working properly:
Skynet: [Complete] 143130 IPs / 3407 Ranges Banned. 143130 New IPs / 3407 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [68s]

 

[Protik]

since v.5.4.9, after each router reboot, I get the following message:
0 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked!
and then I have to manually run [3] Banmalware for to get the firewall working properly:
Skynet: [Complete] 143130 IPs / 3407 Ranges Banned. 143130 New IPs / 3407 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [68s]

Kind of same issue here. In my case, the number of IPs are non zero, but the Ranges go zero after restart.

Nov  6 11:00:05 Skynet: [Complete] 80938 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 86 Inbound / 0 Outbound Connections Blocked! [5s]

Running manually [3] banmalware brings back the ranges.

Nov  6 12:45:59 Skynet: [Complete] 136239 IPs / 3219 Ranges Banned. 55301 New IPs / 3219 New Ranges Banned. 136 Inbound / 0 Outbound Connections Blocked! [42s]

 

[Adamm]

since v.5.4.9, after each router reboot, I get the following message:
0 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked!
and then I have to manually run [3] Banmalware for to get the firewall working properly:
Skynet: [Complete] 143130 IPs / 3407 Ranges Banned. 143130 New IPs / 3407 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [68s]

Kind of same issue here. In my case, the number of IPs are non zero, but the Ranges go zero after restart.

Nov  6 11:00:05 Skynet: [Complete] 80938 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 86 Inbound / 0 Outbound Connections Blocked! [5s]

Running manually [3] banmalware brings back the ranges.

Nov  6 12:45:59 Skynet: [Complete] 136239 IPs / 3219 Ranges Banned. 55301 New IPs / 3219 New Ranges Banned. 136 Inbound / 0 Outbound Connections Blocked! [42s]

I can't reproduce either of these issues. When banmalware runs (or any commands that add/remove entries) they save the ipset data to a file. A reboot shouldn't have any effect on this process simply because the local copy should be almost identical to whats stored in the ram.

Can you both post the output of;

sh /jffs/scripts/firewall debug info

And do either of you have any other scripts install / things a typical default setup wouldn't?

 

[Protik]

Yes, a typical default setup.

admin@RT-AC68U-DF28:/tmp/mnt/pdas001/entware/etc/lighttpd# sh /jffs/scripts/firewall debug info
#!/bin/sh
#############################################################################################################
#                               _____ _                     _           _____                               #
#                              / ____| |                   | |         | ____|                              #
#                             | (___ | | ___   _ _ __   ___| |_  __   _| |__                                #
#                              \___ \| |/ / | | | '_ \ / _ \ __| \ \ / /___ \                               #
#                              ____) |   <| |_| | | | |  __/ |_   \ V / ___) |                              #
#                             |_____/|_|\_\\__, |_| |_|\___|\__|   \_/ |____/                               #
#                                           __/ |                                                           #
#                                          |___/                                                            #
#                                                                                                           #
## - 5/11/2017 -                   Asus Firewall Addition By Adamm v5.4.9                                   #
##                                 https://github.com/Adamm00/IPSet_ASUS                                    #
#############################################################################################################


Router Model; RT-AC68U
Skynet Version; v5.4.9 (5/11/2017)
iptables v1.4.14 - (eth0 @ 192.168.2.1)
ipset v6.32, protocol version: 6
FW Version; 380.68_4 (Oct 4 2017) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/pdas001/skynet (1.3G / 1.8G Space Available)
SWAP File; /tmp/mnt/pdas001/ptkswap.swp (256.3M)
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/pdas001
No Lock File Found

Checking Install Directory Write Permissions...         [Passed]
Checking Firewall-Start Entry...                        [Passed]
Checking OpenVPN-Event Entry...                         [Passed]
Checking CronJobs...                                    [Passed]
Checking IPSet Comment Support...                       [Passed]
Checking Log Level 5 Settings...                        [Passed]
Checking Autobanning Status...                          [Passed]
Checking Debug Mode Status...                           [Passed]
Checking For Duplicate Rules In RAW...                  [Passed]
Checking For Duplicate Rules In Filter...               [Passed]
Checking Skynet IPTable...                              [Passed]
Checking Whitelist IPSet...                             [Passed]
Checking BlockedRanges IPSet...                         [Passed]
Checking Blacklist IPSet...                             [Passed]
Checking Skynet IPSet...                                [Passed]

Skynet: [Complete] 136240 IPs / 3219 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 770 Inbound / 23 Outbound Connections Blocked! [4s]

 

[Adamm]

Yes, a typical default setup.

Does this issue happen after every reboot / can you reproduce it?

 

[2992]

Does this issue happen after every reboot / can you reproduce it?

yes, it happens after each reboot (I have my router set to reboot every night.)
Skynet+ABSolution+DNSCrypt.
It happens only with this version, it didn't happened before.
This is how it looks right after reboot (was rebooted couple of hours ago):

#!/bin/sh
#############################################################################################################
#                    _____ _                     _           _____                     #
#                   / ____| |                   | |         | ____|                    #
#                  | (___ | | ___   _ _ __   ___| |_  __   _| |__                      #
#                   \___ \| |/ / | | | '_ \ / _ \ __| \ \ / /___ \                     #
#                   ____) |   <| |_| | | | |  __/ |_   \ V / ___) |                    #
#                  |_____/|_|\_\\__, |_| |_|\___|\__|   \_/ |____/                     #
#                                __/ |                                                 #
#                               |___/                                                  #
#                                                        #
## - 5/11/2017 -           Asus Firewall Addition By Adamm v5.4.9                    #
##                   https://github.com/Adamm00/IPSet_ASUS                    #
#############################################################################################################


Router Model; R7000
Skynet Version; v5.4.9 (5/11/2017)
iptables v1.4.14 - (vlan2 @ 192.168.3.1)
ipset v6.32, protocol version: 6
FW Version; 380.68_4 (Oct 10 2017) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/abs/skynet (1.7G / 1.8G Space Available)
Boot Args; /jffs/scripts/firewall start banmalware autoupdate usb=/tmp/mnt/abs
No Lock File Found

Checking Install Directory Write Permissions...        [Passed]
Checking Firewall-Start Entry...            [Passed]
Checking OpenVPN-Event Entry...                [Passed]
Checking CronJobs...                    [Passed]
Checking IPSet Comment Support...            [Passed]
Checking Log Level 5 Settings...            [Passed]
Checking Autobanning Status...                [Passed]
Checking Debug Mode Status...                [Failed]
Checking For Duplicate Rules In RAW...            [Passed]
Checking For Duplicate Rules In Filter...        [Passed]
Checking Skynet IPTable...                [Passed]
Checking Whitelist IPSet...                [Passed]
Checking BlockedRanges IPSet...                [Passed]
Checking Blacklist IPSet...                [Passed]
Checking Skynet IPSet...                [Passed]

Skynet: [Complete] 0 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [1s]

and then I ran Banmalware:

[1-2]: 1

Downloading filter.list     [0s]
Whitelisting Shared Domains     [20s]
Consolidating Blacklist     [9s]
Saving Changes             [0s]
Removing Previous Malware Bans  [0s]
Filtering IPv4 Addresses     [4s]
Filtering IPv4 Ranges         [1s]
Applying Blacklists         [9s]

For False Positive Website Bans Use; ( sh /opt/bin/firewall whitelist domain URL )

Skynet: [Complete] 145320 IPs / 3179 Ranges Banned. 145320 New IPs / 3179 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [54s]

 

[Adamm]

yes, it happens after each reboot (I have my router set to reboot every night.)

What time do you have it set to reboot? Skynet forces a save at the top of every hour. So you could possibly rebooting as this is happening and corrupting the ipset.txt file

Can you also test if this happens when you manually reboot

 

[2992]

What time do you have it set to reboot? Skynet forces a save at the top of every hour. So you could possibly rebooting as this is happening and corrupting the ipset.txt file

Can you also test if this happens when you manually reboot

around 5:00 am, but that makes no difference, as when I manually reboot the router at anytime, I encounter that issue.

 

[Adamm]

around 5:00 am, but that makes no difference, as when I manually reboot the router at anytime, I encounter that issue.

What does the following output (after there are IP's actively being blocked via running banmalware or whatnot);

wc -l /tmp/mnt/abs/skynet/scripts/ipset.txt

and

{ ipset save Whitelist; ipset save Blacklist; ipset save BlockedRanges; ipset save Skynet; } | wc -l

 

[2992]

What does the following output (after there are IP's actively being blocked via running banmalware or whatnot);

wc -l /tmp/mnt/abs/skynet/scripts/ipset.txt

and

{ ipset save Whitelist; ipset save Blacklist; ipset save BlockedRanges; ipset save Skynet; } | wc -l

I think what happens is that Banmalware doesn't run anymore right after reboot, as before this Skynet version, I could see in the log the Skynet message every hour (assuming the router rebooted 5am, the skynet was starting fine and the message was every hour, 6am, 7am, etc), but now, after reboot, I cannot see that message anymore, for example, the router reboots at 5, then there is no message anymore until I manually run the Banmalware. After that, the message is back there every hour... until next reboot.

(PS: besides DNSCrypt, Skynet and ABS, I also have OpenVPN client set to run at boot.)

Anyways, this is 10 minutes after I've manually rebooted the router:
- in the router log I've seen:

Skynet: [Complete] 0 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [61s]

- then I run the codes you've posted, and:

wc -l /tmp/mnt/abs/skynet/scripts/ipset.txt
47 /tmp/mnt/abs/skynet/scripts/ipset.txt

- and

{ ipset save Whitelist; ipset save Blacklist; ipset save BlockedRanges; ipset save Skynet; } | wc -l
47

Then I run Banmalware manually (I ran it twice, as after first run I've only got few IPs reported:"Skynet: [Complete] 313 IPs / 0 Ranges Banned. 313 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [39s]"), and after couple of minutes:
- in the router log

Skynet: [Complete] 148431 IPs / 3373 Ranges Banned. 148118 New IPs / 3373 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [60s]
Skynet: [Complete] 148431 IPs / 3373 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [7s]

- and

wc -l /tmp/mnt/abs/skynet/scripts/ipset.txt
151844 /tmp/mnt/abs/skynet/scripts/ipset.txt

- and

{ ipset save Whitelist; ipset save Blacklist; ipset save BlockedRanges; ipset save Skynet; } | wc -l
151844

Note/Bonus: after last Skynet update, my Dropbox client on computer doesn't want to connect/sync anymore, but I am not 100% sure whether it's because of Skynet or not, even if I did no other changes to my network or computer since before last Skynet update. However, Dropbox client can connect & sync perfectly fine on my other WiFi network/router, so that's a good enough workaround for now.