Skynet - Router Firewall & Security Enhancements


Is this something Broadcom is aware of and plans to fix? Seems like a pretty significant flaw introduced.

I assume Asus discussed it with them already. I don't have any other info.
 
@Adamm sorry for bothering you again but I've seen a weird issue again.

I have had a ZyXEL NSA 325 for years and I've also been using Skynet for about 6 months. There were no problems, but since this morning my NAS couldn't get an IP address from my router, and I've figured out why:

Code:
Nov 25 10:42:21 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:c8:6c:87:6f:5b:b9:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=27749 PROTO=UDP SPT=68 DPT=67 LEN=556
Nov 25 10:42:25 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:c8:6c:87:6f:5b:b9:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=27750 PROTO=UDP SPT=68 DPT=67 LEN=556

Skynet only blocks the DHCP packets of the NAS; my other devices can get an IP address, which seems weird :)

I've tried unbanning port 67 but it didn't work. When I disable Skynet, the NAS can get an IP address.

Update: I've rebooted the router. Some of my devices can get an IP address, some can't. They all get their IP address from the router.

For example, my PC can access the internet, but I can't see it on the router's DHCP releases page.

Update 2: I've fixed it by unbanning 255.255.255.255

Code:
Exact Matches;
https://iplists.firehol.org/files/hphosts_emd.ipset - 255.255.255.255

Banning the broadcast address is a really great idea.
 

My internet connection is currently down, but once it's back up and running I will filter this address out automatically in the script (it was added by the new filter lists I added yesterday). Thanks for debugging it.
 
It seems this crashed my network last night as well.
Completely blocked access to my router from LAN and killed DHCP.
Had to reboot without USB, unbanned 255.255.255.255 as well and all seems good again. I would have never found this myself.
 

Sorry about that, I've reverted the filter.list changes until my internet is up and running again to push the new update.
 
I got bit overnight as well. Woke up to no internet. Rebooted and ran firewall restart immediately and got it back before the new ban lists got me again. :D
Code:
Nov 25 02:00:08 Skynet: [Complete] 163786 IPs / 1990 Ranges Banned. 1 New IPs / 0 New Ranges Banned. 1049 Inbound / 63 Outbound Connections Blocked! [8s]
Nov 25 02:25:50 Skynet: [Complete] 204875 IPs / 1914 Ranges Banned. 41089 New IPs / -76 New Ranges Banned. 1081 Inbound / 63 Outbound Connections Blocked! [49s]
Nov 25 07:40:48 Skynet: [Complete] 146677 IPs / 1919 Ranges Banned. -58199 New IPs / 5 New Ranges Banned. 1508 Inbound / 71 Outbound Connections Blocked! [42s]
 

Was affected by this here too. Woke up in the morning and found that none of my devices could get to DNS. Luckily one of the devices connected to the router was not affected. So did a banmalware and everything was fixed in no time.
 
Does Importing an IP List add that list to the filter.list, so it's also updated when the banmalware gets updated?
 

No, this feature is independent and will only be updated each time you execute it
 
When I play with the Skynet menus, nearly all menus log out after completing a function instead of going back into the main menu. Can that be changed so that after doing "something" you end up back in the main menu instead of at your telnet cursor?

By now I can also envision a new app called "SNB Menu" pulling all this stuff together, putting all the scripts and installers in one place, which would save a lot of notes and separate sessions, something like:
----------------------------------------------------------------------
Welcome to the SNBforum Merlin firmware addition menu, what would you like to do today?

1. Download and install Skynet
2. Download and install ab-solution
3. Open Skynet
4. Open ab-solution
5. Update pixelserv
6. Update this menu
7. Exit

Please select input: (1-7)
----------------------------------------------------------------------
 
Piece of cake.
I'll get to it later, hosted on GitHub so all can contribute.
 

I've added your first suggestion about the Skynet menu, it won't go live though until my internet is running again (36 hour suburb wide outage and counting).

The second suggestion seems simple enough, I'll leave it to @thelonelycoder for the time being due to my situation and push commits to it if/when necessary.
 
Great.
Just to clarify, the pixelserv script is the @kvic script for updating to or reverting from the latest beta.

Code:
sh -c "$(wget -qO - https://kazoo.ga/pixelserv-tls/install-beta.sh)"
 
It might be that pulling a beta is a bad idea if someone needs a menu to get this far.
 
@Raphie I've pushed v5.5.5 with your suggestion among some other small changes.

Convert line endings on all downloaded files
Add missing dns whitelist entries
Only report failed on autoban and debug mode if feature enabled
Improve PrivateIP Filtering
Improve NTP Check
Reload Menu When Completing Operation

As for the issue we had with the broadcast IP being blocked from the newly added lists yesterday, I've hardcoded a fix so this never occurs again, and am also working with @thelonelycoder on a better solution for these DNS based security lists that when converted to IPs were causing false positives due to shared hosting servers etc. No ETA but expect to hear more about this in future resulting in both less false positives and more integration with his great script.
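
The failure discussed in this thread (a third-party list carrying 255.255.255.255, which then blocked DHCP broadcasts) can be prevented by sanitizing list entries before they are banned. The following is an added example, not Skynet's code and not part of any post; the function name `filter_blocklist` and the chosen set of reserved ranges are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Skynet's code): sanitize a downloaded blocklist before
# it is loaded into ipset, so reserved addresses can never be banned.

# stdin: one IPv4 address or CIDR range per line; stdout: entries safe to ban.
filter_blocklist() {
    tr -d '\r' | awk '
    function ip2int(ip,    o, i) {
        if (split(ip, o, ".") != 4) return -1
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return -1
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN {
        # Assumed never-ban set: this-network, RFC 1918, loopback, link-local,
        # multicast, and 240.0.0.0/4 (which contains 255.255.255.255).
        n = split("0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4", r, " ")
        for (k = 1; k <= n; k++) {
            split(r[k], p, "/")
            rlo[k] = ip2int(p[1])
            rhi[k] = rlo[k] + 2 ^ (32 - p[2]) - 1
        }
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    {
        m = split($1, e, "/")
        bits = (m == 2) ? e[2] : 32
        lo = ip2int(e[1])
        if (m > 2 || lo < 0 || bits !~ /^[0-9]+$/ || bits + 0 > 32) {
            print "dropped (malformed): " $1 > "/dev/stderr"
            next
        }
        # Expand the entry to [lo, hi] and drop it if it overlaps any
        # reserved range, even partially (e.g. 0.0.0.0/0 or 192.168.0.0/15).
        size = 2 ^ (32 - bits)
        lo -= lo % size
        hi = lo + size - 1
        for (k = 1; k <= n; k++)
            if (lo <= rhi[k] && hi >= rlo[k]) {
                print "dropped (overlaps " r[k] "): " $1 > "/dev/stderr"
                next
            }
        print $1
    }'
}
```

Piping a downloaded list through `filter_blocklist` before the ipset load keeps a single bad upstream entry from cutting off DHCP or LAN access; the dropped entries and the reason for each go to stderr for review.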
 
@Adamm

I think your menu refresh is happening too quickly. When I check Debug Options / Print Debug Info - it flashes by too quickly and returns to the menu. If I do it again it just exits to the prompt. :(
 
Ha! I was just coming to report the same thing! It needs a pause after the screen info is printed.
 

Thanks for pointing out that flaw, damn you guys :p

For the time being on the first attempt you can just scroll up to see the result, I'll work on a real fix shortly.
 
