
Skynet - Router Firewall & Security Enhancements

Now I really need that elusive piece from Asus to test AB4 on it. I'm poor and have no money to spare, donations are welcome...

Is it available in your country? How much is it?
 
With the above being said, I have pushed v5.7.1

I have whitelisted some CDN providers as per request (Akamai/Highwinds/Amazon). There should also be some massive speed improvements for the AC86U as the previous fork() issues don't seem to be apparent anymore. From personal testing banmalware takes around 14s and saving 2s which is about x3 faster than the AC68U.

AC86U users be warned:

AC86U IPSet is currently unstable and may lead to random reboots when using banmalware. I suggest turning off auto-banmalware updates until this is addressed in the firmware itself.

5.7.1 keeps crashing my 86U even without auto-ban on the latest Merlin alpha. I'll keep investigating this evening.
 
With the above being said, I have pushed v5.7.1

I have whitelisted some CDN providers as per request (Akamai/Highwinds/Amazon). There should also be some massive speed improvements for the AC86U as the previous fork() issues don't seem to be apparent anymore. From personal testing banmalware takes around 14s and saving 2s which is about x3 faster than the AC68U.

AC86U users be warned:

AC86U IPSet is currently unstable and may lead to random reboots when using banmalware. I suggest turning off auto-banmalware updates until this is addressed in the firmware itself.
When I show whitelist All, I didn’t see those CDN provider IPs in the whitelist?
 
As for their comments about wildcards, well clearly they aren't familiar with how Skynet works and that it's only IP-based blocking, not DNS. Skynet simply performs a nslookup on the domain at the time of banning/unbanning/whitelisting and grabs the IPs that way.
That's what I thought. Thank you for confirming this (I'm still learning about all this).
 
5.7.1 keeps crashing my 86U even without auto-ban on the latest Merlin alpha. I'll keep investigating this evening.

The most common cause of crashing is the banmalware feature, not autobanning. Unfortunately it's completely out of my hands, so we will have to wait until a fix is out (fyi please don't bug merlin about this - guy has enough on his plate as is)

I personally found just not using banmalware was enough to keep things stable (IPSet's restore command seems to hate it and force a reboot). But for AC86U users who aren't so lucky and wish to downgrade to the previous release, you can do so via;

Code:
/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/3aa950f26479345c474d14c11b26699f92d2ab8e/firewall.sh" -o "/jffs/scripts/firewall" && chmod +x /jffs/scripts/firewall
 
When I show whitelist All, I didn’t see those CDN provider IPs in the whitelist?

Running banmalware or restarting Skynet should trigger the whitelist refresh. You could also use the following command;

Code:
sh /jffs/scripts/firewall whitelist refresh
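
As described earlier in this thread, Skynet resolves a domain with nslookup once, at ban/unban/whitelist time, so an entry holds only the IPs the name returned at that moment. The following is an added example, not Skynet's code, that compares the IPs stored for a domain with what the name resolves to now; the function names, `cdn.example.test` and the BusyBox-style nslookup output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Skynet's code. All names and sample data are constructed.

# Read nslookup output on stdin and print the IPv4 answers, one per line.
# Only "Address" lines after the "Name:" line count, which skips the
# resolver's own address printed in the header.
answer_ips() {
    awk '
        /^Name:/ { in_answer = 1; next }
        in_answer && /^Address/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; break }
        }
    ' | sort -u
}

# Print the lines of file $1 that do not appear in file $2 (either may be empty).
only_in() {
    awk -v other="$2" '
        BEGIN { while ((getline line < other) > 0) seen[line] = 1 }
        !($0 in seen)
    ' "$1"
}

# $1 = IPs recorded when the domain was whitelisted, $2 = IPs it resolves to now.
# "stale"   = still in the stored set, no longer served by the name.
# "missing" = served by the name now, absent from the stored set.
drift() {
    only_in "$1" "$2" | sed 's/^/stale /'
    only_in "$2" "$1" | sed 's/^/missing /'
}

# Constructed nslookup output for a hypothetical CDN name (documentation IP ranges).
sample() {
    printf '%s\n' 'Server:    192.168.1.1' 'Address 1: 192.168.1.1' '' \
        'Name:      cdn.example.test' "Address 1: $1" "Address 2: $2 edge.example.test"
}

demo() {
    tmp=$(mktemp -d) || return 1
    sample 192.0.2.10 198.51.100.4 | answer_ips > "$tmp/stored"   # at whitelist time
    sample 198.51.100.4 203.0.113.7 | answer_ips > "$tmp/now"     # a later lookup
    drift "$tmp/stored" "$tmp/now"
    rm -rf "$tmp"
}

demo
```

Any "missing" line is an address the CDN now serves that an IP-only whitelist built from the earlier lookup does not cover.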
 
Running banmalware or restarting Skynet should trigger the whitelist refresh. You could also use the following command;

Code:
sh /jffs/scripts/firewall whitelist refresh
Thx. That’s a Long list.. hehe.
 
Is it available in your country? How much is it?
It is, and Asus Switzerland declined a developer model. Price is about CHF 250.00.
 
Lowest price I could find for @thelonelycoder is at alternate.ch, where it costs CHF 242,90 which is about USD 260.
That one is new to me. Appears German-based. Customs duties apply, we are not EU members.
I'd rather have a supplier here, for warranty reasons.
 
Just choose the list u like from iplists.firehol.org.
Take the link of the “local copy” and paste them to pastebin.
Use the raw link from pastebin and paste to the command below
(sh /jffs/scripts/firewall banmalware RawLinkHere) This Uses The Filter List From The Specified URL
I did not know whether a custom list should contain URLs of other lists (like you said), or URLs to block.

Learned something new! Thanks.
 
I did not know whether a custom list should contain URLs of other lists (like you said), or URLs to block.

Learned something new! Thanks.
A list of URLs
 
The most common cause of crashing is the banmalware feature, not autobanning. Unfortunately it's completely out of my hands, so we will have to wait until a fix is out (fyi please don't bug merlin about this - guy has enough on his plate as is)

I personally found just not using banmalware was enough to keep things stable (IPSet's restore command seems to hate it and force a reboot). But for AC86U users who aren't so lucky and wish to downgrade to the previous release, you can do so via;

Code:
/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/3aa950f26479345c474d14c11b26699f92d2ab8e/firewall.sh" -o "/jffs/scripts/firewall" && chmod +x /jffs/scripts/firewall
5.7.0 works fine. Thanks!
 
That one is new to me. Appears German-based. Customs duties apply, we are not EU members.
I'd rather have a supplier here, for warranty reasons.

Alternate has shops and online warehouses throughout Europe, so they might just ship from within Switzerland (not sure, didn't look further), but if I order something from alternate.nl they just ship from within the Netherlands. An alternative, based in Geneva, for (basically) the same price: https://www.1000ordi.ch/asus-rt-ac86u-90ig0401-bm3000-105968.html?lang=EN

Edit: seems you're right about Alternate.ch. Found some old (dated back in 2013) messages that Alternate...
still no warehouse / shipping center in Switzerland, even now
So warranty might be an issue. About custom duties, I don't know, as they do have a Swiss online store and I think they're obligated to advertise with the total price. But warranty is definitely a dealbreaker.
 
I installed it, but I get this during a test:

Router Model; RT-AC68U
Skynet Version; v5.7.1 (27/01/2018)
iptables v1.4.15 - (eth0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
FW Version; 384.3_alpha2-g5b8da38 (Jan 25 2018) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/ESD-USB/skynet (5.9G / 7.4G Space Available)
SWAP File; /tmp/mnt/ESD-USB/myswap.swp (1.0G)
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/ESD-USB
Lock File Detected (start debug banmalware autoupdate usb=/tmp/mnt/ESD-USB) (pid=17496)
Locked Processes Generally Take 20-60s To Complete And May Result In Temporarily "Failed" Tests

Checking Skynet IPTable... [Failed]
Checking Whitelist IPSet... [Failed]
Checking BlockedRanges IPSet... [Failed]
Checking Blacklist IPSet... [Failed]
Checking Skynet IPSet... [Failed]

What goes wrong?

With ps, I see:

17495 USERNAME 1452 S {firewall-start} /bin/sh /jffs/scripts/firewall-start eth0
17496 USERNAME 1748 S sh /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/ESD-USB
17575 USERNAME 3260 D /usr/bin/find /jffs /tmp/mnt
17576 USERNAME 1508 S grep -qE (IPSet_Block.sh|malware-filter|privacy-filter|ipBLOCKer.sh|ya-malware-block.sh|iblocklist-loader.sh|firewall-reinstate.sh)$
 
I installed it, but I get this during a test:

Router Model; RT-AC68U
Skynet Version; v5.7.1 (27/01/2018)
iptables v1.4.15 - (eth0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
FW Version; 384.3_alpha2-g5b8da38 (Jan 25 2018) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/ESD-USB/skynet (5.9G / 7.4G Space Available)
SWAP File; /tmp/mnt/ESD-USB/myswap.swp (1.0G)
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/ESD-USB
Lock File Detected (start debug banmalware autoupdate usb=/tmp/mnt/ESD-USB) (pid=17496)
Locked Processes Generally Take 20-60s To Complete And May Result In Temporarily "Failed" Tests

Checking Skynet IPTable... [Failed]
Checking Whitelist IPSet... [Failed]
Checking BlockedRanges IPSet... [Failed]
Checking Blacklist IPSet... [Failed]
Checking Skynet IPSet... [Failed]

What goes wrong?

With ps, I see:

17495 USERNAME 1452 S {firewall-start} /bin/sh /jffs/scripts/firewall-start eth0
17496 USERNAME 1748 S sh /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/ESD-USB
17575 USERNAME 3260 D /usr/bin/find /jffs /tmp/mnt
17576 USERNAME 1508 S grep -qE (IPSet_Block.sh|malware-filter|privacy-filter|ipBLOCKer.sh|ya-malware-block.sh|iblocklist-loader.sh|firewall-reinstate.sh)$


Locked Processes Generally Take 20-60s To Complete And May Result In Temporarily "Failed" Tests
 
Oops! Now, I see:


Router Model; RT-AC68U
Skynet Version; v5.7.1 (27/01/2018)
iptables v1.4.15 - (eth0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
FW Version; 384.3_alpha2-g5b8da38 (Jan 25 2018) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/ESD-USB/skynet (5.9G / 7.4G Space Available)
SWAP File; /tmp/mnt/ESD-USB/myswap.swp (1.0G)
Boot Args; /jffs/scripts/firewall start banmalware autoupdate usb=/tmp/mnt/ESD-USB

Jan 27 14:34:59 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Jan 27 14:34:59 Skynet: [INFO] Startup Initiated... ( banmalware autoupdate usb=/tmp/mnt/ESD-USB )
Jan 27 14:37:39 Skynet: [Complete] 0 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [160s]

It didn't work, but why?
 
Oops! Now, I see:


Router Model; RT-AC68U
Skynet Version; v5.7.1 (27/01/2018)
iptables v1.4.15 - (eth0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
FW Version; 384.3_alpha2-g5b8da38 (Jan 25 2018) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/ESD-USB/skynet (5.9G / 7.4G Space Available)
SWAP File; /tmp/mnt/ESD-USB/myswap.swp (1.0G)
Boot Args; /jffs/scripts/firewall start banmalware autoupdate usb=/tmp/mnt/ESD-USB

Jan 27 14:34:59 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Jan 27 14:34:59 Skynet: [INFO] Startup Initiated... ( banmalware autoupdate usb=/tmp/mnt/ESD-USB )
Jan 27 14:37:39 Skynet: [Complete] 0 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [160s]

It didn't work, but why?

What’s not working? Everything looks fine

I have turned it off on my AC86U, but how can I check whether it is fixed in future firmware updates?

I’ll be sure to announce it, I'm also sure Merlin will do the same in the changelog.
 
Found a (cosmetic) woopsie -

Code:
Select Debug Option:
[1]  --> Temporarily Disable Debug Output
[2]  --> Show Debug Entries As They Appear
[3]  --> Print Debug Info
[4]  --> Cleanup Syslog Entries
[5]  --> SWAP File Management

[1-4]:

Too few / many number? ;)
I also battle with that all the time. You copy over some code and modify it as a new function with everything working only to be ridiculed by that single oversight :eek:
I just found TWO while going through some additions I did yesterday. Always glad users pay attention!
 