Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

Firehol now hosts the lists locally and I updated the filter list accordingly.

 

[Mikiya]

Hello
Maybe i use it the wrong way, but when i want to use a custom url to get lists (i selected some lists from Firehol), it parse it without errors, but i can find all urls from my list in /jffs/shared-Skynet-whitelist... Lists selected are to be banned, not whitelist :/
Thanks

 

[thelonelycoder]

Hello
Maybe i use it the wrong way, but when i want to use a custom url to get lists (i selected some lists from Firehol), it parse it without errors, but i can find all urls from my list in /jffs/shared-Skynet-whitelist... Lists selected are to be banned, not whitelist :/
Thanks

All shared-*-whitelist are created to share the domains that the script uses with other scripts so they don't accidentally block each other from downloading content they need to run.
I introduced this method a little while ago and @Adamm picked it up right away.
These whitelists are only used by other scripts, never by itself.
The discussion we had is here:
https://www.snbforums.com/threads/what-blocking-scripts-to-install.40087/

 

[thelonelycoder]

Lists selected are to be banned, not whitelist :/

To add to the above post:
The shared-Skynet-whitelist are domains used by Skynet to be whitelisted by other scripts.
The shared-Skynet2-whitelist are user-added domains to be whitelisted by other scripts.

 

[Mikiya]

Thanks for the explanations !
Ok so it's not a problem. The other point of "concern" is the port scanning... I used IP_BLOCK.sh before and it efficiently blocks port scanning, but with Skynet, online tools and nmap are not blocked, is it normal ?

 

[Adamm]

Hello
Maybe i use it the wrong way, but when i want to use a custom url to get lists (i selected some lists from Firehol), it parse it without errors, but i can find all urls from my list in /jffs/shared-Skynet-whitelist... Lists selected are to be banned, not whitelist :/
Thanks

I assume you want to create your own banmalware filter list, in which case you would use the following command replacing the URL at the end;

sh /jffs/scripts/firewall banmalware google.com/filter.list

Please also make sure your list is in the same format as the original here.

EDIT; Just re-read your post. As @thelonleycoder mentioned, the Skynet whitelist files are generated automatically for other scripts to use.

 

[Mikiya]

Yes i use the same format.
Your tool looks great, thanks for your big work !
Do you know why port scans are not blocked ?

 

[Adamm]

Do you know why port scans are not blocked ?

The SPI firewall is working on my end, every port scanning tool I could find came back with expected results. Not only this but Skynet doesn't modify the default SPI rules, it just makes the bans permanent.

 

[Mikiya]

By "SPI firewall", do you mean Trendnet DPI engine ? I have Firewall and DOS protection enabled and do not see any other options to enable.
By expected results, do you mean "all filtered" ? (even port actually opened ?)

 

[Adamm]

By "SPI firewall", do you mean Trendnet DPI engine ?

The SPI firewall is what gets turned on when you enable the firewall option, if you read the wiki article linked above it will explain what it does in greater detail.

The firewall is configured to distinguish legitimate packets for different types of connections. Only packets matching a known active connection are allowed to pass the firewall. Stateful packet inspection (SPI), also referred to as dynamic packet filtering, is a security feature often included in business networks.

By expected results, do you mean

Yes the probes are blocked which is the behavior you would expect.

 

[Mikiya]

I don't know why port scanning tool can scan and find my open ports without being blocked and banned
With IPSET_Block.sh it was ok but now without this script (in conflict with yours so i removed it) it's not protected...

 

[Adamm]

I don't know why port scanning tool can scan and find my open ports without being blocked and banned
With IPSET_Block.sh it was ok but now without this script (in conflict with yours so i removed it) it's not protected...

Can you give me an example of output you are getting before and after (and what you are using to preform these tests).

The other script you are referring to is literally just another user "rewriting" a 6 month old version of Skynet, there is no additional functionality.

 

[Mikiya]

For example, on http://www.inoculer.com/scannerdeports.php , with 80 and 443 opened :
Before (with IPSET_Block.sh) i get all ports "filtered"
After (with Skynet) i get all filtered except ports 80 and 443 "opened"

 

[Adamm]

For example, on http://www.inoculer.com/scannerdeports.php , with 80 and 443 opened :
Before (with IPSET_Block.sh) i get all ports "filtered"
After (with Skynet) i get all filtered except ports 80 and 443 "opened"

Are you sure you don't have some other IPTables rules interfering with this? I just ran the exact same test on a fresh install and all ports were shown as hidden.

 

[Mikiya]

Arg ! The only rule i added manually in firewall-start is a rule to block imcp type 13, nothing else...
Do you have NAT rules for ports 443 and 80 ?
These ports are opened and routed to my internal server, so thery are really opened, and they have NAT rules for them. But i think IPSET_Block.sh bans IPs if they try to use ports not opened (so here before testing 80 or 443), i don't know if Skynet do the same.
Thanks for your help

 

[Mikiya]

PS : i confirm the algo of IPSET_BLOCK that blocks IPs when they tried to use closed port :

"Dynamically block unsolicited access attempts using IPSETs. Useful if you have opened ports >1024 as hopefully hackers will start their attempts at the more common ports e.g. 22,23 etc. so will be banned BEFORE they reach your port!"

Does Skynet do the same ? or does it rely on list only ?

 

[Adamm]

Does Skynet do the same ? or does it rely on list only ?

That script is literally a copy and paste of a 6 month old version of Skynet with some modifications, non really changing overall functionality.

Skynet simply piggybacks off the existing IPTables firewall implementation and modifys it to work in conjunction with IPSet.

 

[Mikiya]

Ok so i do not understand the differences ... I will try to uninstall Skynet and delete all "boot" scripts to restart from scratch to see if i can get the same behavior, i love the idea of banning IPs if they try to reach a closed port.

 

[Mikiya]

I give up... I reinstall Skynet from scratch and reboot to have a clean session, but scan ports are still not banned... Thanks for your help anyway

 

[Martineau]

That script is literally a copy and paste of a 6 month old version of Skynet with some modifications, non really changing overall functionality.

@Mikiya requested the latest version of my script yesterday and offered an insight into the current discussion/comparision between the scripts.

So before you unfairly continue to imply gross plagiarism with intent:

Firstly, this most definitely wasn't a case of lazy copy'n'paste - literally or should I post your original to prove it?
Secondly, clearly I rewrote the compatible script in direct response to a user request, as the original script seemingly had lain dormant for months - plus it didn't always work; which I corrected.

NOTE: Scripts using ipsets for the same purpose are availble to copy'n'paste from the web (published 2011), so perhaps that is where you copied the script/idea from?

However, as you can see, I duly gave full credit to you in your abscence.

So quite why you would be so very snidely dismissive in public prompts me to respond and evidently this paints a different picture

So I wonder where the unique idea for providing the reporting statistics and the useful feature to incorporate 'speedguide.net' (to assist the user to understand the ports etc.) first appeared?
Bit of a coincidence that this feature suddenly appears to have magically been copy'n'pasted into your script?

I'll let others judge if the false cameraderie of the naff 'Hi bud' salutation shows your true hypocritical nature (having examined my script) to self-justify you blatently lifting my code/ideas without credit?

P.S. The current version of my script does still contain several unique features that I have developed since the version I created as a courtesy back in March.

As @Mikiya states, the two scripts now have differing goals, with mine coexisting and openly relying on the appropriate protection features provided by the sterling efforts of additional community scripts such as ya-malware-block.sh and iblocklist-loader-v2.sh etc.

Finally, I would like to believe that I have provided several original scripts that have benefited the forum, without the need to sarcastically whine about the scripting efforts of others who reuse my code.

So I'll let the mods decide my fate, but I want to make it clear that I find your insinuations extremely offensive.