Skynet - Router Firewall & Security Enhancements

I see that the source is from an internal IP address on my ISP network and the destination is my WAN CGNAT (I hate this :( but I don't have a choice)... My log sometimes gets flooded with this same information.


These are just invalid packets being picked up by the SPI firewall. You can disable invalid logging in settings if the spam is an issue for you.
 
Thx, I just wanted confirmation that there was nothing wrong with my ISP.
 
I had banned countries - N Korea, Russia and China.
All been fine for ages, and still is.
I recently went through a load of pain - not Skynet's fault.
I bought a Mi Robot Vacuum, and to get that unbanned so it would work (as it is internet connected and smart etc. etc.) was a heap of trouble.
I watched the blocks, added an allowed IP, then another, and another; I think I got to over 20 IPs before just giving up and allowing China again, and it was all fine.
No idea how many I would have had to do to complete it, then they could have changed it on their end and more work.
Just a heads up for anyone that blocks China and then buys one of these.
 
That's to be expected, unfortunately, when blanket banning millions of IPs from a particular country. Beyond unbanning China like you did, your best bet would be to try to see if the company in particular has its IP space publicly listed.
 
So, I've installed successfully. One question: how do I know it's actually working?
 
Code:
sh /jffs/scripts/firewall debug info

Sorry for the noob question but does this look correct? I noticed " Checking For Diversion Plus Content... [Failed]" and " Checking Log Invalid Setting... [Disabled]"

Code:
Router Model; RT-AC86U
Skynet Version; v6.4.5 (15/09/2018)
iptables v1.4.15 - (eth0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
FW Version; 384.6_0 (Jul 25 2018) (4.1.27)
Install Dir; /tmp/mnt/RT-AC68U/skynet (25.2G / 28.7G Space Available)
SWAP File; /tmp/mnt/RT-AC68U/myswap.swp (2.0G)
Boot Args; /jffs/scripts/firewall start skynetloc=/tmp/mnt/RT-AC68U/skynet
No Lock File Found

[i] Checking Install Directory Write Permissions...    [Passed]
[i] Checking Firewall-Start Entry...            [Passed]
[i] Checking Services-Stop Entry...            [Passed]
[i] Checking CronJobs...                [Passed]
[i] Checking IPSet Comment Support...            [Passed]
[i] Checking Log Level 5 Settings...            [Passed]
[i] Checking For Duplicate Rules In RAW...        [Passed]
[i] Checking Inbound Filter Rules...            [Passed]
[i] Checking Inbound Debug Rules            [Passed]
[i] Checking Outbound Filter Rules...            [Passed]
[i] Checking Outbound Debug Rules            [Passed]
[i] Checking Whitelist IPSet...                [Passed]
[i] Checking BlockedRanges IPSet...            [Passed]
[i] Checking Blacklist IPSet...                [Passed]
[i] Checking Skynet IPSet...                [Passed]
[i] Checking For Diversion Plus Content...               [Failed]

[i] Checking Autoupdate Setting...            [Enabled]
[i] Checking Auto-Banmalware Update Setting...        [Enabled]
[i] Checking Debug Mode Setting...            [Enabled]
[i] Checking Filter Traffic Setting...            [Enabled]
[i] Checking Unban PrivateIP Setting...            [Enabled]
[i] Checking Log Invalid Setting...            [Disabled]
[i] Checking Ban AiProtect Setting...            [Enabled]
[i] Checking Secure Mode Setting...            [Enabled]

[#] 124283 IPs (+0) -- 1905 Ranges Banned (+0) || 295 Inbound -- 0 Outbound Connections Blocked! [debug] [0s]
 
Both warnings are fine. The first is additional content for Diversion (known as "plus" content). The second is additional logging which isn't required (which is why the setting is yellow, not red).
 
Excellent, thank you for your reply. Great to know.
 
Checking for Diversion Plus Content: after installing Skynet, it can share your whitelist with Diversion. Open Diversion and you will be prompted. If I recall correctly, choose b followed by 1 to enable in Diversion. When it's done, you'll see a + sign after your blocking file type, indicating that they're sharing data now.

Checking Log Invalid Setting [Disabled]: this is an optional setting; when enabled, it will show packets intercepted as INVALID in syslog as well.

Edit: @Adamm types faster...
 
Done. It's now [Passed] in green ... thank you both for your guidance.
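
To pick out the lines of the debug output discussed above that need a second look, here is an added example (not part of Skynet and not from the original posts): a POSIX sh filter that lists every check not reporting [Passed] or [Enabled]. The function names are hypothetical, the sample lines are copied from the output posted above, and the handling of ANSI colour codes assumes the coloured statuses mentioned in the replies are emitted as escape sequences.

```shell
#!/bin/sh
# Added example, not Skynet code. Summarises `firewall debug info` output.

# Constructed sample: a few lines copied from the output posted in this thread.
sample_debug_output() {
cat <<'EOF'
Skynet Version; v6.4.5 (15/09/2018)
[i] Checking Firewall-Start Entry...            [Passed]
[i] Checking Inbound Debug Rules            [Passed]
[i] Checking For Diversion Plus Content...               [Failed]

[i] Checking Filter Traffic Setting...            [Enabled]
[i] Checking Log Invalid Setting...            [Disabled]
EOF
}

# Read debug output on stdin and print "STATUS|check name" for every
# check line whose status is neither [Passed] nor [Enabled].
skynet_attention_items() {
    esc=$(printf '\033')
    # Assumption: colours are ANSI escapes; strip them, and turn tabs into spaces.
    sed "s/${esc}\[[0-9;]*m//g" | tr '\t' ' ' |
    awk '
        /^\[i\] Checking / && match($0, /\[[A-Za-z]+\] *$/) {
            status = substr($0, RSTART, RLENGTH)   # trailing "[Status]"
            gsub(/[^A-Za-z]/, "", status)
            name = substr($0, 1, RSTART - 1)
            sub(/^\[i\] Checking /, "", name)
            sub(/[. ]+$/, "", name)                # drop "..." and padding
            if (status != "Passed" && status != "Enabled")
                print toupper(status) "|" name
        }'
}

# Count hard failures only: a [Disabled] setting is a choice, not a fault.
skynet_failed_count() {
    skynet_attention_items | awk -F'|' '$1 == "FAILED" { n++ } END { print n + 0 }'
}

# Demo on the constructed sample; on the router, pipe the real command in:
#   sh /jffs/scripts/firewall debug info | skynet_attention_items
sample_debug_output | skynet_attention_items
```
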
 
I have one of those bottom feeders as well. I wasn’t using Skynet when I first set it up so there was no issue. After Skynet was installed, I banned China and expected the vacuum to give me issues, but surprisingly it works fine. Just for safety's sake, I do have it isolated on a guest network. Do note, researchers have found out that these vacuums do send data back to the mothership, some expected such as telemetry etc. and some surprising such as your Wi-Fi password and apparently the scanned layout of your home.
 
:eek:

I have a (Dutch :D) add-on installed on my old (and countlessly revised by yours truly) iRobot Roomba 564 Pet, to make it wirelessly controllable and more 'intelligent', and it phones home continuously. After reading this I think I'd better do some capturing to see what it is actually communicating. Otherwise I might end up in the top 10 households covered in pet hair... If not already :oops:
 
I most definitely would if I had anything even close to your technical skills! :D

Just happened to check Skynet stats and just found out that it's been blocking some of my smart devices. Although I'm glad it is, I'm wondering why. I flashed these cheap China-made "smart" switches with custom firmware (Sonoff switches with Tasmota firmware) specifically to avoid these devices communicating with the cloud (I only need local control). And now I'm seeing that Skynet is blocking them... Hmm... Wonder what's up with that...

Time to use the search function of the board and some Google-fu to figure this out.
 
Hi, this is awesome stuff and it works for me. But only for a few hours, then somehow my USB stick's filesystem gets somehow garbled and the router can't mount it anymore. I tried it with ext2 and ext4. Maybe I missed something.
Any idea would be appreciated. Thanks
 
Sounds like a USB drive problem, could be failing; try another drive to eliminate the problem.
 
It's the 2nd drive I'm trying out. Could be bad luck though. Both ext2 and ext4 fail after a few hours. They work fine though if I connect them to the PC. Could it be the router, this particular USB port?
 