Skynet - Router Firewall & Security Enhancements

So if you enable outbound blocking in skynet, does it only block sites that are listed in the "bad sites" list? I assumed it blocked everything and you have to open what you want. I have enabled the malware ban feature with the default list also.
Yes only the known malware IPs and IP ranges.
 
As far as I can tell, this is stopping the usb drive from being umounted.

I believe your issue lies somewhere else, perhaps remnants of another script. Judging by your posts in the amtm thread there seems to be a bigger issue at play in regards to unmounting. Might be a good time for a clean install to fix both issues which seem related.

Banned the WeMo switches (as a test) and the WeMo App could immediately no longer see them, even though my iPhone was on the same local network...

(Homekit/homebridge still could communicate with them though)

Poor design choice by the manufacturer requiring the device to phone home and not allow it to run independently from the local network. I'll look at making allowed ports customization in future as IOT is such a wide category.

Is there a command line way of doing the temp disable option? And in turn a way to re-enable?

Code:
sh /jffs/scripts/firewall disable

sh /jffs/scripts/firewall restart

These and other commands are all listed in the readme for future reference.

1) Is there a way to show the country in the stats? Specifically, I try to block countries and not IPs whenever possible. I use the country function to block, but when I look at stats to see what things have been blocked, it shows the IP and the link to alienvault, but it would be great if it showed the country. That way I could just add that country to the list and move on.

Yes and no. Most services limit the amount of requests you can make, the stats feature would max these limits almost instantly. For that reason we only identify the single IPs within the following command:

Code:
sh /jffs/scripts/firewall stats search ip x.x.x.x

2) Is there a way to tell skynet to block ALL countries except x? So basically a country whitelist? In my case, that would make it easier.

No and for good reason. Content is increasingly hosted in multiple locations for reliability. Adding such a feature would cause more problems than it solves.

4) Since I am new to skynet, is there anything I should definitely do or avoid? Just thinking any gotchas or must-haves that you guys may have learned along the way.

Skynet was designed to be as simple as possible for inexperienced users, but have the technical capacity for enthusiasts who decide to dig deeper. So long as you understand the concepts of blacklisting and whitelisting you should be fine. The fact you are even posting on these forums puts you right in Skynet's demographic :p


So if you enable outbound blocking in skynet, does it only block sites that are listed in the "bad sites" list? I assumed it blocked everything and you have to open what you want. I have enabled the malware ban feature with the default list also.

Skynet only blocks whatever you have specifically blacklisted, in this case all entries from the default banmalware filter.
 
Skynet only blocks whatever you have specifically blacklisted, in this case all entries from the default banmalware filter.

So if I turn on outbound blocking, where does the list of things it blocks come from? Does it rely on the AI features built into the firmware or is there another type of blacklist source? As you can probably tell, I am still very cautious with outbound blocking.

My question about a block all except whitelist countries was meant only for inbound blocking. I understand geo-redundancy and hosting services abroad, but I mean more on the lines of blocking all inbound requests outside of a certain country. Nobody from other countries needs to reach my router, for example.
 
I believe your issue lies somewhere else, perhaps remnants of another script. Judging by your posts in the amtm thread there seems to be a bigger issue at play in regards to unmounting. Might be a good time for a clean install to fix both issues which seem related.
This is a new install on a reset router. I also have an issue with the log being purged. I woke this morning to a system log that had only 3 lines. This didn't last long as the IoT blocking generates a lot of log traffic. Why would my log clear for no known reason?
 
Hi,

I installed amtm on my new router just the other day and installed skynet and diversion. They install okay and everything seemed to be working.

I just tried to open SkyNet to check something and it won't run. I get the following error message:

Code:
/jffs/scripts/firewall: line 1: arithmetic syntax error

Would an uninstall reinstall fix this?
 
Why would my log clear for no known reason?

Possibly it was rotated by the system to syslog-1

Would an uninstall reinstall fix this?

Looks like the file didn't download correctly (maybe has weird line endings?), replacing it should do the trick via any method.
 
Possibly it was rotated by the system to syslog-1



Looks like the file didn't download correctly (maybe has weird line endings?), replacing it should do the trick via any method.

Thanks for the reply. How do I delete Skynet without having to delete amtm?
 
Possibly it was rotated by the system to syslog-1



Looks like the file didn't download correctly (maybe has weird line endings?), replacing it should do the trick via any method.

Never mind, I just ran the install command again and that fixed it :)
 
Hey @Adamm I have been using the logger command and found that the system thinks the usb is unmounted and it isn't really. When I check dcl on amtm it says the usb drive was forced to remove. The entry in the logs during reboot is this:
Code:
Jan 29 09:47:22 XXXXXXXXX: UNMOUNTED
Jan 29 09:47:24 syslog: USB partition unmounted from /tmp/mnt/EXT2
May  4 23:05:03 syslogd started: BusyBox v1.25.1
This is right at the end of the log for the reboot. As you can see the date and time changes as the wan comes up and is restored. The usb statement by the system is literally the last thing before the router boots back up. The UNMOUNTED is a logger I used to determine that the umount script without other modification runs.
 
I know this is not your issue but it's information that may help figure this out. Stubby is trying to start twice moments before the power cycle in a reboot. Is this some kind of keep alive code to make sure Stubby runs?
 
@Adamm Does

Code:
Ban AiProtect

Block all features of AiProtection?

And what exactly does

Code:
[11] --> IOT Blocking          | [Disabled]

actually do? Block devices like, say, Google Home?
 
@Adamm Does

Code:
Ban AiProtect

Block all features of AiProtection?

And what exactly does

Code:
[11] --> IOT Blocking          | [Disabled]

actually do? Block devices like, say, Google Home?

No, it does not block AiProtection; on the contrary, it blacklists all the IPs that AI-P finds. Yes, IoT blocking can be used to block WAN access to devices.
 
You can run banmalware manually or wait

ok, thanks for teaching me new tricks - just posting this in case it's not fast enough :rolleyes:

Code:
96220 IPs (+0) -- 1379 Ranges Banned (+0) || 10154 Inbound -- 749 Out

[i] Downloading filter.list         | [0s]
[i] Refreshing Whitelists           | [3s]
[i] Consolidating Blacklist         | [16s]
[i] Filtering IPv4 Addresses        | [4s]
[i] Filtering IPv4 Ranges           | [0s]
[i] Applying New Blacklist          | [8s]
[i] Refreshing AiProtect Bans       | [1s]
[i] Saving Changes                  | [9s]

155736 IPs (+59516) -- 1696 Ranges Banned (+317) || 10157 Inbound -- 749 Out

I'm using diversion's small file, not the normal one, with about 6 of my URLs whitelisted.
 
Banmalware is just Skynet's IP address lists rather than Diversion's hostname lists.

I changed the cron time of Skynet banmalware from 2:25 AM to 3:25 AM and duration went from 171 seconds to 43 seconds.

Are there enough Eastern USA Skynet users all firing off at 2:25 AM EDT to slow the downloads? Who knows.
Code:
Jan 28 02:27:51 router Skynet: [#] 151871 IPs (+1568) -- 1490 Ranges Banned (-131) || 94 Inbound -- 0 Outbound Connections Blocked! [banmalware] [171s]
Jan 28 10:16:17 router Skynet: [#] 154012 IPs (+2141) -- 1657 Ranges Banned (+167) || 1101 Inbound -- 0 Outbound Connections Blocked! [banmalware] [14s]
Jan 28 13:51:25 router Skynet: [#] 153138 IPs (-874) -- 1667 Ranges Banned (+10) || 1495 Inbound -- 0 Outbound Connections Blocked! [banmalware] [20s]
Jan 29 03:25:43 router Skynet: [#] 155142 IPs (+2004) -- 1686 Ranges Banned (+19) || 3005 Inbound -- 0 Outbound Connections Blocked! [banmalware] [43s]
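
To compare run times like the ones in the post above before picking a cron slot, the following added example (not code from the thread or from the Skynet project) pulls the start time and duration out of Skynet's `[banmalware]` syslog lines. The function names and the 60-second "slow" threshold are assumptions; the sample lines are copied from the post.

```sh
#!/bin/sh
# Added example: summarise Skynet banmalware runs from syslog lines on stdin.
# Output per run: "<month> <day> <HH:MM> <seconds>s <OK|SLOW>"

banmalware_durations() {
    threshold="${1:-60}"    # seconds; assumed cut-off for a slow run
    awk -v max="$threshold" '
        / Skynet: / && /\[banmalware\]/ {
            # The duration is the last field, e.g. "[171s]"
            secs = $NF
            gsub(/[^0-9]/, "", secs)
            if (secs == "") next          # no numeric duration on this line
            flag = (secs + 0 > max + 0) ? "SLOW" : "OK"
            printf "%s %s %s %ds %s\n", $1, $2, substr($3, 1, 5), secs, flag
        }'
}

# Sample input: the four log lines quoted in the post above.
sample_log() {
    cat <<'EOF'
Jan 28 02:27:51 router Skynet: [#] 151871 IPs (+1568) -- 1490 Ranges Banned (-131) || 94 Inbound -- 0 Outbound Connections Blocked! [banmalware] [171s]
Jan 28 10:16:17 router Skynet: [#] 154012 IPs (+2141) -- 1657 Ranges Banned (+167) || 1101 Inbound -- 0 Outbound Connections Blocked! [banmalware] [14s]
Jan 28 13:51:25 router Skynet: [#] 153138 IPs (-874) -- 1667 Ranges Banned (+10) || 1495 Inbound -- 0 Outbound Connections Blocked! [banmalware] [20s]
Jan 29 03:25:43 router Skynet: [#] 155142 IPs (+2004) -- 1686 Ranges Banned (+19) || 3005 Inbound -- 0 Outbound Connections Blocked! [banmalware] [43s]
EOF
}

sample_log | banmalware_durations 60
```

On the router, feed it the system log instead of `sample_log`.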
 
changed the cron time of Skynet banmalware from 2:25 AM to 3:25 AM

could you lay out how to do this to us mere mortals :oops:

Code:
The following cron jobs are active (cru l):
____________________________________________________

 25 1 * * Mon sh /jffs/scripts/firewall update #Skynet_autoupdate#
 0 * * * * sh /jffs/scripts/firewall save #Skynet_save#
 25 2 * * Mon sh /jffs/scripts/firewall banmalware #Skynet_banmalware#
 00 3 * * Wed sh /opt/share/diversion/file/update-bf.div reset #Diversion_Updat#
 
could you lay out how to do this to us mere mortals :oops:
I actually just changed it again to 5:50 AM EDT with the idea that I do not want to align my downloads with bulk users in any time zones. Look at the cron with crontab -l and vi edit the cron with crontab -e.
Code:
# crontab -l
50 5 * * * sh /jffs/scripts/firewall banmalware #Skynet_banmalware#
25 1 * * Mon sh /jffs/scripts/firewall update #Skynet_autoupdate#
0 * * * * sh /jffs/scripts/firewall save #Skynet_save#
00 2 * * Wed sh /opt/share/diversion/file/update-bf.div reset #Diversion_UpdateBF#
20 5 * * * sh /opt/share/diversion/file/rotate-logs.div #Diversion_RotateLogs#
20 17 * * * diversion count_ads count #Diversion_CountAds#
30 1 * * Wed sh /opt/share/diversion/file/stats.div #Diversion_WeeklyStats#
Diversion command "cj" has a nice reference display
Code:
 The following cron jobs are active (cru l):
____________________________________________________

 50 5 * * * sh /jffs/scripts/firewall banmalware #Skynet_banmalware#
 25 1 * * Mon sh /jffs/scripts/firewall update #Skynet_autoupdate#
 0 * * * * sh /jffs/scripts/firewall save #Skynet_save#
 00 2 * * Wed sh /opt/share/diversion/file/update-bf.div reset #Diversion_UpdateBF#
 20 5 * * * sh /opt/share/diversion/file/rotate-logs.div #Diversion_RotateLogs#
 20 17 * * * diversion count_ads count #Diversion_CountAds#
 30 1 * * Wed sh /opt/share/diversion/file/stats.div #Diversion_WeeklyStats#
____________________________________________________

 |  |  |  |  |   |   command to run #job_name#   |
 .  .  .  .  ....... day-of-week
 .  .  .  .......... month
 .  .  ............. day-of-month
 .  ................ hour
 ................... minute     ( * = every ... )
 
Once I realized where the cron jobs list was,

/var/spool/cron/crontabs.30127

I simply edited it using WinSCP :cool:
 
Once I realized where the cron jobs list was,

/var/spool/cron/crontabs.30127

I simply edited it using WinSCP :cool:
Which won't survive a reboot. You'll have to do that after every reboot or script it. Add cru lines to delete and re-add the crontab with your preferences in firewall-start _after_ the firewall script is called.
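
The approach described in the last reply, as an added example (not code from the thread or from the Skynet project): a fragment for firewall-start that deletes and re-adds the banmalware job with a preferred time. It assumes the Asuswrt-Merlin `cru a` / `cru d` helper, the path `/jffs/scripts/firewall-start`, and the 5:50 schedule from the crontab listing above; `valid_schedule` and `reschedule_banmalware` are hypothetical helper names.

```sh
#!/bin/sh
# Added example (not part of Skynet): fragment for /jffs/scripts/firewall-start,
# to be placed after the line that calls the Skynet firewall script.

JOB_ID="Skynet_banmalware"                      # job name from the cron listings
JOB_CMD="sh /jffs/scripts/firewall banmalware"  # command from the cron listings

# Accept exactly five fields built from plain cron characters, so a typo
# (or stray shell metacharacters) never reaches the crontab.
valid_schedule() {
    echo "$1" | grep -Eq '^([0-9A-Za-z*,/-]+ ){4}[0-9A-Za-z*,/-]+$'
}

# Replace the banmalware job with one that runs on the given schedule.
reschedule_banmalware() {
    schedule="$1"
    if ! valid_schedule "$schedule"; then
        echo "refusing malformed schedule: $schedule" >&2
        return 1
    fi
    cru d "$JOB_ID"                          # drop the entry created at firewall start
    cru a "$JOB_ID" "$schedule $JOB_CMD"     # re-add it with the preferred time
    cru l | grep -q "#$JOB_ID#"              # succeed only if the job is listed
}

# Run only where cru exists (the router); 5:50 daily, as in the listing above.
if command -v cru >/dev/null 2>&1; then
    reschedule_banmalware "50 5 * * *"
fi
```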
 
