Skynet Skynet - Router Firewall & Security Enhancements

[ReDaLeRt]

In reference to forwarding all NTP traffic to a specific LAN address, this functionality is already included in Merlins firmware by forcing all NTP traffic to the local NTP server.

I see. But there is no option for a different IP address, as my network has NTP and DNS servers independently configured from the router.

This is also already included in the firmware via the "DNSFilter" feature.

My network has an independent DNS server, I'm not using this service on the asuswrt. Therefore, the need to setup the forward/redirect for those kinds of traffic, on those hardcoded devices.

Would be awesome to have those features for advanced network configurations.

Thanks.

 

[Adamm]

My network has an independent DNS server, I'm not using this service on the asuswrt. Therefore, the need to setup the forward/redirect for those kinds of traffic, on those hardcoded devices.

This can be done with DNSFilter if I'm not mistaken by using a custom filter + exception for the DNS server its-self so your not in a DNS loop.

 

[ReDaLeRt]

This can be done with DNSFilter if I'm not mistaken by using a custom filter + exception for the DNS server its-self so your not in a DNS loop.

Yes, I managed to get that done right now through DNSFilter. Thanks.

And for the NTP service, please?

Thank you.

 

[Treadler]

Sounds like Skynet is doing its job correctly

Very cool.
Skynet rocks!

 

[ReDaLeRt]

BTW, I'm having an issue:

[$] /jffs/scripts/firewall banmalware
=============================================================================================================
Downloading filter.list | [0s]
Refreshing Whitelists | [3s]
Consolidating Blacklist | [5s]
[*] List Content Error Detected - Stopping Banmalware
=============================================================================================================

@Adamm, what am I doing wrong?

Thanks.

 

[dave14305]

BTW, I'm having an issue:



@Adamm, what am I doing wrong?

Thanks.

I saw a drop of about 50,000 bans overnight, so one of the lists probably had an issue, but seems OK now with a manual update a minute ago.

 

[ReDaLeRt]

I saw a drop of about 50,000 bans overnight, so one of the lists probably had an issue, but seems OK now with a manual update a minute ago.

It continues reporting the error. I tested it right now.

 

[WuTang LAN]

It’s still going on after so many hours. Will it ever stop? Now it’s coming from different IPs.

Welcome to the internet.

 

[RMerlin]

There is such a thing as a technological hypochondriac...

 

[WuTang LAN]

There is such a thing as a technological hypochondriac...

I'd say 7 out of 10 being one is a safe estimate.

 

[Treadler]

There is such a thing as a technological hypochondriac...

Oh no! I’ve been outed! ;-)

 

[Adamm]

Yes, I managed to get that done right now through DNSFilter. Thanks.

And for the NTP service, please?

Thank you.

Unfortunately this is somewhat out of the scope of Skynet. I try keep features related to router based services, otherwise there will be requests to support every external service.

You can easily achieve this manually via an IPTables rule in your firewall-start script though.

 

[wbartels]

Hello Adamm I have a feature request.
Besides enabling and disabling logging it would be nice to have an option to set it to RAM memory.

For example the menu could look like:

Select Logging Option:
[1]  --> USB Storage
[2]  --> RAM Memory
[3]  --> Disable

 

[Adamm]

Hello Adamm I have a feature request.
Besides enabling and disabling logging it would be nice to have an option to set it to RAM memory.

For example the menu could look like:

Select Logging Option:
[1]  --> USB Storage
[2]  --> RAM Memory
[3]  --> Disable

Unfortunately after 1000 messages or so the syslog gets automatically purged, plus if we don't manage log entries it gets quite cluttered and hides potentially important messages.

 

[wbartels]

Unfortunately after 1000 messages or so the syslog gets automatically purged, plus if we don't manage log entries it gets quite cluttered and hides potentially important messages.

I don't really understand, the syslog already is stored in memory: /tmp/syslog.log
I meant the skynet.log. With this small modification it perfectly works, and it has nothing to do with de syslog.log.

##skynetlog="${skynetloc}/skynet.log"
skynetlog="/tmp/skynet.log"
touch $skynetlog

Or have I missed something?

 

[dave14305]

I don't really understand, the syslog already is stored in memory: /tmp/syslog.log
I meant the skynet.log. With this small modification it perfectly works, and it has nothing to do with de syslog.log.

##skynetlog="${skynetloc}/skynet.log"
skynetlog="/tmp/skynet.log"
touch $skynetlog

Or have I missed something?

What does it gain you (or us)? Consuming more RAM over time until the router runs out of memory? What is the downside of USB in your setup?

 

[wbartels]

What does it gain you (or us)? Consuming more RAM over time until the router runs out of memory? What is the downside of USB in your setup?

Prevent to many usb flash drive erase/write cycles.
In 24 hour I have approximately 8.000 entry's in the skynet.log file.
Memory shouldn't be an issue, at the moment 182 MB free.

 

[WuTang LAN]

Prevent to many usb flash drive erase/write cycles.
In 24 hour I have approximately 8.000 entry's in the skynet.log file.
Memory shouldn't be an issue, at the moment 182 MB free.

Yeah, at the moment. But it would become an issue.

As far as USB drives go, small capacity ones are very cheap. If you're concerned about it wearing out, I wouldn't be. I've not heard or read one report of Skynet script destroying flash drives.

I've been using the scripts in my sig for over a year on a USB drive that was already years old. Still going strong and I expect it to keep going for years to come.

 

[Adamm]

I've pushed v6.9.2

Add DNSCrypt Whitelisting Support
Add syslog-ng Support
Add ASN Banning/Unbanning Support

 

[wbartels]

Adamm Thanks for the update