
Skynet - Router Firewall & Security Enhancements


Adding per device blocking lists would be a nightmare and unnecessarily over complicate so many functions, I don't see it happening any time soon. With that being said, is there any reason you can't just block this IP from all your devices?

@Adamm, good question. On my Sony TV (Android) I have maybe 5 apps - legit. Some of them are calling home to Facebook IPs and Google IPs - even if I declined any diagnostic data from the OS. I actually don't have a Facebook account. It's the app that is calling some Facebook IP and it is the same IP over and over every few seconds.
If I block that IP my wife would probably kill me since she is a Facebook junky. :)

I understand what you are saying with the difficulty and all. I was just asking. I could figure out manually building a set of IP rules using iptables to drop these. It is easy done using PF but I am not that experienced with iptables.
 
Yup, that is exactly what I have done. Nice thing about macOS is that it comes with the PF firewall which is very efficient.
I created a special table (actually it's a file that holds the offending IPs) and using PF I am banning that list (table) from outbound communication. Cool thing with PF (just as with FreeBSD PF) is that you can dynamically add new IPs to the table and it will start blocking.

The issue as I have mentioned is not so much with Mac or PC on the local LAN but rather IoT or TV apps. You cannot access these and control outbound traffic on these devices even if you assign them static IP.
You need a different way and this is where Skynet could be handy, blocking specific outbound IPs based on LAN device IP. You could for example build a list like I did on my Mac using PF functionality, on Skynet, and configure Skynet to watch a specific LAN device (static IP) for this outbound traffic and block it. That would be cool and allow you to better control these offending apps/vendors and what they are doing.
I'm referring to the router GUI, Firewall section, Network Services Filter tab. Have you checked that out? I feel like we're talking past each other. You can block lots of outbound traffic. See page here: http://demoui.asus.com/Advanced_Firewall_Content.asp
 
I could figure out manually building a set of IP rules using iptables to drop these. It is easy done using PF but I am not that experienced with iptables.
My old-skool IoTBlock.sh (circa 2018) may give you ideas to start.

e.g. Simply create the two text files

/jffs/configs/IPGroups

e.g. Define your desired device Group names
Code:
CAMERAS      192.168.1.120, 192.168.1.121-192.168.1.123, 192.168.1.125,192.168.1.148 #comment used by IPCamsBlock.sh
ANDROID      192.168.1.156
ALEXA        Echo_Show,Echo_Kitchen,Echo_Spot,Echo_Guest,Echo_Spare
TPLINK       HS110_Lounge1, HS110_Lounge2  # Switches
LIFX         LIFX_Table,LIFX_Reading
HIVE         Hive-Hub
GOOGLE       Chromecast-Bed1,Chromecast-Bed2
IOT          Hive-Hub,LIFX
and define the apps rules

e.g. for the ALEXA group of devices

/jffs/configs/IoT_Alexa_apps
Code:
# IoT group 'Google' firewall rules
# Standard stuff; but we don't need to track the destinations or should we?
# 93.184.216.34:80 ???
-A MyAlexa -i br0 -p tcp -m tcp -m multiport --dports 80,443,8080 -j ACCEPT
-A MyAlexa -d 8.8.8.8/32 -i br0 -p udp -m udp --dport 53 -j ACCEPT

# Alexa "calling"
-A MyAlexa -i br0  -p udp -m udp --dport 4172 -j ACCEPT -m comment --comment Voice-Calling

etc.
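The per-group chain approach above (and the per-device outbound blocking asked about earlier in the thread), as an added example that is not Martineau's IoTBlock.sh: it expands one group from an IPGroups-style file, prefixes the matching *_apps rules, and prints the iptables commands for a chain that allows the listed destinations and logs and drops everything else. The IPGroups and apps lines are constructed to match the page's format; the ALEXA IP and the MyAlexa chain wiring are assumptions, and hostnames (which the page's file uses) are not resolved.

```shell
#!/bin/sh
# Added example, not Martineau's IoTBlock.sh: turn one group from an IPGroups-style
# file plus an *_apps rules file into iptables commands that give that group its own
# chain (allow-listed destinations first, then log and drop everything else).
# Hostnames in the page's file would need a DHCP lease lookup; this handles plain IPs
# and a.b.c.X-a.b.c.Y ranges only, and prints the commands rather than running them.

# Constructed samples in the page's /jffs/configs/IPGroups and IoT_*_apps formats
IPGROUPS='CAMERAS      192.168.1.120, 192.168.1.121-192.168.1.123, 192.168.1.125,192.168.1.148 #comment
ANDROID      192.168.1.156
ALEXA        192.168.1.160'
ALEXA_APPS='# Alexa allow-list
-A MyAlexa -i br0 -p tcp -m tcp -m multiport --dports 80,443,8080 -j ACCEPT
-A MyAlexa -d 8.8.8.8/32 -i br0 -p udp -m udp --dport 53 -j ACCEPT'

# expand_group GROUP : print one LAN IP per line for the named group
expand_group() {
    printf '%s\n' "$IPGROUPS" | awk -v grp="$1" '
        $1 == grp {
            sub(/#.*/, ""); $1 = ""           # drop trailing comment and group name
            gsub(/[ \t]/, "")                 # commas are now the only separators
            n = split($0, items, ",")
            for (i = 1; i <= n; i++) {
                if (items[i] == "") continue
                if (items[i] ~ /-/) {         # expand the last octet of a range
                    split(items[i], ends, "-"); split(ends[1], lo, "."); split(ends[2], hi, ".")
                    for (o = lo[4] + 0; o <= hi[4] + 0; o++) print lo[1] "." lo[2] "." lo[3] "." o
                } else print items[i]
            }
        }'
}

# gen_rules GROUP CHAIN RULES : print the iptables commands (dry run) for the group
gen_rules() {
    grp=$1; chain=$2; rules=$3
    echo "iptables -N $chain"
    # allow-list: every non-comment line of the apps file is already an iptables rule spec
    printf '%s\n' "$rules" | grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' | sed 's/^/iptables /'
    # steer the group's LAN traffic into the chain ahead of the general FORWARD rules
    for ip in $(expand_group "$grp"); do
        echo "iptables -I FORWARD -s $ip -i br0 -j $chain"
    done
    # default deny, with rate-limited logging so new call-home destinations show up in syslog
    echo "iptables -A $chain -m limit --limit 1/min -j LOG --log-prefix \"IoTBlock $chain: \""
    echo "iptables -A $chain -j DROP"
}

gen_rules ALEXA MyAlexa "$ALEXA_APPS"
```

Review the printed commands, then pipe them through sh on the router; the LOG line is what lets you see in syslog which destinations a device still tries to reach once the allow-list is in place.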
 
Thanks @Martineau. Very helpful and I need to dig into this. Much appreciated.
 
banned offending apps outbound traffic
I would be curious to know if it breaks the app, and would you care to post a example of how you did this. Thanks folks for having this discussion.
 
It all happened after I enabled QoS and installed FreshJR Asus addon. I started to examine the QoS - Classification page.
See attached screen shot. It got me thinking when looking at my Sony TV. It was switched off but I was seeing internet traffic to specific IP's and with the app name Facebook or Google. I copied the IP's I wanted to investigate and used
https://otx.alienvault.com/indicator/ip/<IP> to check who it is. Sure enough it was a Facebook IP. Once you confirm the IP you can simply use router Firewall->Network Service Filter and enter the source IP (my TV), destination IP and port or port range.

Once configured give it a few minutes and when you go back to the QoS - Classification page that traffic will not show anymore.
I checked my TV apps and all is working as before so all is good. During this, I found out that one of the IPs that a TV app (don't know which one) was trying to reach was actually invalid.
 

Hello guys,
quick question regarding the web GUI: why am I not seeing any data under Top 10 Blocks (Outbound)?
This is the only section that shows no data at all.

All my scripts are up to date.

 
@andresmorago
That's a good sign.
That means, no outbound connections had to be blocked.
Usually, when a PC is infected with malware, it's trying to download something else or contact a control server. In that case, Skynet tries to block these attempts.
Also, should your browser try to open a malicious website, this attempt would also be blocked and logged under blocked outgoing connections.
You could try to ping a banned IP, then you would see some blocked outgoing connections.
 
It got me thinking when looking at my Sony TV
Thanks for that, I've got a Samsung Smart TV that's calling all over the place, I've just been lazy, but I think I'm going to start scrutinizing what it's doing. It's very busy, I know some of it is the apps that I use but I feel like it's in control and not me. That's going to come to an end soon.
 
Installed Skynet on AC68U router. Firmware 384.16.

1. Rebooted router.
2. Log in to router.
I don't have a WebUI "Skynet" tab under the heading Firewall.

3. SSH in to router and run command: "sh /jffs/scripts/firewall".
I get:
IPSets | [Failed]
IPTables Rules | [Failed]

4. Select option 8. (restart Skynet)
IPSets | [Failed]
IPTables Rules | [Failed]

5. Select option [r] --> Reload Menu
IPTables Rules | [Failed]

6. Restarted Skynet. option 8.
[*] Lock File Detected (start skynetloc=/tmp/mnt/sda1/skynet) (pid=7189)
[*] Locked Processes Generally Take 1-2 Minutes To Complete And May Result In Temporaris

7. 5 min gone by.
[r] --> Reload Menu

IPTables Rules | [Failed]

8. Waited another 3-4min.
[r] --> Reload Menu
IPTables Rules | [Failed]

9. [11] --> Settings

10. [14] --> Display WebUI | [Enabled]
[*] Skynet Not Running - Exiting
 
Try a reinstall Option 14 or a forced update Option 10.
 
I'm using Transmission daemon on my router as well. I installed Skynet yesterday. I've noticed in Skynet's stats log and in my router's syslog the number 1 blocked port became 51413, which is for torrent peer connections. Thousands of attempts related to port 51413 (inbound dpt=51413, outbound spt=51413) were blocked since yesterday. How can I make it work better with Transmission daemon?
 
Skynet doesn’t care which port. It blocks based on the remote IP address being identified as malicious by the publicly curated lists it downloads. So I’d say it’s working to keep bad actors out of your network, even if you’re inviting them in.
 
I enabled Aiprotection a couple of weeks ago, and I was wondering if it was even working correctly. When I would check it hadn't blocked anything. This morning I noticed it had blocked some attempts that appeared to be outbound from my firestick, but Skynet shows 0 blocks outbound. Does this mean that Skynet missed something that Aiprotection caught, or was this just a false positive (I think that is what it is called) by Aiprotection?
 
What a mess! I tried to fix it and made it worse. Sorry about that.
edit: I'm glad y'all didn't see that before I got it kinda fixed.
 
Does this mean that Skynet missed something that Aiprotection caught, or was this just a false positive (I think that is what it is called) by Aiprotection?

Skynet waits until your daily malware list cronjob kicks in or during startup to import new AiProtect data. As you only ever visited the site in question once, Skynet never had a chance to "step in" and take over blocking it.
 
Does anyone know how to fix this?
Code:
#############################################################################################################
#                                                                                                           #
#                  ‚ñà‚ñà‚ñà‚ñà‚ñà‚ñà‚ñà‚ïó‚ñà‚ñà‚ïó  ‚ñà‚ñà‚ïó‚ñà‚ñà‚ïó   ‚ñà‚ñà‚ïó‚ñà‚ñà‚ñà‚ïó   ‚ñà‚ñà‚ïó‚ñà‚ñà‚ñà‚ñà‚ñà‚ñà‚ñà‚ïó‚ñà‚ñà‚ñà‚ñà‚ñà‚ñà‚ñà‚ñà‚ïó    ‚ñà‚ñà‚ïó   ‚ñà#
#                  ‚ñà‚ñà‚ïî‚ïê‚ïê‚ïê‚ïê‚ïù‚ñà‚ñà‚ïë ‚ñà‚ñà‚ïî‚ïù‚ïö‚ñà‚ñà‚ïó ‚ñà‚ñà‚ïî‚ïù‚ñà‚ñà‚ñà‚ñà‚ïó  ‚ñà‚ñà‚ïë‚ñà‚ñà‚ïî‚ïê‚ïê‚ïê‚ïê‚ïù‚ïö‚ïê‚ïê‚ñà‚ñà‚ïî‚ïê‚ïê‚ïù    ‚ñà‚ñà‚#
#                  ‚ñà‚ñà‚ñà‚ñà‚ñà‚ñà‚ñà‚ïó‚ñà‚ñà‚ñà‚ñà‚ñà‚ïî‚ïù  ‚ïö‚ñà‚ñà‚ñà‚ñà‚ïî‚ïù ‚ñà‚ñà‚ïî‚ñà‚ñà‚ïó ‚ñà‚ñà‚ïë‚ñà‚ñà‚ñà‚ñà‚ñà‚ïó     ‚ñà‚ñà‚ïë       ‚ñà‚ñà‚ïë   ‚ñà‚ñà‚ïë  #
#                  ‚ïö‚ïê‚ïê‚ïê‚ïê‚ñà‚ñà‚ïë‚ñà‚ñà‚ïî‚ïê‚ñà‚ñà‚ïó   ‚ïö‚ñà‚ñà‚ïî‚ïù  ‚ñà‚ñà‚ïë‚ïö‚ñà‚ñà‚ïó‚ñà‚ñà‚ïë‚ñà‚ñà‚ïî‚ïê‚ïê‚ïù     ‚ñà‚ñà‚ïë       ‚ïö‚ñà‚ñà‚ïó ‚ñà‚ñà‚ïî‚ïù#
#                  ‚ñà‚ñà‚ñà‚ñà‚ñà‚ñà‚ñà‚ïë‚ñà‚ñà‚ïë  ‚ñà‚ñà‚ïó   ‚ñà‚ñà‚ïë   ‚ñà‚ñà‚ïë ‚ïö‚ñà‚ñà‚ñà‚ñà‚ïë‚ñà‚ñà‚ñà‚ñà‚ñà‚ñà‚ñà‚ïó   ‚ñà‚ñà‚ïë        ‚ïö‚ñà‚ñà‚ñà‚ñà‚ïî‚ïù    ‚ñà#
#                  ‚ïö‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïù‚ïö‚ïê‚ïù  ‚ïö‚ïê‚ïù   ‚ïö‚ïê‚ïù   ‚ïö‚ïê‚ïù  ‚ïö‚ïê‚ïê‚ïê‚ïù‚ïö‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïù   ‚ïö‚ïê‚ïù         ‚ïö‚ïê‚ïê‚ïê‚ïù     ‚ïö‚ïê‚ïù#
#                                                                                                           #
#                                 Router Firewall And Security Enhancements                                 #
#                             By Adamm -  https://github.com/Adamm00/IPSet_ASUS                             #
#                                            16/04/2020 - v7.1.6                                            #
#############################################################################################################
The script runs fine, but for some reason the header block is really messed up.

=============================================================================================================
 
