Skynet Skynet - Router Firewall & Security Enhancements

[AntonK]

Hi,

Can anyone tell me what "firehol_level3.netset" means? It's associated with my Outbound Blocks, and seems to be communication with both Google and Microsoft servers. I'm not surprised nor paranoid about this, just curious.

Thanks
Anton

 

[dave14305]

Hi,

Can anyone tell me what "firehol_level3.netset" means? It's associated with my Outbound Blocks, and seems to be communication with both Google and Microsoft servers. I'm not surprised nor paranoid about this, just curious.

Thanks
Anton

It's the name of the public blocklist (ipset) that Skynet downloaded. From here: https://iplists.firehol.org/

All the default lists Skynet uses are found here: https://github.com/Adamm00/IPSet_ASUS/blob/master/filter.list

 

[dave14305]

I have no idea what dnsmasq.conf.add is, how to use it, how to install it, or where to get it from.

It's a customization on top of the built-in dnsmasq configuration. See https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files

You could create a file via SSH named /jffs/configs/dnsmasq.conf.add that includes:

server=/callhome.yourdomainhere.com/
server=/trackme.anotherdomainhere.com/

Then dnsmasq would not forward any hostname in those sub-domains upstream.

 

[AntonK]

It's the name of the public blocklist (ipset) that Skynet downloaded. From here: https://iplists.firehol.org/

All the default lists Skynet uses are found here: https://github.com/Adamm00/IPSet_ASUS/blob/master/filter.list

Thank you!
Anton

 

[Henrik!]

How do I list all the countries I banned long time ago ?
And can I add countries to the list, or do I have to add all the same countries again + the new ones in the same commandline ?

 

[QuikSilver]

How do I list all the countries I banned long time ago ?
And can I add countries to the list, or do I have to add all the same countries again + the new ones in the same commandline ?

It's been awhile since Ive had to redo mine but I believe door number 2 is the correct option.

"add all the same countries again + the new ones in the same commandline"

 

[Henrik!]

It's been awhile since Ive had to redo mine but I believe door number 2 is the correct option.

"add all the same countries again + the new ones in the same commandline"

I was afraid of that. But I guess Im better of with compiling a new list.

 

[dave14305]

I was afraid of that. But I guess Im better of with compiling a new list.

The list should be visible in the Skynet startup menu under the SWAP File line, unless you've removed it accidentally.

 

[Henrik!]

The list should be visible in the Skynet startup menu under the SWAP File line, unless you've removed it accidentally.

I only have a green line with numbers on how many IPs and ranges are banned. But no list of the countries I banned.

 

[CaptainSTX]

When you SSH into your router and then open Skynet the list of the countries you have manually banned is displayed as a row in the opening header.

You can then use this as your starting point for the countries to ban. You will have to retype all the existing entries then add the additional countries you want to ban onto the end of the string.

Be careful in typing as Skynet dose not check or edit what you type so it is quite possible to add non existent country codes or correct for missing commas.

 

[Henrik!]

When you SSH into your router and then open Skynet the list of the countries you have manually banned is displayed as a row in the opening header.

You can then use this as your starting point for the countries to ban. You will have to retype all the existing entries then add the additional countries you want to ban onto the end of the string.

Be careful in typing as Skynet dose not check or edit what you type so it is quite possible to add non existent country codes or correct for missing commas.

I see this :

Router Model; RT-AC68U
Skynet Version; v7.1.6 (26/04/2020) (37080f05acfdd01405d0cd2d5b71377c)
iptables v1.4.15 - (vlan101 @ 192.168.1.1)
ipset v6.32, protocol version: 6
IP Address; (xxx.xxx.xxx.xxx)
FW Version; 384.17_0 (Apr 25 2020) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/data/skynet (7.8G / 10.4G Space Available)
SWAP File; /tmp/mnt/data/myswap.swp (2.0G)

254133 IPs (+0) -- 1647 Ranges Banned (+0) || 34371 Inbound -- 0 Outbound !

Select Menu Option:

 

[dave14305]

I see this :

Router Model; RT-AC68U
Skynet Version; v7.1.6 (26/04/2020) (37080f05acfdd01405d0cd2d5b71377c)

First, you may choose to remove your WAN IP from the output above.

Second, you could try to see if the country blocks are still in the big list:

grep Country /tmp/mnt/data/skynet/skynet.ipset

 

[krgck]

nvme i found it on faq

 

[Henrik!]

First, you may choose to remove your WAN IP from the output above.

Thanks.

Second, you could try to see if the country blocks are still in the big list:

grep Country /tmp/mnt/data/skynet/skynet.ipset

That returns nothing.
I think Im better off making a whole new list.

Thanks for all the help.

 

[Wisiwyg]

I was afraid of that. But I guess Im better of with compiling a new list.

FWIW, I keep a notepad ++ file with the banned countries that I pull up, copy, paste b/c I got tired of putting them in. Low-tech.

 

[randomName]

It's a customization on top of the built-in dnsmasq configuration. See https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files

You could create a file via SSH named /jffs/configs/dnsmasq.conf.add that includes:

server=/callhome.yourdomainhere.com/
server=/trackme.anotherdomainhere.com/

Then dnsmasq would not forward any hostname in those sub-domains upstream.

I ended up individually blocking ALL of the samsung callback/callhome dns addresses that someone listed from their packet capture, with Skynet. Was about 40 or so entries but after having to run a TV reset Disney + now needs a samsung account to be installed. That was the last straw.

 

[randomName]

FWIW, I keep a notepad ++ file with the banned countries that I pull up, copy, paste b/c I got tired of putting them in. Low-tech.

Why wouldn't windows notepad work?

 

[JaimeZX]

Two quick questions... running Skynet on my in-laws' RT-AC86U, Merlin v.384.17.

1) Because they have a home Comcast VOIP setup, between the modem and the Asus is a VOIP adapter with a little router that's assigning 192.168.7.3 to the Asus. Skynet sees this and gives a "Private WAN IP detected - Please Put Your Modem In Bridge Mode / Disable CG-NAT." Not sure what to do here. Should I ignore it or will making changes improve the overall stability / connectivity?

2) The Syslog has the line "Mounting Skynet Web Page As user2.asp," but if I go to Firewall -> Skynet I just get a pink background with 404 Not Found. What am I missing?

Thanks!!

 

[Adamm]

1) Because they have a home Comcast VOIP setup, between the modem and the Asus is a VOIP adapter with a little router that's assigning 192.168.7.3 to the Asus. Skynet sees this and gives a "Private WAN IP detected - Please Put Your Modem In Bridge Mode / Disable CG-NAT." Not sure what to do here. Should I ignore it or will making changes improve the overall stability / connectivity?

If your setup is intentionally this way then you can ignore the error.

2) The Syslog has the line "Mounting Skynet Web Page As user2.asp," but if I go to Firewall -> Skynet I just get a pink background with 404 Not Found. What am I missing?

The quickest solution is just a simple reboot which should clear all the mounted pages for scripts.

 

[martinr]

Why wouldn't windows notepad work?

Maybe randomName’s just adopting consistent and good practices so he doesn’t get sloppy or forgetful and later uses Notepad to edit something requiring Unix formatting and then wastes time asking why something won’t work? After all, he never said Notepad wouldn’t work.