Skynet - Router Firewall & Security Enhancements

@Adamm, please consider making skynet much more user friendly for your users by automatically parsing whitelisted domains for IPs, IPs change. When IPs change, they must be whitelisted manually even if the domain is already in the whitelist, very annoying. Should happen each time skynet loads/reloads. Thanks.
Has anyone ever tried using the ipset option in dnsmasq to create a dynamic ipset for whitelisted domains?
 
We manually refresh these IPs frequently enough with Refresh_MWhitelist() where it probably isn't needed, although in hindsight it probably would have been a better design choice.
 
So out of curiosity I looked into this, and remembered there are some limitations;

1) Comments can't be automatically added with dnsmasq entries
2) dnsmasq fails to start when a line in its config is 1000(ish) characters (despite this being a simple issue, it makes an otherwise basic function quite complex when having to do dynamic character counting/word splitting etc with our limited stock binaries)
3) This would effectively break whitelisting for people not using dnsmasq
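
One way to handle limitation 2 when generating dnsmasq `ipset=` entries, as an added example that is not part of the original post or of Skynet's code: the function name `gen_ipset_lines`, the 900-character default limit and the sample domains are assumptions. It also drops entries that are not plain hostnames, so a stray `/` cannot alter the generated config line.

```shell
#!/bin/sh
# Read domains on stdin and emit dnsmasq "ipset=/dom1/dom2/<set>" lines,
# starting a new line before one would grow past the length limit.
# $1 = ipset name, $2 = max characters per line (assumed value, default 900)
gen_ipset_lines() {
    awk -v setname="$1" -v max="${2:-900}" '
        function emit() { if (line != "") print line "/" setname; line = "" }
        {
            d = tolower($1)
            # Keep plain hostnames only; comments, blanks and entries
            # containing "/" or other odd characters are skipped.
            if (d !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) next
            # Projected length = current line + "/" + domain + "/" + set name
            if (line != "" && length(line) + 1 + length(d) + 1 + length(setname) > max) emit()
            if (line == "") line = "ipset="
            line = line "/" d
        }
        END { emit() }'
}

# Constructed sample input; a small limit is used here to force a split.
printf '%s\n' '# whitelist' 'a.example.test' 'bad/dom.test' 'c.example.test' |
    gen_ipset_lines Skynet-Whitelist 40
```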
 
I've been noticing Skynet has been blocking valid (legitimate) sites as fake sales recently. These two are just a couple (I believe cloudfront). So where is this information coming from to determine what's being blocked. I'm assuming it's IP based so I'm going to have to whitelist domains, correct?

karveshaving.com, getrockwell.com
 
Interesting (from my amateur point of view). I tried the 2 sites you mention above, and could get to neither. They show up as Outbound blocks in my stats. The blocking list in their case appears to be "blocklist_net_ua.ipset". Clicking on that list in the stats page leads to this explanation (which I don't understand from a technical point of view).
 
Correct. It looks like it’s all the one shared IP address for a bunch of e-commerce sites. While some may be legitimate (confirmed folks purchasing from these two sites), some of the others were spam or malware. I added the karve domain to the whitelist and it whitelisted the IP. Since Skynet is totally IP based, adding the karve domain on my end also opened the Rockwell site. I was hoping to just allow the sites without allowing everything, but I’ll let my AV and script blocker deal with that issue.

I’ve got needed Samsung domains blocked by diversion (another thread), where pihole allows it. I’m working on getting a raspberrypi so I can move away from this stuff for better solutions (and I may be able to get a juniper fw from a work buddy, we’ll see).
 
IMO the list of default lists includes some lists which have these false positives, and which gain new false positives every couple of days (lists are dynamic after all).

I removed 2 of the default lists and stopped getting any false positive issues (for the past 1 month).
 
Can you remind us which ones you removed please? TIA...:)
 
My current exclusion list: blocklist_net_ua.ipset|firehol_level3.netset

basically those 2 lists above separated by the pipe character
but that's how you enter multiple lists in the Skynet script menu anyways :)

Note: Keep in mind that when backing up and restoring Skynet configuration (i.e. if you are rebuilding your router from scratch) for whatever reason it does not keep exclusion lists, so you need to re-enter your Skynet exclusion lists.
 
Thanks. I just saw that somehow 1.1.1.1 was added June of this year to firehol l3. If that kind of crap is happening with that list, how can it be reliable and included as a standard list in Skynet?
Don’t get me wrong, I know many of these are user supported lists but that’s not good.
Also looks like there was a big update for the blacklist one today (50 added, 49 removed).
 
I'd like to remind users I don't maintain any of the example lists provided, these are merely there to guide users on compiling filter lists to suit their own needs. Personally I use these example lists and rarely run into false positives.

Unfortunately due to the nature of shared hosting, it only takes one bad domain to get an IP blacklisted for web-servers that potentially host thousands of websites using the same address. This is a fundamental issue entirely outside Skynet's control, we provide IP banning functionality, not content.



Now with that being said, if users believe the quality of a list has dropped for a significant amount of time (with examples!), we can discuss removal of said list from the examples provided.
 
If the above user's example of "1.1.1.1" being added to firehol_level3 is indeed verified ... that is quite egregious ... considering that 1.1.1.1 may actually be the default (or at least the "first on the list" / "recommended") DNS-over-TLS server in Asuswrt-Merlin.

I would propose that as a starting point, we consider removing firehol_level3 from the Skynet default lists.
 
Even if firehol_level3 adds 1.1.1.1 or any of the chosen lists, all anycast DNS IPs are whitelisted by skynet.
Code:
[i] Monitoring From Jul 12 05:00:02 To Jul 15 12:01:53
[i] 32112 Block Events Detected
[i] 3618 Unique IPs
[i] 0 Manual Bans Issued

1.1.1.1 is in set Skynet-Whitelist.
1.1.1.1 is NOT in set Skynet-Blacklist.
1.1.1.1 is NOT in set Skynet-BlockedRanges.

Whitelist Reason;
 1.1.1.1 "nvram: dnspriv_rulelist"


Associated Domain(s);
cartodb-basemaps-a.freetls.fastly.net
dualstack.com.imgix.map.fastly.net
confiant-integrations.global.ssl.fastly.net
limited-prod.giphy.map.fastly.net
prod.disqus.map.fastlylb.net
disqus.com
platform.twitter.map.fastly.net
medallia.map.fastly.net
dualstack.pinterest.map.fastly.net
browser.sentry-cdn.com
prod.nrhl.map.fastly.net
tenor.map.fastly.net
klaviyo.map.fastly.net
spreedly.map.fastly.net
paypal.map.fastly.net
f4.shared.global.fastly.net
github.map.fastly.net
ipv4.imgur.map.fastly.net
prod.grubhub2.map.fastlylb.net
media.amazon.map.fastly.net
dualstack.shopify.map.fastly.net
cloudinary.map.fastly.net
dualstack.brightcove.map.fastly.net
d.sni.global.fastly.net
prod.pinterest.global.map.fastly.net
hearst-newspapers.map.fastly.net
f4.shared.us-eu.fastly.net
scdnco.spotify.map.fastly.net
t.shared.global.fastly.net
jwplayer-dualstack.map.fastly.net
mansueto.map.fastly.net
dualstack.f3.shared.global.fastly.net
incimages.map.fastly.net
g2.shared.global.fastly.net
cdn1.affirm.com
cdn-assets.affirm.com
qognvtzku-x.global.ssl.fastly.net
b2.shared.us-eu.fastly.net
wkxppshj-qx.global.ssl.fastly.net
vwonwkaqvq-a.global.ssl.fastly.net
s3-cloudinary-pin.map.fastly.net
v2.shared.global.fastly.net
reddit.map.fastly.net
l2.shared.us-eu.fastly.net
dualstack.f.shared.us-eu.fastly.net
f6.shared.global.fastly.net
stripecdn.map.fastly.net
y2.shared.global.fastly.net
d2.shared.global.fastly.net
dss.map.fastly.net
n2.shared.global.fastly.net
brightcove.map.fastly.net
clarium.global.ssl.fastly.net (Flagged By Diversion)


[i] IP Location - Australia (CLOUDFLARENET / AS13335)

[i] 1.1.1.1 First Tracked On
[i] 1.1.1.1 Last Tracked On
[i] 0 Blocks Total
 
@Adamm It looks like the dots in the IP aren’t being escaped when searching the dnsmasq.log* files? 1.1.1.1 shouldn’t match so many hosts.
 
login.skype-apps.akadns.net is blocked constantly because "skynet" does not unblock it even though the domain is in skynet whitelist, wtf? #skynet #lives #matter
 
@Adamm It looks like the dots in the IP aren’t being escaped when searching the dnsmasq.log* files? 1.1.1.1 shouldn’t match so many hosts.

Good catch, I was escaping the IP later in the function and not for the associated domain lookup. I've gone ahead and pushed v7.2.0

Code:
Only have exposed wan checks under securemode if statement
Reenable word wrap on exit
Fix IP lookup escaping
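
The escaping issue discussed above, reproduced as an added example that is not part of the original posts or of Skynet's code: the log lines are constructed, and the function names and the `grep` pattern are assumptions about how such a lookup might be written.

```shell
#!/bin/sh
# Constructed dnsmasq-style log lines (sample data, not from a real router).
SAMPLE_LOG='Jul 15 12:00:01 dnsmasq[321]: reply one.one.one.one is 1.1.1.1
Jul 15 12:00:02 dnsmasq[321]: reply github.map.fastly.net is 151.101.1.194
Jul 15 12:00:03 dnsmasq[321]: reply cdn.example.test is 1.1.1.10
Jul 15 12:00:04 dnsmasq[321]: reply www.example.test is 93.184.216.34'

# Unescaped lookup: every "." in the IP is a regex wildcard, so
# "1.1.1.1" also matches "151.101" and the prefix of "1.1.1.10".
domains_unescaped() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E "reply .* is $1" |
        awk '{print $6}' | sort -u
}

# Escaped lookup: dots are literal and the "$" anchor stops prefix matches.
domains_escaped() {
    ip_re="$(printf '%s' "$1" | sed 's/\./\\./g')"
    printf '%s\n' "$SAMPLE_LOG" | grep -E "reply .* is ${ip_re}\$" |
        awk '{print $6}' | sort -u
}

echo "unescaped:"; domains_unescaped 1.1.1.1
echo "escaped:";   domains_escaped 1.1.1.1
```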
 
I have two Skynet tabs;


user1.asp and user3.asp both working. How can I get rid of one of them? (without a reboot if it's possible)
 
Code:
sed -i "\\~user3.asp~d" /tmp/menuTree.js
umount /www/require/modules/menuTree.js
mount -o bind /tmp/menuTree.js /www/require/modules/menuTree.js
rm -rf "/www/user/user3.asp"



I've gone ahead and pushed a small hotfix which should prevent the issue above from occurring when disabling/uninstalling certain scripts and bring Get_WebUI_Page() in line with upstream.
 
Hi,

I'm new to Skynet. I'm looking at my charts. How do I know which computer/device is trying to connect to an IP that was blocked? Is there a way to find that out?
 