Skynet Skynet - Router Firewall & Security Enhancements

[AntonK]

Doesn't that stop the IoT device from functioning?

Hi Ninko,

See this post from Adamm on the introduction of Skynet's IOT feature. It may answer some of your questions.

Anton

 

[Ninko]

Hi Ninko,

See this post from Adamm on the introduction of Skynet's IOT feature. It may answer some of your questions.

Anton

Hi AntonK,
Thanks for providing the link.
Many IoT devices need to connect to the cloud in order to do what their made for, for example a smart plug, that surely wouldn't work with basically just LAN access?

I might be completely wrong here, my knowledge is basic compared to many on here, but I learn lol.

 

[AntonK]

Hi AntonK,
Thanks for providing the link.
Many IoT devices need to connect to the cloud in order to do what their made for, for example a smart plug, that surely wouldn't work with basically just LAN access?

I might be completely wrong here, my knowledge is basic compared to many on here, but I learn lol.

I'm a relative non-techie here too. I solved my minor IoT access (both on my LAN, while providing the IoT devices on one of my Guest Networks to the WAN they needed), by using Jack Yaz's YazFi script. Take a look, if you dare

 

[Ninko]

I'm a relative non-techie here too. I solved my minor IoT access (both on my LAN, while providing the IoT devices on one of my Guest Networks to the WAN they needed), by using Jack Yaz's YazFi script. Take a look, if you dare

Wow, I might come to that at some point but for now I'm still getting to know Diversion and Skynet, that'll do me for the moment. I was just curious how Skynet worked to stop IoT devices from phoning home but without breaking it's functionality.

 

[CriticJay]

Hi AntonK,
Thanks for providing the link.
Many IoT devices need to connect to the cloud in order to do what their made for, for example a smart plug, that surely wouldn't work with basically just LAN access?

I might be completely wrong here, my knowledge is basic compared to many on here, but I learn lol.

Indeed you are right. For example, all of the "Google Nest" products are 100% cloud based; they have no local storage (SD Card) to speak of. I am quite sure that if they were IOT-blocked you wouldn't even be able to access them through the official Google Nest app.

On the other hand, there are products like Wyze which are not completely cloud based. The Wyze Cam can have an SD Card installed, and you can flash it with an alternative firmware that enables RTSP functionality which also removes Wyze cloud functionality (I believe). In such a case, you could do an IOT-block on the camera and it would still be perfectly useful on your LAN.

 

[Ninko]

Indeed you are right. For example, all of the "Google Nest" products are 100% cloud based; they have no local storage (SD Card) to speak of. I am quite sure that if they were IOT-blocked you wouldn't even be able to access them through the official Google Nest app.

On the other hand, there are products like Wyze which are not completely cloud based. The Wyze Cam can have an SD Card installed, and you can flash it with an alternative firmware that enables RTSP functionality which also removes Wyze cloud functionality (I believe). In such a case, you could do an IOT-block on the camera and it would still be perfectly useful on your LAN.

I see what your saying, it's possible for some but not all.

Thanks

 

[leon]

May I know what is the different between banmalware and blacklist? That is if I want to stop connection to tor exit node, should I do

firewall banmalware https://check.torproject.org/torbulkexitlist
or
firewall import blacklist https://check.torproject.org/torbulkexitlist

I would prefer banmalware since the daily update is build-in. For import blacklist, I would need to setup a cron job.

 

[Adamm]

May I know what is the different between banmalware and blacklist? That is if I want to stop connection to tor exit node, should I do

firewall banmalware https://check.torproject.org/torbulkexitlist
or
firewall import blacklist https://check.torproject.org/torbulkexitlist

I would prefer banmalware since the daily update is build-in. For import blacklist, I would need to setup a cron job.

Import is a one time addition, whereas the banmalware feature is for dynamic lists and is automatically refreshed every day or week depending on your settings.

Also note the banmalware feature uses a filter list, for example;

IPSet_ASUS/filter.list at master · Adamm00/IPSet_ASUS

Skynet - Advanced IP Blocking For ASUS Routers Using IPSet. - Adamm00/IPSet_ASUS

github.com

 

[leon]

OK. So banmalware is idea for block Tor exit nodes. I tried

firewall banmalware check.torproject.org/torbulkexitlist

and got the below error. https://check.torproject.org/torbulkexitlist did supply a list of ip addresses. Any reason for the failure?

[i] Custom Filter Detected: check.torproject.org/torbulkexitlist
[i] Downloading filter.list         | [4s]
[i] Refreshing Whitelists           | [46s]
[i] Consolidating Blacklist         | curl: no URL specified!
curl: try 'curl --help' for more information
[0s]
[*] List Content Error Detected - Stopping Banmalware

 

[Adamm]

OK. So banmalware is idea for block Tor exit nodes. I tried

firewall banmalware check.torproject.org/torbulkexitlist

and got the below error. https://check.torproject.org/torbulkexitlist did supply a list of ip addresses. Any reason for the failure?

[i] Custom Filter Detected: check.torproject.org/torbulkexitlist
[i] Downloading filter.list         | [4s]
[i] Refreshing Whitelists           | [46s]
[i] Consolidating Blacklist         | curl: no URL specified!
curl: try 'curl --help' for more information
[0s]
[*] List Content Error Detected - Stopping Banmalware

Because thats an IP list, not a filter list. Check the example list I provided in my last post.

 

[Chuckles67]

Hi AntonK,
Thanks for providing the link.
Many IoT devices need to connect to the cloud in order to do what their made for, for example a smart plug, that surely wouldn't work with basically just LAN access?

I might be completely wrong here, my knowledge is basic compared to many on here, but I learn lol.

Asus RT-AC66U-B1 / Merlin 384.18

I have three HomeKit IoT devices using Skynet to "ban" them (menu: 11, 11, 2) from internet access. These devices are connected to the same WiFi as the AppleTV that acts as the hub in HomeKit. Everything HomeKit works fine. So if your smart plugs have a hub, like HomeKit does, and all are on the same internal network then should be okay.

Earlier I tried putting the IoT devices on a Guest Network WiFi but failed (of course), because the guest network does not allow devices to talk with each other - so the AppleTV "hub" couldn't control the IoT devices. The weird thing was occasionally there was delayed control - so perhaps HomeKit might do some hub-device communications over the internet - but it wasn't reliable. The above setup is working reliably for me. Perhaps sometime I should remove the Skynet ban off and see if the IoT devices need new Firmware.

 

[Ubimo]

Skynet gives double the output in syslog, why?
I just restarted the WAN connection.

Jul 21 21:06:50 kernel: ip_set: protocol 6
Jul 21 21:08:38 Skynet: [*] WebUI Integration Requires Logging To Be Enabled
Jul 21 21:08:38 Skynet: [*] WebUI Integration Requires Logging To Be Enabled
Jul 21 21:08:41 Skynet: [#] 352669 IPs (+0) -- 1578 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [114s]
Jul 21 21:08:42 Skynet: [#] 352669 IPs (+0) -- 1578 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [115s]

Edit:
I restarted the router, all ok now again.

 

[TonyK132]

In vers 7.2.0, here's a typo:

Jul 21 21:58:49 rc_service: waitting "restart_firewall" via ...

Also, I had to replace my flash drive since my old one died. I had been running Skynet 7.1.9, but when I made the change, I changed the name of the partition. When I tried to run Skynet from amtm, all I get is a "usb not found" message, retrying 1 of 10. Goes on for 10 retries, so I never got to the Skynet menu. I then loaded Skynet from the cmd line, and that seemed to work, but from amtm, I still get the USB not found message. I'm guessing it's reusing a config file from before. Where is that file located? I'm thinking I could edit it and correct the name of the directory that is wrong.

 

[Adamm]

Skynet gives double the output in syslog, why?
I just restarted the WAN connection.

Jul 21 21:06:50 kernel: ip_set: protocol 6
Jul 21 21:08:38 Skynet: [*] WebUI Integration Requires Logging To Be Enabled
Jul 21 21:08:38 Skynet: [*] WebUI Integration Requires Logging To Be Enabled
Jul 21 21:08:41 Skynet: [#] 352669 IPs (+0) -- 1578 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [114s]
Jul 21 21:08:42 Skynet: [#] 352669 IPs (+0) -- 1578 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [115s]

Edit:
I restarted the router, all ok now again.

During certain events the firewall service is restarted multiple times within a short period, usually our lock file catches this, but in a very small % of cases startup is initiated at the exact same time therefore passing the lock file check.

In vers 7.2.0, here's a typo:

Jul 21 21:58:49 rc_service: waitting "restart_firewall" via ...

That is a firmware typo, not Skynet.

Also, I had to replace my flash drive since my old one died. I had been running Skynet 7.1.9, but when I made the change, I changed the name of the partition. When I tried to run Skynet from amtm, all I get is a "usb not found" message, retrying 1 of 10. Goes on for 10 retries, so I never got to the Skynet menu. I then loaded Skynet from the cmd line, and that seemed to work, but from amtm, I still get the USB not found message. I'm guessing it's reusing a config file from before. Where is that file located? I'm thinking I could edit it and correct the name of the directory that is wrong.

Skynet grabs the config file location from its entry in /jffs/scripts/firewall-start. In the event someone changes the USB path, you would need to run the install command (or manually edit this file) again to correct it as Skynet has no way of knowing the new location.

 

[Wisiwyg]

Earlier I tried putting the IoT devices on a Guest Network WiFi but failed (of course), because the guest network does not allow devices to talk with each other - so the AppleTV "hub" couldn't control the IoT devices. The weird thing was occasionally there was delayed control - so perhaps HomeKit might do some hub-device communications over the internet - but it wasn't reliable. The above setup is working reliably for me. Perhaps sometime I should remove the Skynet ban off and see if the IoT devices need new Firmware.

YazFi has a feature to block internal LAN access from IOT device on the Guest network, but allows devices on the LAN to connect to the IOT on Guest - a one-way communication from LAN to Guest but not from Guest to LAN. The IOT device has internet, but no LAN access to protect your LAN and all devices attached from the IOT. (IIRC there was an issue a month or two ago with WYZE cameras providing a back door to the local network. This why there's alternate firmware.) I use this YazFi feature with a couple of security cameras. I've also used the Parental Control feature in Merlin to Restrict Time to IOT devices to Block internet access if I can't put them on a Guest and they function properly.

 

[TonyK132]

That is a firmware typo, not Skynet.

Sorry. I suppose that's for Merlin to fix?

Also, where is the Skynet banned country list saved?

 

[RMerlin]

Sorry. I suppose that's for Merlin to fix?

No, that's Asus' to fix. That code is closed source.

 

[Adamm]

Also, where is the Skynet banned country list saved?

In the config file in Skynets install dir (skynet.cfg)

 

[XIII]

Did Skynet block Spotify for anyone else today?

 

[Adamm]

Did Skynet block Spotify for anyone else today?

Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

Don't worry, tracking down false positive bans was at the core of design. Generally speaking you can follow these steps to find (and whitelist) anything incorrectly on your Blacklist!

1.) Enable Logging

firewall settings logmode enable

2.) Open the blocked application/website and use the command;

firewall debug watch

Now look for a flood of [BLOCKED - OUTBOUND] coming from the same IP. This most likely will be the IP you are looking for if its being spammed in large numbers.

3.) Copy the IP following "DST=" it should look something like this;

DST=175.115.37.52

4.) Double check the IP is not actually something that should be banned, use a search tool like alienvault. If its related to a domain additional "Associated Domain" information should be printed beneath the log.

https://otx.alienvault.com/indicator/ip/175.115.37.52/

5.) Great we have confirmed we found the IP of the blocked website/application we are looking for, lets whitelist it!

firewall whitelist ip 175.115.37.52