Skynet v7.3.6

[JTnola]

Is there a change log someone could point me toward, (if there is one)? Or else, anyone update yet?

Please and thank you!!

 

[heysoundude]

Huh, I can't seem to find anything either

IPSet_ASUS/README.md at master · Adamm00/IPSet_ASUS

Skynet - Advanced IP Blocking For ASUS Routers Using IPSet. - Adamm00/IPSet_ASUS

github.com

but i believe everything you might be looking to learn is contained here:

Skynet - Filter Validator v0.7 - Skynet Firewall Filter List IPv4 Integrity Validator

Filter Validator v0.7 A collaborative project between @Viktor Jaep and @SomeWhereOverTheRainBow! Filter Validator tests the IPv4 addresses (and IPv6 if present) on a given filter list that are to be used with the Skynet Firewall running on Asus-Merlin Firmware in order to block...

www.snbforums.com

 

[archiel]

Hi @Adamm rebuilding router after factory reset. Just installed diversion, then skynet but there are no entries in the blacklist ipsets - what am I missing

Router Model; RT-AX88U
Skynet Version; v7.3.6 (09/03/2023) (35af187c15ed5871393a3249262c8dbc)
iptables v1.4.15 - (eth0 @ 10.50.60.1)
ipset v7.6, protocol version: 7
IP Address; (wan ipv4) - (wan ipv6)
FW Version; 388.1_0 (Dec 3 2022) (4.1.51)
Install Dir; /tmp/mnt/Router/skynet (101.8G / 109.5G Space Available)
SWAP File; /tmp/mnt/Router/myswap.swp (2.0G)

0 IPs (+0) -- 0 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked!

Name: Skynet-Blacklist
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 500000 comment
Size in memory: 96
References: 1
Number of entries: 0
Members:

Name: Skynet-BlockedRanges
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 200000 comment
Size in memory: 352
References: 1
Number of entries: 0
Members:

 

[Adamm]

Hi @Adamm rebuilding router after factory reset. Just installed diversion, then skynet but there are no entries in the blacklist ipsets - what am I missing

Router Model; RT-AX88U
Skynet Version; v7.3.6 (09/03/2023) (35af187c15ed5871393a3249262c8dbc)
iptables v1.4.15 - (eth0 @ 10.50.60.1)
ipset v7.6, protocol version: 7
IP Address; (wan ipv4) - (wan ipv6)
FW Version; 388.1_0 (Dec 3 2022) (4.1.51)
Install Dir; /tmp/mnt/Router/skynet (101.8G / 109.5G Space Available)
SWAP File; /tmp/mnt/Router/myswap.swp (2.0G)

0 IPs (+0) -- 0 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked!

Name: Skynet-Blacklist
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 500000 comment
Size in memory: 96
References: 1
Number of entries: 0
Members:

Name: Skynet-BlockedRanges
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 200000 comment
Size in memory: 352
References: 1
Number of entries: 0
Members:

Have you tried to ban anything yet or use the ban malware feature? lol

 

[archiel]

Have you tried to ban anything yet or use the ban malware feature? lol

I am confused. I had thought that when installed, Skynet blocked traffic derived via a default set of ipsets, e.g. firehol_level2.netset, firehol_level3.netset, etc. However nothing is being blocked at all, either inbound or outbound* and while

sh /jffs/scripts/firewall debug info

shows everything in green

if I run

sh /jffs/scripts/firewall banmalware

then I get

[i] Downloading filter.list         | [1s]
[i] Refreshing Whitelists           | [3s]
[i] Consolidating Blacklist         | [1s]
[*] List Content Error Detected - Stopping Banmalware

and looking at the log file I just see

Mar 12 00:29:01 Router Skynet: [#] 0 IPs (+0) -- 0 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [debug] [1s]
Mar 12 00:42:38 Router Skynet: [i] Skynet Up To Date - v7.3.6 (35af187c15ed5871393a3249262c8dbc)
Mar 12 00:47:28 Router Skynet: [#] 0 IPs (+0) -- 0 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [debug] [1s]
Mar 12 00:52:01 Router Skynet: [#] 0 IPs (+0) -- 0 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [banmalware] [5s]

I have tried uninstalling, rebooting and re-installing - it makes no difference.

* As some devices are running bitorrent/transmission, I would expect to see some outbound blocks.

 

[Adamm]

I am confused. I had thought that when installed, Skynet blocked traffic derived via a default set of ipsets, e.g. firehol_level2.netset, firehol_level3.netset, etc. However nothing is being blocked at all, either inbound or outbound* and while

sh /jffs/scripts/firewall debug info

shows everything in green

if I run

sh /jffs/scripts/firewall banmalware

then I get

[i] Downloading filter.list         | [1s]
[i] Refreshing Whitelists           | [3s]
[i] Consolidating Blacklist         | [1s]
[*] List Content Error Detected - Stopping Banmalware

and looking at the log file I just see

Mar 12 00:29:01 Router Skynet: [#] 0 IPs (+0) -- 0 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [debug] [1s]
Mar 12 00:42:38 Router Skynet: [i] Skynet Up To Date - v7.3.6 (35af187c15ed5871393a3249262c8dbc)
Mar 12 00:47:28 Router Skynet: [#] 0 IPs (+0) -- 0 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [debug] [1s]
Mar 12 00:52:01 Router Skynet: [#] 0 IPs (+0) -- 0 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [banmalware] [5s]

I have tried uninstalling, rebooting and re-installing - it makes no difference.

* As some devices are running bitorrent/transmission, I would expect to see some outbound blocks.

[*] List Content Error Detected - Stopping Banmalware

The issue is your custom list

 

[archiel]

[*] List Content Error Detected - Stopping Banmalware

The issue is your custom list

(AFAIK) I don't have a custom list, this is a clean install and should just be using default settings. Where can I locate what list is being used?

 

[Viktor Jaep]

(AFAIK) I don't have a custom list, this is a clean install and should just be using default settings. Where can I locate what list is being used?

How about just reset the filter list to its default? Option 3 -> Reset Filter List?

You could find the name of your custom filter list you're using in the skynet.cfg, located under /mnt/<drivename>/skynet/skynet.cfg

 

[commodoro]

(AFAIK) I don't have a custom list, this is a clean install and should just be using default settings. Where can I locate what list is being used?

Is the [install_dir]/skynet/lists folder empty?

What WAN DNS are you using?

 

[archiel]

Is the [install_dir]/skynet/lists folder empty?

What WAN DNS are you using?

Yes both

/tmp/skynet/lists and
/tmp/mnt/Router/skynet/lists
are empty

Default WAN DNS are DoT (strict) Cloudflare (IPv4 and IPv6)

Client DNS is routed through Unbound using Wireguard VPN (AzireVPN) DNS servers

 

[commodoro]

Yes both

/tmp/skynet/lists and
/tmp/mnt/Router/skynet/lists
are empty

Default WAN DNS are DoT (strict) Cloudflare (IPv4 and IPv6)

Client DNS is routed through Unbound using Wireguard VPN (AzireVPN) DNS servers

ok, if /tmp/mnt/Router/skynet/lists is empty something went wrong when download the datasets present in the filter list, the reason of [*] List Content Error Detected - Stopping Banmalware

I had same issues when in WAN DNS used the router ip itself, now I use Quad9 and all works, I think with Cloudfire could work

if you are confortable to modify firewall script, you could remove the option -s silent mode, from the curl invocation to see the error

line 3463
from

awk -F/ '{print $0" -Oz "$NF}' /jffs/addons/shared-whitelists/shared-Skynet-whitelist | xargs "curl" -fsLZ

to

awk -F/ '{print $0" -Oz "$NF}' /jffs/addons/shared-whitelists/shared-Skynet-whitelist | xargs "curl" -fLZ

and launch

firewall banmalware

to see the error

 

[archiel]

ok, if /tmp/mnt/Router/skynet/lists is empty something went wrong when download the datasets present in the filter list, the reason of [*] List Content Error Detected - Stopping Banmalware

I had same issues when in WAN DNS used the router ip itself, now I use Quad9 and all works, I think with Cloudfire could work

if you are confortable to modify firewall script, you could remove the option -s silent mode, from the curl invocation to see the error

line 3463
from

awk -F/ '{print $0" -Oz "$NF}' /jffs/addons/shared-whitelists/shared-Skynet-whitelist | xargs "curl" -fsLZ

to

awk -F/ '{print $0" -Oz "$NF}' /jffs/addons/shared-whitelists/shared-Skynet-whitelist | xargs "curl" -fLZ

and launch

firewall banmalware

to see the error

[i] Downloading filter.list         | [0s]
[i] Refreshing Whitelists           | [4s]
[i] Consolidating Blacklist         | Warning: Illegal date format for -z, --time-cond (and not a file name).
Warning: Disabling time condition. See curl_getdate(3) for valid date syntax.
Warning: Illegal date format for -z, --time-cond (and not a file name).
Warning: Disabling time condition. See curl_getdate(3) for valid date syntax.
Warning: Illegal date format for -z, --time-cond (and not a file name).
Warning: Disabling time condition. See curl_getdate(3) for valid date syntax.
Warning: Illegal date format for -z, --time-cond (and not a file name).
Warning: Disabling time condition. See curl_getdate(3) for valid date syntax.
Warning: Illegal date format for -z, --time-cond (and not a file name).
Warning: Disabling time condition. See curl_getdate(3) for valid date syntax.
Warning: Illegal date format for -z, --time-cond (and not a file name).
Warning: Disabling time condition. See curl_getdate(3) for valid date syntax.
Warning: Illegal date format for -z, --time-cond (and not a file name).
Warning: Disabling time condition. See curl_getdate(3) for valid date syntax.
Warning: Illegal date format for -z, --time-cond (and not a file name).
Warning: Disabling time condition. See curl_getdate(3) for valid date syntax.
Warning: Illegal date format for -z, --time-cond (and not a file name).
Warning: Disabling time condition. See curl_getdate(3) for valid date syntax.
Warning: Illegal date format for -z, --time-cond (and not a file name).
Warning: Disabling time condition. See curl_getdate(3) for valid date syntax.
DL% UL%  Dled  Uled  Xfers  Live   Qd Total     Current  Left    Speed
--  --      0     0    10    10     0 --:--:-- --:--:-- --:--:--     0      curl: (6) Could not resolve host: iplists.firehol.org
curl: (6) Could not resolve host: iplists.firehol.org
curl: (6) Could not resolve host: iplists.firehol.org
curl: (6) Could not resolve host: iplists.firehol.org
curl: (6) Could not resolve host: iplists.firehol.org
curl: (6) Could not resolve host: iplists.firehol.org
curl: (6) Could not resolve host: iplists.firehol.org
curl: (6) Could not resolve host: iplists.firehol.org
curl: (6) Could not resolve host: iplists.firehol.org
curl: (6) Could not resolve host: iplists.firehol.org
--  --      0     0    10     0     0 --:--:-- --:--:-- --:--:--     0
[0s]
[*] List Content Error Detected - Stopping Banmalware

 

[commodoro]

[i] Downloading filter.list         | [0s]
[i] Refreshing Whitelists           | [4s]
[i] Consolidating Blacklist         | Warning: Illegal date format for -z, --time-cond (and not a file name).
Warning: Disabling time condition. See curl_getdate(3) for valid date syntax.
Warning: Illegal date format for -z, --time-cond (and not a file name).
Warning: Disabling time condition. See curl_getdate(3) for valid date syntax.
Warning: Illegal date format for -z, --time-cond (and not a file name).
Warning: Disabling time condition. See curl_getdate(3) for valid date syntax.
Warning: Illegal date format for -z, --time-cond (and not a file name).
Warning: Disabling time condition. See curl_getdate(3) for valid date syntax.
Warning: Illegal date format for -z, --time-cond (and not a file name).
Warning: Disabling time condition. See curl_getdate(3) for valid date syntax.
Warning: Illegal date format for -z, --time-cond (and not a file name).
Warning: Disabling time condition. See curl_getdate(3) for valid date syntax.
Warning: Illegal date format for -z, --time-cond (and not a file name).
Warning: Disabling time condition. See curl_getdate(3) for valid date syntax.
Warning: Illegal date format for -z, --time-cond (and not a file name).
Warning: Disabling time condition. See curl_getdate(3) for valid date syntax.
Warning: Illegal date format for -z, --time-cond (and not a file name).
Warning: Disabling time condition. See curl_getdate(3) for valid date syntax.
Warning: Illegal date format for -z, --time-cond (and not a file name).
Warning: Disabling time condition. See curl_getdate(3) for valid date syntax.
DL% UL%  Dled  Uled  Xfers  Live   Qd Total     Current  Left    Speed
--  --      0     0    10    10     0 --:--:-- --:--:-- --:--:--     0      curl: (6) Could not resolve host: iplists.firehol.org
curl: (6) Could not resolve host: iplists.firehol.org
curl: (6) Could not resolve host: iplists.firehol.org
curl: (6) Could not resolve host: iplists.firehol.org
curl: (6) Could not resolve host: iplists.firehol.org
curl: (6) Could not resolve host: iplists.firehol.org
curl: (6) Could not resolve host: iplists.firehol.org
curl: (6) Could not resolve host: iplists.firehol.org
curl: (6) Could not resolve host: iplists.firehol.org
curl: (6) Could not resolve host: iplists.firehol.org
--  --      0     0    10     0     0 --:--:-- --:--:-- --:--:--     0
[0s]
[*] List Content Error Detected - Stopping Banmalware

The WAN DNS doesn't resolve the IP, I have this configuration that work,

 

[archiel]

The WAN DNS doesn't resolve the IP, I have this configuration that work,

View attachment 48465

View attachment 48466

Adding the WAN DNS servers fixed it. I would have assumed that the DoT DNS servers would have been able to resolve, but apparently not. Many thanks

 

[Sonyrolfy]

Adding the WAN DNS servers fixed it for me tooooo

 

[SomeWhereOverTheRainBow]

Adding the WAN DNS servers fixed it. I would have assumed that the DoT DNS servers would have been able to resolve, but apparently not. Many thanks

Adding the WAN DNS servers fixed it for me tooooo

This is why @RMerlin always says, "You need Wan DNS servers." Seriously though, You must have something in the WAN DNS1, and WAN DNS2; otherwise, the router will not be able to resolve anything on its own including any of the curl commands needed to update user scripts such as AMTM, Skynet, etc. Coincidental, it may even fail to resolve the necessary NTP server IP addresses from the NTP server addresses used for NTP services causing the routers built in clock to fail to sync. This would also cause DoT to fail.

 

[Sonyrolfy]

This is why @RMerlin always says, "You need Wan DNS servers." Seriously though, You must have something in the WAN DNS1, and WAN DNS2; otherwise, the router will not be able to resolve anything on its own including any of the curl commands needed to update user scripts such as AMTM, Skynet, etc. Coincidental, it may even fail to resolve the necessary NTP server IP addresses from the NTP server addresses used for NTP services causing the routers built in clock to fail to sync. This would also cause DoT to fail.

View attachment 54465

I never had any problems, a least not that i know off. Everything was working fine, Skynet, diversion and NTP did work. But... Lesson learned