Skynet banning ip doesnt work

[LaMpiR]

Hi good people.

I am using the latest Skynet with AX88U and I wanted to ban tiktok.com. Opened skynet, option 2, then 3 and entered tiktok.com.

Adding tiktok.com To Blacklist
Banning 18.66.15.50
ipset v7.6: Element cannot be added to the set: it's already added
Banning 18.66.15.65
ipset v7.6: Element cannot be added to the set: it's already added
Banning 18.66.15.27
ipset v7.6: Element cannot be added to the set: it's already added
Banning 18.66.15.77
ipset v7.6: Element cannot be added to the set: it's already added

But after that, when I pink tiktok.com, everything is working and the website is working. Did I do something wrong? Would appreciate any help.

 

[dave14305]

Is the IP returned from ping the same as one of the IPs you tried to block? I see different IPs for TikTok.com versus www.TikTok.com. Better to try to block the domain in Diversion or Pi-Hole.

 

[Adamm]

Hi good people.

I am using the latest Skynet with AX88U and I wanted to ban tiktok.com. Opened skynet, option 2, then 3 and entered tiktok.com.



But after that, when I pink tiktok.com, everything is working and the website is working. Did I do something wrong? Would appreciate any help.

Use the command to see where the IP is listed;

firewall stats search ip 1.1.1.1

You will find it is probably part of a cdn whitelist

 

[johndoe85]

Hi good people.

I am using the latest Skynet with AX88U and I wanted to ban tiktok.com. Opened skynet, option 2, then 3 and entered tiktok.com.



But after that, when I pink tiktok.com, everything is working and the website is working. Did I do something wrong? Would appreciate any help.

The firewall is for inbound only?
Use Adguard Home to ban/block outgoing traffic to Tiktok and the other services.
You find the settings in adguard home under Filter - > blocked services

 

[SomeWhereOverTheRainBow]

Hi good people.

I am using the latest Skynet with AX88U and I wanted to ban tiktok.com. Opened skynet, option 2, then 3 and entered tiktok.com.



But after that, when I pink tiktok.com, everything is working and the website is working. Did I do something wrong? Would appreciate any help.

What is the size of your block list? Please share your skynet stats.

 

[SomeWhereOverTheRainBow]

Use the command to see where the IP is listed;

firewall stats search ip 1.1.1.1

You will find it is probably part of a cdn whitelist

This is most likely the scenario. The CDN whitelist actually uses netblock style ip listings that cover a wide range of ip addresses. If the tiktok IP overlaps in one of the netblocks covered by CDN whitelist, then that explains the blocking issue.

Another problem might be related to the user having already reached the maximum element size in single IP additions that skynet (and ipset) supports.

This is why I requested the user share his current skynet stats including blocklist and range blocklist sizes.

 

[Viktor Jaep]

With services like facebook and tiktok that are so incredibly massive, it gets very difficult to block something like this until you've plugged ALL the holes from which they can spring through to provide their service. Blocking the domain tiktok.com is only one piece of the puzzle.

This would actually be a pretty cool possible feature request, @Adamm, @thelonelycoder or @SomeWhereOverTheRainBow?... If there's a programmatic way of keeping tabs of all the domains/IPs that these major apps use (since I'm sure this stuff changes all the time), or perhaps there's a service out there that already captures this info that you might be able to use, it would be pretty cool if you could select which major app to block directly within Skynet or Diversion... which then proceeds to download the necessary domains/IPs that a service like this might possibly use. Having a selection of major apps to pick from, like facebook, tiktok, twitter, etc. For instance, according to this, to block tiktok completely:

• v16a.tiktokcdn.com
  ib.tiktokv.com
  v16m.tiktokcdn.com
  api.tiktokv.com
  log.tiktokv.com
  api2-16-h2.musical.ly
  mon.musical.ly
  p16-tiktokcdn-com.akamaized.net
  api-h2.tiktokv.com
  v19.tiktokcdn.com
  api2.musical.ly
  log2.musical.ly
  api2-21-h2.musical.ly
  
  And IP addresses:
  161.117.70.145
  161.117.71.36
  161.117.71.33
  161.117.70.136
  161.117.71.74
  205.251.194.210
  205.251.193.184
  205.251.198.38
  205.251.197.195
  
  And networks:
  185.127.16.0/24
  182.176.156.0/24
  216.58.207.0/24
  47.89.136.0/24
  47.252.50.0/24
  
  Thoughts?

While this might be out-of-date, this is an example of application-specific blocklists... https://blocklist.site/

GitHub - blocklistproject/Lists: Primary Block Lists

Primary Block Lists. Contribute to blocklistproject/Lists development by creating an account on GitHub.

github.com

 

[LaMpiR]

Is the IP returned from ping the same as one of the IPs you tried to block? I see different IPs for TikTok.com versus www.TikTok.com. Better to try to block the domain in Diversion or Pi-Hole.

Hi. Thank you for the reply. Yes, same IP.

Use the command to see where the IP is listed;

firewall stats search ip 1.1.1.1

You will find it is probably part of a cdn whitelist

Thank you. That is true. It is in the whitelist:

Warning: 18.66.15.65 is in set Skynet-Whitelist.
Warning: 18.66.15.65 is in set Skynet-Blacklist.
18.66.15.65 is NOT in set Skynet-BlockedRanges.

 

[LaMpiR]

This is most likely the scenario. The CDN whitelist actually uses netblock style ip listings that cover a wide range of ip addresses. If the tiktok IP overlaps in one of the netblocks covered by CDN whitelist, then that explains the blocking issue.

Another problem might be related to the user having already reached the maximum element size in single IP additions that skynet (and ipset) supports.

This is why I requested the user share his current skynet stats including blocklist and range blocklist sizes.

Would appreciate any help on how do I copy all the data?

38384 IPs (+0) -- 2081 Ranges Banned (+0) || 6705 Inbound -- 0 Outbound Connections Blocked!

So I can block the url through the gui, firewall -> url filter and not through Skynet?

 

[thelonelycoder]

With services like facebook and tiktok that are so incredibly massive, it gets very difficult to block something like this until you've plugged ALL the holes from which they can spring through to provide their service. Blocking the domain tiktok.com is only one piece of the puzzle.

This would actually be a pretty cool possible feature request, @Adamm, @thelonelycoder or @SomeWhereOverTheRainBow?... If there's a programmatic way of keeping tabs of all the domains/IPs that these major apps use (since I'm sure this stuff changes all the time), or perhaps there's a service out there that already captures this info that you might be able to use, it would be pretty cool if you could select which major app to block directly within Skynet or Diversion... which then proceeds to download the necessary domains/IPs that a service like this might possibly use. Having a selection of major apps to pick from, like facebook, tiktok, twitter, etc. For instance, according to this, to block tiktok completely:

• v16a.tiktokcdn.com
  ib.tiktokv.com
  v16m.tiktokcdn.com
  api.tiktokv.com
  log.tiktokv.com
  api2-16-h2.musical.ly
  mon.musical.ly
  p16-tiktokcdn-com.akamaized.net
  api-h2.tiktokv.com
  v19.tiktokcdn.com
  api2.musical.ly
  log2.musical.ly
  api2-21-h2.musical.ly
  
  And IP addresses:
  161.117.70.145
  161.117.71.36
  161.117.71.33
  161.117.70.136
  161.117.71.74
  205.251.194.210
  205.251.193.184
  205.251.198.38
  205.251.197.195
  
  And networks:
  185.127.16.0/24
  182.176.156.0/24
  216.58.207.0/24
  47.89.136.0/24
  47.252.50.0/24
  
  Thoughts?

While this might be out-of-date, this is an example of application-specific blocklists... https://blocklist.site/

GitHub - blocklistproject/Lists: Primary Block Lists

Primary Block Lists. Contribute to blocklistproject/Lists development by creating an account on GitHub.

github.com

Looks suspiciously like a feature for Diversion. I am working on replacing pixelserv-tls and also abandon hosts and domain lists in general. The way to go is using dnsmasq specific block entries. My brief testing shows this is the way to go. I only wish Dnsmasq would understand wildcards, that would simplify block lists even more.

 

[johndoe85]

Looks suspiciously like a feature for Diversion. I am working on replacing pixelserv-tls and also abandon hosts and domain lists in general. The way to go is using dnsmasq specific block entries. My brief testing shows this is the way to go. I only wish Dnsmasq would understand wildcards, that would simplify block lists even more.

Contact them and ask if they can implement that feature

 

[SomeWhereOverTheRainBow]

With services like facebook and tiktok that are so incredibly massive, it gets very difficult to block something like this until you've plugged ALL the holes from which they can spring through to provide their service. Blocking the domain tiktok.com is only one piece of the puzzle.

This would actually be a pretty cool possible feature request, @Adamm, @thelonelycoder or @SomeWhereOverTheRainBow?... If there's a programmatic way of keeping tabs of all the domains/IPs that these major apps use (since I'm sure this stuff changes all the time), or perhaps there's a service out there that already captures this info that you might be able to use, it would be pretty cool if you could select which major app to block directly within Skynet or Diversion... which then proceeds to download the necessary domains/IPs that a service like this might possibly use. Having a selection of major apps to pick from, like facebook, tiktok, twitter, etc. For instance, according to this, to block tiktok completely:

• v16a.tiktokcdn.com
  ib.tiktokv.com
  v16m.tiktokcdn.com
  api.tiktokv.com
  log.tiktokv.com
  api2-16-h2.musical.ly
  mon.musical.ly
  p16-tiktokcdn-com.akamaized.net
  api-h2.tiktokv.com
  v19.tiktokcdn.com
  api2.musical.ly
  log2.musical.ly
  api2-21-h2.musical.ly
  
  And IP addresses:
  161.117.70.145
  161.117.71.36
  161.117.71.33
  161.117.70.136
  161.117.71.74
  205.251.194.210
  205.251.193.184
  205.251.198.38
  205.251.197.195
  
  And networks:
  185.127.16.0/24
  182.176.156.0/24
  216.58.207.0/24
  47.89.136.0/24
  47.252.50.0/24
  
  Thoughts?

While this might be out-of-date, this is an example of application-specific blocklists... https://blocklist.site/

GitHub - blocklistproject/Lists: Primary Block Lists

Primary Block Lists. Contribute to blocklistproject/Lists development by creating an account on GitHub.

github.com

What I would like to do with skynet is to add an aggregation feature so when users stumble upon adding a domain that is already covered by a netblock in use the addresses can be aggregated to keep the lists smaller instead of the overly inflated 500,000 single IP list.

If this can also be done with filter lists it might be advantageous because ip addresses already covered by an aggregated country or ASN can be removed from the main single IP list to reduce the complexity of having a giant size single IP list.

Entware has a package called aggregate similarly there is a python package called aggregate6, but both would mean skynet would have an Entware dependency, which is not something I am looking to do. Especially since skynet has gone this long without relying on entware dependencies. There may be away to use AWK to do the aggregation, but I am still researching this.

To clarify by what I mean to aggregate, let us say I am blocking 100.2.3.4/32, but I already block the netblock 100.2.3.0/24. At this point, there is no longer a need for me to block 100.2.3.4/32 since it is covered in the /24 netblock already. This creates an extra not needed block entry. Now fast forward to country blocking, lets assume @Viktor Jaep blocks RU through country block, but then uses a blocklist that has over 5000 block entries from RU. This is a very wasteful blocklist since it is taking up 5000 of his spaces he could have used for a different 5000 single IP entries.

I already started aggregating my own list

GeneratedAdblock/myfilter.list at master · jumpsmm7/GeneratedAdblock

Contribute to jumpsmm7/GeneratedAdblock development by creating an account on GitHub.

github.com

and my allow list.

https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/allowv4.feed

And I have started a pattern of finding bugs in skynet and submitting pull request to @Adamm

Update firewall.sh by jumpsmm7 · Pull Request #118 · Adamm00/IPSet_ASUS

*Optimize Skynet use of subnet markings via utilization of regexp logic. (e.g. ensure /32 ranges should not wind up in Skynet-BlockedRanges, when single IP's are optimally used in Skynet-Blacklist ...

github.com

Here are my current specs using the patched version I submitted to @Adamm in a pull request using my aggregated blocklist.

 

[SomeWhereOverTheRainBow]

What I would like to do with skynet is to add an aggregation feature so when users stumble upon adding a domain that is already covered by a netblock in use the addresses can be aggregated to keep the lists smaller instead of the overly inflated 500,000 single IP list.

If this can also be done with filter lists it might be advantageous because ip addresses already covered by an aggregated country or ASN can be removed from the main single IP list to reduce the complexity of having a giant size single IP list.

Entware has a package called aggregate similarly there is a python package called aggregate6, but both would mean skynet would have an Entware dependency, which is not something I am looking to do. Especially since skynet has gone this long without relying on entware dependencies. There may be away to use AWK to do the aggregation, but I am still researching this.

To clarify by what I mean to aggregate, let us say I am blocking 100.2.3.4/32, but I already block the netblock 100.2.3.0/24. At this point, there is no longer a need for me to block 100.2.3.4/32 since it is covered in the /24 netblock already. This creates an extra not needed block entry. Now fast forward to country blocking, lets assume @Viktor Jaep blocks RU through country block, but then uses a blocklist that has over 5000 block entries from RU. This is a very wasteful blocklist since it is taking up 5000 of his spaces he could have used for a different 5000 single IP entries.

I already started aggregating my own list

GeneratedAdblock/myfilter.list at master · jumpsmm7/GeneratedAdblock

Contribute to jumpsmm7/GeneratedAdblock development by creating an account on GitHub.

github.com

and my allow list.

https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/allowv4.feed

And I have started a pattern of finding bugs in skynet and submitting pull request to @Adamm

Update firewall.sh by jumpsmm7 · Pull Request #118 · Adamm00/IPSet_ASUS

*Optimize Skynet use of subnet markings via utilization of regexp logic. (e.g. ensure /32 ranges should not wind up in Skynet-BlockedRanges, when single IP's are optimally used in Skynet-Blacklist ...

github.com

Here are my current specs using the patched version I submitted to @Adamm in a pull request using my aggregated blocklist.

View attachment 49824

@Viktor Jaep

This is after aggregating with all the ASN and Countries I block.

See how the list of single IP shrunk, and the overall list of ranges increased.

 

[Viktor Jaep]

@Viktor Jaep

This is after aggregating with all the ASN and Countries I block.

View attachment 49836

See how the list of single IP shrunk, and the overall list of ranges increased.

Nice! I think it would be a nice stat to see the total number of IPs affected as well, and probably could mathematically be determined? So you'd have:

97093 IPs (individual IPs listed on your blacklists)
94145 Ranges (ranges listed on your blacklist)
45,332,336 Total IPs affectively banned (by determining number of IPs + IPs within ranges affected)