Skynet - Router Firewall & Security Enhancements

Try enabling it via the install command, that way it will be persistent beyond restart_firewall events (you can remove this at any time using the same command).

Do you handle the case where someone disables it and it stays disabled after a reboot until it is enabled by hand?
 
After ten minutes I disabled it.. and no ipset.txt was created.

ipset.txt is created at the end of every hour during the save cronjob. It can also be manually generated by using;

Code:
sh /jffs/scripts/firewall save


Do you handle the case where someone disables it and it stays disabled after a reboot until it is enabled by hand?
In this event it's probably better for users to just change the boot args using the install function and turn it on/off when they need. I actually just removed the debug enable command in the latest update. I'll keep the disable command though, but it will not survive a firewall restart.
 
Just found out that if you install the script in debugging mode, disable and start it, the debugging is disabled and can't be enabled again, you have to call the install script to fix it :)
 
One step ahead of you, in such an event you can run the command now present in v4.2.6

Code:
sh /jffs/scripts/firewall debug restart

I try to dedicate time to purposely breaking new features after I add them and add appropriate fail-safes :p
 
Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

Don't worry, tracking down false positive bans was at the core of design. Generally speaking you can follow these steps to find (and unban) anything incorrectly on your Blacklist!

1.) Enable Debug Mode via the installer
Code:
sh /jffs/scripts/firewall install

2.) Open the blocked application/website and use the command;

Code:
sh /jffs/scripts/firewall debug watch

Now look for a flood of [BLOCKED - RAW] coming from the same IP. This most likely will be the IP you are looking for if it's being spammed in large numbers.

3.) Copy the IP following "SRC="; it should look something like this:
Code:
SRC=175.115.37.52

4.) Double check the IP is not actually something that should be banned, use a search tool like alienvault.

Code:
https://otx.alienvault.com/indicator/ip/175.115.37.52/

5.) Great, we have confirmed we found the IP of the blocked website/application we are looking for, let's whitelist it!

Code:
sh /jffs/scripts/firewall whitelist 175.115.37.52
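
The counting done by eye in steps 2 and 3 can also be scripted. This is an added example, not part of the original post or of Skynet: it ranks the `SRC=` addresses found in `[BLOCKED - RAW]` lines. The function names and the sample log lines are assumptions; only the tag and the `SRC=` field come from the thread.

```shell
#!/bin/sh
# Added example: rank the source IPs seen in [BLOCKED - RAW] log lines.
# Only the "[BLOCKED - RAW]" tag and the "SRC=" field come from the thread;
# the sample lines below are constructed in the usual iptables LOG layout.

sample_log() {
cat <<'EOF'
May 19 10:01:02 kernel: [BLOCKED - RAW] IN=ppp0 OUT= SRC=175.115.37.52 DST=192.0.2.10 PROTO=TCP SPT=443 DPT=51514
May 19 10:01:02 kernel: [BLOCKED - RAW] IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=23
May 19 10:01:03 kernel: [BLOCKED - RAW] IN=ppp0 OUT= SRC=175.115.37.52 DST=192.0.2.10 PROTO=TCP SPT=443 DPT=51514
May 19 10:01:03 dnsmasq-dhcp[312]: DHCPACK(br0) 192.168.1.20 aa:bb:cc:dd:ee:ff laptop
May 19 10:01:04 kernel: [BLOCKED - RAW] IN=ppp0 OUT= SRC=175.115.37.52 DST=192.0.2.10 PROTO=TCP SPT=443 DPT=51516
May 19 10:01:05 kernel: [BLOCKED - RAW] IN=ppp0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=5060 DPT=5060
May 19 10:01:05 kernel: [BLOCKED - RAW] IN=ppp0 OUT= SRC=175.115.37.52 DST=192.0.2.10 PROTO=TCP SPT=443 DPT=51516
EOF
}

# Read log lines on stdin; print "count ip", busiest source first.
top_blocked_sources() {
    awk '
        /\[BLOCKED - RAW\]/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) hits[substr($i, 5)]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Print the busiest source only if it was blocked at least $1 times
# (default 3), i.e. the "flood from the same IP" of step 2.
whitelist_candidate() {
    threshold=${1:-3}
    top_blocked_sources |
        awk -v t="$threshold" 'NR == 1 && $1 >= t { print $2 }'
}

sample_log | top_blocked_sources
echo "candidate: $(sample_log | whitelist_candidate)"
```

The address it prints is only a candidate: the reputation check in step 4 still comes before the whitelist command in step 5.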
 
An additional question: How can I completely whitelist a whole domain? I am using a network measuring device from samknows, and now it's completely blocked :)

Example address: n1-budapest-hu.samknows.com

sh firewall unban domain samknows.com ?
 
sh /jffs/scripts/firewall whitelist domain URL
 
What output did the command I posted give? Should be a single number.
Code:
ASUSWRT-Merlin RT-AC3200 380.66-2 Wed May 17 03:01:13 UTC 2017
admin@RT-AC3200-7180:/tmp/home/root# ipset -L BlockedRanges | wc -l
7
admin@RT-AC3200-7180:/tmp/home/root#

my log from yesterday evening to today 14:00....should be
18766 Ranges banned but isn't?

Code:
May 18 22:00:07 Skynet: [Complete] 142847 IPs / 0 Ranges banned. 2 New IPs / 0 New Ranges Banned. 48 IP / 0 Range Connections Blocked! [7s]
May 18 23:00:06 disk_monitor: Got SIGALRM...
May 18 23:00:07 Skynet: [Complete] 142847 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned. 74 IP / 0 Range Connections Blocked! [7s]
May 19 00:00:07 Skynet: [Complete] 142847 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned. 94 IP / 0 Range Connections Blocked! [7s]
May 19 01:00:07 Skynet: [Complete] 142847 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned. 114 IP / 0 Range Connections Blocked! [7s]
May 19 01:25:02 Skynet: [New Version Detected - Updating To v4.2.6]... ... ...
May 19 01:25:02 Skynet: [Skynet Sucessfully Updated - Restarting Firewall]
May 19 01:25:02 rc_service: service 6471:notify_rc restart_firewall
May 19 01:25:02 start_nat_rules: apply the nat_rules(/tmp/nat_rules_ppp0_eth0)!
May 19 01:25:03 custom script: Running /jffs/scripts/firewall-start (args: ppp0)
May 19 01:25:04 Skynet: [IP Banning Started] ... ... ...
May 19 01:25:06 Skynet: [Complete] 142847 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned. 0 IP / 0 Range Connections Blocked! [3s]
May 19 02:00:07 Skynet: [Complete] 142847 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned. 14 IP / 0 Range Connections Blocked! [7s]
May 19 03:00:07 Skynet: [Complete] 142848 IPs / 0 Ranges banned. 1 New IPs / 0 New Ranges Banned. 52 IP / 0 Range Connections Blocked! [7s]
May 19 04:00:08 Skynet: [Complete] 142848 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned. 87 IP / 0 Range Connections Blocked! [7s]
May 19 05:00:08 Skynet: [Complete] 142848 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned. 102 IP / 0 Range Connections Blocked! [8s]
May 19 06:00:07 Skynet: [Complete] 142849 IPs / 0 Ranges banned. 1 New IPs / 0 New Ranges Banned. 120 IP / 0 Range Connections Blocked! [7s]
May 19 07:00:08 Skynet: [Complete] 142849 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned. 139 IP / 0 Range Connections Blocked! [7s]
May 19 08:00:07 Skynet: [Complete] 142850 IPs / 0 Ranges banned. 1 New IPs / 0 New Ranges Banned. 157 IP / 0 Range Connections Blocked! [7s]
May 19 09:00:08 Skynet: [Complete] 142851 IPs / 0 Ranges banned. 1 New IPs / 0 New Ranges Banned. 181 IP / 0 Range Connections Blocked! [8s]
May 19 10:00:08 Skynet: [Complete] 142851 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned. 203 IP / 0 Range Connections Blocked! [7s]
May 19 11:00:08 Skynet: [Complete] 142851 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned. 224 IP / 0 Range Connections Blocked! [7s]
May 19 12:00:07 Skynet: [Complete] 142852 IPs / 0 Ranges banned. 1 New IPs / 0 New Ranges Banned. 252 IP / 0 Range Connections Blocked! [7s]
May 19 13:00:07 Skynet: [Complete] 142852 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned. 275 IP / 0 Range Connections Blocked! [7s]
May 19 14:00:07 Skynet: [Complete] 142853 IPs / 0 Ranges banned. 1 New IPs / 0 New Ranges Banned. 297 IP / 0 Range Connections Blocked! [7s]
 
my log from yesterday evening to today 14:00....should be
18766 Ranges banned but isn't?

I apologise, for whatever reason your BlockedRanges list seems to have been cleared, I haven't been able to find a possible situation in the code where this could happen nor able to reproduce it. I'm afraid the only way to get these back will be to run (banmalware/ ban country) again as you did previously. I will definitely keep investigating though
 
hmm, i uninstall script and fresh installed....i run banmalware, ban country and then firewall save....everything's fine until next hourly refresh cycle.....then all banned IP ranges gone....
 
Very strange, I'm trying to reproduce this but am having issues doing so. During my test I did various combinations of running first "banmalware" then "ban country" followed by saving the file and never was my list cleared nor is there any code that could do so in these functions. Can you give me the exact order of commands you're doing then an indication of when the list disappears.

After each command in the logging print it should also tell you exactly how many ranges are currently banned and how many were deleted this hour which will give us a further indication of when the range list is being cleared.
 
here is my install log....
https://pastebin.com/gRFZAnyP

here is syslog which is fine at the moment.....
Code:
May 20 18:13:59 Skynet: [Complete] 140080 IPs / 16060 Ranges banned. 0 New IPs / 0 New Ranges Banned. 0 IP / 0 Range Connections Blocked! [7s]

EDIT: at 20:00 banned IP ranges are gone.....
Code:
May 20 20:00:07 Skynet: [Complete] 140080 IPs / 0 Ranges banned. 0 New IPs / -16060 New Ranges Banned. 24 IP / 0 Range Connections Blocked! [7s]
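
The hourly `[Complete]` summaries quoted in this thread can be checked mechanically for this kind of loss. This is an added example, not part of the original posts or of Skynet: it reports every summary whose range total is lower than the previous one, which is more general than the drop to 0 seen here. The function names are assumptions.

```shell
#!/bin/sh
# Added example: report hourly Skynet summaries whose banned-range count
# is lower than in the previous summary.

# The two Skynet lines are quoted from the thread; the disk_monitor line
# is adapted from the thread and stands in for unrelated syslog noise.
sample_syslog() {
cat <<'EOF'
May 20 18:13:59 Skynet: [Complete] 140080 IPs / 16060 Ranges banned. 0 New IPs / 0 New Ranges Banned. 0 IP / 0 Range Connections Blocked! [7s]
May 20 19:00:06 disk_monitor: Got SIGALRM...
May 20 20:00:07 Skynet: [Complete] 140080 IPs / 0 Ranges banned. 0 New IPs / -16060 New Ranges Banned. 24 IP / 0 Range Connections Blocked! [7s]
EOF
}

# Read syslog on stdin; print "<timestamp> ranges <before> -> <after>"
# for every summary where the range total went down.
range_drops() {
    awk '
        / Skynet: \[Complete\] / {
            ranges = -1
            # The total is the number before "Ranges banned." (lower-case b);
            # "New Ranges Banned." is the hourly delta and is skipped.
            for (i = 2; i < NF; i++)
                if ($i == "Ranges" && $(i + 1) == "banned.") ranges = $(i - 1) + 0
            if (ranges < 0) next
            if (seen && ranges < prev)
                printf "%s %s %s ranges %d -> %d\n", $1, $2, $3, prev, ranges
            prev = ranges; seen = 1
        }
    '
}

sample_syslog | range_drops
```

A smaller total right after a `ban country` run is expected, since that command removes the old bans of its category before adding the new ones; a drop at an hourly save with no command run is the case reported here.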
 

Okay thanks, I have uninstalled the script completely and run the exact commands you did. I'll keep an eye over it the next few hours and see if the same thing happens to me.

Also another question, do you have other scripts installed from this forum? There is always the possibility another script is interfering with a list it shouldn't be
 
I'm running Skynet 4.0.4 and just started and enabled debug.. when I run stats I notice my cable-modem's WAN ip in the "Last 10 Connections Blocked;", "Last Autobans", and in the "Top 10 Attackers"

3x https://otx.alienvault.com/indicator/ip/xxx.xxx.xxx.xxx

So while going over the code, I found the reason your WAN IP was showing in stats. There was a bug I patched yesterday that incorrectly was showing a user's WAN IP from an ICMP packet as an attack source. Although it was never actually being banned, the way I was grabbing data from the logs didn't account for this and was throwing it into the mix. As of v4.2.8 this has now been fixed.

I've also sped up various functions today, the major one being banmalware which the execution time has been halved. Like always if there are any suggestions, feel free to post.
 
Okay thanks, I have uninstalled the script completely and run the exact commands you did. I'll keep an eye over it the next few hours and see if the same thing happens to me.

Also another question, do you have other scripts installed from this forum? There is always the possibility another script is interfering with a list it shouldn't be
I have just ab-solution with pixel-serv installed....nothing else....

 
Very strange, I also use ab-solution so there are definitely no conflicts there. Just to make sure, please run the following commands (which I've also just run right now) and we can both see if this problem reoccurs.

Code:
sh /jffs/scripts/firewall uninstall
wget -O /jffs/scripts/firewall https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/firewall.sh
chmod +x /jffs/scripts/firewall
sh /jffs/scripts/firewall install
sh /jffs/scripts/firewall banmalware
sh /jffs/scripts/firewall ban country "cn ua mk"
sh /jffs/scripts/firewall save

This will remove all traces of the script, and then perform the actions you were previously doing. That should leave you with around 125253 IPs / 16105 Ranges banned. I've once again done just that and will monitor the BlockedRanges set. Beyond that I'm still a little confused as to why only the BlockedRanges set is being wiped as there's literally no code which does this, but will keep looking into it. Let me know if the issue reoccurs.
 
installed again like you said....i see double starting? or is just first time? what about if i add another ban country? i think the script replace all older entries and add entries just for last ban country? would be better if just add new entries and not replace all?
Code:
May 21 11:08:22 Skynet: [Complete] 123908 IPs / 16080 Ranges banned. 0 New IPs / 0 New Ranges Banned. 0 0 IP / 0 Range Connections Blocked! [11s]
May 21 11:08:22 Skynet: [Complete] 123908 IPs / 16080 Ranges banned. 0 New IPs / 0 New Ranges Banned. 0 0 IP / 0 Range Connections Blocked! [56970470s]
i am sure that banned IP ranges will be gone at 12:00......

EDIT: at 12:00 and 13:00 is still ok....probably will now be ok....
Code:
May 21 12:00:07 Skynet: [Complete] 123957 IPs / 16080 Ranges banned. 49 New IPs / 0 New Ranges Banned. 16 0 IP / 20 Range Connections Blocked! [7s]
May 21 13:00:07 Skynet: [Complete] 123958 IPs / 16080 Ranges banned. 1 New IPs / 0 New Ranges Banned. 31 0 IP / 35 Range Connections Blocked! [7s]
 
what about if i add another ban country

Every time you use the ban country command you have to write the full list of countries you want banned. The script before adding new bans removes all the old bans of that category.

i am sure that banned IP ranges will be gone at 12:00......

We will see, but there should be no reason for it to, I've been running the same setup all day without issues.
 
Feature suggestion:

As your script runs every hour and removes all entries from the syslog which are related to new banned ips, can you perhaps add an additional listing with the hourly based status message that shows the new banned ips + the dns of them? Would be very cool :)

PS: And perhaps you should change the date here too :D ;)

-## - 19/05/2017 - Asus Firewall Addition By Adamm v4.3.0 #
+## - 19/05/2017 - Asus Firewall Addition By Adamm v4.3.1 #
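Review bot: the changed header line moves the version from v4.3.0 to v4.3.1 but keeps the date 19/05/2017, so the header alone cannot tell the two builds apart by release date. Update the date in the same edit as the version bump, so the header matches the release the version string names.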

PS: Okay, just found the last 10 autobans @ the stats. But it would be clearer if you see what was blocked every hour with the corresponding dns if available :D
 
Also separating UDP and TCP bans would help!
 
