Skynet Is default firewall good enough?


So later I will put your theory to the test and process each list together for duplicates. I will generate my own ip list doing the wc before and after.

The following table is copied directly from: https://github.com/firehol/blocklist-ipsets

A firewall blacklist composed from IP lists, providing maximum protection with minimum false positives. Suitable for basic protection on all internet facing servers, routers and firewalls. (includes: bambenek_c2 dshield feodo fullbogons spamhaus_drop spamhaus_edrop sslbl ransomware_rw)
ipv4 hash:net
2094 subnets, 613957376 unique IPs
updated every 1 min

An ipset made from blocklists that track attacks, during about the last 48 hours. (includes: blocklist_de dshield_1d greensnow)
ipv4 hash:net
15225 subnets, 28990 unique IPs
updated every 1 min

An ipset made from blocklists that track attacks, spyware, viruses. It includes IPs that have been reported or detected in the last 30 days. (includes: bruteforceblocker ciarmy dshield_30d dshield_top_1000 malc0de maxmind_proxy_fraud myip shunlist snort_ipfilter sslbl_aggressive talosintel_ipfilter vxvault)
ipv4 hash:net
17878 subnets, 30610 unique IPs
updated every 1 min
 
Yea I am not in a disagreement. My curiosity is whether the firehol list is kept up-to-date with all the latest entries from each list they include, or is it lagging behind. Also, I am curious to see if firehol removes things they consider to be "false positives" when generating their list.
 
I'm also pretty certain that if Skynet encounters any dupes, it will handle them appropriately.
 
If I remember correctly the script uses some simple awk magic to purge duplicates as well. I simply include those lists in my setup in case they get updated before firehol. At least entries would be more up to date. There is also no telling if firehol removes anything from the list that they deem to be false positives.
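
The comparison discussed in the posts above, as an added example that is not part of the thread and is not Skynet's or FireHOL's code: it counts entries before and after merging, and lists the entries of each source list that the aggregate does not already cover, matching on CIDR containment rather than on text equality. The list names and contents are constructed sample data in documentation address ranges.

```python
import ipaddress

# Constructed sample data (documentation ranges, not real blocklist entries).
AGGREGATE = ["198.51.100.0/24", "203.0.113.7", "192.0.2.128/25"]
SOURCE_LISTS = {
    "list_a": ["198.51.100.23", "203.0.113.7", "203.0.113.9"],
    "list_b": ["192.0.2.200", "192.0.2.10", "198.51.100.23", "# comment", ""],
}

def parse(lines):
    """Parse IPs/CIDRs into a set of networks, skipping blanks and comments."""
    nets = set()
    for line in lines:
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.add(ipaddress.ip_network(entry, strict=False))
    return nets

def merged_counts(aggregate, sources):
    """Entry counts before and after merging (the 'wc before and after' check)."""
    parsed = [parse(aggregate)] + [parse(s) for s in sources.values()]
    before = sum(len(p) for p in parsed)
    # collapse_addresses drops exact duplicates and entries inside a wider subnet.
    collapsed = list(ipaddress.collapse_addresses(set().union(*parsed)))
    return before, len(collapsed)

def not_covered(aggregate, source):
    """Entries of one source list that no aggregate network contains."""
    agg = list(ipaddress.collapse_addresses(parse(aggregate)))
    missing = (n for n in parse(source)
               if not any(n.subnet_of(a) for a in agg))
    return sorted(missing, key=lambda n: int(n.network_address))

if __name__ == "__main__":
    before, after = merged_counts(AGGREGATE, SOURCE_LISTS)
    print(f"entries before merge: {before}, after merge: {after}")
    for name, lines in SOURCE_LISTS.items():
        extra = [str(n) for n in not_covered(AGGREGATE, lines)]
        print(f"{name}: not covered by aggregate -> {extra}")
```

An empty result for a source list means the aggregate already covers it at that moment; a non-empty one is either a newer entry the aggregate has not picked up yet or one it left out.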
 
Will do when I'm home, remind me if I forget in a pm. Was a false positive I got ages ago.
@Kingp1n

Probably an anti climax, but this one.

37.244.54.10 comment "ManualWlist: roblox"

Here are my others, these have all had false positives in the past. With the exception of the dns servers which are precautionary.

Whitelist
9.9.9.9 comment "ManualWlist: quad 9 dns"
1.1.1.1 comment "ManualWlist: cloudflare dns"
8.8.4.4 comment "ManualWlist: google dns"
37.244.54.10 comment "ManualWlist: roblox"
23.227.38.74 comment "ManualWlist: govee lights (shopify)"
128.116.119.3 comment "ManualWlist: battlenet2"
37.244.28.102 comment "ManualWlist: battlenet1"
91.199.81.1/24 comment "ManualWlist: phasmophobia full range"
http://mirror.ossplanet.net (rpi/linux update)
https://www.animal.co.uk/ (clothing website)
 
hi, can't post to skynet thread, it's older than 6 months

is there any way I can disable the whitelist fully? I don't want it.
I remove comments containing CDN, it removed them all
it re-downloads at some point, usually after adding a blocked domain / country I think
I have disabled auto update too
I have also disabled CDN whitelisting

I need to block countries, regardless of CDN servers

Example
I block netherlands
I can still see google and amazon servers connecting to it because of the whitelist.

I know it can break youtube and legit services
I don't care, it's only temporary.
 
Do you have Diversion installed? If yes maybe check the hardcoded setting from there or sf for shared whitelist etc.

From Diversion menu I believe it is el > 1 >8 (hard coded whitelist setting)
 
Interestingly I just ran a load of speed tests with skynet on and skynet off.

With it off I average about 1050 download, with it on I average about 900 download.

Now I have the dilemma of speed vs security.
 
:eek::eek::eek: I'd understand your dilemma if the speed differences are huge. Security. lol
 
150 is huge imo, I put it back on anyway, probably out of paranoia.
 
I don't see how skynet could throttle download speed?

Skynet shouldn't have any impact on traffic speed, right?
 
I remember various articles in the past that address why bandwidth takes a hit when skynet is running (many blaming AIProtection, Flow Cache or other settings), but I don't think anyone has come up with any real solutions... Oh, someone else said that by changing Skynet to monitor only inbound connections vs. both inbound and outbound may have an effect as well.

Examples:
Speedtest giving strange value
Unbound Manager COUNTRY exclusion to play nice with Skynet?
 
It only happens when you run skynet to block outbound and the third party services disclaimer is accepted. It is a combination of both. Essentially whenever the trendmicro engine is running and skynet blocks outbound the router itself will use the router's cpu partly on speed tests while clients are not impacted on speedtests.
 
If NAT acceleration is disabled, will client speed be impacted?
 
Do you have Diversion installed? If yes maybe check the hardcoded setting from there or sf for shared whitelist etc.

From Diversion menu I believe it is el > 1 >8 (hard coded whitelist setting)
no I don't,
installed it, and it's just for smallnetbuilder I believe.
it still populates all the CDNs once I delete them anyway

anyone know how I can post to the proper skynet forum?
 
It only happens when you run skynet to block outbound and the third party services disclaimer is accepted. It is a combination of both. Essentially whenever the trendmicro engine is running and skynet blocks outbound the router itself will use the router's cpu partly on speed tests while clients are not impacted on speedtests.
Do you think it would be ok to just run trend and forget skynet? Or are you saying it's a false speed check reading on the router side, just due to cpu usage.
 
