Skynet Is default firewall good enough?

Seems like they are different (thanks @Viktor Jaep) and I used to run all 3 as well (plus other things), but reduced to level 1 only before getting to step 7 in post #10. Approximately around this time the suricates pack of 30 got reduced to an older couple with no kids. :)

So, @Tech9 ... From personal experience, I've been able to use my custom filter list including those 3 firehol lists without setting off any alarms, pissing off the rest of my click-happy teens, or dealing with step #7 or beyond. It's gone relatively smooth!
 
Thanks @SomeWhereOverTheRainBow! Question... How did you come across this list, or what source did you use to compile it?
On my GitHub there, a few of the ad lists I use to generate my list from also add some IP addresses to the list, probably the Firebog ones, but those IP addresses are compiled IP addresses of elusive servers (meaning the domains change frequently) that just do a combination of nasty things such as trackers, cryptominers, malware, and other sorts of bad.
 
I also have my own list that I maintain:


It’s more paranoid but I don’t have any FPs. I feel like at least the lists inside will be useful to some people. In particular, https://threatview.io/Downloads/IP-High-Confidence-Feed.txt is very nice, and also https://raw.githubusercontent.com/stamparm/ipsum/master/levels/2.txt has virtually zero FPs because of the logic with which it’s generated.

I also make sure the lists I’m using are regularly updated. Some of the lists in the default filter.list haven’t been updated in years. My list also blocks TOR which some people might not want. I could make different versions with different policies if anybody wants.

I currently have 3 versions, “paranoid”, which is basically beta. The link I posted is for what I consider to be the stable list, and “level1” is well tested. They’re all identical as of now as I’m sure all the lists are good.
 
Thanks for the suggestion with threatview... I've added those now as well. ;)
 
Thanks for the heads-up. It seemed to ingest it just fine... probably smart enough to kick out anything that doesn't look like an IP. ;)
Can you say

Code:
echo 576747640bbc9e8922cb0c45c7357ccee4ccd36a | grep -oE "\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b"

or

Code:
echo 192.168.1.1 | grep -oE "\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b"
192.168.1.1

or what if we want all non-local IPs only

Code:
echo 192.168.1.1 | grep -oE "\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" | grep -vE '^(192\.168|10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.)'

Code:
printf '14.1.98.226\n192.168.1.1' | grep -oE "\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" | grep -vE '^(192\.168|10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.)'
14.1.98.226
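As an added example (not code from the thread or from Skynet), the same grep-based extraction wrapped in a POSIX shell function that also drops the other special-use IPv4 blocks a blocklist should never contain (loopback, link-local, 0/8, CGNAT, multicast and reserved), run over a constructed sample feed; the SAMPLE_FEED contents, IPV4_RE and NONPUBLIC_RE names are assumptions for this example.

```shell
#!/bin/sh
# Added example: extract IPv4 addresses from a messy feed and keep only
# publicly routable ones. Extends the RFC1918-only filter from the post above.

# Constructed sample feed: a hash line (no IPs), private and special-use
# addresses, a trailing comment, a duplicate, and two addresses that should
# survive. Documentation ranges (RFC 5737, e.g. 203.0.113.0/24) are not
# filtered, which is why 203.0.113.9 is kept.
SAMPLE_FEED='576747640bbc9e8922cb0c45c7357ccee4ccd36a
192.168.1.1
14.1.98.226 ; comment
10.0.0.5
127.0.0.1
169.254.10.1
100.64.0.1
224.0.0.1
203.0.113.9
14.1.98.226'

# Dotted-quad matcher with octets limited to 0-255 (same pattern as the post).
IPV4_RE='\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b'

# Prefixes that must never end up in a WAN blocklist:
#   10/8, 127/8, 0/8, 169.254/16, 192.168/16, 172.16/12,
#   100.64/10 (CGNAT), and 224/4 + 240/4 (multicast and reserved).
NONPUBLIC_RE='^(10\.|127\.|0\.|169\.254\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|100\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.|2(2[4-9]|[3-5][0-9])\.)'

# extract_public_ips: read arbitrary text on stdin, print unique public
# IPv4 addresses, one per line, sorted.
extract_public_ips() {
    grep -oE "$IPV4_RE" | grep -vE "$NONPUBLIC_RE" | sort -u
}

# count_public_ips: number of public IPv4 addresses in the feed on stdin.
count_public_ips() {
    extract_public_ips | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_FEED" | extract_public_ips
```

Note that `\b` only works at a word/non-word boundary, so an address glued to a preceding letter (as in the original `/n` typo) is silently skipped rather than extracted.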
 
pfBlockerNG on pfSense in my case.

You have to use a custom blocking list in Skynet. The default is this one:


What we use is this one only:


And a description of what it is here:

I gave this a go in Skynet. The 33K IP blocks with default lists dropped to a mere 250 (although Firehol 1 contains over 600 million IPs). Do you see something similar?
 
Haven't used default in quite a while... still using my own custom list. In fact, I had added Firehol 4 and the Firehol_Webserver lists to my blocklist yesterday, and wow... some major blockage going on there. Guess it's not safe for production/family use. I had to back off when it stopped loading regular standard websites, and made my Google Home malfunction, and then the screaming started. ;)
 
Here is the filter list I am currently rocking (and yes, anyone is welcome to try it).

And I have yet to have a false positive.
 
If I had 300+ outbound blocks I'd check on what was causing it. At worst, something is wrong on my network, but I'd just be concerned about blocking legitimate traffic. :)
Yeah, the majority of the outbound blocks are from chatty IoT devices. I have multiple IoT devices that like to constantly call home, for no other particular reason than just doing what IoT devices do. However, it has not broken their actual functionality, so I am not concerned.
 
I typically run a check against its IP on AlienVault if something looks suspicious, or just to spot check...

 
What's the deal with using Unbound alongside Skynet? Does Skynet somehow mess with the performance? I'm using both with default settings, but just wondering what issues may be encountered when using both?
 