What's new

Skynet Skynet - Router Firewall & Security Enhancements

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Please post the output of;

Code:
sh /jffs/scripts/firewall debug info

I got it working by doing a reinstall. Now the malware and country lists are loaded as expected.

Thanks.
 
On the external device topic - if and as applicable - I would consider Raspberry Pi. Right, no USB 3.0 (4 USB 2.0 ports) on-board, but still an amazingly affordable native Linux option. I use many of those for VoIP applications for several years now and they're very reliable and easy to maintain (Linux, after all.)
 
rt-3100 merlin 384.7 diversion 4.03
the cpu was running under 5%
installed skynet with 1gb swap file
the cpu is now running at 50% avg
even in the middle of the night with
nobody active. did i install it wrong?

i fresh rebooted the router and same %
also the cpu temp is running hotter.

update: i went into putty to check
diversion, and saw the skynet hosts merge dialog,
once i let that run, the cpu calmed down after a
fresh reboot.

so i guess my remaining questions are;
if i find skynet interferes too much with my
normal online activity, how do i remove it?
is it bound too much to diversion,
so i'll have to uninstall both and then
reinstall diversion alone?

the reason i ask is because diversion's
"medium" file caused me too much trouble
so i have to downgrade to "small" hosts file.

also, i see a lot of discussion about adding
a range of whitelists, presumably these are
known retail referral hosts that if blocked
may interfere too much with browsing.
so where can i find these popular whitelist domain ranges?
i see people on this thread discussing them, but no actual
faq or reference to their common "approved" source.

also, once diversion+skynet is running correctly,
do i still need to keep aiprotection running from asus?
or like merlin compliments asus stock,
so does skynet compliments aiprotection.

when you answer, please know i have zero linux experience,
i just know how to use tools such as WinSCP and PuTTY.
 
Last edited:
Open an ssh session and use top (or htop - which you can install from entware) to see what's causing this high cpu load).
 
rt-3100 merlin 384.7 diversion 4.03
the cpu was running under 5%
installed skynet with 1gb swap file
the cpu is now running at 50% avg
even in the middle of the night with
nobody active. did i install it wrong?

Skynets functions last at most 20-40 seconds depending on your device model, beyond that it has an almost unmeasureable effect on CPU operations.

if i find skynet interferes too much with my
normal online activity, how do i remove it?

It can be uninstall via the uninstall command or from the menu .

is it bound too much to diversion,
so i'll have to uninstall both and then
reinstall diversion alone?

Both scripts are independant of eachother, but for the benefit of our collective userbase we intergrade various features to inhance functionality.

also, i see a lot of discussion about adding
a range of whitelists, presumably these are
known retail referral hosts that if blocked
may interfere too much with browsing.
so where can i find these popular whitelist domain ranges?
i see people on this thread discussing them, but no actual
faq or reference to their common "approved" source.

Skynet by default whitelists required addresses for system services to prevent locking yourself out or any other connectivity issues. It also whitelists domains using a format created for intergration between scripts located in the files "/jffs/shared-*-Whitelist". Common CDN providors are also whitelisted by default to help with any false positives.

also, once diversion+skynet is running correctly,
do i still need to keep aiprotection running from asus?
or like merlin compliments asus stock,
so does skynet compliments aiprotection.

The latter, Skynet was designed to compliment the built in protection mechanisisms provided by the firmware. We actually tap into AiProtect and make it even better.
 
Getting this now?
Oct 24 12:28:31 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/sda/skynet )
Oct 24 12:28:51 Skynet: [#] 178 IPs (+0) -- 0 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [20s]
 
Can I update banmalware not only daily but, let's say every 6-12h?
I always lose IPs during nighly update and have to manually update banmalware to get the numbers back up.

Code:
Oct 25 02:00:08 Skynet: [#] 129685 IPs (+0) -- 4880 Ranges Banned (+0) || 4923 Inbound -- 103 Outbound Connections Blocked! [save] [8s]
Oct 25 02:26:20 Skynet: [#] 128794 IPs (-891) -- 4702 Ranges Banned (-178) || 4965 Inbound -- 103 Outbound Connections Blocked! [banmalware] [80s]
Oct 25 03:00:08 Skynet: [#] 128794 IPs (+0) -- 4702 Ranges Banned (+0) || 5023 Inbound -- 103 Outbound
.........
Oct 25 10:26:20 Skynet: [#] 130552 IPs (+1758) -- 4702 Ranges Banned (+0) || 5846 Inbound -- 103 Outbound Connections Blocked! [banmalware] [42s]
 
I always lose IPs during nighly update and have to manually update banmalware to get the numbers back up.

The sourced lists are dynamic and constantly being modified, its not unusual for list numbers to fluctuate.
 
That’s a funny looking Skynet :p. Please try with Skynet, that way I know exactly what’s going on based on the output.

I'll get back to you soon. My iMac got destroyed by a power surge during a thunderstorm. Luckily we have content insurance. i'm


Sent from my iPad using Tapatalk Pro
 
Thanks Adamm, Been spending a bit of time on the analysis of the logs.
I have blocked countries ru kr kp ir cn.
My stats show tons of outgoing blocks to loads of pool.ntp.org IP's. I assume these are from blocked countries and I can whitelist this domain ? :

12x https://otx.alienvault.com/indicator/ip/203.217.204.135 - [asia.pool.ntp.org pool.ntp.org]
11x https://otx.alienvault.com/indicator/ip/211.233.84.186 - [pool.ntp.org]
11x https://otx.alienvault.com/indicator/ip/211.233.40.78 - [pool.ntp.org]
7x https://otx.alienvault.com/indicator/ip/185.105.186.198 - [pool.ntp.org]
5x https://otx.alienvault.com/indicator/ip/195.78.244.50 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/91.198.10.4 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/85.21.78.23 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/80.240.216.155 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/79.142.192.4 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/195.210.189.106 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/193.27.209.211 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/193.27.209.20 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/185.103.110.248 - [pool.ntp.org]
2x https://otx.alienvault.com/indicator/ip/144.217.181.221 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/94.247.111.10 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/91.218.89.74 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/89.221.207.113 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/89.175.20.7 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/85.93.216.115 - [pool.ntp.org]
1x http://otx.alienvault.com/indicator/ip/85.21.78.91 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/79.142.192.130 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/78.140.251.2 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/46.173.6.142 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/195.78.244.34 - [pool.ntp.org]
1x https://otx.alienvault.com/indicator/ip/193.27.208.100 - [pool.ntp.org]

Hey, I got those exact url's being blocked in skynet on my 86u


Sent from my iPad using Tapatalk Pro
 
I pushed v6.5.3

Added passed test amount to "debug info"
Print config with new command "debug info extended"
wm has been appropriately renamed fs (fast-switch) and rebranded accordingly
Banmalware lists are checked for content before procreeding (this should eliminiate ban lists dropping to 0 due to connectivitity issues)
Is_IPRange() for internal use
 
Getting alot of after update to v6.5.3
Code:
Oct 27 19:07:59 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=213.112.x.x DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=27230 SEQ=0
like every 10-15sec (Dont use 1.1.1.1 as DNS)
Code:
Oct 27 19:13:35 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=213.112.x.x DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=40544 SEQ=0
Oct 27 19:13:45 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=213.112.x.x DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=44384 SEQ=0
Oct 27 19:13:55 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=213.112.x.x DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=53088 SEQ=0
Oct 27 19:14:05 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=213.112.x.x DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=62304 SEQ=0
 
Last edited:
Why have you got cloudflare dns blocked?
I have not added cloudflare to any list..
Happend after update
And i Dont use 1.1.1.1 for any devices or router
 
I have not added cloudflare to any list..
Happend after update
And i Dont use 1.1.1.1 for any devices or router

I suggest looking at the ban reason for the entry and removing it.

Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

Don't worry, tracking down false positive bans was at the core of design. Generally speaking you can follow these steps to find (and whitelist) anything incorrectly on your Blacklist!

1.) Enable Debug Mode
Code:
sh /jffs/scripts/firewall settings debugmode enable

2.) Open the blocked application/website and use the command;

Code:
sh /jffs/scripts/firewall debug watch

Now look for a flood of [BLOCKED - OUTBOUND] coming from the same IP. This most likely will be the IP you are looking for if its being spammed in large numbers.

3.) Copy the IP following "DST=" it should look something like this;
Code:
DST=175.115.37.52

4.) Double check the IP is not actually something that should be banned, use a search tool like alienvault. If its related to a domain additional "Associated Domain" information should be printed beneath the log.

Code:
https://otx.alienvault.com/indicator/ip/175.115.37.52/

5.) Great we have confirmed we found the IP of the blocked website/application we are looking for, lets whitelist it!

Code:
sh /jffs/scripts/firewall whitelist ip 175.115.37.52
 
I suggest looking at the ban reason for the entry and removing it.
I had the same block occur after updating. I resolved by white listing 1.1.1.1 and 1.0.0.1.
 
Did not whitelist cloudflare(1.1.1.1)
Added my own cron jobs for banmalware update
After my 07.45 banmalware update today the block of 1.1.1.1 was gone
 
I just wanted to share my custom filter list:
Code:
https://pastebin.com/raw/iFqeTvkF
I added
https://hosts.ubuntu101.co.za/ips.list from https://github.com/mitchellkrogza/Ultimate.Hosts.Blacklist, now skynet says it reached it's limit with 500.000 blocked ips. :-D
Code:
Oct 28 12:08:23 kernel: Set Skynet-Blacklist is full, maxelem 500000 reached
Oct 28 12:08:51 Skynet: [#] 500000 IPs (+369267) -- 0 Ranges Banned (-4708) || 1983 Inbound -- 12 Outbound Connections Blocked! [banmalware] [126s]

@Adamm Can you cancel the limit? And why are the ranges gone?
I think this is a sophisticated list and should be added?
 
Last edited:
I just wanted to share my custom filter list:
Code:
https://pastebin.com/raw/iFqeTvkF
I added
https://hosts.ubuntu101.co.za/ips.list from https://github.com/mitchellkrogza/Ultimate.Hosts.Blacklist, now skynet says it reached it's limit with 500.000 blocked ips. :-D
Code:
Oct 28 12:08:23 kernel: Set Skynet-Blacklist is full, maxelem 500000 reached
Oct 28 12:08:51 Skynet: [#] 500000 IPs (+369267) -- 0 Ranges Banned (-4708) || 1983 Inbound -- 12 Outbound Connections Blocked! [banmalware] [126s]

@Adamm Can you cancel the limit? And why are the ranges gone?
That’s crazy. By right, firehol lvl 1-3 is more than enough and unauthorised entry would have been blocked by router own firewall.
Having so much IPs will put your router to more stress as all the traffic need to go thru the Long list of IPs and you may also have a lot of false positives and surfing experience will suffer from lag or false positives.
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top