
Skynet - Router Firewall & Security Enhancements


From time to time I lose banned IP addresses.
For example, three weeks ago the system log showed me that about 110.000 IP addresses were banned by Skynet. Then, about two weeks ago the number jumped to 112.004 IP addresses. Today at Jul 16 02:28:53 the number went down to 84.814 banned IP addresses.
I had to manually update banmalware through the Skynet menu to get back to 122.951 banned IP addresses.
Why is this happening?

As Skeal said, the lists are dynamic; IPs are constantly being removed and added on a daily basis. This means just about every time you run banmalware you will have a different total number of banned addresses, nothing to worry about.
 
Looks like you managed to break the config file :p

What is the output of the following;

Code:
cat /tmp/mnt/AC86U_SPARE/skynet/skynet.cfg
Ermmmmm.... This is EXACTLY what it gives!

Code:
admin@Ainz86U:/tmp/home/root# cat /tmp/mnt/AC86U_SPARE/skynet/skynet.cfg
J▒▒▒▒▒re▒Q#ey;2▒#▒i▒$X▒eվ4      ▒▒▒w▒-pj▒▒]▒▒7[▒▒@▒'▒2xP▒=▒OjT▒▒C/&.&ܐ▒N▒x▒Ԗ▒
Zԡ▒▒B▒m▒▒▒h▒▒>V▒▒
N▒▒,▒▒22E)▒g▒▒[U:▒n▒&"  ▒▒d)X▒▒u▒kX▒^m▒X4▒▒!mJm▒▒->▒Y[/A▒▒▒▒2U&56▒f)e▒@▒▒H▒Iw;KC▒▒H(,
     -C▒u)P▒▒Lr▒![ ▒▒gd)▒▒@P▒>▒▒`h▒▒▒▒Z▒e▒▒ofK▒▒▒▒      t▒▒▒▒P▒S▒n▒a&c$O▒▒ko▒▒▒▒棖▒-▒i▒,6S▒K▒▒▒▒▒]▒F▒▒c▒▒▒)]▒٘▒W]▒s:v▒{
G▒▒H!s▒▒ѱ▒▒+▒Y▒Ü▒▒آ▒▒R▒B▒Q▒F▒▒,▒@ُ▒1▒admin@Ainz86U:/tmp/home/root# PuTTYPuTTY
 
Can anyone help me make sense of this? When Skynet is enabled, FaceTime calls don't work properly. Specifically, the person on the network with Skynet enabled doesn't receive updates to video, but video seems to transmit OK. A lot of the time, it's just a frozen image. However, the person on the other end does receive and send video just fine. I've tried to follow the log as it's happening, and these are the only entries I'm seeing:

Jul 17 11:55:27 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=00:22:48:39:42:6e:00:38:df:9b:e8:19:08:00 SRC=178.128.159.xxx DST=174.66.132.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=253 ID=49559 PROTO=TCP SPT=34318 DPT=23 SEQ=2923594905 ACK=0 WINDOW=41518 RES=0x00 SYN URGP=0

Jul 17 11:55:49 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=00:22:48:39:42:6e:00:38:df:9b:e8:19:08:00 SRC=178.128.159.xxx DST=174.66.132.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=253 ID=49559 PROTO=TCP SPT=34318 DPT=23 SEQ=2923594905 ACK=0 WINDOW=41518 RES=0x00 SYN URGP=0 MARK=0x81800000

Jul 17 11:55:49 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=00:22:48:39:42:6e:00:38:df:9b:e8:19:08:00 SRC=178.128.159.xxx DST=174.66.132.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=253 ID=49559 PROTO=TCP SPT=34318 DPT=23 SEQ=2923594905 ACK=0 WINDOW=41518 RES=0x00 SYN URGP=0 MARK=0x81800000

If it's inbound communication being blocked, how do I fix this without whitelisting the IP? Because obviously the IP will change. I appreciate any help I could get with this.
 
Houston, we have a problem! I'll let @Adamm tell ya what to do next... :)
Yep, I thought as much. All I did was install Skynet (via AMTM), then after something didn't work down the line, disable it. When I tried to enable it again after fault finding... well, you can see!!
 
Looks very corrupted due to something you've done with Putty. Delete the file and reinstall.

Code:
rm -rf /tmp/mnt/AC86U_SPARE/skynet/skynet.cfg
 
I personally have no issues with FaceTime; I used it as recently as yesterday. The IP you posted is from Greece, so not sure if it's related. All I can suggest is to follow the usual troubleshooting guide.
 
Thank you for your response Adamm. I appreciate you taking the time to reply to me, especially when my info may seem confusing or misleading.

That being said, the destination IP is Cox in San Diego (my network), but the source IP doesn't seem to be from my LTE provider (looks like it's from DigitalOcean in NY), so you're probably right, but strangely enough, those are the only blocks that were showing up. As soon as I turn Skynet off, FaceTime works perfectly, so I'm not sure how to proceed.
 
Not sure what to tell you. Skynet will log every connection blocked as long as debug mode is enabled; there are no exceptions to this rule. So either Skynet is blocking FaceTime and will log the event as such, or it's just a coincidence and unrelated to Skynet. I think it goes without saying to make sure you are on the latest firmware (and Skynet version) and give the router a fresh reboot to rule out other potential causes.

FWIW; The source IP is from Greece and is listed by multiple providers as malicious.

Code:
Exact Matches;
https://iplists.firehol.org/files/alienvault_reputation.ipset - 178.128.159.57
https://iplists.firehol.org/files/firehol_level3.netset - 178.128.159.57
https://iplists.firehol.org/files/taichung.ipset - 178.128.159.57
 
All good thanks. Ended up creating a new partition for it and it's all good now :)
 
How would one track down why a certain IP is being blocked? I see the IP 17.173.254.223 is being blocked, and it belongs to Apple and is most likely for iMessage or FaceTime.

Code:
Jul 18 19:12:11 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:1c:b7:2c:c7:3b:74:08:00 SRC=192.168.1.130 DST=17.173.254.223 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=14091 PROTO=UDP SPT=16403 DPT=16386 LEN=24
Jul 18 19:12:16 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:1c:b7:2c:c7:3b:74:08:00 SRC=192.168.1.130 DST=17.173.254.223 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=20758 PROTO=UDP SPT=16403 DPT=16386 LEN=24
Jul 18 19:12:21 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:1c:b7:2c:c7:3b:74:08:00 SRC=192.168.1.130 DST=17.173.254.223 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=11721 PROTO=UDP SPT=16403 DPT=16386 LEN=24
Jul 18 19:12:29 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:1c:b7:2c:c7:3b:74:08:00 SRC=192.168.1.130 DST=17.173.254.223 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=2629 PROTO=UDP SPT=16403 DPT=16386 LEN=24
Jul 18 19:12:45 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:1c:b7:2c:c7:3b:74:08:00 SRC=192.168.1.130 DST=17.173.254.223 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=1009 PROTO=UDP SPT=16403 DPT=16386 LEN=24
Jul 18 19:33:56 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:1c:b7:2c:c7:3b:74:08:00 SRC=192.168.1.130 DST=17.173.254.223 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=12724 PROTO=UDP SPT=16403 DPT=16386 LEN=24
Jul 18 19:33:58 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:1c:b7:2c:c7:3b:74:08:00 SRC=192.168.1.130 DST=17.173.254.223 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=62667 PROTO=UDP SPT=16403 DPT=16386 LEN=24
 
Use the following command to get an indication of what list it's sourced from, then you can make decisions from there accordingly.

Code:
admin@RT-AC86U-2EE8:/tmp/home/root# firewall stats search malware 17.173.254.223
#############################################################################################################
#                     _____ _                     _             __                      #
#                    / ____| |                   | |           / /                      #
#                   | (___ | | ___   _ _ __   ___| |_  __   __/ /_                      #
#                    \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                     #
#                    ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                    #
#                   |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                     #
#                                 __/ |                                                 #
#                                |___/                                                  #
#                                                                                     #
## - 15/07/2018 -           Asus Firewall Addition By Adamm v6.3.1                    #
##                   https://github.com/Adamm00/IPSet_ASUS                            #
#############################################################################################################


Debug Data Detected in /tmp/mnt/Elements/skynet/skynet.log - 7.9M
Monitoring From Jul 7 19:00:01 To Jul 19 14:47:35
35119 Block Events Detected
4994 Unique IPs
0 Manual Bans Issued

Exact Matches;
https://iplists.firehol.org/files/firehol_level3.netset - 17.173.254.223


Possible CIDR Matches;


Skynet: [Complete] 117395 IPs / 1747 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 2146 Inbound / 79 Outbound Connections Blocked! [stats] [11s]

As you can see, it's listed by FireHOL level 3 (which itself is a combination of multiple lists). So I'd say it's most likely a false positive; AlienVault shows the IP was port scanning (or seemed like it was port scanning) for whatever reason and was probably listed incorrectly.
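
The same triage can be done offline on a saved copy of the log and a downloaded blocklist. The script below is an added example, not part of the post above and not Skynet's own code; the function names, the sample log lines and the sample list are constructed for illustration and use documentation address ranges.

```shell
# Added example, not Skynet's own code. All sample data is constructed.

# Summarise "[BLOCKED - ...]" kernel log lines read from stdin.
# Output: count, direction, remote IP, protocol, destination port (busiest first).
summarize_blocks() {
    awk '
    /\[BLOCKED - (INBOUND|OUTBOUND)\]/ {
        dir = ($0 ~ /INBOUND\]/) ? "INBOUND" : "OUTBOUND"
        src = dst = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^DST=/)   dst   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        # Remote end: source of inbound traffic, destination of outbound traffic.
        remote = (dir == "INBOUND") ? src : dst
        count[dir " " remote " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

# Print each entry of a blocklist (one IPv4 address or CIDR per line, on stdin)
# that covers the address in $1, tagged "exact" or "cidr".
list_matches() {
    awk -v ip="$1" '
    function ip2int(a,   p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
    BEGIN { target = ip2int(ip) }
    /^[0-9]/ {
        bits = (split($1, c, "/") == 2) ? c[2] : 32
        size = 2 ^ (32 - bits)                      # addresses in the range
        base = ip2int(c[1]); base -= base % size    # align to the network address
        kind = (bits == 32) ? "exact" : "cidr"
        if (target >= base && target < base + size) print kind, $1
    }'
}

sample_log() {   # constructed lines in the format shown in the thread
    cat <<'EOF'
Jul 17 11:55:27 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=203.0.113.57 DST=198.51.100.20 LEN=40 PROTO=TCP SPT=34318 DPT=23 SYN URGP=0
Jul 17 11:55:49 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=203.0.113.57 DST=198.51.100.20 LEN=40 PROTO=TCP SPT=34318 DPT=23 SYN URGP=0 MARK=0x81800000
Jul 18 19:12:11 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= SRC=192.168.1.130 DST=192.0.2.223 LEN=44 PROTO=UDP SPT=16403 DPT=16386 LEN=24
Jul 18 19:12:16 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= SRC=192.168.1.130 DST=192.0.2.223 LEN=44 PROTO=UDP SPT=16403 DPT=16386 LEN=24
Jul 18 19:12:21 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= SRC=192.168.1.130 DST=192.0.2.223 LEN=44 PROTO=UDP SPT=16403 DPT=16386 LEN=24
EOF
}

sample_list() {  # constructed blocklist
    printf '%s\n' '# comment line' 192.0.2.223 192.0.2.0/24 203.0.113.0/25
}

sample_log | summarize_blocks
sample_list | list_matches 192.0.2.223
```

The summary separates unrelated inbound noise (a SYN to port 23) from the outbound flow a LAN client is actually being denied, and the list check shows whether a single entry or a whole range is responsible before deciding what to whitelist.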
 
Many thanks!
 
Why does your script block the IP that my ISP gives me once a day (sometimes it takes a week)? This blocks my access to the internet, and to fix that error I have to restart the router.

I also use the scripts AB-Solution, Pixelserv-tls, amtm, DNSCrypt Version 2 and FreshJR Adaptive QOS.
 
Skynet updates its whitelist with your public IP every time the restart_firewall event is run. I'm not sure why anyone's whole ISP would be blocked (and without logs I can't even say for certain it's Skynet causing the issue).

If this is actually the case, you can just go ahead and manually whitelist your ISP's IP space.
 
@Adamm I'm sure 50% is for AiProtection, and that's why your script blocks my IP. (it's just a guess)

In System Log -> General Log it appears that Skynet blocked my IP, something like this:
How would one track down why a certain IP is being blocked? I see the IP 17.173.254.223 is being blocked, and it belongs to Apple and is most likely for iMessage or FaceTime.

Code:
Jul 18 19:12:11 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:1c:b7:2c:c7:3b:74:08:00 SRC=192.168.1.130 DST=17.173.254.223 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=14091 PROTO=UDP SPT=16403 DPT=16386 LEN=24
Jul 18 19:12:16 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:1c:b7:2c:c7:3b:74:08:00 SRC=192.168.1.130 DST=17.173.254.223 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=20758 PROTO=UDP SPT=16403 DPT=16386 LEN=24
Jul 18 19:12:21 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:1c:b7:2c:c7:3b:74:08:00 SRC=192.168.1.130 DST=17.173.254.223 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=11721 PROTO=UDP SPT=16403 DPT=16386 LEN=24
Jul 18 19:12:29 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:1c:b7:2c:c7:3b:74:08:00 SRC=192.168.1.130 DST=17.173.254.223 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=2629 PROTO=UDP SPT=16403 DPT=16386 LEN=24
Jul 18 19:12:45 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:1c:b7:2c:c7:3b:74:08:00 SRC=192.168.1.130 DST=17.173.254.223 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=1009 PROTO=UDP SPT=16403 DPT=16386 LEN=24
Jul 18 19:33:56 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:1c:b7:2c:c7:3b:74:08:00 SRC=192.168.1.130 DST=17.173.254.223 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=12724 PROTO=UDP SPT=16403 DPT=16386 LEN=24
Jul 18 19:33:58 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=2c:4d:54:21:17:f0:1c:b7:2c:c7:3b:74:08:00 SRC=192.168.1.130 DST=17.173.254.223 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=62667 PROTO=UDP SPT=16403 DPT=16386 LEN=24
 
Please provide examples of your own logs. In this instance my devices were only being blocked trying to access very specific IP addresses that were blacklisted. That does not appear to be your use case.
 
I can not give examples because I uninstalled the script more than a month ago and I never had that problem again.

I just wanted to know if it was normal and if there is some way to fix it to try to use the script again.
 
If there is indeed an issue, I would need logs to investigate. Please remember there are thousands of people using Skynet and everyone's setup is different, so what may be an issue for you could be non-existent for others.

So yeah, if there's an issue with the latest version of Skynet, please post a log snippet of it occurring, otherwise we all are just playing the hypothetical game, which makes it much harder for me to investigate.
 
I don't mean to hijack here. Quick question: can I use Skynet on OpenWrt?

 
