Skynet Skynet - Router Firewall & Security Enhancements

[Viktor Jaep]

sh /jffs/scripts/firewall update -f

Then wait about 30s until Skynet restarts check to see if you are still receiving the error.

That seems to have done the trick! Thank you very much!

 

[Jack Yaz]

Its a more permanent solution as the router by default has no real way for this. If you are caught port-scanning/brute-forcing once, there's a good chance (usually bots) will try it again in future, nor are they the type of traffic you want on your router.

sh /jffs/scripts/firewall whitelist domain xxxxx.com

Thanks. I know about the white list, I was going to save her the trouble of using putty etc and making something that takes domain input and sends it off over ssh

 

[skeal]

This script is the bomb!!! No others necessary I used to run almost 5 different scripts to accomplish what this does in one!! I highly recommend installing this script. The support by @Adamm is outstanding!!

 

[Builder71]

This script is the bomb!!! No others necessary I used to run almost 5 different scripts to accomplish what this does in one!! I highly recommend installing this script. The support by @Adamm is outstanding!!

Wish I could, but my ancient RT-N66U router doesn't support IPSet v6.
(But the ya-malware-block script works great on my RT-N66U !)

 

[Jack Yaz]

Is there a way to see the whitelist used in Skynet? I found /jffs/scripts/shared-Skynet2-whitelist but this only seems to show domains. Is there a way of finding the IPs that I have whitelisted?

 

[Jack Yaz]

For ease of use, I've added the following line to /jffs/configs/profile.add

alias skynet='/jffs/scripts/firewall'

Now I can invoke skynet commands using things like below. Hopefully this won't cause any conflicts with the script!

skynet debug info

 

[Adamm]

Is there a way to see the whitelist used in Skynet?

Ipset -L Whitelist

Now I can invoke skynet commands using things like below.

This is already done by default in a much safer way if you have entware installed. The script can be executed by simply using the command "firewall".

 

[Jack Yaz]

Ipset -L Whitelist

This is already done by default in a much safer way if you have entware installed. The script can be executed by simply using the command "firewall".

Fair enough, post #1 seemed to reference the full script path, so I assumed it wasn't in there. I'll take a look at the entware approach in the source, I'd like to see how I can utilise it in other scripts.
EDIT:
Ah, it installs into /opt/bin.

 

[thelonelycoder]

Fair enough, post #1 seemed to reference the full script path, so I assumed it wasn't in there. I'll take a look at the entware approach in the source, I'd like to see how I can utilise it in other scripts.
EDIT:
Ah, it installs into /opt/bin.

You just add a symlink, or place the script there.
AB-Solution adds one as well: ab-solution
All you have to type is ab, then use the TAB key to complete it.

 

[Jack Yaz]

You just add a symlink, or place the script there.
AB-Solution adds one as well: ab-solution

Can it be done without entware, since entware isn't a Skynet requirement and it would be nice for all users to get a consistent script call.
Out of interest, what makes the alias in profile.add "unsafe"?

 

[thelonelycoder]

Can it be done without entware?

Nope, unless optware is installed.
Or some other way such as manually add the physical directory everytime the router boots.

 

[Adamm]

Out of interest, what makes the alias in profile.add "unsafe"?

Maybe unsafe was the wrong word, but I don't want to recommend modifications to users which aren't handled directly by the script. I try to make sure that no third party modifications are required as it leaves the potential for people to make mistakes (and for me to troubleshoot in future).

Fair enough, post #1 seemed to reference the full script path

That's more for consistency, I don't want to write instructions that only apply to some users and confuse others as optware/entware are not requirements for this script.

 

[Jack Yaz]

Maybe unsafe was the wrong word, but I don't want to recommend modifications to users which aren't handled directly by the script. I try to make sure that no third party modifications are required as it leaves the potential for people to make mistakes (and for me to troubleshoot in future).



That's more for consistency, I don't want to write instructions that only apply to some users and confuse others as optware/entware are not requirements for this script.

Could the script not add the line in (and create the file if missing), much like it does with firewall-start?

 

[thelonelycoder]

Could the script not add the line in (and create the file if missing), much like it does with firewall-start?

If automated, that adds complications elsewhere.
AB-Solution relies on optware/entware not being present by testing for binaries.
If not found, /opt/ is force removed and added.
There is no check if someone has added the physical directories in an other way.
Entware also mounts its filestructure to it, removing stuff added outside it.

 

[eclp]

Yes, it's as simple as disabling debug mode during the install process.

The debug mode is disabled.
The script reinstalled already twice, but again and again the drop messages in the syslog. The Firewall setting jumps always again back to dropped.

 

[skeal]

The debug mode is disabled.
The script reinstalled already twice, but again and again the drop messages in the syslog. The Firewall setting jumps always again back to dropped.

My install is working awesome and I have a drop setting in my firewall. This typical behavior for this script.

 

[Adamm]

The debug mode is disabled.
The script reinstalled already twice, but again and again the drop messages in the syslog. The Firewall setting jumps always again back to dropped.

Skynet will force the firewall setting to dropped regardless of the mode you select, that is purely for the fact it changes how IPTables rules are handled.

When debug mode is disabled, I disable the dropped messages via not adding the IPTables rules for them in the first place. So after skynet has completely started up there should be no log messages containing "BLOCKED - OUTGOING" etc.

If you still think Skynet is posting logs incorrectly, post the output of;

"sh /jffs/scripts/firewall debug info"

And I will take a look at it in the morning, but as far as I'm aware this should work as expected unless I recently introduced an bug somewhere.

 

[eclp]

@skeal .... It looks like in your system log?

A few copied lines only:

Aug 24 22:07:07 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=56 FLOWLBL=227226 PROTO=TCP SPT=443 DPT=55125 SEQ=740859260 ACK=1419299069 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080ABF57BC001AC70C2C)
Aug 24 22:07:07 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=56 FLOWLBL=261576 PROTO=TCP SPT=443 DPT=55168 SEQ=4181769772 ACK=2137326954 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080AB7ECBA001AC71272)
Aug 24 22:07:08 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=56 FLOWLBL=304845 PROTO=TCP SPT=80 DPT=55161 SEQ=1572105113 ACK=2879872395 WINDOW=55 RES=0x00 ACK URGP=0 OPT (0101080A3FF658001AC71164)
Aug 24 22:07:08 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=56 FLOWLBL=599964 PROTO=TCP SPT=443 DPT=55196 SEQ=2939944409 ACK=1264918734 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080A4031A8011AC7160A)
Aug 24 22:07:09 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=56 FLOWLBL=403645 PROTO=TCP SPT=80 DPT=55203 SEQ=3513765726 ACK=2943252120 WINDOW=55 RES=0x00 ACK URGP=0 OPT (0101080A4010C6001AC71719)
Aug 24 22:07:09 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=57 FLOWLBL=450811 PROTO=TCP SPT=80 DPT=55205 SEQ=2195164847 ACK=2995835564 WINDOW=55 RES=0x00 ACK URGP=0 OPT (0101080A6AD42A001AC7177A)
Aug 24 22:07:10 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=56 FLOWLBL=523922 PROTO=TCP SPT=80 DPT=55191 SEQ=3473526613 ACK=1725112124 WINDOW=55 RES=0x00 ACK URGP=0 OPT (0101080A50D9EC001AC714DB)
Aug 24 22:07:11 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=57 FLOWLBL=70326 PROTO=TCP SPT=443 DPT=55076 SEQ=2814461830 ACK=1700784977 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080A4010C8001AC70952)
Aug 24 22:07:11 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=56 FLOWLBL=483389 PROTO=TCP SPT=443 DPT=55088 SEQ=3046071959 ACK=4048840805 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080A3ED640011AC70A80)
Aug 24 22:09:06 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=108 TC=0 HOPLIMIT=57 FLOWLBL=104858 PROTO=TCP SPT=443 DPT=54927 SEQ=457721307 ACK=3791213383 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080ABBB59C001AC53ED7)
Aug 24 22:11:07 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=108 TC=0 HOPLIMIT=57 FLOWLBL=1009280 PROTO=TCP SPT=443 DPT=54927 SEQ=457721307 ACK=3791213383 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080ABBB612001AC53ED7)
Aug 24 22:13:07 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=108 TC=0 HOPLIMIT=57 FLOWLBL=415370 PROTO=TCP SPT=443 DPT=54927 SEQ=457721307 ACK=3791213383 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080ABBB688001AC53ED7)
Aug 24 22:14:14 kernel: DROP IN=eth0 OUT=br0 SRC=2600:3c03:0000:0000:f03c:91ff:fed4:6b53 DST=2003:00da:4bd6:3344:3d34:b66a:ef62:c078 LEN=80 TC=0 HOPLIMIT=52 FLOWLBL=149797 PROTO=TCP SPT=58700 DPT=443 SEQ=547267615 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (0204052C0402080A1C2CAEEB0000000001030307)
Aug 24 22:14:15 kernel: DROP IN=eth0 OUT=br0 SRC=2600:3c03:0000:0000:f03c:91ff:fed4:6b53 DST=2003:00da:4bd6:3344:3d34:b66a:ef62:c078 LEN=80 TC=0 HOPLIMIT=52 FLOWLBL=609914 PROTO=TCP SPT=58700 DPT=443 SEQ=547267615 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (0204052C0402080A1C2CB0180000000001030307)

 

[skeal]

@skeal .... It looks like in your system log?

A few copied lines only:

Aug 24 22:07:07 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=56 FLOWLBL=227226 PROTO=TCP SPT=443 DPT=55125 SEQ=740859260 ACK=1419299069 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080ABF57BC001AC70C2C)
Aug 24 22:07:07 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=56 FLOWLBL=261576 PROTO=TCP SPT=443 DPT=55168 SEQ=4181769772 ACK=2137326954 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080AB7ECBA001AC71272)
Aug 24 22:07:08 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=56 FLOWLBL=304845 PROTO=TCP SPT=80 DPT=55161 SEQ=1572105113 ACK=2879872395 WINDOW=55 RES=0x00 ACK URGP=0 OPT (0101080A3FF658001AC71164)
Aug 24 22:07:08 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=56 FLOWLBL=599964 PROTO=TCP SPT=443 DPT=55196 SEQ=2939944409 ACK=1264918734 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080A4031A8011AC7160A)
Aug 24 22:07:09 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=56 FLOWLBL=403645 PROTO=TCP SPT=80 DPT=55203 SEQ=3513765726 ACK=2943252120 WINDOW=55 RES=0x00 ACK URGP=0 OPT (0101080A4010C6001AC71719)
Aug 24 22:07:09 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=57 FLOWLBL=450811 PROTO=TCP SPT=80 DPT=55205 SEQ=2195164847 ACK=2995835564 WINDOW=55 RES=0x00 ACK URGP=0 OPT (0101080A6AD42A001AC7177A)
Aug 24 22:07:10 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=56 FLOWLBL=523922 PROTO=TCP SPT=80 DPT=55191 SEQ=3473526613 ACK=1725112124 WINDOW=55 RES=0x00 ACK URGP=0 OPT (0101080A50D9EC001AC714DB)
Aug 24 22:07:11 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=57 FLOWLBL=70326 PROTO=TCP SPT=443 DPT=55076 SEQ=2814461830 ACK=1700784977 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080A4010C8001AC70952)
Aug 24 22:07:11 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=56 FLOWLBL=483389 PROTO=TCP SPT=443 DPT=55088 SEQ=3046071959 ACK=4048840805 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080A3ED640011AC70A80)
Aug 24 22:09:06 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=108 TC=0 HOPLIMIT=57 FLOWLBL=104858 PROTO=TCP SPT=443 DPT=54927 SEQ=457721307 ACK=3791213383 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080ABBB59C001AC53ED7)
Aug 24 22:11:07 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=108 TC=0 HOPLIMIT=57 FLOWLBL=1009280 PROTO=TCP SPT=443 DPT=54927 SEQ=457721307 ACK=3791213383 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080ABBB612001AC53ED7)
Aug 24 22:13:07 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=108 TC=0 HOPLIMIT=57 FLOWLBL=415370 PROTO=TCP SPT=443 DPT=54927 SEQ=457721307 ACK=3791213383 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080ABBB688001AC53ED7)
Aug 24 22:14:14 kernel: DROP IN=eth0 OUT=br0 SRC=2600:3c03:0000:0000:f03c:91ff:fed4:6b53 DST=2003:00da:4bd6:3344:3d34:b66a:ef62:c078 LEN=80 TC=0 HOPLIMIT=52 FLOWLBL=149797 PROTO=TCP SPT=58700 DPT=443 SEQ=547267615 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (0204052C0402080A1C2CAEEB0000000001030307)
Aug 24 22:14:15 kernel: DROP IN=eth0 OUT=br0 SRC=2600:3c03:0000:0000:f03c:91ff:fed4:6b53 DST=2003:00da:4bd6:3344:3d34:b66a:ef62:c078 LEN=80 TC=0 HOPLIMIT=52 FLOWLBL=609914 PROTO=TCP SPT=58700 DPT=443 SEQ=547267615 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (0204052C0402080A1C2CB0180000000001030307)

I would have to say no my logs don't look like that. It would seem skynet is only sort of working. The output from skynet would be something like: kernel: [BLOCKED - NEW BAN] blah blah blah.

 

[Adamm]

@skeal .... It looks like in your system log?

A few copied lines only:

Aug 24 22:07:07 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=56 FLOWLBL=227226 PROTO=TCP SPT=443 DPT=55125 SEQ=740859260 ACK=1419299069 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080ABF57BC001AC70C2C)
Aug 24 22:07:07 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=56 FLOWLBL=261576 PROTO=TCP SPT=443 DPT=55168 SEQ=4181769772 ACK=2137326954 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080AB7ECBA001AC71272)
Aug 24 22:07:08 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=56 FLOWLBL=304845 PROTO=TCP SPT=80 DPT=55161 SEQ=1572105113 ACK=2879872395 WINDOW=55 RES=0x00 ACK URGP=0 OPT (0101080A3FF658001AC71164)
Aug 24 22:07:08 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=56 FLOWLBL=599964 PROTO=TCP SPT=443 DPT=55196 SEQ=2939944409 ACK=1264918734 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080A4031A8011AC7160A)
Aug 24 22:07:09 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=56 FLOWLBL=403645 PROTO=TCP SPT=80 DPT=55203 SEQ=3513765726 ACK=2943252120 WINDOW=55 RES=0x00 ACK URGP=0 OPT (0101080A4010C6001AC71719)
Aug 24 22:07:09 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=57 FLOWLBL=450811 PROTO=TCP SPT=80 DPT=55205 SEQ=2195164847 ACK=2995835564 WINDOW=55 RES=0x00 ACK URGP=0 OPT (0101080A6AD42A001AC7177A)
Aug 24 22:07:10 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=56 FLOWLBL=523922 PROTO=TCP SPT=80 DPT=55191 SEQ=3473526613 ACK=1725112124 WINDOW=55 RES=0x00 ACK URGP=0 OPT (0101080A50D9EC001AC714DB)
Aug 24 22:07:11 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=57 FLOWLBL=70326 PROTO=TCP SPT=443 DPT=55076 SEQ=2814461830 ACK=1700784977 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080A4010C8001AC70952)
Aug 24 22:07:11 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=136 TC=0 HOPLIMIT=56 FLOWLBL=483389 PROTO=TCP SPT=443 DPT=55088 SEQ=3046071959 ACK=4048840805 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080A3ED640011AC70A80)
Aug 24 22:09:06 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=108 TC=0 HOPLIMIT=57 FLOWLBL=104858 PROTO=TCP SPT=443 DPT=54927 SEQ=457721307 ACK=3791213383 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080ABBB59C001AC53ED7)
Aug 24 22:11:07 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=108 TC=0 HOPLIMIT=57 FLOWLBL=1009280 PROTO=TCP SPT=443 DPT=54927 SEQ=457721307 ACK=3791213383 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080ABBB612001AC53ED7)
Aug 24 22:13:07 kernel: DROP IN=eth0 OUT=br0 SRC=2a04:4e42:001b:0000:0000:0000:0000:0403 DST=2003:00da:4bd6:3344:5cd7:18fb:bc56:c52a LEN=108 TC=0 HOPLIMIT=57 FLOWLBL=415370 PROTO=TCP SPT=443 DPT=54927 SEQ=457721307 ACK=3791213383 WINDOW=57 RES=0x00 ACK URGP=0 OPT (0101080ABBB688001AC53ED7)
Aug 24 22:14:14 kernel: DROP IN=eth0 OUT=br0 SRC=2600:3c03:0000:0000:f03c:91ff:fed4:6b53 DST=2003:00da:4bd6:3344:3d34:b66a:ef62:c078 LEN=80 TC=0 HOPLIMIT=52 FLOWLBL=149797 PROTO=TCP SPT=58700 DPT=443 SEQ=547267615 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (0204052C0402080A1C2CAEEB0000000001030307)
Aug 24 22:14:15 kernel: DROP IN=eth0 OUT=br0 SRC=2600:3c03:0000:0000:f03c:91ff:fed4:6b53 DST=2003:00da:4bd6:3344:3d34:b66a:ef62:c078 LEN=80 TC=0 HOPLIMIT=52 FLOWLBL=609914 PROTO=TCP SPT=58700 DPT=443 SEQ=547267615 ACK=0 WINDOW=28800 RES=0x00 SYN URGP=0 OPT (0204052C0402080A1C2CB0180000000001030307)

That rule should be removed during Skynet startup regardless of the mode (and old logs purged), this makes me believe Skynet is failing to start possibly. Please post the output of the debug info command.