What's new

Skynet Skynet - Router Firewall & Security Enhancements

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Gosh, these blocklists are dynamic. Just in the last few hours youtube has been blocked. Yesterday it was CNN and the New York Times site. Also, tropicaltidbits.com, a really good hurricane site.

Whitelisting them immediately restores access, except youtube because of an ad site.
 
Just in the last few hours youtube has been blocked. Yesterday it was CNN and the New York Times site. Also, tropicaltidbits.com, a really good hurricane site.

I have the latest version of these lists and every site mentioned works as expected. What IP's were being blocked and what lists did they appear on?
 
Maybe I'm misunderstanding the behavior and something else is going on. But when I would go to a site--say tropicaltidbits.com, I would get a "took too long to respond" message. I would go to skynet, whitelist the domain, get a response that "-1" IP was blocked, and the site would immediately start responding again. I'l poke at this some more.
 
Maybe I'm misunderstanding the behavior and something else is going on. But when I would go to a site--say tropicaltidbits.com, I would get a "took too long to respond"

Totally possible, I'm just saying for the examples listed I couldn't see any blocked IP's when checking as of this post. In future if you get lots of false positives, use the following command on the afflicting IP's.

Code:
sh /jffs/scripts/firewall stats search malware xxx.xxx.xxx.xxx

This should show what lists the IP is listed on. If I get reports that too many false positives are coming from a specific list, I will remove it.
 
Gosh, these blocklists are dynamic. Just in the last few hours youtube has been blocked. Yesterday it was CNN and the New York Times site. Also, tropicaltidbits.com, a really good hurricane site.

Whitelisting them immediately restores access, except youtube because of an ad site.
I did experience something similar with hosts file I use with AB-Solution and pfBlockerNG on my pfSense appliance. CBS stopped working and videos were blocked. I gave it the boy scout effort in trying to identify the domain that was impacted. I ended up working my way from AB-Max and working my way backwards until I found the shooter40sw hosts file worked. I then made the corresponding change on pfSense.

One idea is to use the MatchIP utility here.
https://github.com/RMerl/asuswrt-me...t-installation-instructions#iblocklist-loader

You can do a nslookup command on the domain name that is being blocked to determine the IP address. Then use MatchIP command to identify what IPSET list is blocking it.
 
Then use MatchIP command to identify what IPSET list is blocking it.


This functionality is already built into Skynet.

Code:
sh /jffs/scripts/firewall stats search ip xxx.xxx.xxx.xxx

and

sh /jffs/scripts/firewall stats search malware xxx.xxx.xxx.xxx
 
This functionality is already built into Skynet.

Code:
sh /jffs/scripts/firewall stats search ip xxx.xxx.xxx.xxx

and

sh /jffs/scripts/firewall stats search malware xxx.xxx.xxx.xxx
Does the ip command search malware at same time as the banlists? If not, can I request this as a feature/enhancement please?
 
Does the ip command search malware at same time as the banlists? If not, can I request this as a feature/enhancement please?


For now no it doesn't, the only reason why being that the search malware command takes around 20+ seconds because it has to download and process each list individually etc. Whereas the search ip command is almost instant.
 
For now no it doesn't, the only reason why being that the search malware command takes around 20+ seconds because it has to download and process each list individually etc. Whereas the search ip command is almost instant.
I'll make myself a little script for now that lets me choose if I want to include malware, and run the search commands you've already provided accordingly.
 
Not sure what is going on here, but I could not connect to vault.netdocuments.com. I didn't find it in the blocklists or malware, but as soon as I disabled skynet I connected.
 
Not sure what is going on here, but I could not connect to vault.netdocuments.com. I didn't find it in the blocklists or malware, but as soon as I disabled skynet I connected.


Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

Don't worry, tracking down false positive bans was at the core of design. Generally speaking you can follow these steps to find (and unban) anything incorrectly on your Blacklist!

1.) Enable Debug Mode via the installer
Code:
sh /jffs/scripts/firewall install
2.) Open the blocked application/website and use the command;

Code:
sh /jffs/scripts/firewall debug watch
Now look for a flood of [BLOCKED - RAW] coming from the same IP. This most likely will be the IP you are looking for if its being spammed in large numbers.

3.) Copy the IP following "SRC=" it should look something like this;
Code:
SRC=175.115.37.52
4.) Double check the IP is not actually something that should be banned, use a search tool like alienvault.

Code:
https://otx.alienvault.com/indicator/ip/175.115.37.52/
5.) Great we have confirmed we found the IP of the blocked website/application we are looking for, lets whitelist it!

Code:
sh /jffs/scripts/firewall whitelist 175.115.37.52
 
Sorry to be overly cryptic. I did follow these steps. I reinstalled skynet and can go to this site without anything showing up in the log, and it isn't in the blocklist or malware check.

It's just that, I couldn't get to it before, and immediately on disabling skynet I could. So it isn't that the site is being blacklisted, but something else hinky is going on.
 
So it isn't that the site is being blacklisted, but something else hinky is going on.

Any time Skynet blocks something if debug mode is enabled it will be logged, there is no bypassing it. So not sure what to tell you.
 
well.. we need new blacklists <.<

The maintainer of those lists does a pretty good job, I'm sure it will be back online soon once he sorts out bandwidth usage with github.
 
The maintainer of those lists does a pretty good job, I'm sure it will be back online soon once he sorts out bandwidth usage with github.

Github shouldn't be used to host constantly downloaded data files, it's meant to host development stuff, and maybe installation packages. He should probably get a VPS to host these files, possibly behind Cloudflare to ease on bandwidth usage. Otherwise, he'll keep running into this.

That's how I do it for hosting the firmware manifest for new version checks.
 
Github shouldn't be used to host constantly downloaded data files, it's meant to host development stuff, and maybe installation packages. He should probably get a VPS to host these files, possibly behind Cloudflare to ease on bandwidth usage. Otherwise, he'll keep running into this.

That's how I do it for hosting the firmware manifest for new version checks.
A CDN is what I would have thought best to host these files, I didn't realise it was being hosted directly from GitHub!
 
A CDN is what I would have thought best to host these files, I didn't realise it was being hosted directly from GitHub!
For this and other reasons I moved completely away from GitHub. It's great an all but if users constantly pull files then a better way has to be used.
Since AB-Solution files are small, I can run it on one of my VPS.
 
Bandwidth usage can grow quickly. Just for Asuswrt-Merlin's update server (which contains two small text files that are less than 5 KB each), this is enough to generate 11.55 GB of traffic during last month. Of that, 11.49 GB was provided by Cloudflare, and never reached my VPS.

For these kind of static files, CDNs are great.
 

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top