Skynet - Router Firewall & Security Enhancements

OK, now what? :oops:

xxxxxxx@RT-AC68U-B088:/tmp/home/root# sh /jffs/scripts/firewall stats search malware 192.124.249.18

Debug Data Detected in /tmp/mnt/SNB/skynet/skynet.log - 184.0K
Monitoring From Dec 15 04:00:56 To Dec 15 09:43:54
407 Block Events Detected
170 Unique IPs
240 Autobans Issued
3 Manual Bans Issued

Exact Matches;

Possible CIDR Matches;


Skynet: [Complete] 157845 IPs / 2015 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 97 Inbound / 0 Outbound Connections Blocked! [9s]


That IP (which I further confirmed myself) isn't currently on any of the standard banmalware filter lists. Potentially it was an autoban? Try the following command;

Code:
sh /jffs/scripts/firewall stats search ip xxx.xxx.xxx.xxx

That will show you if the IP is currently banned, the reason for it being banned and the most recent logs of it being banned. But with that being said, for this particular IP, banmalware at this point in time isn't the reason for it being blocked (if you're running the latest banmalware update, of course).

And to reiterate your concerns, if you can investigate some of these other blocked IPs you were running into and they all point to a common list, let me know and I'll definitely consider removing it.
 
Well it is now in the whitelist since it was being blocked outbound.

Code:
Debug Data Detected in /tmp/mnt/SNB/skynet/skynet.log - 192.0K
Monitoring From Dec 15 04:00:56 To Dec 15 10:02:00
442 Block Events Detected
182 Unique IPs
240 Autobans Issued
3 Manual Bans Issued

192.124.249.18 is in set Whitelist.
192.124.249.18 is NOT in set Blacklist.
192.124.249.18 is NOT in set BlockedRanges.

Whitelist Reason;
 "ManualWlist: Google ?"


192.124.249.18 First Tracked On
192.124.249.18 Last Tracked On
0 Events Total

First Event Tracked From 192.124.249.18;

10 Most Recent Events From 192.124.249.18;

Top 10 Targeted Ports From 192.124.249.18 (Inbound);

Top 10 Sourced Ports From 192.124.249.18 (Inbound);

Skynet: [Complete] 157845 IPs / 2015 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 132 Inbound / 0 Outbound Connections Blocked! [2s]

I found it using the stats commands in the Skynet menu and then added it to the whitelist:

Code:
[1-13]: 12

Select Stat Option:
[1]  --> Display
[2]  --> Search
[3]  --> Reset

[1-3]: 2

Show Top x Results:
[1]  --> 10
[2]  --> 20
[3]  --> 50
[4]  --> Custom

[1-4]: 3

Search Options:
[1]  --> Based On Port x
[2]  --> Entries From Specific IP
[3]  --> Search Malwarelists For IP
[4]  --> Search Autobans
[5]  --> Search Manualbans
[6]  --> Search For Outbound Entries From Local Device

[1-6]: 6

[Local IP]: 192.168.1.5

Debug Data Detected in /tmp/mnt/SNB/skynet/skynet.log - 176.0K
Monitoring From Dec 15 04:00:56 To Dec 15 09:26:11
387 Block Events Detected
163 Unique IPs
240 Autobans Issued
3 Manual Bans Issued

192.168.1.5 is in set Whitelist.
192.168.1.5 is NOT in set Blacklist.
192.168.1.5 is NOT in set BlockedRanges.

Whitelist Reason;


192.168.1.5 First Tracked On Dec 15 08:19:05
192.168.1.5 Last Tracked On Dec 15 08:20:09
14 Events Total

Device Name;
dell-linux-eth

First Event Tracked From 192.168.1.5;
Dec 15 08:19:05 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=192.124.249.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=29569 DF PROTO=TCP SPT=33618 DPT=443 SEQ=2970450639 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A1C45036A0000000001030307)

50 Most Recent Events From 192.168.1.5;
Dec 15 08:19:05 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=192.124.249.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=29569 DF PROTO=TCP SPT=33618 DPT=443 SEQ=2970450639 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A1C45036A0000000001030307)
Dec 15 08:19:05 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=192.124.249.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25226 DF PROTO=TCP SPT=33620 DPT=443 SEQ=3553324031 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A1C4503910000000001030307)
Dec 15 08:19:06 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=192.124.249.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=29570 DF PROTO=TCP SPT=33618 DPT=443 SEQ=2970450639 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A1C45046C0000000001030307)
Dec 15 08:19:06 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=192.124.249.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25227 DF PROTO=TCP SPT=33620 DPT=443 SEQ=3553324031 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A1C45048C0000000001030307)
Dec 15 08:19:08 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=192.124.249.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=29571 DF PROTO=TCP SPT=33618 DPT=443 SEQ=2970450639 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A1C4506640000000001030307)
Dec 15 08:19:08 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=192.124.249.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25228 DF PROTO=TCP SPT=33620 DPT=443 SEQ=3553324031 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A1C4506840000000001030307)
Dec 15 08:19:12 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=192.124.249.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=29572 DF PROTO=TCP SPT=33618 DPT=443 SEQ=2970450639 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A1C450A5C0000000001030307)
Dec 15 08:19:12 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=192.124.249.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25229 DF PROTO=TCP SPT=33620 DPT=443 SEQ=3553324031 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A1C450A9C0000000001030307)
Dec 15 08:19:20 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=192.124.249.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=29573 DF PROTO=TCP SPT=33618 DPT=443 SEQ=2970450639 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A1C45125C0000000001030307)
Dec 15 08:19:20 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=192.124.249.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25230 DF PROTO=TCP SPT=33620 DPT=443 SEQ=3553324031 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A1C45129C0000000001030307)
Dec 15 08:19:36 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=192.124.249.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=29574 DF PROTO=TCP SPT=33618 DPT=443 SEQ=2970450639 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A1C45221C0000000001030307)
Dec 15 08:19:36 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=192.124.249.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25231 DF PROTO=TCP SPT=33620 DPT=443 SEQ=3553324031 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A1C45225C0000000001030307)
Dec 15 08:20:09 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=192.124.249.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25232 DF PROTO=TCP SPT=33620 DPT=443 SEQ=3553324031 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A1C45421C0000000001030307)
Dec 15 08:20:09 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=192.124.249.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=29575 DF PROTO=TCP SPT=33618 DPT=443 SEQ=2970450639 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A1C45421C0000000001030307)

Here is the output after removing it from the whitelist:
Code:
sh /jffs/scripts/firewall stats search ip 192.124.249.18

Debug Data Detected in /tmp/mnt/SNB/skynet/skynet.log - 196.0K
Monitoring From Dec 15 04:00:56 To Dec 15 10:09:15
451 Block Events Detected
185 Unique IPs
240 Autobans Issued
3 Manual Bans Issued

192.124.249.18 is NOT in set Whitelist.
192.124.249.18 is NOT in set Blacklist.
192.124.249.18 is NOT in set BlockedRanges.


192.124.249.18 First Tracked On
192.124.249.18 Last Tracked On
0 Events Total

First Event Tracked From 192.124.249.18;

10 Most Recent Events From 192.124.249.18;

Top 10 Targeted Ports From 192.124.249.18 (Inbound);

Top 10 Sourced Ports From 192.124.249.18 (Inbound);

Skynet: [Complete] 157845 IPs / 2015 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 141 Inbound / 0 Outbound Connections Blocked! [2s]

The stats search malware output is the same as in my "now what" post above.
 
Well, unfortunately, because it's not currently banned or listed on any of the banmalware lists, I can't give you any clues as to where the ban originated (your logs having been reset so recently doesn't help either). I can see maybe two scenarios in which this could have happened:

1) It briefly appeared in a banmalware list and then was removed upon the next update (thus unbanning it)
2) It was a false positive by the built in SPI firewall and added as an autoban.

So maybe for now it's best we focus on the other false positives you have run into. Try to assess what lists they are sourced from using the previously mentioned command, if you believe it was banmalware causing it. If there is a common denominator, I'm all ears and will work towards a solution.
 
(your logs having been reset so recently doesn't help either).
This happens with almost every action in Skynet: updating, whitelist, ban, stats, listing etc. The hourly compilation also removes the detailed blocks, so if something happens, say while listening to streaming radio as I do other things, and I come back to see why the music stopped just before the hour, I have no chance to see it, since Skynet has done its hourly compilation. I know I can do "sh /jffs/scripts/firewall stats search ip xxx.xxx.xxx.xxx", but a quick look on the System Log page is quickest.

Skynet seems to be clearing my AC68U syslog every day at 23:00, so trying to go back a day is not possible there either. This has occurred the last three nights. I will disable Skynet tonight to see if it is cleared or not.

Sorry if I sound like I am complaining, just frustrated with all the hands on required of late. I think Skynet is incredibly useful and I am reluctant to disable it. Thanks for all the support.
 
Hi, I have a problem: when I use Skynet, it blocks the connection to an Xbox One. Could you tell me how to allow it to connect with Skynet activated? Thanks in advance. Regards!

I had the same issue with the Xbox One X. Since I also use AB-solution I wasn't sure if the problem comes from Skynet or AB. So I updated AB-solution and loaded the shared + blocking file. After that I also updated Skynet and loaded the shared white- and black lists from AB-solution and this solved the problem for me.
 
Here is what I do if something is blocked by Skynet or AB-Solution

- While you're trying to connect to a web site or doing something that's not connecting/not working, follow the dnsmasq entries via AB-Solution to see which domain is blocked, and follow the system log to see which IP address is blocked by Skynet.
- If a domain is blocked by AB-Solution, add this domain to the whitelist.
- If an IP address is blocked by Skynet, first check the dnsmasq logs under "\adblocking\logs" and search for this IP address in "dnsmasq.log". If you find this IP address, you'll also find the domain for it. If you are able to find the domain, add it to AB-Solution's whitelist.
- If you can't find the domain of the blocked IP address, unban it via the Skynet menu.

Just a note: don't forget to apply the whitelist in AB-Solution. After applying the whitelist, go to Skynet and use "4" and "6" to Refresh Whitelist, so Skynet will whitelist the IP addresses that belong to the domains you've added to AB-Solution's whitelist.

I've fixed many blocks this way. I hope this helps :)
 
When you edit the whitelist in AB-Solution and then commit the changes through it, Skynet is auto-run to use the updated shared whitelist to do its whitelisting.
There is no need to manually run Skynet afterwards.
 
Without success. I did the steps you told me, but the Xbox is still blocked; I do not know what I'm doing wrong.
 
Skynet seems to be clearing my AC68U syslog everyday at 23:00 , so trying to go back a day is not possible there either. This has occurred the last three nights. I will disable Skynet tonight to see if it is cleared or not.

This doesn't mean the logs are erased, they are just moved from the syslog to skynet.log every hour. The only time the logs are partially erased is when the logfile hits 7MB, in my personal usage this takes around 2 weeks, for others this may happen more frequently. The stats command will give you an indication of when they were last erased.

Without success. I did the steps you told me, but the Xbox is still blocked; I do not know what I'm doing wrong.

Make sure you have debug mode enabled via the installer. With that setting, every time Skynet blocks a connection it will be logged in the syslog for easier viewing; then follow the steps provided to determine the conflicting IP being blocked, if any. If there are no IPs appearing, then possibly something else is responsible for blocking it.
 
Thank you very much for the help; I detected the fault and now everything works fine.

regards!!!
 
Glad to hear you fixed it. Would you mind sharing the IP that was causing the issues so I can investigate further? Thanks
 
Is there auto update option (if not, in the future version)? Instagram has the problem of showing graphic, just blurry with a white circle in the middle. I then updated Skynet and problem is gone.
 
Yes, both Skynet itself and the banmalware function have an autoupdate feature. Re-run the install command to configure it.
 
Without success. I did the steps you told me, but the Xbox is still blocked; I do not know what I'm doing wrong.
Here is a list of Xbox links that should be white-listed:

attestation.xboxlive.com
cert.mgt.xboxlive.com
ctldl.windowsupdate.com
def-vef.xboxlive.com
device.auth.xboxlive.com
eds.xboxlive.com
help.ui.xboxlive.com
licensing.xboxlive.com
notify.xboxlive.com
title.auth.xboxlive.com
title.mgt.xboxlive.com
www.msftncsi.com
www.xboxlive.com
xbox.ipv6.microsoft.com
xboxexperiencesprod.experimentation.xboxlive.com
xflight.xboxlive.com
xkms.xbolive.com
xsts.auth.xboxlive.com
 
Glad to hear you fixed it. Would you mind sharing the IP that was causing the issues so I can investigate further? Thanks


Sorry, I remember there were like 3 different IPs. I wrote them down in a notebook and added them; I did not save them. If it happens again, I will share them. Excuse my English, I am Spanish and I write through Google Translate. Regards!!!

P.S. (Mutzli): Thanks, I will add them.
 
Sorry, I remember they were like 3 different ip's. I wrote them down in the notebook and added them, I did not save them. If it happens again, I will share them. Excuse me for my English I am Spanish and I write through a Google translator. regards!!!

You can use the following command to list manually whitelisted IPs:

Code:
sh /jffs/scripts/firewall whitelist list ips
 
Ok here we go again. Please don't think I'm complaining or blaming Skynet. I'm just seeking a deeper understanding of how things work. :)

This IP 173.194.166.231 for Google Play Music got an outbound block after playing just fine for 5 hours or so.
I ran "sh /jffs/scripts/firewall stats search malware 173.194.166.231" and nothing as before, so not in a list.
Code:
Exact Matches;
Possible CIDR Matches;
Then I ran "sh /jffs/scripts/firewall stats search ip 173.194.166.231"

Code:
Debug Data Detected in /tmp/mnt/SNB/skynet/skynet.log - 908.0K
Monitoring From Dec 15 04:00:56 To Dec 16 11:08:40
3125 Block Events Detected
843 Unique IPs
242 Autobans Issued
3 Manual Bans Issued

173.194.166.231 is NOT in set Whitelist.
173.194.166.231 is in set Blacklist.
173.194.166.231 is NOT in set BlockedRanges.

Blacklist Reason;

173.194.166.231 First Tracked On Dec 16 10:57:34
173.194.166.231 Last Tracked On Dec 16 10:59:56
134 Events Total

First Event Tracked From 173.194.166.231;
Dec 16 10:57:34 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=70:8b:cd:2f:b0:88:00:01:5c:6d:22:46:08:00 SRC=173.194.166.231 DST=75.128.66.165 LEN=1472 TOS=0x00 PREC=0x00 TTL=56 ID=13745 PROTO=TCP SPT=443 DPT=37566 SEQ=2645267603 ACK=3434604900 WINDOW=123 RES=0x00 ACK URGP=0 OPT (0101080AB5A63D3C6A72EE17)

10 Most Recent Events From 173.194.166.231;
Dec 16 10:58:55 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=173.194.166.231 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=32192 DF PROTO=TCP SPT=37592 DPT=443 SEQ=1916905432 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A6A733C7F0000000001030307)
Dec 16 10:58:55 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=173.194.166.231 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59475 DF PROTO=TCP SPT=37594 DPT=443 SEQ=1853108972 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A6A733C7F0000000001030307)
Dec 16 10:58:58 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=173.194.166.231 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34293 DF PROTO=TCP SPT=37716 DPT=443 SEQ=1763611605 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A6A733FBF0000000001030307)
Dec 16 10:59:06 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=173.194.166.231 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34294 DF PROTO=TCP SPT=37716 DPT=443 SEQ=1763611605 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A6A7347BF0000000001030307)
Dec 16 10:59:07 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=173.194.166.231 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61727 DF PROTO=TCP SPT=37684 DPT=443 SEQ=1968633428 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A6A73487F0000000001030307)
Dec 16 10:59:09 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=173.194.166.231 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26765 DF PROTO=TCP SPT=37630 DPT=443 SEQ=1003454907 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A6A734A7F0000000001030307)
Dec 16 10:59:22 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=173.194.166.231 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34295 DF PROTO=TCP SPT=37716 DPT=443 SEQ=1763611605 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A6A73577F0000000001030307)
Dec 16 10:59:25 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=173.194.166.231 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55318 DF PROTO=TCP SPT=37662 DPT=443 SEQ=950739100 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A6A735A7F0000000001030307)
Dec 16 10:59:40 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=173.194.166.231 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61728 DF PROTO=TCP SPT=37684 DPT=443 SEQ=1968633428 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A6A7368800000000001030307)
Dec 16 10:59:56 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=173.194.166.231 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34296 DF PROTO=TCP SPT=37716 DPT=443 SEQ=1763611605 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A6A73787F0000000001030307)

Top 10 Targeted Ports From 173.194.166.231 (Inbound);
80x https://www.speedguide.net/port.php?port=37566

Top 10 Sourced Ports From 173.194.166.231 (Inbound);
80x https://www.speedguide.net/port.php?port=443

Skynet: [Complete] 157419 IPs / 2000 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 2152 Inbound / 112 Outbound Connections Blocked! [3s]

I do not understand why the ban:
Dec 16 10:57:34 kernel: [BLOCKED - NEW BAN]

Here is the OTX result.
https://otx.alienvault.com/indicator/ip/173.194.166.231

The really crazy part is that by the time I did all this research and saved to a text file, Play Music started playing again, even though that IP shows banned and I changed nothing in Skynet. Mind boggled.
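The two lookups used in this thread (the "stats search ip" command explained in the replies above and menu option 6, "Search For Outbound Entries From Local Device") and the "why the ban" question in this post can all be answered from a debug-mode skynet.log. The script below is an added example written for this page, not Skynet's own code. It normalises every "[BLOCKED - ...]" line, reports for one address what the stats command reports, lists what a LAN device was blocked from reaching, and gives a verdict on the packet that triggered each "[BLOCKED - NEW BAN]" autoban. SKYNET_LOG is an assumed variable naming the real log; the five sample lines are copied from the log excerpts quoted in this thread and are used when it is unset. The verdict logic follows the earlier reply that an autoban can be an SPI-firewall false positive: the logged trigger for the Google address is an ACK from port 443 to an ephemeral port on the WAN address with no SYN, which is what a late segment of a session the router no longer tracks looks like, and what an SPI firewall drops as out-of-state.

```shell
#!/bin/sh
# Added example, not Skynet's own code: re-derive from a debug-mode
# skynet.log what 'firewall stats search ip <ip>' and menu option 6
# report, and explain the packet behind a "[BLOCKED - NEW BAN]" autoban.
# Assumes lines shaped like those quoted in this thread,
#   "<Mon> <d> <hh:mm:ss> kernel: [BLOCKED - <KIND>] IN=.. SRC=.. DST=.. SPT=.. DPT=.. <flags> ..",
# in time order. SKYNET_LOG is an assumed variable naming the real log;
# if unset or unreadable, the sample below (copied from this thread) is used.

SAMPLE_LOG='Dec 15 08:19:05 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=192.124.249.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=29569 DF PROTO=TCP SPT=33618 DPT=443 SEQ=2970450639 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A1C45036A0000000001030307)
Dec 15 08:19:05 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=192.124.249.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25226 DF PROTO=TCP SPT=33620 DPT=443 SEQ=3553324031 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A1C4503910000000001030307)
Dec 15 08:20:09 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=192.124.249.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=29575 DF PROTO=TCP SPT=33618 DPT=443 SEQ=2970450639 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A1C45421C0000000001030307)
Dec 16 10:57:34 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=70:8b:cd:2f:b0:88:00:01:5c:6d:22:46:08:00 SRC=173.194.166.231 DST=75.128.66.165 LEN=1472 TOS=0x00 PREC=0x00 TTL=56 ID=13745 PROTO=TCP SPT=443 DPT=37566 SEQ=2645267603 ACK=3434604900 WINDOW=123 RES=0x00 ACK URGP=0 OPT (0101080AB5A63D3C6A72EE17)
Dec 16 10:58:55 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=173.194.166.231 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=32192 DF PROTO=TCP SPT=37592 DPT=443 SEQ=1916905432 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A6A733C7F0000000001030307)'

skynet_log() {
  if [ -n "$SKYNET_LOG" ] && [ -r "$SKYNET_LOG" ]; then
    cat "$SKYNET_LOG"
  else
    printf '%s\n' "$SAMPLE_LOG"
  fi
}

# Normalise each BLOCKED line to "ts|kind|src|dst|spt|dpt|flags".
parse_blocked() {
  awk '
    /\[BLOCKED - / {
      ts = $1 " " $2 " " $3
      match($0, /\[BLOCKED - [A-Z ]+\]/)
      kind = substr($0, RSTART + 11, RLENGTH - 12)   # text between "[BLOCKED - " and "]"
      src = dst = spt = dpt = flags = ""
      for (i = 5; i <= NF; i++) {
        n = index($i, "=")
        key = n ? substr($i, 1, n - 1) : $i
        val = n ? substr($i, n + 1) : ""
        if (key == "SRC") src = val
        else if (key == "DST") dst = val
        else if (key == "SPT") spt = val
        else if (key == "DPT") dpt = val
        else if (!n && key ~ /^(SYN|ACK|FIN|RST|PSH)$/) flags = flags key ","   # bare TCP flag words
      }
      print ts "|" kind "|" src "|" dst "|" spt "|" dpt "|" flags
    }'
}

# search_ip ADDR: event count by direction, first/last sighting, inbound
# targeted ports and the LAN devices that were blocked from reaching it.
search_ip() {
  skynet_log | parse_blocked | awk -F'|' -v ip="$1" '
    $3 == ip || $4 == ip {
      n++
      if (n == 1) { first = $1; firstkind = $2 }
      last = $1
      if ($3 == ip) { inb++; tgt[$6]++ } else { outb++; dev[$3]++ }
    }
    END {
      printf "%s: %d events (%d inbound, %d outbound)\n", ip, n, inb, outb
      if (n) printf "first %s [%s], last %s\n", first, firstkind, last
      for (p in tgt) printf "inbound targeted port %s x%d\n", p, tgt[p]
      for (d in dev) printf "outbound blocked from %s x%d\n", d, dev[d]
    }'
}

# outbound_from LANADDR: "count destination", most frequent first (menu option 6).
outbound_from() {
  skynet_log | parse_blocked | awk -F'|' -v ip="$1" '
    $2 == "OUTBOUND" && $3 == ip { c[$4]++ }
    END { for (d in c) print c[d], d }' | sort -rn
}

# classify_autobans: one line per NEW BAN with a verdict on its trigger.
# A SYN to a port the router does not serve is a probe. A bare ACK from a
# well-known service port with no SYN belongs to a session conntrack no
# longer knows; the SPI firewall drops it as out-of-state and the autoban
# then bans its source, the false-positive case described in this thread.
classify_autobans() {
  skynet_log | parse_blocked | awk -F'|' '
    $2 == "NEW BAN" {
      v = "unclassified"
      if ($7 ~ /SYN/ && $7 !~ /ACK/) v = "SYN probe to port " $6
      else if ($7 ~ /ACK/ && $7 !~ /SYN/ && $5 + 0 < 1024)
        v = "stale-session ACK from service port " $5 " (likely SPI false positive)"
      print $1, $3, v
    }'
}

# Demo with the two addresses discussed in this thread.
search_ip 192.124.249.18
search_ip 173.194.166.231
outbound_from 192.168.1.5
classify_autobans
```

Run it on the router as `SKYNET_LOG=/tmp/mnt/SNB/skynet/skynet.log sh script.sh`; busybox awk handles everything used here. The port and device lines come out in awk's hash order, so pipe them through sort if you need a stable listing. The classifier is a heuristic: a bare ACK from a low source port is strong evidence of a stale session rather than hostile traffic, but it is not proof, so treat its output as a reason to whitelist and keep watching, not as a verdict on the remote host.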
 
Dec 16 10:59:06 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=173.194.166.231 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34294 DF PROTO=TCP SPT=37716 DPT=443 SEQ=1763611605 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A6A7347BF0000000001030307)
Dec 16 10:59:07 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=173.194.166.231 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61727 DF PROTO=TCP SPT=37684 DPT=443 SEQ=1968633428 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A6A73487F0000000001030307)
Dec 16 10:59:09 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=173.194.166.231 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26765 DF PROTO=TCP SPT=37630 DPT=443 SEQ=1003454907 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A6A734A7F0000000001030307)
Dec 16 10:59:22 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=173.194.166.231 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34295 DF PROTO=TCP SPT=37716 DPT=443 SEQ=1763611605 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A6A73577F0000000001030307)
Dec 16 10:59:25 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=173.194.166.231 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55318 DF PROTO=TCP SPT=37662 DPT=443 SEQ=950739100 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A6A735A7F0000000001030307)
Dec 16 10:59:40 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=173.194.166.231 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61728 DF PROTO=TCP SPT=37684 DPT=443 SEQ=1968633428 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A6A7368800000000001030307)
Dec 16 10:59:56 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=70:8b:cd:2f:b0:88:d0:67:e5:35:c6:f2:08:00 SRC=192.168.1.5 DST=173.194.166.231 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34296 DF PROTO=TCP SPT=37716 DPT=443 SEQ=1763611605 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A6A73787F0000000001030307)

Top 10 Targeted Ports From 173.194.166.231 (Inbound);
80x https://www.speedguide.net/port.php?port=37566

Top 10 Sourced Ports From 173.194.166.231 (Inbound);
80x https://www.speedguide.net/port.php?port=443

Skynet: [Complete] 157419 IPs / 2000 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 2152 Inbound / 112 Outbound Connections Blocked! [3s]

I do not understand why the ban:
Dec 16 10:57:34 kernel: [BLOCKED - NEW BAN]

Here is the OTX result.
https://otx.alienvault.com/indicator/ip/173.194.166.231

The really crazy part is that by the time I did all this research and saved to a text file, Play Music started playing again, even though that IP shows banned and I changed nothing in Skynet. Mind boggled.

Sure I get you, maybe my replies come off the wrong way also. We all have the same goal in mind which is to improve Skynet so we all have a safer browsing experience with minimal interference needed.

So these logs help, it seems the autoban function is the issue here rather than banmalware (at least for this case in particular). The IP in question sent an invalid TCP ACK request on port 443 and was banned accordingly. The strange part is I configured rules specifically for port 443 (https) so that invalid packets are only dropped, not banned. I will work on this in the morning and see why for this particular case the rule wasn't followed.

Can you also provide the output of the following commands;

Code:
iptables -L logdrop
sh /jffs/scripts/firewall stats search autobans
 
Your replies have been fine, no worry there, but thank you. This firewall stuff is just really new to me.

Looks to firewall-noobie-me like your suspicions are correct if I read the LOG and SET lines correctly. Here is the result:

Code:
Chain logdrop (8 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             match-set Whitelist src
DROP       tcp  --  anywhere             anywhere             multiport sports www,https,imap2,imaps,pop3,pop3s,smtp,ssmtp state INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,ACK
ACCEPT     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,ACK
ACCEPT     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/RST
ACCEPT     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/RST,ACK
LOG        all  --  anywhere             anywhere             state INVALID LOG level warning tcp-sequence tcp-options ip-options prefix "[BLOCKED - NEW BAN] "
SET        all  --  anywhere             anywhere             state INVALID add-set Skynet src
DROP       all  --  anywhere             anywhere
 

All looks fine, very strange as by IPTables logic this should have been DROP'ed at the second rule as the source port matched the defined list, but maybe I'm missing something obvious here. So I'll spend tomorrow looking at possible causes/solutions.

Would you mind also running the second command I posted so I can see if this is happening frequently on your setup on ports that it shouldn't.
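Added example, not Skynet's own code and not something anyone in the thread posted: a small Python walker that applies iptables first-match semantics to the logdrop chain exactly as `iptables -L logdrop` printed it above, fed with the `[BLOCKED - NEW BAN]` kernel line quoted earlier in the thread. The LOG line does not carry the conntrack state, so the walker takes it as an argument; the Whitelist contents (empty, because the stats output says the IP is NOT in set Whitelist) and the alternate packets built with `dict(pkt, ...)` are constructed for illustration.

```python
"""Walk Skynet's 'logdrop' chain (as pasted in this thread) against the kernel
LOG line that produced the [BLOCKED - NEW BAN] event, using iptables
first-match semantics.  Added example, not Skynet's own code."""
import re

# Constructed copy of the first event quoted in the thread.
NEW_BAN_LINE = (
    "Dec 16 10:57:34 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= "
    "MAC=70:8b:cd:2f:b0:88:00:01:5c:6d:22:46:08:00 SRC=173.194.166.231 "
    "DST=75.128.66.165 LEN=1472 TOS=0x00 PREC=0x00 TTL=56 ID=13745 PROTO=TCP "
    "SPT=443 DPT=37566 SEQ=2645267603 ACK=3434604900 WINDOW=123 RES=0x00 ACK "
    "URGP=0 OPT (0101080AB5A63D3C6A72EE17)"
)

TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}
# multiport sports www,https,imap2,imaps,pop3,pop3s,smtp,ssmtp as /etc/services numbers
SERVICE_PORTS = {80, 443, 143, 993, 110, 995, 25, 465}
WHITELIST = set()  # assumption: stats output says the IP is NOT in set Whitelist


def parse_kernel_line(line):
    """Split a netfilter LOG line into a dict: the [prefix], every KEY=value
    field (keys lower-cased) and the set of bare TCP flag tokens (the 'ACK'
    after RES=0x00, as opposed to the ACK=<number> field)."""
    m = re.search(r"\[(.*?)\]", line)
    pkt = {"prefix": m.group(1) if m else "", "flags": set()}
    for tok in line.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            pkt[k.lower()] = v
        elif tok in TCP_FLAGS:
            pkt["flags"].add(tok)
    for k in ("spt", "dpt", "type"):
        if k in pkt:
            pkt[k] = int(pkt[k])
    return pkt


def _flags_exactly(*want):
    """tcpflags FIN,SYN,RST,PSH,ACK,URG/<want>: of the six flags, exactly <want> set."""
    want = set(want)
    return lambda p, st: p.get("proto") == "TCP" and p["flags"] == want


# The chain in the order iptables printed it.  LOG and SET do not terminate the
# walk; every other target does.  st is the conntrack state (not in the LOG line).
LOGDROP = [
    ("ACCEPT", lambda p, st: p.get("src") in WHITELIST),
    ("DROP", lambda p, st: p.get("proto") == "TCP"
                            and p.get("spt") in SERVICE_PORTS and st == "INVALID"),
    ("ACCEPT", lambda p, st: p.get("proto") == "ICMP" and p.get("type") == 11),  # time-exceeded
    ("ACCEPT", lambda p, st: p.get("proto") == "ICMP" and p.get("type") == 3),   # dest-unreachable
    ("ACCEPT", _flags_exactly("FIN", "PSH", "ACK")),
    ("ACCEPT", _flags_exactly("FIN", "ACK")),
    ("ACCEPT", _flags_exactly("RST")),
    ("ACCEPT", _flags_exactly("RST", "ACK")),
    ("LOG", lambda p, st: st == "INVALID"),   # writes "[BLOCKED - NEW BAN] "
    ("SET", lambda p, st: st == "INVALID"),   # add-set Skynet src (the autoban)
    ("DROP", lambda p, st: True),
]


def walk_logdrop(pkt, ct_state):
    """First-match walk.  Returns the terminating rule number (1-based, as in
    'iptables -L --line-numbers'), its target, and whether LOG / SET fired."""
    logged = banned = False
    for n, (target, pred) in enumerate(LOGDROP, 1):
        if not pred(pkt, ct_state):
            continue
        if target == "LOG":
            logged = True
        elif target == "SET":
            banned = True
        else:
            return {"verdict": target, "rule": n, "logged": logged, "banned": banned}
    raise AssertionError("chain has no terminating rule")


def prefix_consistent(pkt, ct_state):
    """True when the prefix that actually reached syslog agrees with the walk:
    a '[BLOCKED - NEW BAN]' prefix can only come from rule 9 firing."""
    saw_new_ban = pkt["prefix"] == "BLOCKED - NEW BAN"
    return saw_new_ban == walk_logdrop(pkt, ct_state)["logged"]


if __name__ == "__main__":
    pkt = parse_kernel_line(NEW_BAN_LINE)
    for st in ("INVALID", "ESTABLISHED"):
        print(st, walk_logdrop(pkt, st), "consistent with log:", prefix_consistent(pkt, st))
```

With the fields visible in the log line and state INVALID (the only state under which rule 9 can write that prefix), the walk stops at rule 2 with DROP and nothing logged, so `prefix_consistent` reports the mismatch the thread is chasing: the packet reached rule 9, yet rule 2 matched on every field we can see. The two constructed variants show the cases the chain does handle as intended: the same ACK from a non-service source port is logged, added to the set and dropped, and a bare RST is accepted at rule 7. What the log cannot show, and this walker cannot resolve, is why the real packet got past rule 2.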
 
