Skynet - Router Firewall & Security Enhancements

As I had uninstalled Skynet yesterday while trying to troubleshoot, I had to attempt a fresh installation; however, I am still being forced to choose between the 4 swap file sizes or the exit option.

Thanks, I forgot to also correct that check. I pushed another hotfix.
 
Still the same issue and I think it is related to the regex format and install routine.

I downloaded the firewall.sh file and changed the fstab check, for the 2 instances where it is used, to the same check you used for myswap.swp but substituted the filename to "partition" instead and installation did complete but firewall was not saved to /jffs/scripts.

Code:
if [ -z "$swaplocation" ] && ! grep -qF "myswap.swp" /proc/swaps && ! grep -qF "partition" /proc/swaps 2>/dev/null; then

Code:
if ! grep -qE "^swapon " /jffs/scripts/post-mount && ! grep -qF "partition" /proc/swaps 2>/dev/null; then Create_Swap; fi

After copying and renaming firewall.sh to firewall under jffs/scripts, I was able to run firewall, but the service checks are all in red.

Code:
Router Model; RT-AC86U
Skynet Version;  (05/11/2018)
iptables v1.4.15 - (ppp0 @ x.x.x.x)
ipset v6.32, protocol version: 6
FW Version; 384.7_2 (Oct 21 2018) (4.1.27)
Install Dir; /tmp/mnt/data/skynet (14.5G / 14.6G Space Available)
Boot Args; /jffs/scripts/firewall start skynetloc=/tmp/mnt/data/skynet

Checking Inbound Filter Rules...            [Failed]
Checking Outbound Filter Rules...            [Failed]
Checking Whitelist IPSet...                [Failed]
Checking BlockedRanges IPSet...                [Failed]
Checking Blacklist IPSet...                [Failed]
Checking Skynet IPSet...                [Failed]

I haven't gone over your entire code but suspect there is another check needed, specifically in the install routine

Code:
elif ! grep -qF "partition" /proc/swaps && [ -z "$swaplocation" ]; then
    Manage_Device
    echo "[i] Saving Changes"
    Save_IPSets
    echo "[i] Unloading Skynet Components"
    Unload_Cron "all"
    Unload_IPTables
    Unload_DebugIPTables
    Unload_IPSets
    logger -t Skynet "[%] Restarting Firewall Service"; echo "[%] Restarting Firewall Service"
    restartfirewall="1"
    nolog="2"

While I was able to get Skynet to load after including the above routine, the firewall file is still not saved to /jffs/scripts

Apologies for butchering your code ... Don't trouble yourself if it's too much of a hassle to get fstab swap partitions to be recognized by Skynet.

Thanks again
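
The checks quoted in this post look for the word "partition" anywhere in /proc/swaps. As an added example (not part of the original post and not Skynet's code), the sketch below classifies active swap by the Type column instead, so a swap file stored under a path that contains that word is not mistaken for a swap partition. The sample tables and the /tmp/mnt/partition1 path are constructed.

```shell
#!/bin/sh
# Constructed /proc/swaps samples: a header row plus one row per swap area.
sample_partition() {
    printf '%s\n' \
        'Filename                        Type       Size     Used  Priority' \
        '/dev/sda1                       partition  2097148  0     -1'
}
# Constructed edge case: a swap *file* whose path contains "partition".
sample_tricky() {
    printf '%s\n' \
        'Filename                        Type       Size     Used  Priority' \
        '/tmp/mnt/partition1/myswap.swp  file       1048572  512   -2'
}
sample_none() {
    printf '%s\n' 'Filename                        Type       Size     Used  Priority'
}

# swap_state: read /proc/swaps-format text on stdin and print
# none | file | partition | mixed, judged by the Type column only.
# (The kernel escapes spaces in paths as \040, so field 2 is always Type.)
swap_state() {
    awk '
        NR == 1 { next }                 # skip the header row
        $2 == "file"      { f = 1 }
        $2 == "partition" { p = 1 }
        END {
            if (f && p)  print "mixed"
            else if (f)  print "file"
            else if (p)  print "partition"
            else         print "none"
        }'
}

# naive_has_partition: substring test on the whole table, for comparison.
naive_has_partition() { grep -qF "partition" && echo yes || echo no; }

for s in sample_partition sample_tricky sample_none; do
    printf '%-17s type-column=%-9s substring-match=%s\n' \
        "$s" "$($s | swap_state)" "$($s | naive_has_partition)"
done
```

On a router the same function can be fed the live table with `swap_state < /proc/swaps`.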
 
I pushed another hotfix, run;

Code:
sh /jffs/scripts/firewall update -f

and let me know if there's any issues.
 
Perfectamundo! Many thanks Adamm =)

Edit: just went over the code changes - good stuff!
 
I hijack the built-in BFD protection Merlin implemented via IPTables; 4 incorrect login attempts within 60 seconds will get you Blacklisted. With a dynamic IP I can't think of many great ideas to keep the other devices updated with your current IP beyond taking a small breather between incorrect login attempts :p. I suggest using SSH keys though and disabling password authentication altogether, it's much more secure, especially if you expose SSH to WAN.

I'll report back if I think of any ways to keep your current IP updated.

Hi! Can you give me any pointers, or know any tutorial for setting this up? I'd very much like to blacklist or ban incorrect logins.
 
I've pushed v6.5.7

This version is based on swap file management. After about 3 rewrites I got the code how I wanted it so we can fix or at least diagnose just about any swap related issue. This is hopefully the last time I have to look at that code :p
 
Hi! Can you give me any pointers, or know any tutorial for setting this up? I'd very much like to blacklist or ban incorrect logins.

If Skynet is installed, it's enabled by default in the background.
 
Is there a reason why the command to run skynet is not skynet?
One reason would be that skynet doesn't require entware.
 
Is there a reason why the command to run skynet is not skynet?

If entware is installed you can create a new command and call it whatever you like.

Code:
ln -s /jffs/scripts/firewall /opt/bin/*****

With ***** being the new command name
 
Adamm,
Any plans to support ipv6?

and how about building our own community blacklist? I don't mind having my skynet data compiled for Good.

In fact, I'd be willing to turn on dropped inbound traffic logging if it helps the cause. Maybe an opt in option?
 
The last two days Siri was not working on my iPad (via WiFi), while it was working fine on my iPhone (WiFi + cellular). Today when I temporarily disabled Skynet Siri immediately started working again on the iPad. Now with Skynet back on, Siri still seems to work on both devices.

What can Skynet have blocked here?

(since Siri is working now I can't reproduce?)
 
Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

Don't worry, tracking down false positive bans was at the core of design. Generally speaking you can follow these steps to find (and whitelist) anything incorrectly on your Blacklist!

1.) Enable Debug Mode
Code:
sh /jffs/scripts/firewall settings debugmode enable

2.) Open the blocked application/website and use the command;

Code:
sh /jffs/scripts/firewall debug watch

Now look for a flood of [BLOCKED - OUTBOUND] coming from the same IP. This most likely will be the IP you are looking for if it's being spammed in large numbers.

3.) Copy the IP following "DST="; it should look something like this;
Code:
DST=175.115.37.52

4.) Double check the IP is not actually something that should be banned, use a search tool like alienvault. If it's related to a domain, additional "Associated Domain" information should be printed beneath the log.

Code:
https://otx.alienvault.com/indicator/ip/175.115.37.52/

5.) Great, we have confirmed we found the IP of the blocked website/application we are looking for, let's whitelist it!

Code:
sh /jffs/scripts/firewall whitelist ip 175.115.37.52
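
Steps 2 to 5 above can be supported by a small log triage helper. This is an added example, not part of the original post or of Skynet: it counts destinations in lines tagged [BLOCKED - OUTBOUND], accepts only well-formed IPv4 values after DST=, and prints the lookup URL and whitelist command for review without running anything. The sample log lines are constructed and assume the usual iptables LOG field layout.

```shell
#!/bin/sh
# Constructed log lines. Only the "[BLOCKED - OUTBOUND]" tag and the DST=
# field come from the post; the other fields and the INBOUND line are assumed.
sample_log() {
cat <<'EOF'
Nov  5 10:00:01 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=ppp0 SRC=192.168.1.20 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=50112 DPT=443
Nov  5 10:00:02 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=ppp0 SRC=192.168.1.20 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=50113 DPT=443
Nov  5 10:00:02 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=4455 DPT=23
Nov  5 10:00:03 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=ppp0 SRC=192.168.1.31 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=40100 DPT=80
Nov  5 10:00:04 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=ppp0 SRC=192.168.1.20 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=50114 DPT=443
Nov  5 10:00:05 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=ppp0 SRC=192.168.1.20 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=50115 DPT=443
EOF
}

# top_blocked_dst [MIN]: read log text on stdin and print "<count> <ip>" for
# every outbound-blocked destination seen at least MIN times, busiest first.
top_blocked_dst() {
    awk -v min="${1:-3}" '
        index($0, "[BLOCKED - OUTBOUND]") {
            for (i = 1; i <= NF; i++)
                # Accept only a dotted-quad value so junk never reaches a command line.
                if ($i ~ /^DST=[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    n[substr($i, 5)]++
                    break
                }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# review_steps [MIN]: for the busiest candidate, print the reputation lookup
# URL (step 4) and the whitelist command (step 5). Nothing is executed.
review_steps() {
    top_blocked_dst "${1:-3}" | head -n 1 | while read -r count ip; do
        printf 'seen %s times: https://otx.alienvault.com/indicator/ip/%s/\n' "$count" "$ip"
        printf 'if legitimate: sh /jffs/scripts/firewall whitelist ip %s\n' "$ip"
    done
}

sample_log | review_steps 3
```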
 
Any plans to support ipv6?

Blacklisting isn't effective with IPv6. It works with IPv4 because it is address limited. With IPv6 there are 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses up for grabs so blacklisting is useless.
 
Thanks. I have seen that post multiple times before.

Unfortunately I had no clue it was Skynet blocking Siri. I found out by accident (so too late to test) and it does not reproduce now.

If it happens again I’ll try to debug using these instructions.
 
Blacklisting isn't effective with IPv6. It works with IPv4 because it is address limited. With IPv6 there are 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses up for grabs so blacklisting is useless.
Please write the number in words. How do you read the number in words? Lol. It needs a mathematics genius for this question.
 
I think I've found an unmanaged? situation. If I have an activated swap partition on /dev/sda1, Skynet's installer couldn't finish without errors, so it didn't work. After swapoff /dev/sda1 the installer and Skynet work fine. Could you investigate it? As I remember, swap partition existence wasn't a problem before... It's not a huge problem, because I can use a swap file instead of a swap partition.
 