Skynet - Router Firewall & Security Enhancements
I assume this is the issue? @RMerlin @john9527

I specifically tested ipset recently as I finalized its implementation on the RT-AX88U. Works for me, module even gets automatically loaded (no modprobe required):

Code:
admin@stargate88ax:/tmp/home/root# ipset create autoban hash:ip
admin@stargate88ax:/tmp/home/root# lsmod | grep set
ip_set_hash_ip         20359  1
ip_set                 28899  1 ip_set_hash_ip

Make sure you do run beta 1 and not an early alpha build from back before I actually added ipset support.
 
The command didn’t work because you used it inside the Skynet menu. Anyway, once you create a swap file using the command provided your issue should be resolved.

Skynet can self diagnose almost any issue with itself so just observe the output closely.
No, I ran it from the cmd line.

Here I did it again with all the cmds and output together.

admin@RT-AC86U-1BD0:/tmp/home/root# sh /jffs/scripts/firewall restart
################################################################################
# _____ _ _ __ #
# / ____| | | | / / #
# | (___ | | ___ _ _ __ ___| |_ __ __/ /_ #
# \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \ #
# ____) | <| |_| | | | | __/ |_ \ V /| (_) |#
# |_____/|_|\_\\__, |_| |_|\___|\__| \_/ \___/ #
# __/ | #
# |___/ #
# #
## - 18/11/2018 - Asus Firewall Addition By Adamm v6.6.1 #
## https://github.com/Adamm00/IPSet_ASUS #
################################################################################


Saving Changes
Unloading Skynet Components
[%] Restarting Firewall Service


Done.

admin@RT-AC86U-1BD0:/tmp/home/root# sh /jffs/scripts/firewall banmalware
################################################################################
# _____ _ _ __ #
# / ____| | | | / / #
# | (___ | | ___ _ _ __ ___| |_ __ __/ /_ #
# \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \ #
# ____) | <| |_| | | | | __/ |_ \ V /| (_) |#
# |_____/|_|\_\\__, |_| |_|\___|\__| \_/ \___/ #
# __/ | #
# |___/ #
# #
## - 18/11/2018 - Asus Firewall Addition By Adamm v6.6.1 #
## https://github.com/Adamm00/IPSet_ASUS #
################################################################################


[*] Skynet Not Running - Exiting
 
Here are the logs for when I did that.

Nov 17 12:58:03 Skynet: [%] Restarting Firewall Service
Nov 17 12:58:03 rc_service: service 6154:notify_rc restart_firewall
Nov 17 12:58:04 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Nov 17 12:58:04 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Nov 17 12:58:04 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/data/skynet )
Nov 17 12:58:04 Skynet: [*] Skynet Requires A SWAP File - Install One By Running ( /jffs/scripts/firewall debug swap install )
 
Here are the logs for when I did that.

You found your answer :p

Code:
[*] Skynet Requires A SWAP File - Install One By Running ( /jffs/scripts/firewall debug swap install )
 
I specifically tested ipset recently as I finalized its implementation on the RT-AX88U. Works for me, module even gets automatically loaded (no modprobe required):

xt_set is the module in question. Here's what lsmod looks like on other devices.

Code:
skynet@RT-AC86U-2EE8:/tmp/home/root# lsmod | grep set
ip_set_hash_ip         20375  1
xt_set                  8849 13
ip_set_list_set         8197  2
ip_set_hash_net        24442  4
ip_set                 28859  4 ip_set_hash_ip,xt_set,ip_set_list_set,ip_set_hash_net

There seems to be an issue when modprobing it on the AX88U. This module is responsible for "-m set --match-set" functionality. You can verify this works via:

Code:
modprobe xt_set
ipset -N foo iphash
iptables -t raw -I PREROUTING -i br0 -m set --match-set foo dst -j DROP
iptables -L -t raw

I don't have an AX88U yet to confirm this myself, but with the information and output provided I am quite sure there is an issue here specifically with loading that module.
 
CONFIG_NETFILTER_XT_SET is not set in the kernel config. That's odd cause I thought I did compare the config file with that of the AC86U. I will have to check which other module is missing.
 
You found your answer :p

Code:
[*] Skynet Requires A SWAP File - Install One By Running ( /jffs/scripts/firewall debug swap install )
Yes that worked, but why is it necessary to run that separately from your install script?
 
Yes that worked, but why is it necessary to run that separately from your install script?
Not sure how you missed it but it is part of the setup of Skynet.:rolleyes::rolleyes:
 
Yes that worked, but why is it necessary to run that separately from your install script?
Also, I just did a reboot. Here is the debug info that I get. When I ran it right after doing the separate swap file install, all said Passed.

admin@RT-AC86U-1BD0:/tmp/home/root# sh /jffs/scripts/firewall debug info
################################################################################
# _____ _ _ __ #
# / ____| | | | / / #
# | (___ | | ___ _ _ __ ___| |_ __ __/ /_ #
# \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \ #
# ____) | <| |_| | | | | __/ |_ \ V /| (_) |#
# |_____/|_|\_\\__, |_| |_|\___|\__| \_/ \___/ #
# __/ | #
# |___/ #
# #
## - 18/11/2018 - Asus Firewall Addition By Adamm v6.6.1 #
## https://github.com/Adamm00/IPSet_ASUS #
################################################################################


Router Model; RT-AC86U
Skynet Version; v6.6.1 (18/11/2018)
iptables v1.4.15 - (eth0 @ 192.168.2.1)
ipset v6.32, protocol version: 6
FW Version; 384.8_beta1 (Nov 16 2018) (4.1.27)
Install Dir; /tmp/mnt/data/skynet (25.6G / 27.5G Space Available)
SWAP File; /tmp/mnt/data/myswap.swp (512.5M)
Boot Args; /jffs/scripts/firewall start skynetloc=/tmp/mnt/data/skynet
Banned Countries; pk ir kp cn ru vn ua iq ng in br th id eg
No Lock File Found

---------------- | ------
Test Description | Result
---------------- | ------

Internet-Connectivity | [Passed]
Write Permission | [Passed]
Firewall-Start Entry | [Passed]
Services-Stop Entry | [Passed]
CronJobs | [Failed]
IPSet Comment Support | [Passed]
Log Level 5 Settings | [Passed]
Duplicate Rules In RAW | [Passed]
Inbound Filter Rules | [Failed]
Inbound Debug Rules | [Failed]
Outbound Filter Rules | [Failed]
Outbound Debug Rules | [Failed]
Whitelist IPSet | [Failed]
BlockedRanges IPSet | [Failed]
Blacklist IPSet | [Failed]
Skynet IPSet | [Failed]


------- | ------
Setting | Status
------- | ------

Autoupdate | [Enabled]
Auto-Banmalware Update | [Enabled]
Debug Mode | [Enabled]
Filter Traffic | [Enabled]
Unban PrivateIP | [Enabled]
Log Invalid | [Disabled]
Ban AiProtect | [Disabled]
Secure Mode | [Enabled]
Fast Switch | [Disabled]

7/16 Tests Sucessful

[#] 161454 IPs (+0) -- 30217 Ranges Banned (+0) || Inbound -- Outbound Connec]
 
Also, I just did a reboot. Here is the debug info that I get. When I ran it right after doing the separate swap file install, all said Passed.

Every time you restart Skynet and it fails to start it will print a corresponding error to the syslog. Please restart Skynet and again post the syslog from the restart being initiated to the point of failure.
 
Every time you restart Skynet and it fails to start it will print a corresponding error to the syslog. Please restart Skynet and again post the syslog from the restart being initiated to the point of failure.
OK, I can do it again, but fundamentally, after the install, then a reboot, Skynet has that bad status. Do you want the whole reboot log? If yes, send me a link so I can privately send it to you.

Also, to be clear, when I installed Skynet, I followed all of the prompts. The Swap file got created, and all was good until I did a router reboot.

BTW, after the previous reboot, the logs again showed the Swap file issue.

Nov 18 07:27:28 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/data/skynet )
Nov 18 07:27:28 Skynet: [*] Skynet Requires A SWAP File - Install One By Running ( /jffs/scripts/firewall debug swap install )
 
At this point maybe your drive is the point of failure, have you tried re-formatting?
 
No, I have not tried that. But Skynet was working with no problems when I had alpha3 inside the 86U, before I loaded beta1.
 
No, I have not tried that. But Skynet was working with no problems when I had alpha3 inside the 86U, before I loaded beta1.
Then along with a reformat of the drive I would reset the router to defaults and manually configure.
 
No, I have not tried that. But Skynet was working with no problems when I had alpha3 inside the 86U, before I loaded beta1.
Some devices don't reliably remount USB 3 drives on the USB 3 port following a reboot. If your flash drive is using the USB 3 port, try moving it to USB 2.
 
I just experimented by moving my USB drive from the USB 3 port to the USB 2 port. I powered down, moved it, then powered it back on. After it settled down, I rebooted again. Then I did firewall debug info, and have the same errors as before. So then I looked at the logs. Here's what I found.

Skynet initially tries to use the USB drive before it is mounted by the kernel. See this sequence. Then it tries again 10 secs later. It's at that time when it gives up and says the Swap file is needed. My Swap file is located at /tmp/mnt/data which was available 8 secs before Skynet tried to get it the 2nd time.

Nov 18 13:07:34 Skynet: [*] USB Not Found - Sleeping For 10 Seconds ( Attempt 1 Of 10 )
Nov 18 13:07:34 kernel: nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
Nov 18 13:07:35 kernel: scsi 0:0:0:0: Direct-Access Samsung Flash Drive FIT 1100 PQ: 0 ANSI: 6
Nov 18 13:07:35 kernel: sd 0:0:0:0: Attached scsi generic sg0 type 0
Nov 18 13:07:35 kernel: sd 0:0:0:0: [sda] 62656641 512-byte logical blocks: (32.1 GB/29.9 GiB)
Nov 18 13:07:35 kernel: sd 0:0:0:0: [sda] Write Protect is off
Nov 18 13:07:35 kernel: sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
Nov 18 13:07:35 kernel: sda: sda1 sda2
Nov 18 13:07:35 kernel: sd 0:0:0:0: [sda] Attached SCSI removable disk
Nov 18 13:07:35 disk_monitor: Finish
Nov 18 13:07:35 disk_monitor: be idle
Nov 18 13:07:36 kernel: EXT4-fs (sda2): mounting ext2 file system using the ext4 subsystem
Nov 18 13:07:36 kernel: EXT4-fs (sda2): warning: mounting unchecked fs, running e2fsck is recommended
Nov 18 13:07:36 hotplug[1376]: USB ext2 fs at /dev/sda2 mounted on /tmp/mnt/data
Nov 18 13:07:36 usb: USB ext2 fs at /dev/sda2 mounted on /tmp/mnt/data.
Nov 18 13:07:36 kernel: EXT4-fs (sda2): mounted filesystem without journal. Opts: user_xattr
:
Nov 18 13:07:45 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/data/skynet )
Nov 18 13:07:45 Skynet: [*] Skynet Requires A SWAP File - Install One By Running ( /jffs/scripts/firewall debug swap install )

For grins, I may try moving it back to USB3 and see what the logs say.
 
Nov 18 13:07:35 kernel: sda: sda1 sda2
Nov 18 13:07:35 kernel: sd 0:0:0:0: [sda] Attached SCSI removable disk
...
Nov 18 13:07:36 hotplug[1376]: USB ext2 fs at /dev/sda2 mounted on /tmp/mnt/data
Nov 18 13:07:36 usb: USB ext2 fs at /dev/sda2 mounted on /tmp/mnt/data.
How is the USB partitioned? What is the first partition?
 
How is the USB partitioned? What is the first partition?
/dev/sda1 mounted on /tmp/mnt/entware
/dev/sda2 mounted on /tmp/mnt/data

Looks like the kernel mounts sda2 before sda1.
 
My Swap file is located at /tmp/mnt/data which was available 8 secs before Skynet tried to get it the 2nd time.
You should see a line telling your swap file is added.

I have my swap file created by Diversion Ad Blocker, and my syslog shows:

Code:
Nov 18 22:29:41 kernel: Adding 262140k swap on /tmp/mnt/DT_1/myswap.swp.  Priority:-1 extents:67 across:266504k
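
The two log observations in the posts above (the filesystem is mounted before Skynet's second startup attempt, and a working setup logs a kernel "Adding ...k swap on" line) can be checked mechanically. This is an added example, not part of the thread and not Skynet's code: the function names, verdict strings and the swap line in SWAP_LINE are constructed, while the other sample lines are copied from the boot log posted above.

```shell
#!/bin/sh
# Added example (not Skynet code): classify a boot from syslog line order.
# Verdicts: ok | swap-not-active (...) | not-mounted-at-startup | no-startup-seen
# Assumes all lines are from the same day (only HH:MM:SS is compared).

diagnose_boot() {   # $1 = mount point holding the swap file, $2 = syslog (default stdin)
    awk -v mnt="$1" '
    function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    {   # hotplug/usb line logged once the filesystem is mounted
        i = index($0, "mounted on " mnt)
        if (i) {
            rest = substr($0, i + length("mounted on " mnt))
            if (rest == "" || rest == ".") { mounted = 1; mount_t = secs($3) }
        }
    }
    # kernel line logged when a swap file under the mount point is activated
    /kernel: Adding [0-9]+k swap on / && index($0, " swap on " mnt "/") { swapon = 1 }
    # record the state at the last Skynet startup attempt
    /Skynet: \[%\] Startup Initiated/ {
        started = 1; m = mounted; s = swapon; gap = secs($3) - mount_t
    }
    END {
        if (!started) print "no-startup-seen"
        else if (!m)  print "not-mounted-at-startup"
        else if (!s)  print "swap-not-active (mounted " gap "s before startup)"
        else          print "ok"
    }' ${2:+"$2"}
}

sample_failed() {   # lines copied from the boot log posted in the thread
cat <<'EOF'
Nov 18 13:07:34 Skynet: [*] USB Not Found - Sleeping For 10 Seconds ( Attempt 1 Of 10 )
Nov 18 13:07:36 hotplug[1376]: USB ext2 fs at /dev/sda2 mounted on /tmp/mnt/data
Nov 18 13:07:36 usb: USB ext2 fs at /dev/sda2 mounted on /tmp/mnt/data.
Nov 18 13:07:45 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/data/skynet )
Nov 18 13:07:45 Skynet: [*] Skynet Requires A SWAP File - Install One By Running ( /jffs/scripts/firewall debug swap install )
EOF
}

# Constructed line: what a successful swap activation would log before startup.
SWAP_LINE='Nov 18 13:07:40 kernel: Adding 524284k swap on /tmp/mnt/data/myswap.swp.  Priority:-1 extents:1 across:524284k'
sample_ok() { sample_failed | awk -v l="$SWAP_LINE" '/Startup Initiated/ { print l } { print }'; }

sample_failed | diagnose_boot /tmp/mnt/data
sample_ok     | diagnose_boot /tmp/mnt/data
```

On a router the same function can be pointed at the live log by passing the syslog path as the second argument; a "swap-not-active" verdict means the drive was mounted in time and the swap file itself was never activated.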
 
