Skynet - Router Firewall & Security Enhancements

Adam
I received comments from Martineau - not sure if this is useful to you

Not really. I searched through 8 pages to find the script in question, had a brief look at where "the creator of Skynet deems it acceptable to silently cripple intrinsic iptables diagnostic functionality", and let me tell you, I'm quite a monster for the drastic changes I made completely crippling router functionality. :rolleyes:

Before;
Code:
iptables -I logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options

After;
Code:
iptables -I logdrop -m state --state NEW -j LOG --log-prefix "[BLOCKED - INVALID] " --log-tcp-sequence --log-tcp-options --log-ip-options

So there's the question, why am I such a terrible person who crippled functionality by changing the prefix on a log entry? So Skynet can organise, purge and make these logs fully searchable.

In future I would appreciate @Martineau contact me if there's some sort of conflicting issue with Skynet which we can discuss accordingly, rather than make passive aggressive comments which in this case ended up being unwarranted.
 
Thanks, but I only have 1 drive. 2 partitions but 1 drive. I could try putting that swap file in the other partition, and eliminating that other partition completely since I only have entware in case I find something I'd want in the future.

I highly suggest starting over with just 1 partition for everything. It's become clear there's some sort of issue between the time Skynet's partition mounts and the secondary partition that's unique to your setup.
 
I think Skynet and the swap should be on the same partition. IMHO
Currently both are on the same partition, but still there are problems.

 
I may have solved this issue for now. I copied the line from the /jffs/scripts/firewall-start file and put it into the post-mount file after the swapon line, then rebooted. Now all is OK. Then just to be sure, I rebooted twice more, and both times, Skynet is OK, with firewall debug info telling me I have 16/16 Tests Successful.
 
@Adamm Unable to add s2.mp4upload.com as domain whitelist.
Error states “[*] Domain Not Valid - Please Try Again”

Is there some validation done on the domain we are trying to add? Coding error?
 
I've pushed v6.6.2 to address this.

Code:
Add client list w/ status to "debug info"
Rewrite menu tests
Delay swap file check by 10s if entry exists but isnt loaded
General code cleanup and aesthetics
 
Just want to say, long-time Merlin user that just recently looked into at-depth about Skynet (and Diversion); installed both tonight on my AC56U, disabled Adblock Origin in my browser, refreshed everything and:

OMFG...why did I wait so long to do this?

Kudos to Adamm and thelonelycoder for their respective programs; as long as they are around and updated, I will be definitely using them on any Asus router I have with Merlin on it in the future.
 
I can't seem to get it to work on my AC86U.

After successfully running the install script prior to doing a factory reset, flashing latest Merlin (2018-10-20), formatting my USB 3.0 Sandisk stick (ext2), I receive this as soon as I reboot the router. I haven't yet changed a single setting on the router besides configuring the Wireless NIC:s and enabled SSH+jffs scripts.

Code:
Router Model; RT-AC2900
Skynet Version; v6.6.2 (20/11/2018)
iptables v1.4.15 - (eth0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
FW Version; 384.7_2 (Oct 21 2018) (4.1.27)
Install Dir; /tmp/mnt/usbdata/skynet (11.3G / 14.1G Space Available)
SWAP File; /tmp/mnt/usbdata/myswap.swp (2.0G)
Boot Args; /jffs/scripts/firewall start skynetloc=/tmp/mnt/usbdata/skynet
Inbound Filter Rules                | [Failed]
Outbound Filter Rules               | [Failed]
Whitelist IPSet                     | [Failed]
BlockedRanges IPSet                 | [Failed]
Blacklist IPSet                     | [Failed]
Skynet IPSet                        | [Failed]

Here's a log:

Code:
--------------------                | ----------
| Test Description |                | | Result |
--------------------                | ----------

Internet-Connectivity               | [Passed]
Write Permission                    | [Passed]
Firewall-Start Entry                | [Passed]
Services-Stop Entry                 | [Passed]
CronJobs                            | [Failed]
IPSet Comment Support               | [Passed]
Log Level 5 Settings                | [Passed]
Duplicate Rules In RAW              | [Passed]
Inbound Filter Rules                | [Failed]
Inbound Debug Rules                 | [Failed]
Outbound Filter Rules               | [Failed]
Outbound Debug Rules                | [Failed]
Whitelist IPSet                     | [Failed]
BlockedRanges IPSet                 | [Failed]
Blacklist IPSet                     | [Failed]
Skynet IPSet                        | [Failed]


-----------                         | ----------
| Setting |                         | | Status |
----------                          | ----------

Autoupdate                          | [Enabled]
Auto-Banmalware Update              | [Enabled]
Debug Mode                          | [Enabled]
Filter Traffic                      | [Enabled]
Unban PrivateIP                     | [Enabled]
Log Invalid                         | [Disabled]
Ban AiProtect                       | [Disabled]
Secure Mode                         | [Enabled]
Fast Switch                         | [Disabled]

7/16 Tests Sucessful

Fdisk -l output:
Code:
Disk /dev/sda: 15.3 GB, 15376000000 bytes
64 heads, 32 sectors/track, 14663 cylinders
Units = cylinders of 2048 * 512 = 1048576 bytes

   Device Boot      Start         End      Blocks  Id System
/dev/sda1               1       14663    15014896  83 Linux

When I try "Show Debug Entries as they appear" I receive:

Code:
[*] Skynet Not Running - Exiting

Where might the problem be located? I've tried doing everything from scratch twice, but keep receiving the same error. Any help would sure be much appreciated :)
 
Issue the following command then check your syslog;

Code:
sh /jffs/scripts/firewall restart

If Skynet fails to start, it will print the reason why there.
 
Thanks.

There seems to be a problem with the swap file according to the syslog:

Code:
Nov 20 15:10:54 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/usbdata/skynet )
Nov 20 15:10:54 Skynet: [*] Skynet Requires A SWAP File - Install One By Running ( /jffs/scripts/firewall debug swap install )

I can't figure out what I'm doing wrong though. The USB stick is connected and seems accessible, and the swap file is there etc.

ls -s:
Code:
admin@RT-AC2900-A290:/tmp/mnt/usbdata#
    16 drwx------    2 admin    root         16384 Nov 20 14:56 lost+found
524804 -rw-rw-rw-    1 admin    root     536870912 Nov 20 15:05 myswap.swp
     4 drwxrwxrwx    2 admin    root          4096 Nov 20 15:06 skynet

Followed this guide (only created one full partition though, not two separate ones): https://www.snbforums.com/threads/configuring-syslog-ng-with-merlin-firmware.35095/


If I try and reinstall the swap file it does work until next reboot.
 
I couldn't find the exact guide you were referring to. Can you run a forced update then run the debug info command again (and any related syslog output), I've added an additional test that will give me more insight to what the issue is with your swap file.

Code:
sh /jffs/scripts/firewall update -f

# wait 30 seconds

sh /jffs/scripts/firewall debug info extended
 
This was my issue also. I got it to work by copying the line from file /jffs/scripts/firewall-start into /jffs/scripts/post-mount, then rebooting. You now may need to reinstall the swap file, I do not remember if that was necessary. Before the mod, the post-mount file only contains the #!/bin/sh line. After the reboot, for me, it now contains:

#!/bin/sh
swapon /tmp/mnt/data/myswap.swp # Skynet Firewall Addition
sh /jffs/scripts/firewall start skynetloc=/tmp/mnt/data/skynet # Skynet Firewall Addition

This mod seems to survive a reboot, but occasionally I will run this line just to verify that all is OK by getting the result that 16/16 Tests were successful.

sh /jffs/scripts/firewall debug info

I hope Adam will find the issue and fix it so that this sequence is not necessary.
 
Thanks I was able to track down the issue (I was incorrectly assuming the post-mount entry was being properly generated previously).

The issue was when Skynet generates a swap file, it replaces the second line of post-mount with the swapon entry. But if the file is fresh, there is no second line to replace so the swapon entry was never saved. By you adding another line to your post-mount file, you inadvertently fixed the issue by adding a second line for Skynet to replace with the (correct) fix.

For any affected users. Please remove any manual modifications and run a forced update. Skynet should proceed to generate Swap files properly in future (generate a new one if asked).

Code:
sh /jffs/scripts/firewall update -f

@TonyK132 @tronbar
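
The failure mode described in the post above, as an added example that is not part of the original post and is not Skynet's code: a "replace line 2" edit silently does nothing on a one-line post-mount, while an idempotent insert works for any file length. The function names are hypothetical; the swap path and the "# Skynet Firewall Addition" tag are the ones quoted in the thread, and the file is a constructed copy in a temp directory.

```shell
#!/bin/sh
# Added example, not Skynet's code. Function names are hypothetical; the swap
# path and the "# Skynet Firewall Addition" tag are the ones quoted in the thread.
MARKER='# Skynet Firewall Addition'

# Fragile pattern described above: overwrite line 2 with the swapon entry.
# sed's "2c" only fires when a second line exists, so a fresh post-mount
# holding just the shebang is left unchanged and the entry is never saved.
replace_second_line() {   # $1 = post-mount file, $2 = swap file path
    sed -i "2c\\
swapon $2 $MARKER" "$1"
}

# Idempotent alternative: drop any previously tagged swapon line, then insert
# the entry right after the first remaining line, whatever the file length.
ensure_swapon_entry() {   # $1 = post-mount file, $2 = swap file path
    [ -s "$1" ] || printf '#!/bin/sh\n' > "$1"
    tmp="$1.tmp.$$"
    awk -v e="swapon $2 $MARKER" -v m="$MARKER" '
        /^swapon / && index($0, m) { next }   # stale entry: drop it
        { print }
        !ins { print e; ins = 1 }             # insert after first kept line
        END { if (!ins) print e }
    ' "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$1"     # rewrite in place so the file keeps its exec bit
    rm -f "$tmp"
}

# Number of tagged swapon lines in a file (prints 0 when none).
count_entries() {
    grep -c "^swapon .*$MARKER\$" "$1" || true
}

# Demo on a constructed fresh post-mount in a temp dir (not the router's file).
demo() {
    d=$(mktemp -d) && f="$d/post-mount"
    printf '#!/bin/sh\n' > "$f"
    replace_second_line "$f" /tmp/mnt/data/myswap.swp
    echo "after line-2 replace: $(count_entries "$f") entry"
    ensure_swapon_entry "$f" /tmp/mnt/data/myswap.swp
    ensure_swapon_entry "$f" /tmp/mnt/data/myswap.swp
    echo "after ensure (twice): $(count_entries "$f") entry"
    rm -rf "$d"
}
demo
```

Running the insert twice still leaves a single entry, which is the property that lets a boot script re-apply it on every start without accumulating duplicates.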
 
Sorry. I added the wrong URL; this guide: http://www.algissalys.com/how-to/format-and-partition-usb-asuswrt-routers

I figured out what caused it. It doesn't work if I try and label the partition as they do in the guide above by issuing this command: tune2fs -L usbdata /dev/sda1.


I tried once more without labeling the partition, and now it works perfectly fine after reboot. \o/
 
Adamm,
Just performed a forced update and getting a syntax error.

/jffs/scripts/firewall: line 264: syntax error: unexpected "fi" (expecting "then")
 
@Adamm after the update starting the firewall generated the following syntax error:
Code:
/jffs/scripts/firewall: line 264: syntax error: unexpected "fi" (expecting "then")

Thanks...
 
When I booted @Adamm my Skynet is screwed. The error on the ssh terminal session says:
Code:
/jffs/scripts/firewall: line 264: syntax error: unexpected "fi" (expecting "then")
I uninstalled manually and still I get the same error. Before the removal skynet after the reboot would get:
Code:
Nov 20 09:24:57 Skynet: [*] USB Not Found - Sleeping For 10 Seconds ( Attempt 4 Of 10 )
And would not start. No error in the syslog after the usb try above.
 
I get the same error when trying to re-install.
 
