Skynet Skynet is blocking github.com?

As far as I knew what and where to look in the logs, I didn't find anything about this site being blocked.
And, like I already said: it's not the only one. Site www.nlb.si is also blocked here. Same behaviour.
 
I have not had a problem with github. I do have a problem with www.nlb.si because Skynet is blocking the IP
Code:
193.201.214.49 is NOT in set Skynet-Whitelist.
Warning: 193.201.214.49 is in set Skynet-Blacklist.
193.201.214.49 is NOT in set Skynet-BlockedRanges.

Blacklist Reason;
 "BanMalware: normshield_high_bruteforce.ipset"


Associated Domain(s);
nlb.si


[i] IP Location - Slovenia (Nova Ljubljanska Banka, d.d. Ljubljana / AS25059)

[i] 193.201.214.49 First Tracked On Sep 9 19:14:23
[i] 193.201.214.49 Last Tracked On Sep 9 19:14:38
[i] 10 Blocks Total
 
As others have noted ... the problem does not seem to be within the whitelists / blacklists of either Diversion or Skynet - but rather in the fact that after a while [varies] "something" causes Skynet to ignore its own whitelists until Skynet itself is restarted or some other activity [like updating Diversion Blocklist - or simply Processing Whitelist within Diversion] re-initialises whitelist process and GitHub is accessible again.

I leave it to the decoders to figure out - but have noted that @Adamm has not changed any code within Skynet for many months and that he in fact "hardwired" the whitelisting of GitHub with this commit way back in March this year ...
https://github.com/Adamm00/IPSet_ASUS/commit/1a496a006b6a3086abfdf50191a6ca3f944f1fff

I know this issue is frustrating - but abandoning ship on Skynet seems a little drastic ... :oops:.
 
Well, this IS happening for quite a while to me (many months), but I never posted this problem anywhere until now. I have a problem accessing my bank web page for ... well, ages... Problems accessing github started later, when I started my Home Assistant and I began to use github (plugins) for HA.
BTW... www.nlb.si is "nova ljubljanska banka" and it's the first and largest Slovenian bank, and by no means anywhere near spam.
I agree that "abandoning ship" is drastic, but sadly it's the only way. I'm a bit tired of restarting Skynet a couple of times per day just to be able to surf normally. And I didn't even mention that on my Sony PS3 no updates on ANY games are possible until I temporarily shut down Skynet. So, it's another page that is blocked.
 
I saw a thread on reddit in the past 48-72hrs that indicated github is starting to transition to IPv6, in case that might be some part of the issue.
I suppose people with v6 connections will need to confirm. I'm not currently running SkyNet, so I can't help
 
Also having issues with GitHub lately, sometimes it works sometimes it doesn't - odd.

For example: I cannot access: https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy "This site can’t be reached github.com took too long to respond."


Other sites I'm having issues with include Sneakenery, battlebeavercustoms (PS5 controller) and candykittens, giving "took too long to respond." Disabling Skynet fixes this.

Seems it's a Shopify IP address problem, as after whitelisting the IP I can access the sites as normal. Seems the IP belongs to Shopify Inc (Canada DC). (IP Info/Source)
 
Hi, only IPv4 is allowed on my merlinWRT setup, and it took me a while back to realize it was Skynet blocking github. Happily I removed the IP from Skynet's ban list but forgot to save. A few days later, same problem; this time I checked a ping from another machine to github and it turns out that there are two IPs for github, one ending in 3, the other in 4 (there might be more).
This time I unbanned both IPs and the domain name "github.com", and since "gist.github.com" didn't work after saving and restarting Skynet I tried whitelisting "*.github.com", save, restart, but no dice.

For some reason unknown to me, skynet.ipset is listing,
Code:
add Skynet-Blacklist 140.82.121.3 comment "BanMalware: firehol_level3.netset"

Why? What am I doing wrong here?

Also weird that it adds the same IP 140.82.121.4 to the whitelist, just with a different description, even though I remember Skynet pointing out that the IP is already whitelisted on a previous attempt, but this time it just added it.

Code:
ufo@router:/tmp/mnt/RTAC86U/skynet# less skynet.ipset |grep 140.82.121.
add Skynet-Whitelist 140.82.121.4 comment "ManualWlist: github-121-4"
add Skynet-Blacklist 140.82.121.3 comment "BanMalware: firehol_level3.netset"
ufo@router:/tmp/mnt/RTAC86U/skynet# less skynet.ipset |grep github
add Skynet-Whitelist 140.82.112.4 comment "ManualWlistD: github.com"
add Skynet-Whitelist 185.199.109.153 comment "Shared-Whitelist: maurerr.github.io"
add Skynet-Whitelist 185.199.109.133 comment "Shared-Whitelist: raw.githubusercontent.com"
add Skynet-Whitelist 140.82.121.4 comment "ManualWlist: github-121-4"
add Skynet-Whitelist 140.82.112.9 comment "Shared-Whitelist: codeload.github.com"
add Skynet-Whitelist 185.199.108.133 comment "Shared-Whitelist: raw.githubusercontent.com"
add Skynet-Whitelist 185.199.110.153 comment "Shared-Whitelist: maurerr.github.io"
add Skynet-Whitelist 185.199.108.153 comment "Shared-Whitelist: maurerr.github.io"
add Skynet-Whitelist 185.199.111.133 comment "Shared-Whitelist: raw.githubusercontent.com"
add Skynet-Whitelist 185.199.110.133 comment "Shared-Whitelist: raw.githubusercontent.com"
add Skynet-Whitelist 185.199.111.153 comment "Shared-Whitelist: maurerr.github.io"
ufo@router:/tmp/mnt/RTAC86U/skynet#

After whitelisting 140.82.121.3 again, another IP was automatically whitelisted by skynet 140.82.121.9
Code:
# less skynet.ipset |grep 140.82.121.
add Skynet-Whitelist 140.82.121.4 comment "ManualWlist: github-121-4"
add Skynet-Whitelist 140.82.121.3 comment "ManualWlist: github-121-3"
add Skynet-Whitelist 140.82.121.9 comment "Shared-Whitelist: codeload.github.com"


How did 140.82.121.3 end up back to the Blacklist and is this a normal thing of skynet to add IPs on its own to "my" whitelist? (going to brush up on the skynet Manual/FAQ about shared-whitelist now)
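
For readers following the diagnosis above, here is an added example (not part of the original post and not Skynet's own code) that classifies an address against saved ipset lines, including CIDR entries that a plain `grep` for the address would miss. The sample reuses lines shown in this thread; the `203.0.113.x` entries are constructed, and the `ipset_verdict` function name is hypothetical.

```shell
#!/bin/sh
# Constructed sample in the same line format as skynet.ipset above.
# The two 203.0.113.x entries are invented to show range and conflict cases.
sample_ipset() {
cat <<'EOF'
add Skynet-Whitelist 140.82.121.4 comment "ManualWlist: github-121-4"
add Skynet-Blacklist 140.82.121.3 comment "BanMalware: firehol_level3.netset"
add Skynet-Whitelist 140.82.112.4 comment "ManualWlistD: github.com"
add Skynet-BlockedRanges 203.0.113.0/24 comment "BanMalware: constructed-range"
add Skynet-Whitelist 203.0.113.10 comment "ManualWlist: constructed"
EOF
}

# ipset_verdict IP   (reads "add <set> <ip-or-cidr> ..." lines on stdin)
# Prints: <ip> <unlisted|whitelisted|blocked|conflict> [matching entries]
ipset_verdict() {
    awk -v ip="$1" '
    function ip2n(a,   o) {            # dotted quad -> 32-bit number
        split(a, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function covers(entry, n,   p, size) {   # entry is an IP or a CIDR
        split(entry, p, "/")
        size = 2 ^ (32 - (p[2] == "" ? 32 : p[2]))
        return int(ip2n(p[1]) / size) == int(n / size)
    }
    BEGIN { target = ip2n(ip) }
    $1 == "add" && covers($3, target) {
        if ($2 ~ /Whitelist$/) white++; else black++
        why = why " [" $2 " " $3 "]"
    }
    END {
        verdict = "unlisted"
        if (white && black) verdict = "conflict"
        else if (black)     verdict = "blocked"
        else if (white)     verdict = "whitelisted"
        print ip, verdict why
    }'
}

# Demo over the constructed sample: one line per address.
for ip in 140.82.121.3 140.82.121.4 140.82.121.9 203.0.113.10; do
    sample_ipset | ipset_verdict "$ip"
done
```

On the router the same function can read `ipset save` output or the skynet.ipset file on stdin, run once for every address the hostname resolves to.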
 
codeload.github.com is part of the hard coded whitelist in Diversion, and maybe in Skynet too. AFAIK only Skynet and Diversion share their whitelist automatically.
I am pretty sure my whitelist and blacklist functions work flawlessly in Diversion. As others have found, I am not so sure about Skynet as it seems to "forget" these lists during some operations it does.
 
I guess you’re right. I’ve never had any problems since I have Skynet uninstalled. Diversion is running, and it’s doing its job more than perfectly. Either Skynet in some way “forgets” whitelist entries or it uses some weird blacklist (or a combination of both…).
 
Would you say that if I whitelist in Diversion, Skynet would have to obey the Diversion WL?

Edit: actually I should have checked before posting; github.com is on the Diversion WL ...


Code:
github.com #(forced-entry)

 is already in whitelist
 
During a manual or scheduled blocking list update or when making changes in el, Diversion restarts Skynet for it to load and apply the (new) shared whitelist. This operation works fine in Skynet. However, I believe some other operations Skynet runs on its own do not properly include the whitelist. Hence our grievances.
 
All due respect, you dev amtm, and you forked Skynet; if @Adamm does not provide a solution, when do you step in? We all understand @Adamm's disdain for the past snbforum changes, but what is to come of all this? Would you advise users to uninstall Skynet or do you have something in the works, because I see you previously tried tagging @Adamm with no response.
 
I am not as smart as @Adamm is and would not want to interfere with his own plans for the future of Skynet.
My knowledge of understanding firewall rules is at best average when looking at a command.
I cloned his Github project at the time he decided to vacate his presence on this board, to preserve the status quo at the time - in case of the unthinkable. I communicated this to @Adamm then, just to let him know why.

I am good at reading code and make it do what it’s supposed to. If I were to adopt a third party project, it would be Skynet for the single reason that Diversion and Skynet complement each other. That has always been my thinking ever since Elvis left the building.
Reading the comments here and knowing of the ‘forgetfulness’ of Skynet for some time, one would expect an update by its developer, addressing this. The pressure mounts, for me and @Adamm to act.

I have not talked to him since nor did he provide any other form to contact him besides this forum when I asked.
I hope he is well, but a decision has to be made at some time in the near future.
 
I hope that you and @Adamm don't mean this "complaints" offensive, by all means, please don't! You are doing a great job and I'm very thankful for this "plugin" since it saves me from painful commercials, while (if I understand correctly) Skynet additionally protects from intrusions, break-ins etc...
I did read somewhere that Adam "left" the ship, yes. I don't know the reason, I hope it's not a health issue (Covid?) and that he's well. It's his right to do so, after all none of this work is paid...

Hopefully he will explain his part at certain point...
 
I suppose it would be useful next time it "forgets", to get a dump of:

iptables, using something like iptables-save > /tmp/firewall.txt (or even just the raw table with iptables -t raw -S)
Skynet files from /jffs/addons/shared-whitelists/
Skynet's ipsets from wherever it's installed to, usually a folder called skynet in a USB partition
 
Thank you for your elegant response, at least hopefully now other users can find this in the forum and know that Skynet's development is "up in the air" at best. Thank you for maintaining your active role and maintaining your brainchild, i.e. amtm and Diversion. I cannot speak for the other devs that do not maintain an active role. All we can hope is @Adamm is listening and continues to maintain an active role developing Skynet.
 
Thank you for your wisdom. That is a good start.
 
It would also be interesting to display the ipset headers to see if the set has reached the maximum number of elements allowed.
Code:
ipset list -t
It also must be reinforced that whitelisting “github.com” in Skynet is not the same as whitelisting all *.github.com domains.

Maybe an idea for the future is to have Diversion manage a separate ipset that dnsmasq populates automatically, and which Skynet will include in its whitelist ipset.
Code:
ipset=/github.com/snbforums.com/Diversion-Whitelist
Or maybe they could be added directly to Skynet’s whitelist ipset, but without Adamm’s involvement that could prove equally unpredictable in outcome as the current situation.
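
The header check suggested above can be automated. This is an added example (not from the thread or the Skynet project) that reads `ipset list -t` text and flags sets at or near `maxelem`; the header values are constructed, the `ipset_fill` name is hypothetical, and it assumes an ipset build whose terse listing includes the "Number of entries" line.

```shell
#!/bin/sh
# Constructed sample of `ipset list -t` output; all numbers are invented.
sample_headers() {
cat <<'EOF'
Name: Skynet-Whitelist
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536 comment
References: 3
Number of entries: 1412

Name: Skynet-Blacklist
Type: hash:ip
Header: family inet hashsize 65536 maxelem 500000 comment
References: 2
Number of entries: 500000

Name: Skynet-BlockedRanges
Type: hash:net
Header: family inet hashsize 4096 maxelem 200000 comment
References: 2
Number of entries: 190000
EOF
}

# ipset_fill [WARN_PCT]   (reads `ipset list -t` text on stdin)
# Prints: <set> <entries> <maxelem> <pct>% <ok|WARN|FULL>
ipset_fill() {
    awk -v warn="${1:-90}" '
    $1 == "Name:" { name = $2; max = 0 }
    $1 == "Header:" {
        # maxelem is a keyword followed by its value inside the header line
        for (i = 2; i < NF; i++) if ($i == "maxelem") max = $(i + 1) + 0
    }
    /^Number of entries:/ && max > 0 {
        n = $4 + 0
        pct = int(n * 100 / max)
        status = (n >= max ? "FULL" : (pct >= warn ? "WARN" : "ok"))
        print name, n, max, pct "%", status
    }'
}

# Demo over the constructed sample.
sample_headers | ipset_fill 90
```

A set reported as FULL cannot take further entries, so additions made after that point would be rejected; on the router, pipe the real `ipset list -t` output into the function instead of the sample.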
 
I reported the issue in his IPSet_ASUS repository on GitHub (after rebooting the router so that I again had access to Github, at least until the next time it blocks it...)
Fingers crossed.
 