Skynet Skynet - Router Firewall & Security Enhancements

[dave14305]

That is the basis of my main question. How in the world do simple little add-ons like Mikoto/UBlock/ABP block YT ads 100% of the time and why can't THAT technology be scaled up to a home network? What is the magic they are doing? Some sort of man-in-the-middle function!?

Browsers have the advantage of being able to read the URL of the site before it is encrypted (assuming an HTTPS site). A router-based solution cannot see the URL, it can only block based on domain names (Diversion) or IP (SkyNet). But you can't watch videos on youtube.com if you're blocking the domain youtube.com. That would throw the baby out with the bath water.
kvic is teasing some potential new feature of pixelserv-tls to block YouTube ads, which would prove valuable.

With the prevalence of HTTPS everywhere, your best fine-grained controls will always be at the browser level (pre-encryption). Again, kvic has some new ideas in this area and you may want to hang out more in the Pixelserv thread.

 

[road hazard]

Browsers have the advantage of being able to read the URL of the site before it is encrypted (assuming an HTTPS site). A router-based solution cannot see the URL, it can only block based on domain names (Diversion) or IP (SkyNet). But you can't watch videos on youtube.com if you're blocking the domain youtube.com. That would throw the baby out with the bath water.
kvic is teasing some potential new feature of pixelserv-tls to block YouTube ads, which would prove valuable.

With the prevalence of HTTPS everywhere, your best fine-grained controls will always be at the browser level (pre-encryption). Again, kvic has some new ideas in this area and you may want to hang out more in the Pixelserv thread.

Thanks for the explanation, you're the very first person (out of many websites) that finally went into details as to what's going on!! I still can't comprehend why somebody hasn't developed some sort of proxy that you can run on a PC that ALL home network traffic will flow through and take care of the ads that way. Guess that is where the teased Pixel feature comes in? I'll go hang out in that thread, thanks you for the info!

 

[RMerlin]

I still can't comprehend why somebody hasn't developed some sort of proxy that you can run on a PC that ALL home network traffic will flow through and take care of the ads that way.

Because you need an application (i.e. a browser) to be able to handle the full context, meaning a browser actually processing and rendering the whole page, and executing all the Javscript code. A proxy operates at the network layer, it has none of the context that a browser at the application layer would have.

 

[el pescador]

Got problem.
Trying to ban an ip which starts with 3.***.***.*** but skynet wont block it.

 

[zerowalker]

This site isn't blocked for me. Are you sure you haven't got country blocking?

Okay will have to recheck, seems weird if you and that other guy didn't have it blocked.
Might have looked at the wrong place, or i have something activated which i didn't know.

EDIT:

Okay seems to be blocked after i clear the non-default whitelisted, must be some setting.
Will reinstall it.

EDIT2:

Weird, reinstalling worked.. odd, what did i do to cause it to block in the first place,
maybe the country as suggested, not even sure how, will have to keep track on this.

 

[Adamm]

Okay will have to recheck, seems weird if you and that other guy didn't have it blocked.
Might have looked at the wrong place, or i have something activated which i didn't know.

EDIT:

Okay seems to be blocked after i clear the non-default whitelisted, must be some setting.
Will reinstall it.

EDIT2:

Weird, reinstalling worked.. odd, what did i do to cause it to block in the first place,
maybe the country as suggested, not even sure how, will have to keep track on this.

The following command will tell you why an IP is listed in either the black or whitelist, you can then use this information for further debugging.

sh /jffs/scripts/firewall stats search ip xxx.xxx.xxx.xxx

 

[zerowalker]

The following command will tell you why an IP is listed in either the black or whitelist, you can then use this information for further debugging.

sh /jffs/scripts/firewall stats search ip xxx.xxx.xxx.xxx

Ah, well it's not blocked again, not sure why it wasn't at first:s

And the reason is "BanMalware".

Blacklist Reason;
 "BanMalware"


[i] IP Location - Germany (AS14061)

[i] 167.99.129.42 First Tracked On Dec 27 01:50:31
[i] 167.99.129.42 Last Tracked On Dec 27 06:01:36
[i] 49 Blocks Total

 

[Adamm]

And the reason is "BanMalware".

So assuming an IP is currently blocked and the reason is listed as BanMalware, you can then use the following to see which list its sourced from and further your investigation.

sh /jffs/scripts/firewall stats search malware xxx.xxx.xxx.xxx

 

[zerowalker]

So assuming an IP is currently blocked and the reason is listed as BanMalware, you can then use the following to see which list its sourced from and further your investigation.

sh /jffs/scripts/firewall stats search malware xxx.xxx.xxx.xxx

167.99.137.12        | https://iplists.firehol.org/files/coinbl_hosts_browser.ipset

 

[Adamm]

167.99.137.12        | https://iplists.firehol.org/files/coinbl_hosts_browser.ipset

So there's the answer, the IP was blacklisted for coin mining at some point. You can whitelist it accordingly if you believe its a false positive.

 

[zerowalker]

But couldn't other ppl get to the site for some reason, why am only i having it blocked?

babeljs.io

Tried different DNS servers, even with different IPs resolved, they are all banned by default for me.
Is BanMalware not on by default?

 

[Eric22]

Hi,

I am new to Asus routers so apologies in advance if what I am saying does not make sense. I have recently installed Skynet on my X88U router and I really admire it and appreciate the effort has been put to develop it. I got a few minor comments which I would be glad if you could help me to address.
1. it would be really useful we could have a sort of comment/tooltip/inline documentation for each item in the menu/sub menus similar to what we have in diversion. That said, I can easily understand what each item/sub item does particularly if I am new to the script. The description should not be necessarily long. Only one sentence or phrase works.
2. it would be useful to have an exit/cancel option throughout the menu (in all items/sub items) similar to diversion. This is really helpful when you want to navigate in the menu.
3. This is indeed a question. How can I access to the log to see what IPs have been blocked (all in a period of time not just top x)? Is it possible to backup the log frequently or save/archive them somewhere for future reference?
4. I can see that my RAM usage has increased to almost 100% after I installed Skynet with all the recommended settings. Is it normal? I have set a 1GB swap file.

Thanks,
Eric

 

[wyldstallyn]

Hi there,

got a funny one that I can't decrypt, Skynet seems to block the "Check in-store availability" module on the ae.com website and won't churn up anything in debug mode.

For example, go to https://www.ae.com/men-clearance-ae...od/2151_1343_600?cm=sCA-cCAD&catId=cat8750002 , select a size from the drop down menu and add a postal code into the search field... nothing happens.

Temporary disable Skynet and store search results load as expected.

 

[Adamm]

Hi there,

got a funny one that I can't decrypt, Skynet seems to block the "Check in-store availability" module on the ae.com website and won't churn up anything in debug mode.

For example, go to https://www.ae.com/men-clearance-ae...od/2151_1343_600?cm=sCA-cCAD&catId=cat8750002 , select a size from the drop down menu and add a postal code into the search field... nothing happens.

Temporary disable Skynet and store search results load as expected.

Follow the guide below and you should be able to track down the IP in question.

Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

Don't worry, tracking down false positive bans was at the core of design. Generally speaking you can follow these steps to find (and whitelist) anything incorrectly on your Blacklist!

1.) Enable Debug Mode

sh /jffs/scripts/firewall settings debugmode enable

2.) Open the blocked application/website and use the command;

sh /jffs/scripts/firewall debug watch

Now look for a flood of [BLOCKED - OUTBOUND] coming from the same IP. This most likely will be the IP you are looking for if its being spammed in large numbers.

3.) Copy the IP following "DST=" it should look something like this;

DST=175.115.37.52

4.) Double check the IP is not actually something that should be banned, use a search tool like alienvault. If its related to a domain additional "Associated Domain" information should be printed beneath the log.

https://otx.alienvault.com/indicator/ip/175.115.37.52/

5.) Great we have confirmed we found the IP of the blocked website/application we are looking for, lets whitelist it!

sh /jffs/scripts/firewall whitelist ip 175.115.37.52

 

[wyldstallyn]

Follow the guide below and you should be able to track down the IP in question.

Thank you for your efforts, unfortunately that does not yield any result, all I see are blocked INBOUND entries. :/

 

[Adamm]

Thank you for your efforts, unfortunately that does not yield any result, all I see are blocked INBOUND entries. :/

I personally tried the website, after putting in a size for the item and clicking add to bag, the checkout seemed to work fine up until the point I was required to add payment details.

 

[wyldstallyn]

I personally tried the website, after putting in a size for the item and clicking add to bag, the checkout seemed to work fine up until the point I was required to add payment details.

You sir, are a gem, thank you for going through the trouble of testing it.. it's not actually the shopping cart feature that doesn't work, but locating the item in a nearby store (trivial, I know), sorry I should have provided this screenshot from the start. The highlighted yellow section, when you click the "Search" button after entering a postal code, the module disappears and the store inventories do not load when skynet is active.

 

[dave14305]

Skynet also blocks bad style choices.

 

[Adamm]

You sir, are a gem, thank you for going through the trouble of testing it.. it's not actually the shopping cart feature that doesn't work, but locating the item in a nearby store (trivial, I know), sorry I should have provided this screenshot from the start. The highlighted yellow section, when you click the "Search" button after entering a postal code, the module disappears and the store inventories do not load when skynet is active.

View attachment 15628

This is Diversion related I believe (nothing being blocked from that website via Skynet). Add the following to your Diversion whitelist;

liveapi.yext.com

 

[thelonelycoder]

This is Diversion related I believe (nothing being blocked from that website via Skynet). Add the following to your Diversion whitelist;

liveapi.yext.com

This also might be relevant for Diversion users:
https://www.snbforums.com/threads/diversion-the-router-ad-blocker.48538/page-80#post-455689