Skynet - Router Firewall & Security Enhancements


+ is a wildcard in IPTables so it should cover all tun interfaces.
So if you policy route your IoT device it'll still be able to connect out to the net? Cool - I would assume anyone that does that would not then expect Skynet to block it, since they've gone through the trouble to set up the policy routing!
 
So if you policy route your IoT device it'll still be able to connect out to the net? Cool - I would assume anyone that does that would not then expect Skynet to block it, since they've gone through the trouble to set up the policy routing!

This actually seems like a bug I overlooked and it should be tun2+ to cover server instances only, unless there's a good reason to keep it as is.
 
Second question, I use YazFi and want to add a device to the IoT list, that is routed by YazFi. When I add it to the block list, I can still access the device from the WAN side. I have removed all allowed ports, so it should block but doesn't. So the device I want blocked is on another subnet. Example: 192.168.1.0/24 and 192.168.2.0/24

I've pushed v6.7.7

This version will correct an oversight in IOT blocking rules when routed via OpenVPN clients.
 
Code:
sh /jffs/scripts/firewall debug info extended
Strange this collects loads of info but doesn't list blocked devices. Was this by design sir?:cool:
 
Strange this collects loads of info but doesn't list blocked devices. Was this by design sir?:cool:

( sh /jffs/scripts/firewall settings iot list ) List Currently Banned IOT Devices
 
( sh /jffs/scripts/firewall settings iot list ) List Currently Banned IOT Devices
Ok so I need some clarification please. If I have an IP configured with YazFi can it be blocked as an IoT device? When I ban the IP (in IoT settings) it does nothing I can still access the camera from. If I'm seeing what is in the cloud, why isn't it blocked from said cloud? I don't fully understand what is going on here.:confused:
 
I'm still confused...I'm not using a vpn client anymore. Can you explain again only in terms I can understand? The link above doesn't reveal any more information to me. I don't know what to do with those instructions. Sorry to be a bother.
No problem! To test they work ad-hoc (i.e. won't survive a firewall restart), try the below in SSH to the router
Code:
# insert DROP first: each -I goes to the top of FORWARD, so the LOG rule inserted second ends up above DROP and actually fires
iptables -I FORWARD -i wl0.1 ! -o tun2+ -m set --match-set Skynet-IOT src -j DROP
iptables -I FORWARD -i wl0.1 ! -o tun2+ -m set --match-set Skynet-IOT src -j LOG --log-prefix "[BLOCKED - IOT] " --log-tcp-sequence --log-tcp-options --log-ip-options
Replace wl0.1 with your actual guest. wl0.1 translates to 2.4GHz guest 1, wl0.2 is 2.4GHz guest 2, wl1.1 is 5GHz guest 1 (and so on)

Then try to access your camera from the WAN again - it should fail
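The two ad-hoc rules above, wrapped as a small helper script so they can be tested on a guest interface without stacking duplicates on every re-run. This is an added example, not Skynet's own code and not from the post: it assumes the Skynet-IOT ipset already exists, that the guest interfaces follow the wlX.Y naming described in the post, and that the rules belong in the FORWARD chain as in the post. It checks with `iptables -C` before inserting, and deliberately inserts DROP before LOG, because `-I` puts each new rule at the top of the chain, so the rule inserted second ends up first.

```shell
#!/bin/sh
# Added example for this thread, not Skynet's own code. Reproduces the ad-hoc
# guest-interface IoT block rules with an existence check (iptables -C) so the
# rules are not stacked twice, and inserts DROP before LOG so that after both
# -I inserts LOG sits above DROP and is actually hit.
# Assumptions: the Skynet-IOT ipset exists; guest interfaces are named wlX.Y.

IOT_SET="Skynet-IOT"
LOG_OPTS='--log-prefix "[BLOCKED - IOT] " --log-tcp-sequence --log-tcp-options --log-ip-options'

# guest_iface_desc IFACE: describe a guest interface (wl0.1 -> "2.4GHz guest 1");
# fail on anything that is not a guest interface name.
guest_iface_desc() {
    case "$1" in
        wl0.[1-9]) echo "2.4GHz guest ${1#wl0.}" ;;
        wl1.[1-9]) echo "5GHz guest ${1#wl1.}" ;;
        *) echo "not a guest interface: $1" >&2; return 1 ;;
    esac
}

# iot_rule_spec IFACE: the match shared by the LOG and DROP rules. Traffic from
# the guest interface is matched unless it leaves via an OpenVPN server
# instance (tun2+), mirroring the br0 rule Skynet installs itself.
iot_rule_spec() {
    echo "FORWARD -i $1 ! -o tun2+ -m set --match-set $IOT_SET src"
}

# iot_guest_rules IFACE: print the commands, one per line, in the order they
# must run (DROP first, LOG second).
iot_guest_rules() {
    guest_iface_desc "$1" >/dev/null || return 1
    spec=$(iot_rule_spec "$1")
    printf 'iptables -C %s -j DROP 2>/dev/null || iptables -I %s -j DROP\n' "$spec" "$spec"
    printf 'iptables -C %s -j LOG %s 2>/dev/null || iptables -I %s -j LOG %s\n' \
        "$spec" "$LOG_OPTS" "$spec" "$LOG_OPTS"
}

# iot_guest_apply IFACE: install the rules (run as root on the router).
iot_guest_apply() {
    iot_guest_rules "$1" | sh
}

# iot_guest_remove IFACE: take the ad-hoc rules out again.
iot_guest_remove() {
    spec=$(iot_rule_spec "$1")
    eval "iptables -D $spec -j LOG $LOG_OPTS" 2>/dev/null
    eval "iptables -D $spec -j DROP" 2>/dev/null
}
```

Run `iot_guest_rules wl0.1` first to see exactly what would be executed, then `iot_guest_apply wl0.1` to install; the rules still vanish on a firewall restart, as the post says, so `iot_guest_remove` is only needed to undo them early.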
 
No problem! To test they work ad-hoc (i.e. won't survive a firewall restart), try the below in SSH to the router
Code:
# insert DROP first: each -I goes to the top of FORWARD, so the LOG rule inserted second ends up above DROP and actually fires
iptables -I FORWARD -i wl0.1 ! -o tun2+ -m set --match-set Skynet-IOT src -j DROP
iptables -I FORWARD -i wl0.1 ! -o tun2+ -m set --match-set Skynet-IOT src -j LOG --log-prefix "[BLOCKED - IOT] " --log-tcp-sequence --log-tcp-options --log-ip-options
Replace wl0.1 with your actual guest. wl0.1 translates to 2.4GHz guest 1, wl0.2 is 2.4GHz guest 2, wl1.1 is 5GHz guest 1 (and so on)

Then try to access your camera from the WAN again - it should fail
This does in fact work....too well though. I try to open ports in Skynet IoT settings and I cannot access the camera from any network. I do not have YazFi isolation setting, just disable lan access is set. So it sounds like it's either or right?
 
As a matter of fact the camera can no longer join my wifi guest network. Now I'm really confused. Sorry, maybe I don't understand what was accomplished by those two commands.
 
This does in fact work....too well though. I try to open ports in Skynet IoT settings and I cannot access the camera from any network. I do not have YazFi isolation setting, just disable lan access is set. So it sounds like it's either or right?

Can't say I've personally used YazFi, but Skynet's rules all only apply to the br0 interface, so for now without manually editing all related rules (or duplicating them) the two features are incompatible. The lines above essentially duplicate Skynet's functionality on the wl0.1 interface.

I'll have to investigate further when I get some free time the best way to approach it (if any).
 
As a matter of fact the camera can no longer join my wifi guest network. Now I'm really confused. Sorry, maybe I don't understand what was accomplished by those two commands.
If you PM me your
Code:
iptables -S
I can take a look at the YazFi side of things
 
Hey @Adamm is there a way to view the Top n Outbound Blocked Entries from a Local Device? If not anyone have suggestions for the easiest way to do it myself? I can see I gotta make time to learn scripting someday real soon :cool:
 
Hey @Adamm is there a way to view the Top n Outbound Blocked Entries from a Local Device? If not anyone have suggestions for the easiest way to do it myself? I can see I gotta make time to learn scripting someday real soon :cool:

( sh /jffs/scripts/firewall stats search device 192.168.1.134 ) Search For All Outbound Entries From Local Device 192.168.1.134
 

For me that command shows:
1. First block tracked from 192.168.x.x
2. 10 most recent blocks from 192.168.x.x
But it won’t show the most frequently blocked unique IP addresses. For me the 10 most recent blocks are usually to the same IP address.
 
For me that command shows:
1. First block tracked from 192.168.x.x
2. 10 most recent blocks from 192.168.x.x
But it won’t show the most frequently blocked unique IP addresses. For me the 10 most recent blocks are usually to the same IP address.

I'll look at improving this in the next update.
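The "top N destinations blocked for one device" view asked for above can be produced from the iptables LOG lines directly, which is handy while waiting for a script update. The following is an added example, not Skynet's own code: it assumes Skynet's outbound blocks are logged with a "[BLOCKED - OUTBOUND]" prefix followed by the kernel LOG target's standard SRC=, DST= and DPT= fields, and the sample log lines are constructed to look like such entries. The path of the syslog file to feed it is yours to supply.

```shell
#!/bin/sh
# Added example, not Skynet's own code: rank the destinations most often
# blocked for one LAN device from iptables LOG lines carrying the
# "[BLOCKED - OUTBOUND]" prefix. SRC=, DST= and DPT= are the kernel LOG
# target's standard fields. The sample log below is constructed.

# top_blocked_dst LOGFILE DEVICE_IP [N]: print "count dst:port" lines,
# most frequent first, at most N lines (default 10).
top_blocked_dst() {
    logfile=$1
    dev=$2
    n=${3:-10}
    grep -F '[BLOCKED - OUTBOUND]' "$logfile" \
    | awk -v src="$dev" '
        {
            s = ""; d = ""; p = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)      s = substr($i, 5)
                else if ($i ~ /^DST=/) d = substr($i, 5)
                else if ($i ~ /^DPT=/) p = substr($i, 5)
            }
            # count only entries originating from the requested device
            if (s == src && d != "") count[d ":" p]++
        }
        END { for (k in count) print count[k], k }
    ' \
    | sort -k1,1nr -k2,2 \
    | head -n "$n"
}

# write_sample_log FILE: constructed sample entries for a dry run; one
# inbound line and one line from another device are included as noise.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan  1 00:00:01 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.134 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51000 DPT=443
Jan  1 00:00:02 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.134 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51001 DPT=80
Jan  1 00:00:03 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.134 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51002 DPT=443
Jan  1 00:00:04 router kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=4444 DPT=22
Jan  1 00:00:05 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51003 DPT=443
Jan  1 00:00:06 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.134 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51004 DPT=80
Jan  1 00:00:07 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.134 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51005 DPT=443
EOF
}
```

On the router you would point it at the real syslog, e.g. `top_blocked_dst /path/to/syslog 192.168.1.134 10`; on the sample data the device 192.168.1.134 comes out as 203.0.113.10:443 blocked three times and 198.51.100.7:80 twice. Counting by destination and port rather than by raw line is what separates "the same IP over and over" from a genuinely diverse set of blocked contacts.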
 
Thanks mate :D

I've pushed v6.7.8

Code:
Improve 'stats search device' and 'stats search iot'
Aesthetics

I hope this doesn't make you a saaad panda (pun intended :p)
 
Hi all, got a question maybe someone could help me out with. Ever since v6.6.2 the output display for firewall stats changed to where I get weird characters when I send the output to a file. I have this set up to where it emails me this output file but it's starting to get harder to read. Although the console displays correctly, I'm thinking it could be this "wait animation" that's causing it. What do you think and is there a way to fix this?

The command I use is: sh /jffs/scripts/firewall stats >>/tmp/mail.txt

Untitled-5.png


Underlined in red below are the weird characters that get included in my output file that gets emailed.
Untitled-6.png


Thanks,
sone
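The stray characters described in the post above are what terminal control sequences look like once they land in a file: colour codes and the carriage returns a wait animation uses to redraw the same line. A console interprets them; a mail body shows them raw. The filter below is an added example, not Skynet's own code: it assumes only standard ANSI CSI sequences and `\r`-based redraws are involved (the constructed sample in the test mimics that), strips the former, and for the latter keeps only what the terminal would have displayed last. The Skynet command path is the one from the post.

```shell
#!/bin/sh
# Added example, not Skynet's own code: clean captured "firewall stats"
# output for e-mail. Drops ANSI CSI escape sequences (colours, cursor moves)
# and, on lines a spinner redrew with carriage returns, keeps only the text
# after the last \r, which is what the console showed in the end.

# strip_ansi: stdin -> stdout filter
strip_ansi() {
    esc=$(printf '\033')
    cr=$(printf '\r')
    sed -e "s/${esc}\[[0-9;?]*[A-Za-z]//g" -e "s/.*${cr}//"
}

# stats_to_mail OUTFILE: the command from the post, passed through the filter
# before being appended to the file that gets mailed (only meaningful on the
# router; Skynet's script path is taken from the post).
stats_to_mail() {
    sh /jffs/scripts/firewall stats | strip_ansi >> "$1"
}
```

Replacing `sh /jffs/scripts/firewall stats >>/tmp/mail.txt` with `stats_to_mail /tmp/mail.txt` keeps the console run unchanged while the mailed copy contains plain text only.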
 
