Skynet - Router Firewall & Security Enhancements


I've pushed v6.8.6

Code:
Add toggle for CDN Whitelisting (settings cdnwhitelist enable|disable)

Hi @Adamm,

Thank you for this update! For some of us who are not very well versed in how CDNs work and often have to rely on links like these to get a better understanding: https://www.cloudflare.com/learning/cdn/what-is-a-cdn/, how does this update help in regard to the CDN function?

Would appreciate any specific info on how Skynet will assist with this.

Thank you!


 

When using banmalware, Skynet whitelists a few popular CDNs to avoid false positives (Apple AS714 | Akamai AS12222 AS16625 | HighWinds AS33438 | Fastly AS54113).

This is simply just a toggle to disable that functionality as a user requested it a few days ago. For 99.9% of people this setting can be ignored and left enabled.
 

Good to know! Thank you so much!


 
Hello,
the program no longer logs correctly for me; I hardly see any IPs in the stats. And if IP addresses are displayed, then I don't see the corresponding devices anymore.
 

What's the output of;

sh /jffs/scripts/firewall debug info
 

Router Model; RT-AC5300
Skynet Version; v6.8.6 (11/08/2019) (aaf3a1434f6d9cb904e466942b2647e5)
iptables v1.4.15 - (eth0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
IP Address; (192.168.0.43)
FW Version; 384.13_0 (Jul 31 2019) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/sda1/skynet (110.2G / 117.4G Space Available)
SWAP File; /tmp/mnt/sda1/myswap.swp (1.0G)
Uptime; 0 days, 4 hours, 30 minutes.
Ram Available; (171M / 503M)


--------------- | ------------ | --------------- | ----------
| Device Name | | | Local IP | | | MAC Address | | | Status |
--------------- | ------------ | --------------- | ----------

Unknown | 192.168.0.1 | XXXXXXXXXXXXXXXXX | Online
XXXXXXXXXXXXXXXXX | 192.168.1.28 | XXXXXXXXXXXXXXXXX | Inactive
XXXXXXXXXXXXXXXXX | 192.168.1.49 | XXXXXXXXXXXXXXXXX | Online
XXXXXXXXXXXXXXXXX | 192.168.1.90 | XXXXXXXXXXXXXXXXX | Inactive
Media-NAS | 192.168.1.133 | XXXXXXXXXXXXXXXXX | Online
XXXXXXXXXXXXXXXXX | 192.168.1.137 | XXXXXXXXXXXXXXXXX | Online
XXXXXXXXXXXXXXXXX | 192.168.1.143 | XXXXXXXXXXXXXXXXX | Online
XXXXXXXXXXXXXXXXX | 192.168.1.164 | XXXXXXXXXXXXXXXXX | Inactive
XXXXXXXXXXXXXXXXX | 192.168.1.196 | XXXXXXXXXXXXXXXXX | Inactive
XXXXXXXXXXXXXXXXX | 192.168.1.251 | XXXXXXXXXXXXXXXXX | Online


-------------------- | ----------
| Test Description | | | Result |
-------------------- | ----------

Internet-Connectivity | [Passed]
Write Permission | [Passed]
Firewall-Start Entry | [Passed]
Services-Stop Entry | [Passed]
SWAP | [Passed]
Cron Jobs | [Passed]
IPSet Comment Support | [Passed]
Log Level 5 Settings | [Passed]
Duplicate Rules In RAW | [Passed]
Inbound Filter Rules | [Passed]
Inbound Debug Rules | [Passed]
Outbound Filter Rules | [Passed]
Outbound Debug Rules | [Passed]
Whitelist IPSet | [Passed]
BlockedRanges IPSet | [Passed]
Blacklist IPSet | [Passed]
Skynet IPSet | [Passed]
Diversion Plus Content | [Passed]


----------- | ----------
| Setting | | | Status |
---------- | ----------

Autoupdate | [Enabled]
Auto-Banmalware Update | [Enabled]
Debug Mode | [Enabled]
Filter Traffic | [Enabled]
Unban PrivateIP | [Enabled]
Log Invalid | [Disabled]
Ban AiProtect | [Enabled]
Secure Mode | [Enabled]
Fast Switch | [Disabled]
Syslog Location | [Default]
IOT Blocking | [Disabled]
Country Lookup For Stats | [Enabled]
CDN Whitelisting | [Enabled]

18/18 Tests Sucessful


=============================================================================================================


[#] 228516 IPs (+0) -- 10207 Ranges Banned (+0) || 0 Inbound -- 909 Outbound Connections Blocked! [debug] [3s]

I can't see any stats:

RT-AC5300-9300:/tmp/home/root# /jffs/scripts/firewall stats 10
#############################################################################################################
# _____ _ _ __ #
# / ____| | | | / / #
# | (___ | | ___ _ _ __ ___| |_ __ __/ /_ #
# \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \ #
# ____) | <| |_| | | | | __/ |_ \ V /| (_) | #
# |_____/|_|\_\\__, |_| |_|\___|\__| \_/ \___/ #
# __/ | #
# |___/ #
# #
## - 11/08/2019 - Asus Firewall Addition By Adamm v6.8.6 #
## https://github.com/Adamm00/IPSet_ASUS #
#############################################################################################################


=============================================================================================================


[*] No Debug Data Detected - Give This Time To Generate
 
IP Address; (192.168.0.43)

Your public IP address is shown as a private IP, what is your internet setup like?
 
Hello, how can I exclude my local network or several IPs from the firewall? I no longer have communication from the Mi Home ecosystem.

Code:
---------------                          | ------------     | ---------------      | ----------
| Device Name |                          | | Local IP |     | | MAC Address |      | | Status |
---------------                          | ------------     | ---------------      | ----------
NAS                                      | 192.168.1.3      | 00:11:    | Online
chuangmi-plug-m3_miio119340974           | 192.168.1.224    | 40:31:    | Inactive
iPhone                                   | 192.168.1.225    | Unknown              | Offline
philips-light-bulb_miapb25a              | 192.168.1.241    | 7c:49    | DELAY
Raspberry                                | 192.168.1.250    | b8:27    | Inactive

Code:
[i] Unbanning 192.168.1.225
ipset v6.32: Element cannot be deleted from the set: it's not added
[i] Saving Changes
 
I have connected the Asus router behind my actual router

Sounds like a double-NAT situation, ideally you should put your "actual router" in bridge mode for things to work smoothly.

Hello, how can I exclude my local network or several IPs from the firewall? I no longer have communication from the Mi Home ecosystem.

As per the second post in this thread;
Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

Don't worry, tracking down false positive bans was at the core of design. Generally speaking, you can follow these steps to find (and whitelist) anything incorrectly on your Blacklist!

1.) Enable Debug Mode

Code:
sh /jffs/scripts/firewall settings debugmode enable

2.) Open the blocked application/website and use the command;

Code:
sh /jffs/scripts/firewall debug watch

Now look for a flood of [BLOCKED - OUTBOUND] coming from the same IP. This most likely will be the IP you are looking for if it's being spammed in large numbers.

3.) Copy the IP following "DST=", it should look something like this;

Code:
DST=175.115.37.52

4.) Double check the IP is not actually something that should be banned, use a search tool like AlienVault. If it's related to a domain, additional "Associated Domain" information should be printed beneath the log.

Code:
https://otx.alienvault.com/indicator/ip/175.115.37.52/

5.) Great, we have confirmed we found the IP of the blocked website/application we are looking for, let's whitelist it!

Code:
sh /jffs/scripts/firewall whitelist ip 175.115.37.52
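
Steps 2 and 3 of the procedure above, as an added example that is not part of the original post or of Skynet's own code: it tallies the `DST=` address of every `[BLOCKED - OUTBOUND]` line and lists which LAN devices and ports hit it, so a flood stands out before anything is whitelisted. The function names `sample_log` and `top_blocked_dst` are hypothetical, and the log lines are constructed, assuming the standard iptables LOG field layout.

```shell
#!/bin/sh
# Added example: rank blocked outbound destinations in a Skynet-style debug log.
# Assumes the standard iptables LOG field layout (SRC= DST= PROTO= DPT=).

# Constructed sample lines (documentation-range IPs), not real log data.
sample_log() {
cat <<'EOF'
Aug 14 02:40:01 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.224 DST=203.0.113.52 LEN=60 TTL=63 PROTO=TCP SPT=51514 DPT=443
Aug 14 02:40:02 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.224 DST=203.0.113.52 LEN=60 TTL=63 PROTO=TCP SPT=51515 DPT=443
Aug 14 02:40:02 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.241 DST=203.0.113.52 LEN=76 TTL=63 PROTO=UDP SPT=40112 DPT=8053
Aug 14 02:40:03 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.1 LEN=40 TTL=241 PROTO=TCP SPT=44321 DPT=23
Aug 14 02:40:04 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.224 DST=203.0.113.52 LEN=60 TTL=63 PROTO=TCP SPT=51516 DPT=443
Aug 14 02:40:05 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.3 DST=198.51.100.90 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0
Aug 14 02:40:09 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.250 DST=192.0.2.15 LEN=76 TTL=63 PROTO=UDP SPT=123 DPT=123
EOF
}

# Usage: top_blocked_dst [min_hits] < logfile
# Prints "hits dst sources ports", busiest destination first.
top_blocked_dst() {
    awk -v min="${1:-1}" '
    index($0, "[BLOCKED - OUTBOUND]") {
        src = ""; dst = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (dst == "") next              # malformed line, nothing to count
        hits[dst]++
        # Remember each LAN source and destination port once per destination.
        if (src != "" && !((dst, src) in seen_s)) {
            seen_s[dst, src] = 1
            srcs[dst] = (srcs[dst] == "" ? src : srcs[dst] "," src)
        }
        if (dpt != "" && !((dst, dpt) in seen_p)) {
            seen_p[dst, dpt] = 1
            ports[dst] = (ports[dst] == "" ? dpt : ports[dst] "," dpt)
        }
    }
    END {
        for (d in hits)
            if (hits[d] >= min + 0)
                print hits[d], d, srcs[d], (ports[d] == "" ? "-" : ports[d])
    }' | sort -k1,1nr -k2,2
}

# Destinations blocked at least 3 times: the flood candidates from step 2.
sample_log | top_blocked_dst 3
```

On a router, redirect the file that `firewall stats` reports under "Debug Data Detected" into `top_blocked_dst` instead of the sample; the sources column shows which local device is generating the blocked traffic.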
 
This has probably been discussed before, and I'll apologize in advance, but I just want to understand a certain behavior. If I for instance click on a link in google search/shopping, with Chrome that link is blocked (starts with a googleads moniker), and I get that. It's a third party link being blocked. That's usually good and I don't have any problem with that. I use Merlin's DNS privacy (DOT) with cloudflare, and I have firefox set to handle Encrypted SNI. When I click on those same google search shopping links in firefox, the page appears. Am I correct in assuming that the link is actually encrypted between firefox and cloudflare and can no longer be read by Skynet?
 

This is a symptom of Diversion blocking the domain, not Skynet. In which case DOH (DNS over HTTPS) is bypassing your local DNS configuration (aka Diversion).
 
Got it, thanks!
 
Adamm, I am having to whitelist a lot of benign websites here lately. A couple of examples: 123filter.com, ispringwatersystem.com and aclj.org. What is going on?
 

None of those websites are on the default blacklist, two of them being whitelisted by default.

Code:
skynet@RT-AX88U-DC28:/tmp/home/root# nslookup 123filter.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      123filter.com
Address 1: 34.202.68.87 support.123filter.com
skynet@RT-AX88U-DC28:/tmp/home/root# firewall stats search ip 34.202.68.87
#############################################################################################################
#                     _____ _                     _             __                      #
#                    / ____| |                   | |           / /                      #
#                   | (___ | | ___   _ _ __   ___| |_  __   __/ /_                      #
#                    \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                     #
#                    ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                    #
#                   |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                     #
#                                 __/ |                                                 #
#                                |___/                                                  #
#                                                                                     #
## - 11/08/2019 -           Asus Firewall Addition By Adamm v6.8.6                    #
##                   https://github.com/Adamm00/IPSet_ASUS                            #
#############################################################################################################


=============================================================================================================


[i] Debug Data Detected in /tmp/mnt/USB/skynet/skynet.log - 5.3M
[i] Monitoring From Aug 7 12:00:05 To Aug 14 02:43:57
[i] 23501 Block Events Detected
[i] 3502 Unique IPs
[i] 0 Manual Bans Issued

34.202.68.87 is in set Skynet-Whitelist.
34.202.68.87 is NOT in set Skynet-Blacklist.
34.202.68.87 is NOT in set Skynet-BlockedRanges.

Code:
skynet@RT-AX88U-DC28:/tmp/home/root# nslookup ispringwatersystem.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      ispringwatersystem.com
Address 1: 23.110.43.92
skynet@RT-AX88U-DC28:/tmp/home/root# firewall stats search ip 23.110.43.92
#############################################################################################################
#                     _____ _                     _             __                      #
#                    / ____| |                   | |           / /                      #
#                   | (___ | | ___   _ _ __   ___| |_  __   __/ /_                      #
#                    \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                     #
#                    ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                    #
#                   |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                     #
#                                 __/ |                                                 #
#                                |___/                                                  #
#                                                                                     #
## - 11/08/2019 -           Asus Firewall Addition By Adamm v6.8.6                    #
##                   https://github.com/Adamm00/IPSet_ASUS                            #
#############################################################################################################


=============================================================================================================


[i] Debug Data Detected in /tmp/mnt/USB/skynet/skynet.log - 5.3M
[i] Monitoring From Aug 7 12:00:05 To Aug 14 02:44:34
[i] 23504 Block Events Detected
[i] 3502 Unique IPs
[i] 0 Manual Bans Issued

23.110.43.92 is NOT in set Skynet-Whitelist.
23.110.43.92 is NOT in set Skynet-Blacklist.
23.110.43.92 is NOT in set Skynet-BlockedRanges.

Code:
skynet@RT-AX88U-DC28:/tmp/home/root# nslookup aclj.org
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      aclj.org
Address 1: 34.226.162.105 ec2-34-226-162-105.compute-1.amazonaws.com
Address 2: 34.200.144.76 ec2-34-200-144-76.compute-1.amazonaws.com
skynet@RT-AX88U-DC28:/tmp/home/root# firewall stats search ip 34.226.162.105
#############################################################################################################
#                     _____ _                     _             __                      #
#                    / ____| |                   | |           / /                      #
#                   | (___ | | ___   _ _ __   ___| |_  __   __/ /_                      #
#                    \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                     #
#                    ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                    #
#                   |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                     #
#                                 __/ |                                                 #
#                                |___/                                                  #
#                                                                                     #
## - 11/08/2019 -           Asus Firewall Addition By Adamm v6.8.6                    #
##                   https://github.com/Adamm00/IPSet_ASUS                            #
#############################################################################################################


=============================================================================================================


[i] Debug Data Detected in /tmp/mnt/USB/skynet/skynet.log - 5.3M
[i] Monitoring From Aug 7 12:00:05 To Aug 14 02:45:21
[i] 23505 Block Events Detected
[i] 3502 Unique IPs
[i] 0 Manual Bans Issued

34.226.162.105 is in set Skynet-Whitelist.
34.226.162.105 is NOT in set Skynet-Blacklist.
34.226.162.105 is NOT in set Skynet-BlockedRanges.
 
Hmm, I could not reach them and my router log showed them being blocked. I whitelisted them and was able to reach them. Should I uninstall and reinstall Skynet?

Edit: I uninstalled and reinstalled and those websites are now reachable without having to add them to the whitelist. I also noticed that the swap file is being used which it was not before. Odd.

Edit 2: After a reboot the swap file is not being used but everything is working.
 
Hi Adam - Is there any way to know why a specific website was blocked, whether by country, and if yes, what country, or malware, or for some other reason? I was trying to get to www.springsparade.com but it would not go to that site. But when I whitelisted it, it was fine. I am currently blocking a bunch of countries and the normal malware list.

Also as a future enhancement to your whitelisting procedures, it would save me a step if I could enter a website like the one above, and you would figure out its IP address and add it to the whitelist.
 
