Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

@Adamm can I recommend a progress indication feature or button function disable, after clicking the "update stats" button on the firewall page. Using my version of Chrome, once you click the button, there is no indication that anything is happening, and then 60 seconds later the page refreshes. I know we are in Beta right now, just a humble suggestion sir.

Not a bad idea, I'll put it on the list

 

[RMerlin]

Yeah, the HND prep script was pointing at a different location (and to make things even more confusing, the RT-AX88U does not use the HND build script used by the RT-AC86U, so that means only the AC86U had a different path). I changed it to match all the others.

 

[JemTheWire]

@JemTheWire, you are running RMerlin 384.15.xx, correct?

No, i'm rocking 384.14.

That is the sound of the penny dropping. I guess that is a prerequisite. Which is why I asked.

Guess I will be giving 384.15 alpha a shot....

Thanks for the heads up!

 

[Adamm]

I've pushed v7.0.4

An accumulation of hotfixes, thanks to all the early adopters for ironing out the kinks!

Fix missing dir on update
Fix missing web files on install
Improve SetCurrentPage()
Unmount webpage on update
Fix cron unloading
Fix cases where dnsmasq logging isn't enabled
readlink /www/user
Use "${var:?}" to ensure this never expands to /*

Note; This may temporarily cause 2 Skynet tabs depending on which version you were running. To correct the issue you can either reboot or issue the following commands;

sh /jffs/scripts/firewall settings webui disable
rm -rf /tmp/menuTree.js /www/user/user*.asp
sh /jffs/scripts/firewall settings webui enable

 

[JemTheWire]

Update:

Skynet WebUi Tab is now present and correct! Looks really good and very informative.

I completely missed the one line that said that it took advantage of the new API in v384.15. My bad.

Sorry for the confusion. But hopefully this will help others that read this thread.

Thanks again.

 

[martinr]

...,

That is the sound of the penny dropping.

Hey, I too heard that sound today.

 

[L&LD]

@JemTheWire, just checking that you've updated to v7.04 too (see @Adamm post just above yours).

 

[Delusion]

v7.04 WORKS! Thanks @Adamm what a great information. Truly awesome!

 

[JemTheWire]

@JemTheWire, just checking that you've updated to v7.04 too (see @Adamm post just above yours).

Yes I have. thanks. All is good.

 

[Butterfly Bones]

Uh, whoopsie!

I have had this ntp server battle intermittently for months. Thought I had whitelised the entire pool.ntp.org domain and solved it - guess not. @XIII this might be something of your issue, seeing your posts on this DNS niggle. @Adamm any comment?

Result of clicking View Details
https://otx.alienvault.com/indicator/ip/23.129.64.159

 

[XIII]

@XIII this might be something of your issue, seeing your posts on this DNS niggle.

Maybe?

If so, it might re-occur if I am able to finish my clean install.

 

[bluepoint]

I've pushed v7.0.4

An accumulation of hotfixes, thanks to all the early adopters for ironing out the kinks!

Fix missing dir on update
Fix missing web files on install
Improve SetCurrentPage()
Unmount webpage on update
Fix cron unloading
Fix cases where dnsmasq logging isn't enabled
readlink /www/user
Use "${var:?}" to ensure this never expands to /*

Note; This may temporarily cause 2 Skynet tabs depending on which version you were running. To correct the issue you can either reboot or issue the following commands;

sh /jffs/scripts/firewall settings webui disable
rm -rf /tmp/menuTree.js /www/user/user*.asp
sh /jffs/scripts/firewall settings webui enable

Is there a way we can collapse(default) source ports inbound or even remove from the page as it's really not significant to show as they are random anyway, that's my understanding.

 

[bluepoint]

Uh, whoopsie!

I have had this ntp server battle intermittently for months. Thought I had whitelised the entire pool.ntp.org domain and solved it - guess not. @XIII this might be something of your issue, seeing your posts on this DNS niggle. @Adamm any comment?


Result of clicking View Details
https://otx.alienvault.com/indicator/ip/23.129.64.159

With alienvault flagging that ip a lot, it might be legitimate to block the ip. It's actually one of the NTP pool server but the restriction is for this one ip or more. Two clients in my network is also hitting that IP outbound.

 

[skeal]

Uh, whoopsie!

I have had this ntp server battle intermittently for months. Thought I had whitelised the entire pool.ntp.org domain and solved it - guess not. @XIII this might be something of your issue, seeing your posts on this DNS niggle. @Adamm any comment?

Result of clicking View Details
https://otx.alienvault.com/indicator/ip/23.129.64.159

Is it wise to whitelist pool.ntp.org? Isn't that a little drastic? I have a doorbell that repeatedly tries to contact a server in Russian Federation over the ntp port. I live in Saskatchewan on the other side of the globe from there, what would be the point in allowing that communication if firehol doesn't like it?

 

[Rhialto]

The fact you mentioned having to "redo your usb" makes me believe its usb related rather then a bug in the code.

Whats the output of the following;

sh /jffs/scripts/firewall debug info

I created/formatted to NTFS to clear out previous ext2 then deleted partition and did a clean ext2.

I have removed the devices section in paste below...

Router Model; RT-AC1900P
Skynet Version;  (04/01/2020) (261a3ffac493975e67c86db6970e2133)
iptables v1.4.15 - (eth0 @ 192.168.x.x)
ipset v6.32, protocol version: 6
FW Version; 384.14_2 (Dec 31 2019) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/sdc5/skynet (3.0G / 3.7G Space Available)
SWAP File; /tmp/mnt/sdc5/myswap.swp (512.5M)
Uptime; 0 days, 20 hours, 13 minutes.
Ram Available; (181M / 249M)


--------------------                | ----------
| Test Description |                | | Result |
--------------------                | ----------

Internet-Connectivity               | [Passed]
Write Permission                    | [Passed]
Firewall-Start Entry                | [Passed]
Services-Stop Entry                 | [Passed]
SWAP                                | [Passed]
Cron Jobs                           | [Failed]
IPSet Comment Support               | [Passed]
Log Level 5 Settings                | [Failed]
Duplicate Rules In RAW              | [Passed]
Inbound Filter Rules                | [Failed]
Inbound Logging Rules               | [Failed]
Outbound Filter Rules               | [Failed]
Outbound Logging Rules              | [Failed]
Whitelist IPSet                     | [Failed]
BlockedRanges IPSet                 | [Failed]
Blacklist IPSet                     | [Failed]
Skynet IPSet                        | [Failed]
Diversion Plus Content              | [Failed]


-----------                         | ----------
| Setting |                         | | Status |
----------                          | ----------

Skynet Auto-Updates                 | [Disabled]
Malware List Auto-Updates           | [Enabled]
Logging                             | [Enabled]
Filter Traffic                      | [Enabled]
Unban PrivateIP                     | [Enabled]
Log Invalid Packets                 | [Disabled]
Ban AiProtect                       | [Enabled]
Secure Mode                         | [Enabled]
Fast Switch List                    | [Disabled]
Syslog Location                     | [Default]
IOT Blocking                        | [Disabled]
Country Lookup For Stats            | [Disabled]
CDN Whitelisting                    | [Enabled]
Display WebUI                       | [Disabled]

7/18 Tests Sucessful

Should I try to format JFFS partition at next boot?

 

[martinr]

... I have a doorbell that repeatedly tries to contact a server in Russian Federation over the ntp port. I live in Saskatchewan on the other side of the globe from there, ...?

Don’t your visitors get fed up waiting for the Russians to send someone over to open the door? If I had a doorbell like that, I’d kill it with a hammer.

 

[John Fitzgerald]

You could try EXT4 with Journaling turned ON and see if that yields better results.

I created/formatted to NTFS to clear out previous ext2 then deleted partition and did a clean ext2.

I have removed the devices section in paste below...

Router Model; RT-AC1900P
Skynet Version;  (04/01/2020) (261a3ffac493975e67c86db6970e2133)
iptables v1.4.15 - (eth0 @ 192.168.x.x)
ipset v6.32, protocol version: 6
FW Version; 384.14_2 (Dec 31 2019) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/sdc5/skynet (3.0G / 3.7G Space Available)
SWAP File; /tmp/mnt/sdc5/myswap.swp (512.5M)
Uptime; 0 days, 20 hours, 13 minutes.
Ram Available; (181M / 249M)



[B][B]Should I try to format JFFS partition at next boot?[/QUOTE]
[/B][/B]

 

[Butterfly Bones]

Is it wise to whitelist pool.ntp.org? Isn't that a little drastic? I have a doorbell that repeatedly tries to contact a server in Russian Federation over the ntp port. I live in Saskatchewan on the other side of the globe from there, what would be the point in allowing that communication if firehol doesn't like it?

Yes, drastic. Back when RMerlin added the ntp server and the intercept client ntp requests, I had sooo much trouble with ntp sync failure during reboot, I kept tracking them down, finally got frustrated and whitelisted the entire pool. Basic assumption that ntp servers can be trusted.

If not for the new Skynet graphic stats page, I would never have known this one is blocked, it has no obvious effect on my network. Just thought it might help others.

 

[Mutzli]

I've pushed v7.0.4

I hope this update still works fine on older firmware? I'm not ready to install .15 just yet. I'll wait for beta1

 

[L&LD]

@Mutzli, it should. You just won't be able to see the stats in the GUI.

https://www.snbforums.com/threads/r...urity-enhancements.16798/page-278#post-538023