Skynet - Router Firewall & Security Enhancements

I noticed that with the alpha build that my ram usage spikes to 97% when installing skynet. Usually that doesn't happen until after 3 or 4 days of not rebooting. After a reboot my ram usage normally goes back down to 47% or 50%. Ram usage is normal when using 384.14.
 
https://www.linuxatemyram.com/
 
So...............

China-Daily.png


???????????
I just noticed this when my wife followed a link to the site and it loaded. Alibaba doesn't load, so not sure what's going on here. Unless ChinaDaily.com.cn is hosted on some other country's IP space?
 
Blocking a country's IP in Skynet blocks all of the known malware IPs from that country, not all of the internet traffic from that country period.
 
Um. Not accurate. It's supposed to block *.traffic from that country's IPs.
 
When I ping global.chinadaily.com.cn it is 15 msec away. So it is definitely being hosted close by.

Skynet is based upon IP addresses not DNS names. It can only block countries by where IP address blocks are registered.
 
At least for me (in US, using Comcast DNS), global.chinadaily.com.cn resolves to 153.185.145.162. That IP is hosted in the US, according to iplocation.net info.
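The point made in the replies above, as an added example that is not part of the original thread: a country ban matches the destination address against listed CIDR ranges, so the hostname plays no part. The range list is a constructed stand-in (RFC 5737 documentation ranges), and `banned_ranges` and `match_range` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: a country ban is an "address inside a listed CIDR" test.
# The name the browser asked for is never consulted.

# Constructed stand-in for a banned-country set (RFC 5737 documentation ranges).
banned_ranges() {
cat <<'EOF'
198.51.100.0/24
203.0.113.0/25
EOF
}

# match_range IP   (CIDR list on stdin)
# Prints the first CIDR that contains IP, or "no-match".
match_range() {
    awk -v ip="$1" '
    function to_int(a,  o) {
        split(a, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN { target = to_int(ip); hit = "no-match" }
    /^[0-9]/ {
        split($1, c, "/")
        len = (c[2] == "") ? 32 : c[2]     # bare address means /32
        size = 2 ^ (32 - len)              # addresses covered by the prefix
        if (hit == "no-match" && int(target / size) == int(to_int(c[1]) / size))
            hit = $1
    }
    END { print hit }'
}

# 153.185.145.162 is the address quoted in the thread for global.chinadaily.com.cn.
# banned_ranges | match_range 153.185.145.162   -> no-match
# banned_ranges | match_range 203.0.113.77      -> 203.0.113.0/25
```
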
 
Yeah, I figured it was something like that, but with two small children I didn't have the bandwidth to chase it down. lol
 
Most likely hosted on a CDN with servers world wide.
 
[RESOLVED] So I'm still having startup issues, at least I know what it is now. I have a race condition preventing Skynet from starting. It always in the end detects a locked file and stops trying to start. If I ssh in and run the restart Skynet option from the ssh menu, it will work. So I know it's a race condition. With what, I have no idea; the logs don't show anything wrong. Just after a reboot, when I can log in, I see locked file detected.
 
My software environment is Skynet, Diversion and AMTM. I have the latest Alpha installed on my AX88U. I use DNSSEC and DoT, no time server, I use my ISP DNS at startup, I don't have a dnsmasq.conf.add file (not required here). I can't figure it out. I have an OVPN Server and OVPN Client set to start at reboot.
 
I should add that Skynet starts but has problems. SSH access shows that IPtables failed. I'm thinking because of a time sync in the race condition situation. As I said, if I wait until Skynet half starts (without IPtables) then I ssh in and restart and it all works.
 
Please post or pm an extract of your syslog. There are only 3 places Skynet can fail during startup and all three have syslog output (NTP failure, USB error or connection error).

Please also post the full output of debug info while its "broken".
 
Here is the Skynet ssh menu after the reboot before the restart of Skynet.
Code:
Router Model; RT-AX88U
Skynet Version; v7.0.8 (15/01/2020) (77570f3f9a8860b9094830827d9e14cf)
iptables v1.4.15 - (eth0 @ 192.168.50.1)
ipset v6.32, protocol version: 6
IP Address; (204.83.xxx.xxx)
FW Version; 384.15_alpha1-g95c8d4370f (Jan 14 2020) (4.1.51)
Install Dir; /tmp/mnt/tito/skynet (12.1G / 14.0G Space Available)
SWAP File; /tmp/mnt/tito/myswap.swp (1.0G)
Banned Countries; bg cn ir kp nl ru ua

IPTables Rules                      | [Failed]

Select Menu Option:
[1]  --> Unban
[2]  --> Ban
[3]  --> Malware Blacklist
[4]  --> Whitelist
[5]  --> Import IP List
[6]  --> Deport IP List
[7]  --> Save
[8]  --> Restart Skynet
[9]  --> Temporarily Disable Skynet
[10] --> Update Skynet
[11] --> Settings
[12] --> Debug Options
[13] --> Stats
[14] --> Install Skynet
[15] --> Uninstall

[r]  --> Reload Menu
[e]  --> Exit Menu

[1-15]:
 
Here are the debug logs.
Code:
--------------------                | ----------
| Test Description |                | | Result |
--------------------                | ----------

Internet-Connectivity               | [Passed]
Write Permission                    | [Passed]
Firewall-Start Entry                | [Passed]
Services-Stop Entry                 | [Passed]
Service-Event Entry                 | [Passed]
SWAP File                           | [Passed]
Cron Jobs                           | [Passed]
NTP Sync                            | [Passed]
IPSet Comment Support               | [Passed]
Log Level 5 Settings                | [Passed]
Duplicate Rules In RAW              | [Passed]
IPSets                              | [Passed]
IPTables Rules                      | [Failed]
Local WebUI Files                   | [Passed]
Mounted WebUI Files                 | [Passed]
MenuTree.js Entry                   | [Passed]
Diversion Plus Content              | [Passed]


-----------                         | ----------
| Setting |                         | | Status |
----------                          | ----------

Skynet Auto-Updates                 | [Enabled]
Malware List Auto-Updates           | [Enabled]
Logging                             | [Enabled]
Filter Traffic                      | [Enabled]
Unban PrivateIP                     | [Enabled]
Log Invalid Packets                 | [Disabled]
Ban AiProtect                       | [Enabled]
Secure Mode                         | [Enabled]
Fast Switch List                    | [Disabled]
Syslog Location                     | [Default]
IOT Blocking                        | [Disabled]
Country Lookup For Stats            | [Enabled]
CDN Whitelisting                    | [Enabled]
Display WebUI                       | [Enabled]

16/17 Tests Sucessful

[*] Rule Integrity Violation - [ #11 #14 #20 ]
 
So it's just the IOT rules which are missing that are based in the Forward chain in the FILTER table. During Skynet's startup procedure there appears to be a restart 16s prior to it finishing triggered by AiMesh(?) which is flushing the IPTables ruleset;

Code:
Jan 19 05:26:02 rc_service: amas_lib 1456:notify_rc restart_firewall

I'll have to investigate further as to what triggers this restart event and the best way to work around it beyond increasing the delay.
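A way to spot this kind of collision in a syslog extract, as an added example that is not part of the original post and is not Skynet's own code: it lists every `restart_firewall` request logged by `rc_service` and marks the ones that fall inside a given startup window. The helper names are hypothetical. In the sample, only the 05:26:02 line comes from the thread. The window end of 05:26:18 follows from the "16s prior" remark, and the window start is assumed.

```shell
#!/bin/sh
# Added example: find firewall restarts that land inside a startup window.
# Assumes classic syslog lines ("Mon DD HH:MM:SS ...") and a window within one day.

# Constructed sample; only the 05:26:02 line is taken from the thread.
sample_log() {
cat <<'EOF'
Jan 19 05:25:40 kernel: constructed unrelated line
Jan 19 05:26:02 rc_service: amas_lib 1456:notify_rc restart_firewall
Jan 19 05:31:10 rc_service: httpd 988:notify_rc restart_firewall
EOF
}

# firewall_restarts WIN_START WIN_END   (syslog on stdin, bounds as HH:MM:SS)
# Prints "time caller pid event in-window|outside" for each restart request.
firewall_restarts() {
    awk -v s="$1" -v e="$2" '
    function secs(t,  p) {
        split(t, p, ":")
        return p[1] * 3600 + p[2] * 60 + p[3]
    }
    $NF == "restart_firewall" {
        # Locate the rc_service tag by name so an extra hostname field is tolerated.
        for (i = 1; i < NF; i++) if ($i == "rc_service:") {
            split($(i + 2), a, ":")        # "1456:notify_rc" -> pid 1456
            t = secs($3)
            where = (t >= secs(s) && t <= secs(e)) ? "in-window" : "outside"
            print $3, $(i + 1), a[1], $NF, where
        }
    }'
}

# sample_log | firewall_restarts 05:25:45 05:26:18
#   05:26:02 amas_lib 1456 restart_firewall in-window
#   05:31:10 httpd 988 restart_firewall outside
```

Any `in-window` line names the process that asked for the firewall restart while the rules were still being applied, which is the place to start when the debug output reports an IPTables Rules failure after boot.
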
 
Gotcha, thanks @Adamm for your hard work. :D
 
