Skynet - Router Firewall & Security Enhancements

So it's just the IOT rules which are missing that are based in the Forward chain in the FILTER table. During Skynet's startup procedure there appears to be a restart 16s prior to it finishing, triggered by AiMesh(?), which is flushing the IPTables ruleset;

Code:
Jan 19 05:26:02 rc_service: amas_lib 1456:notify_rc restart_firewall

I'll have to investigate further as to what triggers this restart event and the best way to work around it beyond increasing the delay.
I know you didn't ask, but I don't use AiMesh, though I do have an access point.
 
The issue above has been resolved for me with a hotfix from @Adamm. Once again, great work sir! ;)
 
Is anyone else seeing 7.0.8 constantly reporting there’s a new version (7.0.8) of Skynet to install when checking for an update?

Also, I’m noticing Apple Homekit automations contacting shortcuts (scripts) involving motion sensors and lights eventually stop working when running on tvOS 13.3.1 beta (these automations won’t trigger on tvOS 13.3 at all due to a tvOS bug). Apple TV 4K is the Homekit hub, which runs the automations containing shortcuts. As soon as I disable Skynet 7.0.8, the automations containing shortcuts start working again. Unfortunately, I’m dealing with a fever and discomfort, and I’m a bit new to Skynet. However, 7.0.7 seemed to work fine. I’ll have to look at logs when I’m feeling better.
 
Is anyone else seeing 7.0.8 constantly reporting there’s a new version (7.0.8) of Skynet to install?

There was a hotfix released yesterday with no version change.

Also, I’m noticing Apple Homekit automations contacting shortcuts (scripts) involving motion sensors and lights eventually stop working when using tvOS 13.3.1 beta. Apple TV 4K is the Homekit hub, which runs the automations containing shortcuts. As soon as I disable Skynet 7.0.8, the automations containing shortcuts start working again. Unfortunately, I’m dealing with a fever and discomfort, and I’m a bit new to Skynet. However, 7.0.7 seemed to work fine. I’ll have to look at logs when I’m feeling better.

Skynet logs every connection it blocks; use the following guide, as per the second post in this thread:

Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

Don't worry, tracking down false positive bans was at the core of design. Generally speaking you can follow these steps to find (and whitelist) anything incorrectly on your Blacklist!

1.) Enable Logging
Code:
sh /jffs/scripts/firewall settings logmode enable
2.) Open the blocked application/website and use the command;

Code:
sh /jffs/scripts/firewall debug watch
Now look for a flood of [BLOCKED - OUTBOUND] coming from the same IP. This most likely will be the IP you are looking for if it's being spammed in large numbers.

3.) Copy the IP following "DST="; it should look something like this:
Code:
DST=175.115.37.52
4.) Double check the IP is not actually something that should be banned; use a search tool like AlienVault. If it's related to a domain, additional "Associated Domain" information should be printed beneath the log.

Code:
https://otx.alienvault.com/indicator/ip/175.115.37.52/
5.) Great, we have confirmed we found the IP of the blocked website/application we are looking for, let's whitelist it!

Code:
sh /jffs/scripts/firewall whitelist ip 175.115.37.52
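
Steps 2 to 4 of the guide above can be done offline on captured log output. The following is an added example, not part of the original post or of Skynet itself: it counts [BLOCKED - OUTBOUND] entries per DST= address and prints the AlienVault lookup link for each frequent one. The function names are hypothetical, the sample log lines are constructed, and the line layout is assumed to be the standard iptables LOG field format.

```shell
#!/bin/sh
# Added example: rank destinations of [BLOCKED - OUTBOUND] log entries.

# Constructed sample lines (assumed iptables LOG layout; not from a real router).
sample_log() {
cat <<'EOF'
Jan 20 12:00:01 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=50112 DPT=443
Jan 20 12:00:02 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=50113 DPT=443
Jan 20 12:00:02 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=4431 DPT=23
Jan 20 12:00:03 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=50114 DPT=443
Jan 20 12:00:04 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.31 DST=203.0.113.77 LEN=76 PROTO=UDP SPT=123 DPT=123
Jan 20 12:00:05 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=50115 DPT=443
EOF
}

# Read log lines on stdin; print "count ip" (highest count first) for every
# outbound-blocked destination seen at least $1 times (default 3).
blocked_outbound_candidates() {
    min="${1:-3}"
    awk -v min="$min" '
        /\[BLOCKED - OUTBOUND\]/ {
            for (i = 1; i <= NF; i++)
                # Only accept a well-formed dotted-quad DST= field.
                if ($i ~ /^DST=[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    count[substr($i, 5)]++
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | sort -rn
}

# Turn "count ip" lines into a review list. Nothing is whitelisted here:
# the command is only printed so the IP can be checked by hand first.
review_candidates() {
    while read -r hits ip; do
        printf '%s hits  https://otx.alienvault.com/indicator/ip/%s/\n' "$hits" "$ip"
        printf '  if legitimate: sh /jffs/scripts/firewall whitelist ip %s\n' "$ip"
    done
}

sample_log | blocked_outbound_candidates 3 | review_candidates
```

To use it on real data, pipe saved output of the watch command into `blocked_outbound_candidates` in place of `sample_log`.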
 
I too saw the 7.0.8 message. Here are my logs. I was not doing anything at 1:25 am when this happened.

Jan 20 01:25:00 RT-AC86U-1BD0 Skynet: [%] New Version Detected - Updating To v7.0.8 (c3973d7c8aeb17e2af0d10e91e13926f)
Jan 20 01:25:05 RT-AC86U-1BD0 Skynet: [%] Restarting Firewall Service
Jan 20 01:25:05 RT-AC86U-1BD0 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/Data/skynet )
Jan 20 07:16:00 RT-AC86U-1BD0 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/Data/skynet )
Jan 20 08:00:00 RT-AC86U-1BD0 Skynet: [*] Killing Locked Processes (start skynetloc=/tmp/mnt/Data/skynet) (pid=31627)
Jan 20 08:00:00 RT-AC86U-1BD0 Skynet: [*] 31627 admin 4036 S sh /jffs/scripts/firewall start skynetloc=/tmp/mnt/D
Jan 20 08:00:00 RT-AC86U-1BD0 Skynet: [*] Rule Integrity Violation - Restarting Firewall [ #11 #14 #20 ]
Jan 20 08:00:01 RT-AC86U-1BD0 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/Data/skynet )
Jan 20 09:06:43 RT-AC86U-1BD0 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/Data/skynet )
Jan 20 11:00:00 RT-AC86U-1BD0 Skynet: [*] Killing Locked Processes (start skynetloc=/tmp/mnt/Data/skynet) (pid=15624)
Jan 20 11:00:00 RT-AC86U-1BD0 Skynet: [*] 15624 admin 4036 S sh /jffs/scripts/firewall start skynetloc=/tmp/mnt/D
Jan 20 11:00:00 RT-AC86U-1BD0 Skynet: [*] Rule Integrity Violation - Restarting Firewall [ #11 #14 #20 ]
Jan 20 11:00:01 RT-AC86U-1BD0 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/Data/skynet )
Jan 20 12:00:04 RT-AC86U-1BD0 Skynet: [#] 158920 IPs (+0) -- 31435 Ranges Banned (+0) || 239 Inbound -- 355 Outbound Connections Blocked! [save] [4s]
Jan 20 13:00:04 RT-AC86U-1BD0 Skynet: [#] 158920 IPs (+0) -- 31435 Ranges Banned (+0) || 511 Inbound -- 703 Outbound Connections Blocked! [save] [4s]
Jan 20 14:00:04 RT-AC86U-1BD0 Skynet: [#] 158920 IPs (+0) -- 31435 Ranges Banned (+0) || 786 Inbound -- 1051 Outbound Connections Blocked! [save] [4s]


Also, are the Rule Integrity Violation messages anything to worry about?
 
Interesting that it seems the startup process is getting stuck at some point (hence the kill message). The rule violations you can ignore for now; those are just the IOT rules and will eventually automatically correct themselves. It looks similar to the issue skeal was having. In any case, I've noted it and will look into it when I get some free time.
 
There was a hotfix released yesterday with no version change.

Thanks

Skynet logs every connection it blocks

After getting out of Emerg yesterday, I finally had a chance to look into this, and the problem has nothing to do with Skynet. Homekit automations containing shortcuts are run locally on an Apple TV 4K. Local IPs weren’t blocked. It was coincidental that the automations stopped working after updating to 7.0.8. Once I updated all iOS devices in my household to the latest iOS beta (and tvOS beta), the automations containing shortcuts started working again.
 
Does the 86U need 384.15 for the new graphical interface to work? I just checked my log and it said WebUI integration needs Logging to be enabled. Does it need both or just the one?

EDIT: NM, just scrolled a few pages back and 384.15 is needed for the 86U for the graphical interface, sorry, thanks
 
Hello, I have the problem that after I installed or uninstalled Skynet, I no longer have access to the router via app. How can I solve the problem?
 
SkyNet securemode disables Remote Web access via WAN, which is very smart for security consciousness. If that's how the app connects to the router, you can disable Skynet secure mode (NOT RECOMMENDED):
Code:
sh /jffs/scripts/firewall settings securemode disable
and then enable "Enable Web Access from WAN" on the Administration / System page (NOT RECOMMENDED).

I've never used the app, but I'm assuming how it works.
 
Unless you have a very specific need to access the router via app, I would leave it disabled. There are a lot of reported instances of routers being hacked via WAN access.
 
Hello SNB!
First of all, I'd like to thank Adamm for creating Skynet. I really like it so far.
Today I encountered a problem though:

I'm on the latest WRT Merlin and Skynet releases. I've set up a permanent VPN connection on my Asus AC86u via OpenVPN. Today I wanted to change that VPN server since the one I was using stopped working for whatever reason. I did not manage to connect to a new one though (SSL/TLS error).
Then I had a look at the log file: the connection to my VPN IP was blocked, resulting in messages like "write UDP: Operation not permitted (code=1)".

The solution was/is adding the VPN IP to my whitelist in Skynet. Is there a better, more flexible and adaptive solution to this than manually adding every VPN IP I'm planning to use to the whitelist?
 
Skynet automatically does this during startup and the malware update function, that's about the best we can do with the service hooks available. Personally though I haven't had any issues with PIA and blocked servers, but perhaps your provider is different.
 
Thanks for the quick response. I'm using NordVPN.
Selecting the refresh VPN whitelist option did help too. Therefore I might have to run that after activating a new VPN connection.
 
Are you considering running:
Code:
sh /jffs/scripts/firewall whitelist vpn
in /jffs/scripts/openvpn-event? I've never done it but don't do it manually if you can avoid it. ;)
 
I've pushed v7.0.9

Code:
Check_Files() after device selection
Generate stats on startup before IPTables rules
Only create IOT rules if blocking enabled
Change informational output to [i]
Add log size to WebUI
Remove broken WebUI support for Johns fork
 
FWIW, the changelog for John's latest unofficial 41E6 release says it implements the am_addons rc_support flag, so in the future, if anyone volunteers to solve the ASP page layout differences on the older firmware, support will be detected with the same code as Merlin's.
 
If someone wants to share a copy of state.js (or whichever file @RMerlin said hardcoded them), I could have a look
 