Skynet - Router Firewall & Security Enhancements


Adamm

Part of the Furniture
This does not work.
The menu starts to load, "waiting for ntp sync" and then exits.

Sounds like you need to resolve your NTP issues then, as Skynet will fail to function without an accurate clock (and will have you wait 5 minutes on what appears to be a blank screen while it constantly rechecks).
 

Ubimo

Senior Member
I can't resolve ntp due to no internet connection. My ISP has a connection problem.
It has to be possible to stop or uninstall skynet on a router without an internet connection!?
 

Adamm

Part of the Furniture
Code:
[email protected]:/tmp/home/root# echo "AgMAAAAAAAAADzE0OS4xNTQuMTUzLjE1MyA-GhoPbFPz6XpJLVcIS1uYBwWe4FerFQWHb9g_2j24OBhhZGZyZWUudXNhYmxlcHJpdmFjeS5uZXQKL2Rucy1xdWVyeQ" | openssl enc -a -d
[email protected]:/tmp/home/root#

This is not standard Base64, but URL safe Base64, encoding is simple:
replace + with -
replace / with _
and delete trailing =
Decoding is more difficult, because the = need to be reconstructed.
Below I will post my PHP solution, which could be rewritten as a shell script:

Code:
//  +------------------------------------------------------------------------+
//  | base64url encode                                                       |
//  +------------------------------------------------------------------------+
function base64url_encode($string) {
    // http://www.ietf.org/rfc/rfc4648.txt
    return rtrim(strtr(base64_encode($string), '+/', '-_'), '=');
}


//  +------------------------------------------------------------------------+
//  | base64url decode                                                       |
//  +------------------------------------------------------------------------+
function base64url_decode($string) {
    // Thanks gutzmer at usa dot net
    // http://php.net/manual/en/function.base64-encode.php#103849
    return base64_decode(str_pad(strtr($string, '-_', '+/'), strlen($string) % 4, '=', STR_PAD_RIGHT));
}

I guess my workaround was unnecessarily lazy at the time :p

https://github.com/Adamm00/IPSet_ASUS/commit/cd872ad4c22490c7fe271d6d22f6bdfed0cc381d

I can't resolve ntp due to no internet connection. My ISP has a connection problem.
It has to be possible to stop or uninstall skynet on a router without an internet connection!?

If there is no internet connection, Skynet will time out and not complete its startup procedure after 5 minutes. With that being said, I've added a ntp sync exception for the uninstall and disable commands;

https://github.com/Adamm00/IPSet_ASUS/commit/0166a908d49f7b7c7b180bc92cd4d9d33d883766
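Worked example of the startup gate described in the two replies above (added by the editor; this is not Skynet's own startup code and not from any poster in this thread). Time-dependent commands wait for a trustworthy clock, with visible progress and a hard timeout instead of a blank screen, while "disable" and "uninstall" skip the wait so they still work with no WAN. The nvram "ntp_ready" flag is an assumption about Asuswrt-Merlin; the 2020 epoch cut-off and the 300 s default are arbitrary choices for the example.

```shell
#!/bin/sh
# Added example; this is not Skynet's startup code. It shows the gate the posts
# above describe: time-dependent commands wait (with a visible countdown and a
# hard timeout) for the clock to be trustworthy, while "disable" and
# "uninstall" skip the wait so they still work with no WAN. The nvram
# "ntp_ready" flag is an assumption about Asuswrt-Merlin; the epoch cut-off
# and the 300 s default are arbitrary choices for the example.

# Commands that must work even with a wrong clock / no internet connection.
needs_ntp() {
    case "$1" in
        disable|uninstall) return 1 ;;
        *) return 0 ;;
    esac
}

# Current time, isolated in a function so it can be replaced in tests.
clock_now() { date +%s; }

# Routers without an RTC boot with a bogus date; anything before
# 2020-01-01 00:00:00 UTC (epoch 1577836800) is treated as "not synced".
clock_is_sane() {
    [ "$1" -ge 1577836800 ]
}

ntp_synced() {
    # Assumption: the firmware sets nvram ntp_ready=1 after the first sync.
    if command -v nvram >/dev/null 2>&1; then
        if [ "$(nvram get ntp_ready 2>/dev/null)" = "1" ]; then
            return 0
        fi
    fi
    clock_is_sane "$(clock_now)"
}

# Wait up to $1 seconds, polling every $2 seconds; print progress rather than
# leaving the user on a blank screen. Returns 1 on timeout.
wait_for_ntp() {
    timeout=$1; interval=${2:-5}; waited=0
    while ! ntp_synced; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "NTP sync not achieved after ${timeout}s, aborting" >&2
            return 1
        fi
        echo "Waiting for NTP sync (${waited}s/${timeout}s)..."
        sleep "$interval"
        waited=$(( waited + interval ))
    done
}

# Entry point: only commands that need a correct clock pay for the wait.
startup_gate() {
    cmd=$1; timeout=${2:-300}
    if needs_ntp "$cmd"; then
        wait_for_ntp "$timeout" 5 || return 1
    fi
    echo "proceeding with: $cmd"
}

startup_gate "${1:-update}" "${2:-300}"
```

Run it as `sh gate.sh uninstall` on a box with a dead WAN and it proceeds immediately; `sh gate.sh update 60` prints a countdown and gives up after a minute instead of hanging.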
 

Ubimo

Senior Member
Ok, thanks for that, but how can I disable or uninstall Skynet in my situation now?
I don't have an internet connection.
Edit:
Disabling JFFS custom scripts and configs did not work?
Will format JFFS disable or uninstall Skynet?
 

Adamm

Part of the Furniture
Ok, thanks for that, but how can I disable or uninstall Skynet in my situation now?
I don't have an internet connection.

Reboot and it will time out after 5 mins during startup
 

Ubimo

Senior Member
Did that, but in syslog I still see lots of kernel DROP IN=eth0 .....
I thought this is still Skynet blocking something?
 

Adamm

Part of the Furniture
Did that, but in syslog I still see lots of kernel DROP IN=eth0 .....
I thought this is still Skynet blocking something?

No, that is the default SPI firewall dropped logging messages that Skynet would normally hijack and manage.
 

Chuckles67

Regular Contributor
I have a question about Skynet IOT blocking versus [AiProtection > Parental Control > Time Scheduling > deny internet access] for specific devices. Is Skynet's IOT blocking somehow different from using AiProtection to deny internet access? Perhaps Skynet enables logging so you can investigate what the IOT devices are doing on the internet? Good idea to disable AiProtection, when using Skynet IOT blocking - or use both at the same time?

Background: I have blocked several IOT devices using AiProtection's Time Scheduling. I have not added these devices to the IOT blocking feature of Skynet. I did try a search on this thread, but "IOT" is so common the search wasn't useful.
 

martinr

Part of the Furniture
I have a question about Skynet IOT blocking versus [AiProtection > Parental Control > Time Scheduling > deny internet access] for specific devices. Is Skynet's IOT blocking somehow different from using AiProtection to deny internet access? Perhaps Skynet enables logging so you can investigate what the IOT devices are doing on the internet? Good idea to disable AiProtection, when using Skynet IOT blocking - or use both at the same time?

Background: I have blocked several IOT devices using AiProtection's Time Scheduling. I have not added these devices to the IOT blocking feature of Skynet. I did try a search on this thread, but "IOT" is so common the search wasn't useful.
While you’re waiting for a more detailed addressing of your questions, if you haven’t already seen it, here’s Adamm’s intro to the IOT feature.

https://www.snbforums.com/threads/r...urity-enhancements.16798/page-198#post-461835
 

Chuckles67

Regular Contributor
While you’re waiting for a more detailed addressing of your questions, if you haven’t already seen it, here’s Adamm’s intro to the IOT feature.

https://www.snbforums.com/threads/r...urity-enhancements.16798/page-198#post-461835
Thanks - that's really helpful.

Not so relevant to my question - but looks like the command to list unblocked/blocked devices may have changed from the guidance on the intro web page: from this
Code:
/jffs/scripts/firewall settings iot list
to
Code:
/jffs/scripts/firewall settings iot view
 

randomName

Very Senior Member
Just occurred to me while browsing through my router settings: in the firewall settings 'Respond ICMP Echo (ping) Request from WAN' is an option, and I've had it set to 'No'. In my QoS settings I'm running 'Traditional QoS', and under the drop-down 'user-defined priorities' ICMP is one of the options to help a game run smooth, and I do have it checked. So are these conflicting, with the way I have it set up?

Thanks
 

Skillz

Occasional Visitor
Hi, I've recently started using Skynet and would like to know if Skynet for whatever reason doesn't load/upgrade properly (or even crashes), will the default firewall settings of the router always be active?
And another question, if an external IP is pounding my firewall and it's not in any of the known ip lists, will it then automatically be blocked (because of brute force protection?)

thank you for reading
 

Adamm

Part of the Furniture
Not so relevant to my question - but looks like the command to list unblocked/blocked devices may have changed from the guidance on the intro web page: from this
Code:
/jffs/scripts/firewall settings iot list
to
Code:
/jffs/scripts/firewall settings iot view

Correct, the command changed at some point and was updated accordingly in the readme, which is more up-to-date than that post.

Hi, I've recently started using Skynet and would like to know if Skynet for whatever reason doesn't load/upgrade properly (or even crashes), will the default firewall settings of the router always be active?

We enhance existing functionality, so even when Skynet is disabled you are still covered by the basic stock functionality.

And another question, if an external IP is pounding my firewall and it's not in any of the known ip lists, will it then automatically be blocked (because of brute force protection?)

Assuming you disable the securemode setting and expose SSH access (which is a terrible idea), yes that is correct.
 

wbartels

Occasional Visitor
I'm not sure padding is required in our use case, nor does the provided example work with the stamps below;

https://tools.ietf.org/html/rfc4648

https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md

openssl does not use the standard base64 encoding and decoding without the -A option:
https://stackoverflow.com/a/35296674/7484547

With the examples below, you see that without the padding the last character is missing.
In your case padding is not strictly required.

Without padding
Code:
#!/bin/sh
base64=$(echo 'sdns://AQIAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20' | sed "s~'~~g;s~sdns://~~g;s~-~+~g;s~_~/~g")
echo "Base64: $base64"
echo "Decode: $(echo $base64 | openssl enc -base64 -d)"
Output:
Code:
Base64: AQIAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR/JS3PLCu/iZEIbq95zkSV2LFsigxDIuUso/OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20
Decode: 176.103.130.130:5443 ?+G?R??»???????I]?Ƞ?2.R??s"2.dnscrypt.default.ns1.adguard.c
With trailing padding:
Code:
#!/bin/sh
base64=$(echo 'sdns://AQIAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20' | sed "s~'~~g;s~sdns://~~g;s~-~+~g;s~_~/~g")
# pad to a multiple of 4 chars: 3 leftover chars need one "=", 2 need "==" (not "length % 4" of them)
while [ $((${#base64} % 4)) -ne 0 ]; do base64="$base64="; done
echo "Base64: $base64"
echo "Decode: $(echo "$base64" | openssl enc -base64 -d -A)"
Output:
Code:
Base64: AQIAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR/JS3PLCu/iZEIbq95zkSV2LFsigxDIuUso/OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20=
Decode: 176.103.130.130:5443 ?+G?R??»???????I]?Ƞ?2.R??s"2.dnscrypt.default.ns1.adguard.com
 

Skillz

Occasional Visitor
@Adamm thank you for answering my questions.

Assuming you disable the securemode setting and expose SSH access (which is a terrible idea), yes that is correct

hmm I am actually using ssh tunneling, different port and only with 2048bit RSA key (with passphrase) access, should be quite safe right? Password ssh access is of course turned off in router options.

But I guess that means I don't have brute force protection because I needed to turn off secure mode. Why can't brute force protection be active with ssh access enabled?
 

Adamm

Part of the Furniture
hmm I am actually using ssh tunneling, different port and only with 2048bit RSA key (with passphrase) access, should be quite safe right? Password ssh access is of course turned off in router options.

Safer than a password? Sure, but you are still exposing the service to the world, so in the event of a 0-day dropbear exploit you would be vulnerable. That's why using OpenVPN to access your LAN is the recommended method.

But I guess that means I don't have brute force protection because I needed to turn off secure mode. Why can't brute force protection be active with ssh access enabled?

BFD is always enabled so long as it's set in the WebUI.
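Worked example of what the brute-force answers above amount to (added by the editor; this is not Skynet's BFD implementation and not from any poster in this thread): count failed dropbear logins per source address in syslog, emit the sources that cross a threshold, and turn them into ban commands, while showing that plain SPI firewall drops from a host "pounding the firewall" are a different signal. The log lines are constructed samples in the message format dropbear is assumed to use; "Example_BannedIPs" is a placeholder set name, not one of Skynet's.

```shell
#!/bin/sh
# Added example; not Skynet's BFD implementation. It shows the shape of
# brute-force detection: count failed SSH (dropbear) logins per source address
# in syslog, emit sources that cross a threshold, and turn them into ban
# commands. The log lines are constructed samples in the message format
# dropbear is assumed to use; "Example_BannedIPs" is a placeholder set name.

sample_log() {
    cat <<'EOF'
Jan  1 00:00:01 router dropbear[1201]: Bad password attempt for 'admin' from 203.0.113.7:41022
Jan  1 00:00:02 router dropbear[1202]: Bad password attempt for 'admin' from 203.0.113.7:41023
Jan  1 00:00:03 router dropbear[1203]: Login attempt for nonexistent user from 203.0.113.7:41024
Jan  1 00:00:04 router dropbear[1204]: Bad password attempt for 'root' from 203.0.113.7:41025
Jan  1 00:00:05 router dropbear[1205]: Exit before auth from <203.0.113.7:41026>: Exited normally
Jan  1 00:00:06 router dropbear[1206]: Bad password attempt for 'admin' from 198.51.100.23:50012
Jan  1 00:00:07 router dropbear[1207]: Password auth succeeded for 'admin' from 192.168.1.10:55000
Jan  1 00:00:08 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=203.0.113.1 PROTO=TCP DPT=22
EOF
}

# Sources with at least $1 (default 3) failed logins, "count ip" per line,
# highest count first. Only authentication failures count; a plain connect or
# a successful login does not. Reads syslog lines on stdin.
bfd_offenders() {
    awk -v t="${1:-3}" '
        /dropbear\[[0-9]+\]: (Bad password attempt|Login attempt for nonexistent user)/ {
            src = $NF                 # last field is "ip:port"
            sub(/:[0-9]+$/, "", src)  # drop the ephemeral port
            n[src]++
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' | sort -rn
}

# Packets dropped by the SPI firewall, per SRC=. These are not login
# failures: a host "pounding the firewall" shows up here, not above, and BFD
# alone will not ban it unless it also reaches an exposed SSH service.
drop_sources() {
    awk '/kernel: .*DROP IN=/ {
            for (i = 1; i <= NF; i++) if (sub(/^SRC=/, "", $i)) n[$i]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Dry run: print the ipset command per offender instead of executing it.
ban_commands() {
    bfd_offenders "${1:-3}" | while read -r count ip; do
        echo "ipset -q -A Example_BannedIPs $ip comment \"BruteForce: $count failures\""
    done
}

sample_log | ban_commands 3
```

On a real router you would feed `cat /tmp/syslog.log | bfd_offenders 5` instead of the sample and only execute the printed commands once you have checked that your own management addresses never appear in the list.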
 

Adamm

Part of the Furniture
openssl does not use the standard base64 encoding and decoding without the -A option:
https://stackoverflow.com/a/35296674/7484547

With the examples below, you see that without the padding the last character is missing.
In your case padding is not strictly required.

Without padding
Code:
#!/bin/sh
base64=$(echo 'sdns://AQIAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20' | sed "s~'~~g;s~sdns://~~g;s~-~+~g;s~_~/~g")
echo "Base64: $base64"
echo "Decode: $(echo $base64 | openssl enc -base64 -d)"
Output:
Code:
Base64: AQIAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR/JS3PLCu/iZEIbq95zkSV2LFsigxDIuUso/OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20
Decode: 176.103.130.130:5443 ?+G?R??»???????I]?Ƞ?2.R??s"2.dnscrypt.default.ns1.adguard.c
With trailing padding:
Code:
#!/bin/sh
base64=$(echo 'sdns://AQIAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20' | sed "s~'~~g;s~sdns://~~g;s~-~+~g;s~_~/~g")
# pad to a multiple of 4 chars: 3 leftover chars need one "=", 2 need "==" (not "length % 4" of them)
while [ $((${#base64} % 4)) -ne 0 ]; do base64="$base64="; done
echo "Base64: $base64"
echo "Decode: $(echo "$base64" | openssl enc -base64 -d -A)"
Output:
Code:
Base64: AQIAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR/JS3PLCu/iZEIbq95zkSV2LFsigxDIuUso/OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20=
Decode: 176.103.130.130:5443 ?+G?R??»???????I]?Ƞ?2.R??s"2.dnscrypt.default.ns1.adguard.com

Ah I misread how you use a newline after the initial echo and that's why my result was different. While the outcome is still the same due to our filtering afterwards, I've gone ahead and pushed the "more correct" method into v7.1.8
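Worked example tying together the base64url discussion in this thread, from the PHP helpers Adamm quoted earlier to wbartels' openssl scripts (added by the editor; this is not Skynet's code and not from any poster in this thread). The decoder pads correctly for every input length (the "length % 4" rule in the posts above adds too many "=" for 3 leftover characters and breaks on 0), uses printf instead of echo so no stray newline reaches openssl, and then walks the length-prefixed fields of the decoded DNS stamp so the address, hostname and path can be read without staring at binary. The two stamps are the ones posted in this thread; the field layout follows the published DNS stamp format for DNSCrypt (0x01) and DoH (0x02), and the helper names are the editor's.

```shell
#!/bin/sh
# Added example, not Skynet's or wbartels' code: a base64url decoder for the
# router's busybox sh + openssl that pads correctly for every input length, and
# a walker for the length-prefixed fields of the decoded DNS stamp. The two
# stamps below are the ones posted in this thread; helper names are invented.

# RFC 4648 section 5 base64url -> raw bytes on stdout. Accepts an optional
# "sdns://" prefix and input with or without '=' padding.
b64url_decode() {
    s=${1#sdns://}
    s=$(printf '%s' "$s" | sed 's~-~+~g;s~_~/~g')
    # 4 chars per 3 bytes: 2 leftover chars need "==", 3 need "=", 1 is
    # impossible. (The thread's "len % 4" rule adds too many '=' for 3.)
    case $(( ${#s} % 4 )) in
        1) echo "invalid base64url length" >&2; return 1 ;;
        2) s="$s==" ;;
        3) s="$s=" ;;
    esac
    # printf, not echo: the trailing newline is what broke the first attempt.
    # -A tells openssl the whole input is one line instead of 64-char rows.
    printf '%s' "$s" | openssl enc -base64 -d -A
}

# Decoded stamp as one continuous hex string, so fields can be sliced
# without the shell mangling NUL or high bytes.
stamp_hex() { b64url_decode "$1" | od -An -v -tx1 | tr -d ' \n'; }

# Byte at 0-based offset $2 of hex string $1, as decimal.
hex_byte() {
    b=$(printf '%s' "$1" | cut -c$(( $2 * 2 + 1 ))-$(( $2 * 2 + 2 )))
    echo $(( 0x$b ))
}

# $3 bytes from offset $2 of hex string $1, as text (POSIX printf octal escapes).
hex_text() {
    [ "$3" -gt 0 ] || return 0
    h=$(printf '%s' "$1" | cut -c$(( $2 * 2 + 1 ))-$(( ($2 + $3) * 2 )))
    out=''
    while [ -n "$h" ]; do
        two=${h%"${h#??}"}
        out="$out$(printf "\\$(printf '%03o' $(( 0x$two )))")"
        h=${h#??}
    done
    printf '%s' "$out"
}

# Human-readable fields of a DNSCrypt (0x01) or DoH (0x02) stamp: type byte,
# 8-byte little-endian props (bit0 DNSSEC, bit1 no logs, bit2 no filter),
# then length-prefixed strings. Keys and hashes are skipped, not printed.
stamp_fields() {
    hex=$(stamp_hex "$1")
    [ -n "$hex" ] || return 1
    proto=$(hex_byte "$hex" 0)
    props=$(hex_byte "$hex" 1)          # low byte of the props bitfield
    off=9
    n=$(hex_byte "$hex" $off); off=$(( off + 1 ))
    addr=$(hex_text "$hex" $off $n); off=$(( off + n ))
    case $proto in
        1)  n=$(hex_byte "$hex" $off); off=$(( off + 1 + n ))   # provider pk
            n=$(hex_byte "$hex" $off); off=$(( off + 1 ))
            name=$(hex_text "$hex" $off $n)
            echo "proto=dnscrypt props=$props addr=$addr provider=$name" ;;
        2)  # hashes: each length byte has bit 7 set while more hashes follow
            while :; do
                n=$(hex_byte "$hex" $off); off=$(( off + 1 + (n & 127) ))
                if [ $(( n & 128 )) -eq 0 ]; then break; fi
            done
            n=$(hex_byte "$hex" $off); off=$(( off + 1 ))
            host=$(hex_text "$hex" $off $n); off=$(( off + n ))
            n=$(hex_byte "$hex" $off); off=$(( off + 1 ))
            path=$(hex_text "$hex" $off $n)
            echo "proto=doh props=$props addr=$addr host=$host path=$path" ;;
        *)  echo "unsupported stamp type $proto" >&2; return 1 ;;
    esac
}

stamp_fields 'sdns://AQIAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20'
stamp_fields 'sdns://AgMAAAAAAAAADzE0OS4xNTQuMTUzLjE1MyA-GhoPbFPz6XpJLVcIS1uYBwWe4FerFQWHb9g_2j24OBhhZGZyZWUudXNhYmxlcHJpdmFjeS5uZXQKL2Rucy1xdWVyeQ'
```

The hex round trip through `od` is deliberate: the provider public key and the DoH certificate hash are raw bytes, and slicing them as hex keeps the shell out of the way until a field is known to be text. Everything used here (`sed`, `od`, `cut`, `printf`, `openssl`) exists in busybox plus the firmware's openssl, so the same script runs on the router.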
 
