Skynet - Router Firewall & Security Enhancements


Joe Doe

Occasional Visitor
Why do you have almost every setting disabled, including settings that aren't even relevant for your installation (i.e. Custom syslog location)? No wonder you are getting errors. I suggest uninstalling Skynet followed by a reinstall to correct these, and only change settings if you are aware of what they actually do.

I didn't change any settings manually. It should actually be the default state. Could it be that someone hacked/accessed my router (and disabled my firewall)?
Or is there a fallback switch in Skynet that disables features in case of errors (maybe this is somewhat related to my installation to the USB swap drive and the fact that I switch off my router every night.. which theoretically could lead to disk errors during a write process). Will start using the wireless scheduler instead now...

I just reinstalled it - seems to work now.
 

Mutzli

Very Senior Member
I've yet to dabble with Suricata, but this does sound feasible, although I would need users to send me their full fast.log so I can phrase them.
Shoot, I deleted the old log once I transferred the IPs over to Skynet. But here is the new log with just two entries:
Suricata fast.log (\entware\var\log\suricata)
Code:
06/26/2020-10:19:35.800684  [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 45.148.121.43:52958 -> My.WAN.IP.Address:123
06/27/2020-12:55:56.610556  [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 209.141.55.247:46418 -> My.WAN.IP.Address:123
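
An added example, not part of the original posts and not Skynet's or Suricata's own code: one way to parse a `fast.log` in the format shown above into a de-duplicated list of source IPs that could be fed to `firewall import blacklist`. The function names, the priority cut-off and the sample lines (documentation-range addresses) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pull inbound source IPs out of a Suricata fast.log.

# Constructed sample in fast.log format; addresses are documentation ranges.
sample_fastlog() {
cat <<'EOF'
06/26/2020-10:19:35.800684  [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 203.0.113.43:52958 -> My.WAN.IP.Address:123
06/27/2020-12:55:56.610556  [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 198.51.100.247:46418 -> My.WAN.IP.Address:123
06/27/2020-13:01:02.000001  [**] [1:2017919:2] ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 203.0.113.43:52960 -> My.WAN.IP.Address:123
06/27/2020-13:05:00.000001  [**] [1:9000001:1] Constructed low-severity sample [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.0.113.99:40000 -> My.WAN.IP.Address:8080
06/27/2020-13:06:00.000001  [**] [1:9000002:1] Constructed outbound sample [**] [Classification: Misc activity] [Priority: 1] {TCP} 192.168.1.20:51514 -> 203.0.113.5:443
truncated line without the expected fields
EOF
}

# Reads fast.log on stdin, prints one unique source IPv4 address per line.
# $1 = highest Priority number to keep (1 is most severe), default 2.
fastlog_sources() {
    awk -v maxprio="${1:-2}" '
    {
        # Severity: "[Priority: N]"; lines without it are malformed, skip them.
        if (!match($0, /\[Priority: [0-9]+\]/)) next
        prio = substr($0, RSTART + 11, RLENGTH - 12) + 0
        if (prio > maxprio) next

        # The flow is the tail of the line: "{PROTO} SRC:PORT -> DST:PORT".
        i = index($0, " -> ")
        if (i == 0) next
        n = split(substr($0, 1, i - 1), w, " ")
        src = w[n]
        sub(/:[0-9]+$/, "", src)                     # drop the source port

        if (src !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        # Never ban our own LAN clients (alerts on outbound traffic).
        if (src ~ /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) next

        if (!(src in seen)) { seen[src] = 1; print src }
    }'
}

# Typical use (output path is a placeholder), then import with a full path:
#   fastlog_sources 2 < fast.log > /tmp/suricata_ips.txt
#   firewall import blacklist /tmp/suricata_ips.txt "Suricata"
sample_fastlog | fastlog_sources 2
```

Review the resulting list before importing it; a single alert is a weak reason to ban an address, and the OTX lookup described later in this thread applies here as well.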
 

avi68

Regular Contributor
Has anyone had an issue with Snapchat recently? Had reports of Snapchat receiving data but failing to send messages and pictures since Monday. I temporarily disabled Skynet and the app started to work as normal, but as soon as I enabled it again the issues started. I've never had any issues before. Any ideas?

Thanks
 

Wayne Hutchinson

Occasional Visitor
I'm a noob to Skynet and have some question:
1. Today I updated to the latest version of Merlin, Do I need to restart Skynet or is it automatic?
2. How often do you update Skynet's IP lists?

Looking for best practices
Thanks
 

Adamm

Part of the Furniture
Has anyone had an issue with Snapchat recently? Had reports of Snapchat receiving data but failing to send messages and pictures since Monday. I temporarily disabled Skynet and the app started to work as normal, but as soon as I enabled it again the issues started. I've never had any issues before. Any ideas?

Thanks

Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

Don't worry, tracking down false positive bans was at the core of design. Generally speaking you can follow these steps to find (and whitelist) anything incorrectly on your Blacklist!

1.) Enable Logging
Code:
firewall settings logmode enable
2.) Open the blocked application/website and use the command;

Code:
firewall debug watch
Now look for a flood of [BLOCKED - OUTBOUND] coming from the same IP. This most likely will be the IP you are looking for if it's being spammed in large numbers.

3.) Copy the IP following "DST="; it should look something like this:
Code:
DST=175.115.37.52
4.) Double check the IP is not actually something that should be banned; use a search tool like AlienVault. If it's related to a domain, additional "Associated Domain" information should be printed beneath the log.

Code:
https://otx.alienvault.com/indicator/ip/175.115.37.52/
5.) Great, we have confirmed we found the IP of the blocked website/application we are looking for, let's whitelist it!

Code:
firewall whitelist ip 175.115.37.52

1. Today I updated to the latest version of Merlin, Do I need to restart Skynet or is it automatic?

No, you don't.

2. How often do you update Skynet's IP lists?

However often you selected during the install procedure, either daily or weekly.
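
An added example, not part of the original post and not Skynet's own code: the "look for a flood of [BLOCKED - OUTBOUND] to the same IP" step from the false-positive procedure above, done by counting `DST=` values in saved log lines instead of reading them by eye. The function names and the sample lines are constructed; the field layout assumed is standard iptables LOG output (`SRC=`, `DST=`, `DPT=`).

```shell
#!/bin/sh
# Added example: rank blocked outbound destinations in saved firewall log lines.

# Constructed sample: four blocks to one destination, one stray outbound
# block, and one inbound block that must be ignored.
sample_log() {
    for t in 01 02 03 04; do
        echo "Jun 27 12:00:$t kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.23 DST=175.115.37.52 LEN=60 TTL=63 PROTO=TCP SPT=512$t DPT=443"
    done
    echo "Jun 27 12:01:10 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.9 LEN=60 TTL=63 PROTO=TCP SPT=40222 DPT=80"
    echo "Jun 27 12:01:30 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=40 TTL=240 PROTO=TCP SPT=55000 DPT=23"
}

# Reads log lines on stdin; prints "count DST DPT SRC", busiest first.
# $1 = how many rows to show (default 5).
top_blocked_dst() {
    grep -F '[BLOCKED - OUTBOUND]' |
    awk '{
        src = ""; dst = ""; dpt = "-"      # "-" when there is no port (e.g. ICMP)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (dst != "") count[dst " " dpt " " src]++
    }
    END { for (k in count) print count[k], k }' |
    sort -k1,1nr -k2,2 | head -n "${1:-5}"
}

# Prints the busiest destination only if it was blocked at least $1 times
# (default 3), i.e. it looks like the flood an app produces while retrying.
flood_candidate() {
    top_blocked_dst 1 | awk -v min="${1:-3}" '$1 >= min { print $2 }'
}

sample_log | top_blocked_dst 5
# The SRC column shows which LAN client is affected. Check the candidate on
# OTX before running: firewall whitelist ip <candidate>
```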
 

bakerboy448

New Around Here
Some false positives for the record that you'll need to add to whitelist

Snapchat Chats (outgoing chats & group snaps do not appear as sent)
35.227.237.213 blocklist_net_ua.ipset US chat-gateway-prod.chat.snapchat.com

Pi-Hole Forums (won't load)
185.93.1.242 BanAiProtect: mytbar.b-cdn.net US cmbimageservice.b-cdn.net piholediscourse.b-cdn.net bcltest2.b-cdn.net qualdnt.b-cdn.net

##Tags for searches
Skynet Asus Snapchat Sending Chat
 

syked

New Around Here
Example Import Commands; ( firewall import blacklist file.txt "Apples" ) This Bans All IPs From URL/Local File With The Comment Apples ( firewall import whitelist file.txt "Apples" ) This Whitelists All IPs From URL/Local File With The Comment Apples

Regarding the import using a file, where is the file meant to be located? Is it on the router or USB drive? In the above example it lists 'file.txt', but where is the default directory where Skynet looks for this file?

I've done a search and couldn't find the answer so apologies if it has been discussed before.
 

Adamm

Part of the Furniture
Regarding the import using a file, where is the file meant to be located? Is it on the router or USB drive? In the above example it lists 'file.txt', but where is the default directory where Skynet looks for this file?

I've done a search and couldn't find the answer so apologies if it has been discussed before.

Specify the full path, it can be located anywhere.
 

MoonPie2000

Occasional Visitor
I am new to SkyNet but I have tried to search this thread but have not found anything on my question which is... Why am I not seeing data in my 'Top 10 HTTP(s) blocks' and 'Last 10 unique HTTP(s) blocks'? Is there a config that I am missing to capture this data? Thanks for any help.
 

fields987

Regular Contributor
I am new to SkyNet but I have tried to search this thread but have not found anything on my question which is... Why am I not seeing data in my 'Top 10 HTTP(s) blocks' and 'Last 10 unique HTTP(s) blocks'? Is there a config that I am missing to capture this data? Thanks for any help.
Are you in a double nat config? Have you refreshed stats?
 

Adamm

Part of the Furniture
I am new to SkyNet but I have tried to search this thread but have not found anything on my question which is... Why am I not seeing data in my 'Top 10 HTTP(s) blocks' and 'Last 10 unique HTTP(s) blocks'? Is there a config that I am missing to capture this data? Thanks for any help.

Have you considered maybe you just haven’t run into any malicious websites yet :p
 

MoonPie2000

Occasional Visitor
fields987 - I am not in a double NAT and YES I did a refresh of my browser.

Adamm - Funny you should ask about visiting malicious sites... I am not aware that I have, but I just wanted to make sure if I do they will be blocked. So I wanted to check to verify I wasn't missing anything; however, maybe the question needs to be how can I test to see if it is configured correctly, i.e. are there any HTTPS test sites that would trigger some data to be generated? Thanks...
 

dave14305

Part of the Furniture
fields987 - I am not in a double NAT and YES I did a refresh of my browser.

Adamm - Funny you should ask about visiting malicious sites... I am not aware that I have, but I just wanted to make sure if I do they will be blocked. So I wanted to check to verify I wasn't missing anything; however, maybe the question needs to be how can I test to see if it is configured correctly, i.e. are there any HTTPS test sites that would trigger some data to be generated? Thanks...
HTTP(s) blocks are specifically reporting on port 80 or 443 blocks. I am happy to see that I have no outbound blocks at all, especially on ports 80 or 443. It means whatever measures I have in place (Diversion, browser ad-blockers, Quad9 DNS, etc.) are keeping me and my family from visiting malicious websites. Practice safe browsing!
 

MoonPie2000

Occasional Visitor
Thanks everyone for your quick replies... I feel much safer now!
 

Wycleff

Regular Contributor
Is it possible to let a specific MAC address bypass Skynet?
I'm currently having buffering problems with my IPTV and activated Skynet.
 

reerden

Regular Contributor
This script looks interesting, but I had a few questions before I try it out:

1. Is it possible to exclude certain clients? As most people, I'm currently working from home and I'd rather not have my work devices being inadvertently blocked, as I don't have the time to fiddle with the whitelist during the week. I'm also not too comfortable with 'debugging' proprietary devices like setup boxes and game consoles at home. It's usually too much of a hassle for a device that isn't even vulnerable for malware in the first place.

2. I know this script included telemetry in the past, and I'm not too comfortable with blocking that. Working a lot with Azure, I've seen too many colleagues getting a headache when their pi-hole broke the Azure portal and local builds on their devices. So is telemetry still blocked by default, or has that been removed? Considering it's not really malware.
 

Adamm

Part of the Furniture
Is it possible to let a specific MAC address bypass Skynet?
I'm currently having buffering problems with my IPTV and activated Skynet.

Skynet shouldn't have any effect on buffering, you can temporarily disable it from the menu to confirm this.

1. Is it possible to exclude certain clients? As most people, I'm currently working from home and I'd rather not have my work devices being inadvertently blocked, as I don't have the time to fiddle with the whitelist during the week. I'm also not too comfortable with 'debugging' proprietary devices like setup boxes and game consoles at home. It's usually too much of a hassle for a device that isn't even vulnerable for malware in the first place.

No, not at this time.

2. I know this script included telemetry in the past, and I'm not too comfortable with blocking that. Working a lot with Azure, I've seen too many colleagues getting a headache when their pi-hole broke the Azure portal and local builds on their devices. So is telemetry still blocked by default, or has that been removed? Considering it's not really malware.

We don't include telemetry lists by default.
 

tekrich

Regular Contributor
I have messed up, changed the swap file name. So now Skynet errors...

-Problem with USB Intstall Location - Please Fix Immediately!
-When fixed Run ( sh /jffs/scripts/firewall restart )

It's looking for the old swap location, that has been changed.

Is there a command that I can use in AMTM to uninstall Skynet, so I can reinstall it?
 

dave14305

Part of the Furniture
I have messed up, changed the swap file name. So now Skynet errors...

-Problem with USB Intstall Location - Please Fix Immediately!
-When fixed Run ( sh /jffs/scripts/firewall restart )

It's looking for the old swap location, that has been changed.

Is there a command that I can use in AMTM to uninstall Skynet, so I can reinstall it?
Can you just correct the skynetloc path in /jffs/scripts/firewall-start?
 
