Skynet - Router Firewall & Security Enhancements

How do you ban a range of IPs? Do I need a special character between the start and end IP, or do I just leave a blank space?

Not sure whether you can actually ban a part of a CIDR, but @Adamm will be able to tell you. If you're looking for a way to ban an entire range, check out the Usage section in the first post. Many examples can be found there of what Skynet is able to do and how to achieve it.
 
MarCo,

Thank you for responding. I did look at the first post, but I'm unsure about how the start and end IP addresses are entered. For example:

/jffs/scripts/firewall ban 1.2.3.4 - 5.6.7.8

or

/jffs/scripts/firewall ban 1.2.3.4 5.6.7.8

or something else?
 
Yes, I understood your question ;), but as mentioned above I don't know whether that's one of Skynet's many possibilities, which is why I tagged @Adamm.

I referred to the first post in case you wanted to ban an entire subnet (CIDR), which I couldn't be sure of based on your question. If that's the case, you can ban the entire CIDR as follows (example):

Code:
sh /jffs/scripts/firewall ban range 8.8.8.8/24 Apples
(This bans the CIDR block specified, with the comment "Apples".)
 
Can you explain the "apples" tag in the code listed above? I do realize that is an example, but what does "apples" represent?

Thanks for helping!
 
After the update, debug info showed:

As the error suggests, there was an active Skynet process with the PID 7247. Seeing as in this post the iptables rules or ipsets weren't present, I assume it was the startup process still running.

The reason for the lockfile system I made is so certain commands don't interfere with each other and cause other issues while trying to modify data/rules etc. More of a failsafe than anything.


Just checked my debug info, out of curiosity, and something seems a bit contradictory:

This was a simple error with my lock file detection which I fixed around 9 days ago. Nothing to worry about as you already updated.

I noticed that after the upgrade

As stated previously, during your first run of debug info it seems the startup process was still running.

Any concerns with this message? Level 5 Messages Won't Be Logged - Only 5+

It seems you modified your syslog notification settings; usually this value is 7 (debug). There was actually an error in my code, as it should only be checking for values higher than the first number and allow values that are equal, so I pushed a fix for this. With that being said, your changing the default setting may still cause other items not to show up in your syslog, as no "debug" or "info" messages will be shown from the system.

How do you ban a range of IP's ? Do I need a special character in-between the start and end IP or do I just leave a blank space ?

Skynet only accepts CIDR format; you can use a tool like this to calculate them for you and then use the appropriate commands.

Can you explain the "apples" tag in the code listed above? I do realize that is an example but what is apples representing?

This is a "comment" for the entry, basically a description of what you are adding.
 
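Since Skynet takes CIDR notation only, a start-to-end range such as the one in the question has to be split into aligned blocks first. The POSIX shell functions below do that split and print the matching ban commands. This is an added example, not Skynet's code or anything posted in the thread; the `sh /jffs/scripts/firewall ban range <cidr> <comment>` syntax it emits is taken from the usage line quoted above, and nothing here runs the script itself.

```shell
#!/bin/sh
# Added example: split an IPv4 start-end range into the minimal set of CIDR
# blocks and print one Skynet "ban range" command per block. The command
# syntax "sh /jffs/scripts/firewall ban range <cidr> <comment>" is taken from
# the usage list; this only prints the commands, it does not call the script.

# Dotted quad -> 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print the CIDR blocks covering $1..$2 inclusive, one per line. At each step
# take the largest block that starts at the current address (alignment) and
# does not run past the end of the range, then continue after it.
range2cidr() {
    start=$(ip2int "$1")
    end=$(ip2int "$2")
    [ "$start" -le "$end" ] || { echo "start address is after end address" >&2; return 1; }
    while [ "$start" -le "$end" ]; do
        bits=0                      # host bits of the block we will emit
        while [ "$bits" -lt 32 ]; do
            size=$(( 1 << (bits + 1) ))
            # Stop growing when the next size is misaligned or overshoots the end.
            if [ $(( start & (size - 1) )) -ne 0 ] || [ $(( start + size - 1 )) -gt "$end" ]; then
                break
            fi
            bits=$(( bits + 1 ))
        done
        echo "$(int2ip "$start")/$(( 32 - bits ))"
        start=$(( start + (1 << bits) ))
    done
}

# Print the Skynet commands for a range; $3 is the comment stored with each entry.
ban_range_commands() {
    range2cidr "$1" "$2" | while read -r cidr; do
        echo "sh /jffs/scripts/firewall ban range $cidr $3"
    done
}

ban_range_commands 192.168.1.5 192.168.1.10 Apples
```

Run the printed lines on the router (or pipe them to `sh`). Note that a range that is not aligned to a power of two expands to several blocks, each carrying the same comment; the 1.2.3.4 to 5.6.7.8 range from the question, for instance, needs 28 blocks.
 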
Thanks @Adamm
I changed to the above settings, I now get the message:
Level 7 Messages Won't Be Logged - Only 7+
What do you recommend?

I reran the install command and still see the lockfile message. If the lockfile message remains tomorrow, any cause for concern?
 
The system log is finally clean.
@Adamm, thank you for your help and patience!

:):):)
 
The defaults on Merlin are:
Default level = notice
More urgent than = debug

Note that on my fork, I changed the 'more urgent than' label to just 'Syslog level'. I didn't think of it that way, as logging messages 'more urgent than' x; I want a syslog level of x. So on my fork the second value is 'Info', and I have tags next to the dropdowns indicating the default levels.
 
What do you recommend?

The default is "notice" for the first and "debug" for the second.

I reran the install command and still see the lockfile message.

Check the process list (ps) and see what the PID matches up with. The only commands which honor the lock file are:

banmalware
import
deport
save
start
update
install

The longest any of these commands should run for would probably be the start command on a cold boot and that takes 60 seconds at most.

Then it probably wasn't included (yet) in the weekly update, I assume?

I probably changed the version after the weekly update check, so it didn't get picked up last Monday.

The system log is finally clean.
@Adamm, thank you for your help and patience!

Happy to help.
 
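The lock-file behaviour described above (a command refusing to run while a PID recorded in the lock is still alive, and a lock that survives a crash or reboot until something clears it) can be illustrated with a small PID-based lock. This is an added example written for this thread, not Skynet's own code; the lock path is an assumption, since the thread does not name Skynet's actual lock file, and the `ps` hint follows the advice above to match the recorded PID against the process list.

```shell
#!/bin/sh
# Added example: a PID-based lock with stale-lock detection. Not Skynet's
# code; the lock path below is an assumption for the demonstration.
LOCKFILE=${LOCKFILE:-${TMPDIR:-/tmp}/skynet-example.lock}

# Create the lock file only if it does not already exist. noclobber (set -C)
# makes the create-if-absent a single atomic step, so two commands started at
# the same moment cannot both believe they own the lock.
try_create_lock() {
    ( set -C; echo "$$" > "$LOCKFILE" ) 2>/dev/null
}

# Take the lock. Returns 0 when taken. Returns 1 when another live process
# holds it, printing that PID so it can be matched against `ps`. A lock whose
# PID is no longer running is stale (the owner died, or the router rebooted
# without clearing it) and is removed before retrying once.
lock_acquire() {
    if try_create_lock; then
        return 0
    fi
    holder=$(cat "$LOCKFILE" 2>/dev/null || true)
    if [ -n "$holder" ] && kill -0 "$holder" 2>/dev/null; then
        echo "lock held by running PID $holder; check it with: ps | grep $holder" >&2
        return 1
    fi
    echo "removing stale lock (PID '${holder:-none}' is not running)" >&2
    rm -f "$LOCKFILE"
    try_create_lock
}

# Release the lock, but only if this shell is the recorded owner.
lock_release() {
    if [ "$(cat "$LOCKFILE" 2>/dev/null || true)" = "$$" ]; then
        rm -f "$LOCKFILE"
    fi
}

# Run a command under the lock and release it even if the command fails.
with_lock() {
    lock_acquire || return 1
    status=0
    "$@" || status=$?
    lock_release
    return "$status"
}

with_lock echo "running under the lock as PID $$"
```

`kill -0` only tests whether the PID exists and is signalable; on a router where everything runs as root that is enough, but on a multi-user system a PID owned by another user would fail the check and be wrongly treated as stale. PID reuse after a reboot is the other caveat: a stale file can, by chance, name a PID that now belongs to an unrelated live process, which is exactly the situation where `ps` has to be consulted by hand.
 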
A reboot fixed the issue with the lockfile. I also changed my debug settings to default and don't have the warning messages any longer. Thank you for the help and support. Grateful!
 
Hi,

I am having a problem with doing country filtering. I want to filter out a lot of the world. I am using the following:

sh /jffs/scripts/firewall ban country "ad ae af ag ai al am ao ap ar as at aw ax az ba bb bd be bf bg bh bi bj bl bm bn bo bq br bs bt bw by bz cd cf cg ch ci ck cl cm cn co cr cu cv cw cy cz de dj dk dm do dz ec ee eg er es et eu fi fj fm fo fr gb gd ge gf gg gh gi gl gm gn gp gq gr gt gu gw gy hk hn hr ht hu id ie il im in io iq ir is it je jm jo jp ke kg kh ki km kn kp kr kw ky kz la lb lc li lk lr ls lt lu lv ly ma mc md me mf mg mh mk ml mm mn mo mp mq mr ms mt mu mv mw mx my mz na nc ne nf ng ni nl no np nr nu nz om pa pe pf pg ph pk pl pm pr ps pt pw py qa re ro rs ru rw sa sb sc sd se sg si sk sl sm sn so sr ss st sv sx sy sz tc td tg th tj tk tl tm tn to tr tt tv tw tz ua ug um uy uz va vc ve vg vi vn vu wf ws ye yt za zm zw"

And I am getting the following error from the script in Putty:

*Removing Previous Country Bans*
Banning Known IP Ranges For ad ae af ag ai al am ao ap ar as at aw ax az ba bb bd be bf bg bh bi bj bl bm bn bo bq br bs bt bw by bz cd cf cg ch ci ck cl cm cn co cr cu cv cw cy cz de dj dk dm do dz ec ee eg er es et eu fi fj fm fo fr gb gd ge gf gg gh gi gl gm gn gp gq gr gt gu gw gy hk hn hr ht hu id ie il im in io iq ir is it je jm jo jp ke kg kh ki km kn kp kr kw ky kz la lb lc li lk lr ls lt lu lv ly ma mc md me mf mg mh mk ml mm mn mo mp mq mr ms mt mu mv mw mx my mz na nc ne nf ng ni nl no np nr nu nz om pa pe pf pg ph pk pl pm pr ps pt pw py qa re ro rs ru rw sa sb sc sd se sg si sk sl sm sn so sr ss st sv sx sy sz tc td tg th tj tk tl tm tn to tr tt tv tw tz ua ug um uy uz va vc ve vg vi vn vu wf ws ye yt za zm zw
Downloading Lists
Filtering IPv4 Ranges & Applying Blacklists
ipset v6.32: Error in line 1: Syntax error: Comment is longer than the maximum allowed 255 characters
Saving Changes
Skynet: [Complete] 127567 IPs / 3164 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 7 Inbound / 0 Outbound Connections Blocked! [16s]

I cannot add the countries in segments because the script removes the entries I had already placed on the ban list. I am unsure what to do, but I definitely want to block basically the whole world.

Do you have any suggestions?

Thank you,

J
 
You might be able to put the list of countries in a file and reference that in the command call?
 
Do you have any suggestions?

This is an ipset limitation on the size of the comment (aka description); as the comment for this, I use the full country list. You would need to manually edit the following line every time you update Skynet:

Code:
grep -F "/" /tmp/countrylist.txt | sed -n "s/\\r//;/^$/d;/^[0-9,\\.,\\/]*$/s/^/add BlockedRanges /p" | sed "s/$/& comment \"Country: $3\"/" | ipset restore -!

to

Code:
grep -F "/" /tmp/countrylist.txt | sed -n "s/\\r//;/^$/d;/^[0-9,\\.,\\/]*$/s/^/add BlockedRanges /p" | sed "s/$/& comment \"Country: WorldBlock\"/" | ipset restore -!


With that being said, this is definitely not efficient for this type of blocking, nor something I recommend. Beyond the obvious issues you are going to run into by "blocking everything", blacklisting billions of IPs is much slower than whitelisting specific ranges. Again, this was not the intended purpose of this functionality; you would be better off with a custom solution which does as described, but if you insist on using Skynet to do so, then the manual edit above is how you would achieve it.
 
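The error above comes from ipset's comment extension, which caps each entry's comment at 255 characters, so a "Country: ..." comment carrying a long list of country codes is rejected before any range is added. The functions below build the same `add BlockedRanges <cidr> comment "..."` restore input as the sed line quoted above, but check the comment length first and fall back to a short label when the full list would not fit. This is an added example and not Skynet's code: the set name and comment format follow the quoted line, the sample country list file is constructed inline, and the output is meant to be piped into `ipset restore -!` on the router rather than run here.

```shell
#!/bin/sh
# Added example: build `ipset restore` input from a country list while
# respecting ipset's comment limit (the "Comment is longer than the maximum
# allowed 255 characters" error). Not Skynet's code; the set name
# BlockedRanges and the "Country: ..." comment follow the sed line quoted
# from the script, and the sample list file is constructed below.

IPSET_COMMENT_MAX=255   # limit reported by ipset itself in the error above

# 0 if $1 fits in an ipset comment, 1 otherwise.
comment_fits() {
    [ "${#1}" -le "$IPSET_COMMENT_MAX" ]
}

# Comment for a country ban: the full country list when it fits, otherwise
# the short label suggested in the post (a long list of codes exceeds 255).
country_comment() {
    full="Country: $1"
    if comment_fits "$full"; then
        echo "$full"
    else
        echo "Country: WorldBlock"
    fi
}

# Emit one "add BlockedRanges <cidr> comment \"...\"" line per range in the
# list file $1, using comment $2. Mirrors the script's filter: strip CR,
# drop blank lines, keep only dotted-quad/prefix entries (bare IPs go to a
# different set). Refuses up front instead of letting ipset reject the batch.
build_restore() {
    file=$1
    comment=$2
    if ! comment_fits "$comment"; then
        echo "comment is ${#comment} chars, ipset allows $IPSET_COMMENT_MAX" >&2
        return 1
    fi
    tr -d '\r' < "$file" | grep -E '^[0-9.]+/[0-9]+$' |
    while read -r cidr; do
        printf 'add BlockedRanges %s comment "%s"\n' "$cidr" "$comment"
    done
}

# Constructed sample list: CRLF line endings, a blank line and a bare IP,
# the kinds of lines the downloaded lists contain.
SAMPLE_LIST=$(mktemp)
trap 'rm -f "$SAMPLE_LIST"' EXIT
printf '1.0.0.0/24\r\n1.0.1.0/24\r\n\r\n203.0.113.5\r\n198.51.100.0/22\r\n' > "$SAMPLE_LIST"

# On the router the output would be piped into ipset, e.g.
#   build_restore /tmp/countrylist.txt "$(country_comment "au nz")" | ipset restore -!
build_restore "$SAMPLE_LIST" "$(country_comment "au nz")"
```

Checking the length before calling `ipset restore` matters because the error surfaces only after the lists were downloaded and the previous country bans removed, which is why the run above ended with the old entries gone and nothing new added.
 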
First,

Thank you for taking the time to respond. Leave it to me to do stupid stuff ;-). May I ask what countries that you or someone would recommend blocking?

Thank you,

J
 
Personally I don't block any complete countries manually, as I see no need for it currently. I'd rather rely on Skynet's autoban functionality to ban automatically when necessary, in addition to the DPI firewall that the router uses and the lists used by Skynet to block specific ranges.
 
@Adamm I had some trouble with Skynet last night. I updated the country block info I had and it blocked my streaming media service. I knew it was the country block instruction I had just given it, but I thought I could use the whitelist or unban commands to do the job. The unban commands couldn't find the address, both as a domain and as an IP. Whitelisting did not work. So to continue my test I disabled the firewall in Skynet, and BOOM, things worked right away. I reverted back to the country selection I had before. Now it works. I'm concerned that I was unable to find the IP or domain in Skynet and that whitelisting in this case didn't help. Any ideas what is going on?
Now I'm having the same problem with ASUS.COM.
Code:
Unbanning 103.10.4.216
ipset v6.32: Element cannot be deleted from the set: it's not added
Saving Changes
Skynet: [Complete] 122143 IPs / 31266 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 23 Inbound / 0 Outbound Connections Blocked! [6s]
If I disable skynet I get ping results again.
I'm using the latest build, which I updated last night: v5.1.6. I'll try to uninstall and reinstall and see what happens.
EDIT: After removing and reinstalling with default values plus banmalware and no country block, everything works fine. I think I'll leave the country block off and use the dynamic nature of the firewall to protect. You can chalk this up as user caused.
EDIT: Did I miss a way to reset to a fresh install?
 
I updated the country block info I had and it blocked my streaming media service

Like I was saying in my previous posts about country blocking, due to the nature of the internet, CDNs etc., you will likely break more things than it's worth unless you are very specific in what you want to block.

I'm concerned that I was unable to find the IP or domain in skynet and that white-listing in this case didn't help.

That's what debug mode is for, look at the guide in the first post about finding out what exactly is being blocked and use the commands like "stats search ip xxx".

EDIT: Did I miss a way to reset to fresh install?

An easier way than uninstalling would have been using:

Code:
sh /jffs/scripts/firewall unban country

Or to unban everything;

Code:
sh /jffs/scripts/firewall unban all
 
Thanks for the explanation @Adamm, like I said, user error... lol.
 
