Skynet Skynet - Router Firewall & Security Enhancements


By not ideal I was implying that displaying old information and having no ability to interact somewhat defeats the purpose of WebUI integration. Offering anything less than what the menu currently does functionality-wise is a step backwards imo.
It's trivial to trigger off a command from the UI, FYI
Displaying the stats as graphs would be a good step forward. You wouldn't get full menu control, but visualising data is always good
 
Skynet is the best in its class, but I was plagued with "no internet connectivity" issues. Tried many things but this seems to have solved it:
cru a restart_firewall "7 */3 * * * sh /jffs/scripts/firewall restart"
Restarts Skynet every 3 hours at 7 min past the hour. Add that line to the system_startup file as well to recover from reboots. Working great now.
 
Skynet is the best in its class, but I was plagued with "no internet connectivity" issues. Tried many things but this seems to have solved it:
cru a restart_firewall "7 */3 * * * sh /jffs/scripts/firewall restart"
Restarts Skynet every 3 hours at 7 min past the hour. Add that line to the system_startup file as well to recover from reboots. Working great now.
That seems like overkill to interrupt your connectivity every 3 hours. Why do you think this works, meaning how did you reach the conclusion this was needed every 3 hours? What was happening in the system log when you would lose connectivity?

Are you configured with a swap file per the installation instructions?

There should be a more reasonable solution to the problem, hopefully.
 
Skynet is the best in its class, but I was plagued with "no internet connectivity" issues. Tried many things but this seems to have solved it:
cru a restart_firewall "7 */3 * * * sh /jffs/scripts/firewall restart"
Restarts Skynet every 3 hours at 7 min past the hour. Add that line to the system_startup file as well to recover from reboots. Working great now.


The connectivity error only occurs when your router fails multiple times to ping google, github then snbforums.

Code:
# Try google.com, then github.com, then snbforums.com; one answer is enough.
# Only after four rounds with no answer (10 s apart) does the check give up and return 1.
Check_Connection () {
        livecheck="0"
        while [ "$livecheck" != "4" ]; do
            if ping -q -w3 -c1 google.com >/dev/null 2>&1; then
                break
            else
                if ping -q -w3 -c1 github.com >/dev/null 2>&1; then
                    break
                else
                    if ping -q -w3 -c1 snbforums.com >/dev/null 2>&1; then
                        break
                    else
                        livecheck=$((livecheck+1))   # all three hosts failed this round
                        if [ "$livecheck" != "4" ]; then
                            echo "[*] Internet Connectivity Error"
                            sleep 10
                        else
                            return "1"   # fourth failed round: report no connectivity
                        fi
                    fi
                fi
            fi
        done
}
 
There is no science behind every 3 hours (I was thinking every hour at first). Three hours is the first thing I tried and it's working. As previously mentioned, I have a fairly noisy ISP that just doesn't care and their solution for everything is a $60 truck roll and a tech that shrugs his shoulders. Anyway your check connection script is actually happening quite quickly (no delays) and it certainly does seem that my connection is poor enough that it often hits the "Internet Connectivity Error" jackpot.
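An added example, not code from Skynet or from anyone in this thread: the same three-host ping fallback as the Check_Connection function quoted above, but each failed round is written to a log with a timestamp. Running it from cru a few times an hour gives a record of when the link actually drops, which answers the "what was happening in the system log" question before deciding that a blanket restart every 3 hours is needed. The log path, the script name and the tunable variables are assumptions; the hosts, the four-round limit and the 10 s pause are taken from the quoted function.

```shell
#!/bin/sh
# Added example, not Skynet's code: three-host ping fallback as in
# Check_Connection, with every failed round logged so outages can be
# lined up against syslog. Log path and tunables below are assumed.

CHECK_HOSTS="google.com github.com snbforums.com"   # tried in this order
MAX_ATTEMPTS="${MAX_ATTEMPTS:-4}"   # rounds before giving up (Skynet uses 4)
RETRY_DELAY="${RETRY_DELAY:-10}"    # seconds between rounds (Skynet sleeps 10)
CONN_LOG="${CONN_LOG:-/tmp/connectivity.log}"   # assumed location

# host_reachable HOST : 0 if a single ping with a 3 s timeout is answered.
host_reachable() {
    ping -q -w3 -c1 "$1" >/dev/null 2>&1
}

# any_host_reachable : 0 as soon as one host in CHECK_HOSTS answers.
any_host_reachable() {
    for h in $CHECK_HOSTS; do
        if host_reachable "$h"; then
            return 0
        fi
    done
    return 1
}

# check_connection : 0 once any host answers within MAX_ATTEMPTS rounds,
# 1 if every round fails. Each failed round is appended to CONN_LOG.
check_connection() {
    attempt=0
    while [ "$attempt" -lt "$MAX_ATTEMPTS" ]; do
        if any_host_reachable; then
            return 0
        fi
        attempt=$((attempt + 1))
        echo "$(date '+%b %d %H:%M:%S') [*] Internet Connectivity Error (round $attempt/$MAX_ATTEMPTS)" >>"$CONN_LOG"
        if [ "$attempt" -lt "$MAX_ATTEMPTS" ]; then
            sleep "$RETRY_DELAY"
        fi
    done
    return 1
}

# failures_logged : number of failed rounds recorded in CONN_LOG so far.
failures_logged() {
    if [ -f "$CONN_LOG" ]; then
        wc -l <"$CONN_LOG" | tr -d ' '
    else
        echo 0
    fi
}

# Run from cru or by hand as `sh conncheck.sh run` (file name assumed).
# Without "run" only the functions are defined, so the file can be sourced.
if [ "${1:-}" = "run" ]; then
    if check_connection; then
        echo "connectivity OK ($(failures_logged) failed rounds on record)"
    else
        echo "connectivity still down, see $CONN_LOG"
        exit 1
    fi
fi
```

Compare the timestamps in the log with the "[*] Internet Connectivity Error" lines and the WAN state messages in syslog: if the failures cluster at particular times, that is the ISP or link, and a restart of Skynet does nothing except drop your sessions.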
 
Hi,
I'm new to Skynet. Thanks for the great script!

I am having trouble with the IOT blocking feature. I added my security cam NVR and VOIP ATA IPs to the ban list and allowed both TCP and UDP ports 465 for outgoing NVR emails and 5060 for SIP traffic. After doing this my NVR could not send email alerts and I got an offline error from my VOIP provider. What am I doing wrong?

Possible feature upgrade: would it be possible to add URLs to the unban list? Also it would be nice to have a selective list of IOT devices to unban specific ports or URLs instead of globally applied to
all IOT devices. Additionally it would be great to have a list of exactly which ports are un-banned on the 'List Blocked Devices' option.

Again, thanks for the great script!!
 
I am having trouble with the IOT blocking feature. I added my security cam NVR and VOIP ATA IPs to the ban list and allowed both TCP and UDP ports 465 for outgoing NVR emails and 5060 for SIP traffic. After doing this my NVR could not send email alerts and I got an offline error from my VOIP provider. What am I doing wrong?

Assuming debug mode is enabled, Skynet will log any packet it drops. Use these logs to see what ports need to be unblocked.

Possible feature upgrade: would it be possible to add URLs to the unban list?

This is already the case

Code:
( sh /jffs/scripts/firewall unban domain google.com ) This Unbans the URL Specified
 
Assuming debug mode is enabled, Skynet will log any packet it drops. Use these logs to see what ports need to be unblocked.

This is already the case

Code:
( sh /jffs/scripts/firewall unban domain google.com ) This Unbans the URL Specified

Thanks for the reply!

Yes, Debug is enabled and when I select Debug Options/Show Debug Entries as They Appear/All, I get no blocked outbound entries when I try to send a test email from the NVR, yet the test email fails to be sent.

I added the URL to whitelist: smtp.gmail.com to allow the NVR to send email from my Gmail acct but still no email alerts.

Am I missing something obvious? Like I said before, I'm pretty new to this...
 
Hi guys,

Need some help. I want to log all accepted connections while using Skynet and the latest Merlin firmware 384.13. Firewall logged packets type is set to BOTH. Accepted connections are NOT logged in syslog. Tried this thread https://www.snbforums.com/threads/firewall-accepted-packets-not-being-logged.36711/ with no luck and also https://www.snbforums.com/threads/block-or-redirect-logged-packets-type-log-entries.39703/
I see only messages from skynet dropped connections.

Below is the output from

iptables -nvL

Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
    0     0 logdrop    icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmptype 8
 140K  170M logaccept  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   13   969 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 1528  269K PTCSRVWAN  all  --  !br0   *       0.0.0.0/0            0.0.0.0/0
 1996  316K PTCSRVLAN  all  --  br0    *       0.0.0.0/0            0.0.0.0/0
 1996  316K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     all  --  pptp+  *       0.0.0.0/0            0.0.0.0/0            state NEW
 1439  262K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
   89  6844 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 logaccept  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    0     0 INPUT_ICMP  icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 logaccept  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723
    0     0 logaccept  47   --  *      *       0.0.0.0/0            0.0.0.0/0
   89  6844 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            match-set Skynet-IOT src udp dpt:123
    0     0 LOG        all  --  br0    !tun2+  0.0.0.0/0            0.0.0.0/0            match-set Skynet-IOT src LOG flags 7 level 4 prefix "[BLOCKED - IOT] "
    0     0 DROP       all  --  br0    !tun2+  0.0.0.0/0            0.0.0.0/0            match-set Skynet-IOT src
 1273 66060 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
 154K  162M logaccept  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  pptp+  *       0.0.0.0/0            0.0.0.0/0
    0     0 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 logaccept  all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
   40  2100 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 2192  473K NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2192  473K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 logaccept  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
    0     0 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 25333 packets, 17M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain ACCESS_RESTRICTION (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DNSFILTER_DOT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FUPNP (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_ICMP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 13
    0     0 logaccept  icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain NSFW (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OVPN (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tap21  *       0.0.0.0/0            192.168.2.0/24

Chain PControls (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 logaccept  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PTCSRVLAN (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PTCSRVWAN (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain SECURITY (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x02 limit: avg 1/sec burst 5
    0     0 logdrop    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x02
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x04 limit: avg 1/sec burst 5
    0     0 logdrop    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x04
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
    0     0 logdrop    icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain default_block (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain logaccept (9 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "ACCEPT "
 295K  332M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (9 references)
 pkts bytes target     prot opt in     out     source               destination
  142  9913 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain other2wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
    0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0

any help is appreciated, thanks.
 
Thanks for the reply!

Yes, Debug is enabled and when I select Debug Options/Show Debug Entries as They Appear/All, I get no blocked outbound entries when I try to send a test email from the NVR, yet the test email fails to be sent.

I added the URL to whitelist: smtp.gmail.com to allow the NVR to send email from my Gmail acct but still no email alerts.

Am I missing something obvious? Like I said before, I'm pretty new to this...


With debug mode enabled, Skynet logs every connection it blocks. There is no exception to this rule. So if nothing is being logged, it's not Skynet causing the issue.

Need some help. I want to log all accepted connections with using Skynet and latest Merlin firmware 384.13 . Firewall logged packets type is set to BOTH. Accepted connections are NOT logged in syslog.

Works perfectly on my end, make sure you haven't messed with the settings "Default message log level" and "Log only messages more urgent than" in the WebUI.
 
Adamm,

Default message log level = debug
Log only messages more urgent than = all

is that right?

same symptoms on AC87U and AC88U ...
 
Adamm,

Default message log level = debug
Log only messages more urgent than = all

is that right?

same symptoms on AC87U and AC88U ...

No, the default settings are "notice" and "debug"
 
Changed to defaults, restarted router, but with no luck. I only see "kernel: [BLOCKED - INBOUND]" and "[BLOCKED - OUTBOUND]" in syslog. Don't know where the problem is. :/
 
Hmmm well, tried to uninstall Skynet, restarted the router and set Firewall logged packets type to ACCEPTED and .... nothing :) so not a problem of Skynet, thanks for your help Adamm. Will try to post in the main forum.
 
Hmmm well, tried to uninstall Skynet, restarted the router and set Firewall logged packets type to ACCEPTED and .... nothing :) so not a problem of Skynet, thanks for your help Adamm. Will try to post in the main forum.
What traffic are you allowing in through your firewall that needs logging? I don't think you can log outgoing in that way.
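An added example, not from the thread or from Skynet: in the iptables listing posted earlier, the only LOG rule on the accept path sits in the logaccept chain and fires for state NEW only, while the LAN-originated traffic in INPUT and FORWARD (the `br0` rules with non-zero counters) hits a bare ACCEPT and never reaches that chain. The awk filter below reads `iptables -nvL` output and lists every plain ACCEPT rule that has matched traffic, which is a quick way to see which accepted connections cannot show up in syslog no matter what the WebUI logging setting says. The sample rules are a constructed excerpt modelled on the listing above; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Skynet's code: find ACCEPT rules that bypass the
# logaccept chain in `iptables -nvL` output. Only logaccept carries a LOG
# rule (state NEW), so traffic matched by a bare ACCEPT is never logged.

# Constructed excerpt modelled on the INPUT, FORWARD and logaccept chains posted in this thread.
SAMPLE_RULES='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 140K  170M logaccept  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 1996  316K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     all  --  pptp+  *       0.0.0.0/0            0.0.0.0/0            state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 154K  162M logaccept  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 2192  473K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 logaccept  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
    0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logaccept (9 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "ACCEPT "
 295K  332M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# unlogged_accepts : read `iptables -nvL` text on stdin and print
# "CHAIN pkts in out" for each bare ACCEPT rule that has matched traffic.
# The ACCEPT inside logaccept itself is skipped: packets reaching it
# already passed the LOG rule.
unlogged_accepts() {
    awk '
        /^Chain / { chain = $2; next }
        chain != "logaccept" && $3 == "ACCEPT" && $1 != "0" { print chain, $1, $6, $7 }
    '
}

# count_unlogged_accepts : number of such rules in the constructed sample.
count_unlogged_accepts() {
    printf '%s\n' "$SAMPLE_RULES" | unlogged_accepts | wc -l | tr -d ' '
}

# Demo on the sample; on the router pipe the live table instead:
#   iptables -nvL | unlogged_accepts
printf '%s\n' "$SAMPLE_RULES" | unlogged_accepts
```

Run against the live table with `iptables -nvL | unlogged_accepts` (or read the same rules from `iptables -S`, as suggested further down the thread). Every line it prints is a rule whose matches will never produce an "ACCEPT " syslog entry.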
 
With debug mode enabled, Skynet logs every connection it blocks. There is no exception to this rule. So if nothing is being logged, it's not Skynet causing the issue.
....
Sorry, I jumped the gun. Yes I see the blocked messages coming in. See below.

Aug 2 16:30:44 RT-AC86U-D8E0 kernel: [BLOCKED - IOT] IN=br0 OUT=eth0 MAC=... SRC=192.168.. DST=8.8.8.8 LEN=59 TOS=0x00 PREC=0x00 TTL=63 ID=23769 DF PROTO=UDP SPT=35089 DPT=53 LEN=39
Aug 2 16:30:54 RT-AC86U-D8E0 kernel: [BLOCKED - IOT] IN=br0 OUT=eth0 MAC=... SRC=192.168.. DST=8.8.4.4 LEN=59 TOS=0x00 PREC=0x00 TTL=63 ID=26269 DF PROTO=UDP SPT=37258 DPT=53 LEN=39


However it appears to be blocking Google DNS (8.8.8.8 & 8.8.4.4) on UDP port 53. This seems odd because I specifically added those IPs and port 53 to the Unban list...

Perhaps the Unban list is getting overwritten. Is there any way to list the ports in the IOT Unban list?
 
Perhaps the Unban list is getting overwritten. Is there any way to list the ports in the IOT Unban list?
Check the skynet.cfg file in the skynet directory on your usb. Or look at the iptables -S output.
Then make sure you enabled the udp protocol and not just tcp.
 
Check the skynet.cfg file in the skynet directory on your usb. Or look at the iptables -S output.
Then make sure you enabled the udp protocol and not just tcp.

Thanks. Ah yes it appears the Unban list was overwritten by my latest entry (ports 5010 & 5060). So you have to retype all ports each time you update the list?


However that doesn't explain why Google DNS was blocked when I put it in the whitelist?


################################################
## Generated By Skynet - Do Not Manually Edit ##
## Aug 02 17:00:10 ##

## Installer ##
model="RT-AC86U"
localver="v6.8.5"
autoupdate="enabled"
banmalwareupdate="daily"
forcebanmalwareupdate=""
debugmode="enabled"
filtertraffic="all"
swaplocation="/tmp/mnt/ASUS-1/myswap.swp"
swappartition=""

## Counters / Lists ##
blacklist1count="154957"
blacklist2count="1657"
customlisturl=""
customlist2url=""
countrylist=""
excludelists=""

## Settings ##
unbanprivateip="enabled"
loginvalid="disabled"
banaiprotect="enabled"
securemode="enabled"
extendedstats="enabled"
fastswitch="disabled"
syslogloc="/opt/var/log/skynet-0.log"
syslog1loc="/tmp/syslog.log-1"
iotblocked="enabled"
iotports="5010,5060"
iotproto="all"
lookupcountry="enabled"

################################################
 
Thanks. Ah yes it appears the Unban list was overwritten by my latest entry (ports 5010 & 5060). So you have to retype all ports each time you update the list?


However that doesn't explain why Google DNS was blocked when I put it in the whitelist?

IOT unbans apply to source IP or destination ports, different from regular skynet blocks. At least that’s how I read it.

So you can only unblock IOT devices to access a series of ports, not a specific IP.
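An added example, not Skynet's own code: a small checker that reads `iotblocked`, `iotports` and `iotproto` from a skynet.cfg (the file the thread says lives in the skynet directory on the USB stick) and reports whether a given outbound protocol/port from an IOT-set device would pass. It models exactly the behaviour described in the two replies above: the unban list is a set of destination ports, the last `iotports` value written is the whole list, and the destination IP plays no part, so a whitelisted 8.8.8.8 still gets dropped on UDP 53 when 53 is not in `iotports`. Any built-in exceptions Skynet might add are not modelled. The sample cfg is a constructed copy of the settings posted above; the script name, the cfg path and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Skynet's code: answer "would the IOT rules let this
# protocol/port through?" from a skynet.cfg. Models only the iotports list
# (one ACCEPT for listed destination ports, then LOG + DROP for the rest,
# whatever the destination IP); built-in exceptions are not modelled.

# Constructed copy of the relevant lines from the cfg posted in this thread.
SAMPLE_CFG='## Settings ##
iotblocked="enabled"
iotports="5010,5060"
iotproto="all"'

# cfg_value FILE KEY : the value of KEY="..." in FILE (empty if absent).
cfg_value() {
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1" | head -n 1
}

# iot_allowed FILE PROTO PORT : 0 if PROTO (tcp|udp) to PORT is on the
# unban list, 1 if the IOT rules would drop it.
iot_allowed() {
    f=$1; proto=$2; port=$3
    [ "$(cfg_value "$f" iotblocked)" = "enabled" ] || return 0   # IOT blocking off
    case "$(cfg_value "$f" iotproto)" in
        all|"$proto") ;;          # list covers this protocol
        *) return 1 ;;
    esac
    # iotports is comma separated; pad with commas so 53 cannot match 5310.
    case ",$(cfg_value "$f" iotports)," in
        *",$port,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# iot_report FILE : one line per service the thread asked about.
iot_report() {
    f=$1
    for spec in "udp 53 DNS" "tcp 465 SMTPS" "udp 5060 SIP" "tcp 5010 custom"; do
        set -- $spec
        if iot_allowed "$f" "$1" "$2"; then
            echo "$3 ($1/$2): allowed"
        else
            echo "$3 ($1/$2): BLOCKED"
        fi
    done
}

# Usage: sh iot_check.sh /tmp/mnt/<usb-label>/skynet/skynet.cfg   (path assumed)
# With no argument the constructed sample above is checked instead.
if [ $# -gt 0 ] && [ -f "$1" ]; then
    iot_report "$1"
else
    tmpcfg=$(mktemp)
    printf '%s\n' "$SAMPLE_CFG" >"$tmpcfg"
    iot_report "$tmpcfg"
    rm -f "$tmpcfg"
fi
```

With the posted cfg the report shows DNS and SMTPS as BLOCKED and SIP and 5010 as allowed, which is exactly what the "[BLOCKED - IOT]" lines for 8.8.8.8:53 in the syslog excerpt say. To keep the NVR emailing and the ATA registering, the single `iotports` value has to carry every port at once (for example 53, 465 and 5060), since each update replaces the previous list.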
 