Skynet - Router Firewall & Security Enhancements

@Adamm would it make sense to add ASN (add to the whitelist and remove from the whitelist) as well? I was thinking about this over the weekend. Country bans work really well, so well that whitelisting something like Blizzard is a pain. Being able to whitelist an ASN would make this really simple, although, maybe unbanning an ASN will work just as well. With country bans in place, will unbanning an ASN work thru all of the country IP ranges and delete the ranges assigned to an entered ASN?

Here's blizzard, as listed with HE:

https://bgp.he.net/AS57976#_prefixes

Same idea for valve and probably a few others.

Of course this becomes a little more complicated when it comes to updating a country ban list if you have whitelisted ASN ranges in place.
 
Hi. New to Skynet, someone just recommended it as an easy way to block some external IPs from my port forwards.
Just want to understand: is Skynet an actual running process or is it just a script frontend to easily edit the built-in router scripts? I'm hoping for the latter as I'm not sure I want another layer on top of what the router natively provides.

thanks
 
Hi. New to Skynet, someone just recommended it as an easy way to block some external IPs from my port forwards.
Just want to understand: is Skynet an actual running process or is it just a script frontend to easily edit the built-in router scripts? I'm hoping for the latter as I'm not sure I want another layer on top of what the router natively provides.

thanks
It uses iptables and ipsets to block traffic to or from known malware IPs. It runs periodic jobs to update itself and the IP lists, but otherwise you wouldn't see it running. You could use it to ban additional IPs even if they're not in the curated lists.

From the documentation:
Code:
Example Ban Commands;
( sh /jffs/scripts/firewall ban ip 8.8.8.8 "Apples" ) This Bans The IP Specified With The Comment Apples
( sh /jffs/scripts/firewall ban range 8.8.8.8/24 "Apples" ) This Bans the CIDR Block Specified With The Comment Apples
( sh /jffs/scripts/firewall ban domain google.com ) This Bans the URL Specified
( sh /jffs/scripts/firewall ban country "pk cn sa" ) This Bans The Known IPs For The Specified Countries (Accepts Single/Multiple Inputs If Quoted) http://www.ipdeny.com/ipblocks/data/countries/
( sh /jffs/scripts/firewall ban asn AS123456 ) This Bans the ASN Specified
 
It uses iptables and ipsets to block traffic to or from known malware IPs. It runs periodic jobs to update itself and the IP lists, but otherwise you wouldn't see it running. You could use it to ban additional IPs even if they're not in the curated lists.

From the documentation:
Code:
Example Ban Commands;
( sh /jffs/scripts/firewall ban ip 8.8.8.8 "Apples" ) This Bans The IP Specified With The Comment Apples
( sh /jffs/scripts/firewall ban range 8.8.8.8/24 "Apples" ) This Bans the CIDR Block Specified With The Comment Apples
( sh /jffs/scripts/firewall ban domain google.com ) This Bans the URL Specified
( sh /jffs/scripts/firewall ban country "pk cn sa" ) This Bans The Known IPs For The Specified Countries (Accepts Single/Multiple Inputs If Quoted) http://www.ipdeny.com/ipblocks/data/countries/
( sh /jffs/scripts/firewall ban asn AS123456 ) This Bans the ASN Specified

Thanks. So are the commands you list above what I would actually type, or are those the commands skynet generates?
If the former, it would seem that it wasn't exactly an easy UI, but more of a glorified scripting language to abstract iptables a bit?
 
Thanks. So are the commands you list above what I would actually type, or are those the commands skynet generates?
If the former, it would seem that it wasn't exactly an easy UI, but more of a glorified scripting language to abstract iptables a bit?
Those are command line alternatives to the terminal menu system.
 
Hi, I was admiring all the options in Skynet and thinking of installing it. While drawing a mental picture of what I want to do with it, it hit me! Since I can block a list of websites that are known for malware, for ingress, can I replace that list with a list of known ad-serving websites/services? I don't see why not. I wanted to buy a Raspberry Pi and install Pi-hole but since Skynet exists, I think I can use it to do just that. I would like some confirmation on this though.

What is the difference between banmalware <onlinelist> and firewall import blacklist <onlinelistidownloaded.txt> "apples"? Does the banmalware cmd save the stuff from the link in the local swap or does it check links vs that online list every time? Can I import multiple lists into firewall? What is the format required? Can I just use dns names?

Also, what is the resource impact of using Skynet? I noticed that most features I enable on my ac1900u (same hardware as rt-ac68p I think) take about 30-40 MBs throughput toll. Having all those packets processed against a firewall has got to take its toll.

Sorry for formatting, I'm on my phone. Cheers and thanks for any help granted.
 
Since I can block a list of websites that are known for malware, for ingress, can I replace that list with a list of known ad-serving websites/services?

Skynet has a default blacklist sourced from multiple reputable providers which is generally "good enough" for most people's needs. As for ad-blocking, I suggest also installing Diversion, which works hand-in-hand with Skynet.

What is the difference between banmalware <onlinelist> and firewall import blacklist <onlinelistidownloaded.txt> "apples"? Does the banmalware cmd save the stuff from the link in the local swap or does it check links vs that online list every time?

Banmalware uses the default blacklist (or a custom user specified one) and updates it either on a daily or weekly basis depending on what the user chooses. The import feature is a "one off" type feature where the list won't be automatically refreshed in the future.

Can I import multiple lists into firewall?

Yes the import feature can be used as many times as you please with different lists.

What is the format required? Can I just use dns names?

One IP per line, you can check the default lists for examples.

Also, what is the resource impact of using Skynet? I noticed that most features I enable on my ac1900u (same hardware as rt-ac68p I think) take about 30-40 MBs throughput toll. Having all those packets processed against a firewall has got to take its toll.

Besides the 30-60 second period where Skynet updates its lists, Skynet's impact on the system is almost immeasurable. The code has been refined and optimized for 5 years now so things run pretty smoothly :p
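
An added example, not part of the original thread and not Skynet's own code: because the import feature expects one IP per line and is a one-off, a downloaded list can be reduced to that form before it is imported. The function names, the constructed sample feed, the private-range filter and the /8 minimum prefix are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not Skynet code): reduce a downloaded list to the
# "one IP per line" form before a one-off import.
clean_blocklist() {
    tr -d '\r' | awk '
    {
        sub(/[#;].*/, "")              # drop comments
        gsub(/^[ \t]+|[ \t]+$/, "")    # trim whitespace
        if ($0 == "") next
        n = split($0, part, "/")
        if (n > 2) { bad++; next }
        # Assumption: prefixes shorter than /8 are treated as a mistake.
        if (n == 2 && (part[2] !~ /^[0-9]+$/ || part[2] + 0 > 32 ||
                       part[2] + 0 < 8)) { bad++; next }
        # DNS names fail here: the import format is addresses, not hostnames.
        if (split(part[1], o, ".") != 4) { bad++; next }
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^(0|[1-9][0-9]?[0-9]?)$/ || o[i] + 0 > 255) {
                bad++; next
            }
        a = o[1] + 0; b = o[2] + 0
        # Assumption: private, loopback, link-local, CGNAT and multicast
        # space never belongs in a WAN blocklist, so it is dropped.
        if (a == 0 || a == 10 || a == 127 || a >= 224 ||
            (a == 100 && b >= 64 && b <= 127) ||
            (a == 169 && b == 254) ||
            (a == 172 && b >= 16 && b <= 31) ||
            (a == 192 && b == 168)) { bad++; next }
        if (!seen[$0]++) print         # de-duplicate, keep first-seen order
    }
    END { printf "rejected %d line(s)\n", bad > "/dev/stderr" }'
}

# Constructed sample feed (documentation ranges, not real indicators).
sample_list() {
    cat <<'EOF'
# example feed
203.0.113.7
198.51.100.0/24   ; comment after a range
ads.example.com
192.168.1.1
203.0.113.7
8.8.8.300
0.0.0.0/0
EOF
}

sample_list | clean_blocklist
```

The cleaned output is what would be saved to a file and passed to the import command mentioned in the question above; the rejected-line count goes to stderr so it does not end up in that file.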
 
Hi, I was admiring all the options in Skynet and thinking of installing it. While drawing a mental picture of what I want to do with it, it hit me! Since I can block a list of websites that are known for malware, for ingress, can I replace that list with a list of known ad-serving websites/services? I don't see why not. I wanted to buy a Raspberry Pi and install Pi-hole but since Skynet exists, I think I can use it to do just that. I would like some confirmation on this though.

The Lonely Coder already has an ad blocker you can install in your router. It works as well or better than Pi-hole. It's called Diversion.


https://www.snbforums.com/threads/diversion-the-router-ad-blocker.48538/
 
Hi, question, which is the command to uninstall skynet?
A power outage left .cfg locked so I can't access menu to uninstall it and reinstall again
 
Hi, question, which is the command to uninstall skynet?
A power outage left .cfg locked so I can't access menu to uninstall it and reinstall again
Probably by factory resetting the router, not sure.
 
Probably by factory resetting the router, not sure.
Nope, that's not a solution to just reinstall skynet...
There must be a cli command to uninstall it.
 
sh /jffs/scripts/firewall uninstall
Thanks!
 
Suricata is an IPS/IDS system which puts it in the same category as AiProtect. Skynet is a blacklist based solution.

Plus the fact they have over 100 developers working on the project along with significant financial backing :p
Looking back at this old post when I opened the thread to check out what is new... there is one thing Suricata does not have and cannot produce: Adam. Adam, great job on keeping up Skynet as an innovative security solution.
I've pushed v6.9.2

Code:
Add DNSCrypt Whitelisting Support
Add syslog-ng Support
Add ASN Banning/Unbanning Support
 
Hi, I installed Skynet and Diversion on my ac86u, and the CPU usage rises up to 100%. I tried installing firmware 384.13 and 384.14 beta 2 with a factory reset, same result. After removing Skynet, the CPU usage dropped to 3 to 5%.
 
Hi, I installed Skynet and Diversion on my ac86u, and the CPU usage rises up to 100%. I tried installing firmware 384.13 and 384.14 beta 2 with a factory reset, same result. After removing Skynet, the CPU usage dropped to 3 to 5%.
Have you tried "top" or better yet "htop" to see what is using cpu cycles? You may have to install htop using "opkg install htop" from an SSH terminal. Of course you need to have both Skynet and Diversion installed to test.
 
Also, you can expect pretty funky CPU usage for the first few minutes, then it should calm down. This will occur every time the Skynet firewall starts. How long did the high CPU usage last?
 
Have you tried "top" or better yet "htop" to see what is using cpu cycles? You may have to install htop using "opkg install htop" from an SSH terminal. Of course you need to have both Skynet and Diversion installed to test.


I'll try to reinstall Skynet again and check.
Thanks
 
Also, you can expect pretty funky CPU usage for the first few minutes, then it should calm down. This will occur every time the Skynet firewall starts. How long did the high CPU usage last?

The CPU usage went down to below 5% after a few mins but up to 100% after 3 hours.
 
The CPU usage went down to below 5% after a few mins but up to 100% after 3 hours.

Without the output from top or htop like suggested above the CPU usage could be caused by anything :p
 
