Skynet - Router Firewall & Security Enhancements

I highly recommend switching to using a swap file over a swap partition. They are significantly easier to manage/repair and supported by most of the scripts on this forum that also use my swap functions.

So,) I realise your recommendation - but
[*] Lock File Detected (start skynetloc=/tmp/mnt/NET/skynet) (pid=623)
[*] Locked Processes Generally Take 1-2 Minutes To Complete And May Result In Temporarily "Failed" Tests

IPSets | [Failed]
IPTables Rules | [Failed]
Right now I use a swap file instead of a swap partition.
 
So,) I realise your recommendation - but
[*] Lock File Detected (start skynetloc=/tmp/mnt/NET/skynet) (pid=623)
[*] Locked Processes Generally Take 1-2 Minutes To Complete And May Result In Temporarily "Failed" Tests

IPSets | [Failed]
IPTables Rules | [Failed]
Right now I use a swap file instead of a swap partition.
If you reload the menu, does it ever Pass?
 
I found reloading the menu does not work for me. If I select Debug Options, then Print Debug Info, followed by Press Enter to Continue. It will recover!
 
Hi, one little question.
Has anyone experienced this problem in their log:

Feb 7 16:13:38 RT-AC66U_B1 custom_script: Running /jffs/scripts/service-event (args: restart watchdog)
Feb 7 16:21:38 RT-AC66U_B1 check_watchdog: [check_watchdog] restart watchdog for no heartbeat
Feb 7 16:21:38 RT-AC66U_B1 rc_service: check_watchdog 234:notify_rc restart_watchdog

Service event has only two calls: uiscribe and Skynet

Skynet one is this:
if [ "$1" = "start" ] && [ "$2" = "SkynetStats" ]; then sh /jffs/scripts/firewall debug genstats; fi # Skynet Firewall Addition
 
I found reloading the menu does not work for me. If I select Debug Options, then Print Debug Info, followed by Press Enter to Continue. It will recover!

Can't reproduce this on my end, please post the exact steps to take.

Hi, one little question.
Has anyone experienced this problem in their log:

Feb 7 16:13:38 RT-AC66U_B1 custom_script: Running /jffs/scripts/service-event (args: restart watchdog)
Feb 7 16:21:38 RT-AC66U_B1 check_watchdog: [check_watchdog] restart watchdog for no heartbeat
Feb 7 16:21:38 RT-AC66U_B1 rc_service: check_watchdog 234:notify_rc restart_watchdog

Service event has only two calls: uiscribe and Skynet

Skynet one is this:
if [ "$1" = "start" ] && [ "$2" = "SkynetStats" ]; then sh /jffs/scripts/firewall debug genstats; fi # Skynet Firewall Addition


That's expected behavior. Every time an event is run that script is executed with the event args so devs can hook into them.
 
Ok,
I'm trying to backtrace a bug that plagues my router...
Every 4-6 days the webui refuses to respond and via ssh I can issue a command but it hangs.
The only clue is in the logfile, where I can see a continuous repeat of the strings I sent in my previous message....
So, you are saying that /jffs/scripts/service-event is summoned by the watchdog?
 
Can't reproduce this on my end, please post the exact steps to take.

In an effort to reproduce, these are the steps that will get me to the same result every time. The first time I noticed the behavior was after an update a few weeks back. Sorry I did not report it sooner but I wasn't sure it was happening until the next time I updated. First (for this test) I disable Skynet menu option [9].

And as expected get this:
Code:
Router Model; RT-AX88U
Skynet Version; v7.0.9 (01/02/2020) (938354bde7d43e17561b3976fe0fd6dc)
iptables v1.4.15 - (eth0 @ 192.168.xxx.1)
ipset v6.32, protocol version: 6
IP Address; (134.xxx.xxx.xxx)
FW Version; 384.15_beta1 (Feb 1 2020) (4.1.51)
Install Dir; /tmp/mnt/T3/skynet (216.3G / 229.1G Space Available)
SWAP File; /tmp/mnt/T3/myswap.swp (1.0G)
Banned Countries; bg br cn ir kp ro rs ru tr ua in co nl

Cron Jobs                           | [Failed]
IPSets                              | [Failed]
IPTables Rules                      | [Failed]

Next menu Option [8] to Restart Skynet and as expected get this:
Code:
Router Model; RT-AX88U
Skynet Version; v7.0.9 (01/02/2020) (938354bde7d43e17561b3976fe0fd6dc)
iptables v1.4.15 - (eth0 @ 192.168.xxx.1)
ipset v6.32, protocol version: 6
IP Address; (134.xxx.xxx.xxx)
FW Version; 384.15_beta1 (Feb 1 2020) (4.1.51)
Install Dir; /tmp/mnt/T3/skynet (216.3G / 229.1G Space Available)
SWAP File; /tmp/mnt/T3/myswap.swp (1.0G)
Banned Countries; bg br cn ir kp ro rs ru tr ua in co nl

[*] Lock File Detected (start skynetloc=/tmp/mnt/T3/skynet) (pid=19703)
[*] Locked Processes Generally Take 1-2 Minutes To Complete And May Result In Temporarily "Failed" Tests

Cron Jobs                           | [Failed]
IPSets                              | [Failed]
IPTables Rules                      | [Failed]

After 3 and then 5 minutes (plenty of time for AX88U) I [r] Reload Menu still get
Code:
Router Model; RT-AX88U
Skynet Version; v7.0.9 (01/02/2020) (938354bde7d43e17561b3976fe0fd6dc)
iptables v1.4.15 - (eth0 @ 192.168.xxx.1)
ipset v6.32, protocol version: 6
IP Address; (134.xxx.xxx.xxx)
FW Version; 384.15_beta1 (Feb 1 2020) (4.1.51)
Install Dir; /tmp/mnt/T3/skynet (216.3G / 229.1G Space Available)
SWAP File; /tmp/mnt/T3/myswap.swp (1.0G)
Banned Countries; bg br cn ir kp ro rs ru tr ua in co nl

IPSets                              | [Failed]
IPTables Rules                      | [Failed]

Goto [12] Debug Options then [2] Print Debug Info
Code:
Router Model; RT-AX88U
Skynet Version; v7.0.9 (01/02/2020) (938354bde7d43e17561b3976fe0fd6dc)
iptables v1.4.15 - (eth0 @ 192.168.xxx.1)
ipset v6.32, protocol version: 6
IP Address; (134.xxx.xxx.xxx)
FW Version; 384.15_beta1 (Feb 1 2020) (4.1.51)
Install Dir; /tmp/mnt/T3/skynet (216.3G / 229.1G Space Available)
SWAP File; /tmp/mnt/T3/myswap.swp (1.0G)
Syslog Location; (/opt/var/log/skynet-0.log) (/tmp/syslog.log-1)
Banned Countries; bg br cn ir kp ro rs ru tr ua in co nl
Uptime; 4 days, 19 hours, 30 minutes.
Ram Available; (444M / 882M)


---------------                          | ------------     | ---------------      | ----------   
| Device Name |                          | | Local IP |     | | MAC Address |      | | Status |   
---------------                          | ------------     | ---------------      | ----------   

Unknown                                  | 192.168.xxx.50   | cc:5a:xx:xx:xx:xx    | Online
Reduced what was reported here since not needed!

--------------------                | ----------
| Test Description |                | | Result |
--------------------                | ----------

Internet-Connectivity               | [Passed]
Write Permission                    | [Passed]
Firewall-Start Entry                | [Passed]
Services-Stop Entry                 | [Passed]
Service-Event Entry                 | [Passed]
SWAP File                           | [Passed]
Cron Jobs                           | [Passed]
NTP Sync                            | [Passed]
IPSet Comment Support               | [Passed]
Log Level 5 Settings                | [Passed]
Duplicate Rules In RAW              | [Passed]
IPSets                              | [Failed]
IPTables Rules                      | [Failed]
Local WebUI Files                   | [Passed]
Mounted WebUI Files                 | [Passed]
MenuTree.js Entry                   | [Passed]
Diversion Plus Content              | [Passed]


-----------                         | ----------
| Setting |                         | | Status |
----------                          | ----------

Skynet Auto-Updates                 | [Enabled]
Malware List Auto-Updates           | [Enabled]
Logging                             | [Enabled]
Filter Traffic                      | [Enabled]
Unban PrivateIP                     | [Enabled]
Log Invalid Packets                 | [Enabled]
Ban AiProtect                       | [Enabled]
Secure Mode                         | [Enabled]
Fast Switch List                    | [Disabled]
Syslog Location                     | [Custom]
IOT Blocking                        | [Enabled]
Country Lookup For Stats            | [Enabled]
CDN Whitelisting                    | [Enabled]
Display WebUI                       | [Enabled]

15/17 Tests Sucessful           

[*] Rule Integrity Violation - [ #1 #2 #3 #4 #5 #6 #7 #8 #11 #12 #13 #16 #17 #18 #19 #20 ]


=============================================================================================================


[#] 111128 IPs (+0) -- 38448 Ranges Banned (+0) || 36 Inbound -- 0 Outbound Connections Blocked! [debug] [1s]

Press Enter To Continue - All is well
Code:
Router Model; RT-AX88U
Skynet Version; v7.0.9 (01/02/2020) (938354bde7d43e17561b3976fe0fd6dc)
iptables v1.4.15 - (eth0 @ 192.168.xxx.1)
ipset v6.32, protocol version: 6
IP Address; (134.xxx.xxx.xxx)
FW Version; 384.15_beta1 (Feb 1 2020) (4.1.51)
Install Dir; /tmp/mnt/T3/skynet (216.3G / 229.1G Space Available)
SWAP File; /tmp/mnt/T3/myswap.swp (1.0G)
Banned Countries; bg br cn ir kp ro rs ru tr ua in co nl

111128 IPs (+0) -- 38448 Ranges Banned (+0) || 51 Inbound -- 0 Outbound Connections Blocked!

Select Menu Option:
[1]  --> Unban
[2]  --> Ban
[3]  --> Malware Blacklist
[4]  --> Whitelist
[5]  --> Import IP List
[6]  --> Deport IP List
[7]  --> Save
[8]  --> Restart Skynet
[9]  --> Temporarily Disable Skynet
[10] --> Update Skynet
[11] --> Settings
[12] --> Debug Options
[13] --> Stats
[14] --> Install Skynet
[15] --> Uninstall

[r]  --> Reload Menu
[e]  --> Exit Menu

[1-15]:

Apologies for the length of the Post, hopefully this will help.
 
I've pushed v7.0.10

Code:
Support new shared-whitelist directory
Move conflicting script check to install function
Use reboot service for consistency
Fix typos
Fix $fail not being unset during startup logging
Add Display_Message()
Fix comment menu inconsistency
Enable country lookup by default
Fix comment length check
Dont warn about Log Invalid Packets being disabled
Fix rule violation logic
 
but now my WAN web access doesn't work(

That is intended behavior as the "secure mode" setting is enabled by default (this can be disabled but I highly advise against it). You should never expose the WebUI/SSH to WAN as it's a huge security risk, instead use OpenVPN to access it remotely.
 
v7.0.10 fixes what I reported also! Thanks...
 
That is intended behavior as the "secure mode" setting is enabled by default (this can be disabled but I highly advise against it). You should never expose the WebUI/SSH to WAN as it's a huge security risk, instead use OpenVPN to access it remotely.
I disable secure mode, but wan access won't work after it...
 
@Adamm suddenly I am unable to access the net with skynet enabled. I see zero dnsmasq queries going to dnscrypt when enabled. Sometimes I can access via IP like tor, other times not. How can I determine what happened here and actually continue using your software. Could this be due to a hacker, automated protections delivered by skynet, or something else?

It also takes 10-30 minutes to load skynet entirely on boot, even after setting ntp manually etc.

I was seeing the following:

Feb 9 03:33:09 kernel: DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:04:95:e6:28:37:30:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF OPT (94040000) PROTO=2\

I see no logs suggesting any other blocking, so I find it strange that skynet would cause this unless the rules were compromised or incorrect in a list update. How can I determine how skynet is blocking my internet?
 
I cleared ALL blocks, then I could access the net again. I could still after manually updating all lists including those that load on boot, however after a reboot, the same problem came back again. No internet while skynet is enabled. I'm using 7.0.10.
 
I cleared ALL blocks, then I could access the net again. I could still after manually updating all lists including those that load on boot, however after a reboot, the same problem came back again. No internet while skynet is enabled. I'm using 7.0.10.
Is logging enabled? If Skynet is at fault, it would leave evidence in its logging.
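
A way to act on the logging advice above, as an added example that is not part of the thread or of Skynet: this script groups kernel netfilter LOG lines by prefix, direction, protocol and destination port, so a DNS-related drop would stand out from noise such as the quoted IGMP (PROTO=2) multicast packet. The function names, the EXAMPLE-BLOCK prefix and every log line except the first are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample log. Line 1 is the entry quoted in the post; the other
# lines, the EXAMPLE-BLOCK prefix and all addresses are invented for the demo.
sample_log() {
cat <<'EOF'
Feb 9 03:33:09 kernel: DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:04:95:e6:28:37:30:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF OPT (94040000) PROTO=2
Feb 9 03:33:11 kernel: EXAMPLE-BLOCK IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 TTL=63 ID=1 PROTO=UDP SPT=40000 DPT=53 LEN=40
Feb 9 03:33:12 kernel: EXAMPLE-BLOCK IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 TTL=63 ID=2 PROTO=UDP SPT=40001 DPT=53 LEN=40
Feb 9 03:33:15 kernel: EXAMPLE-BLOCK IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=44 TTL=51 ID=3 PROTO=TCP SPT=51000 DPT=23 WINDOW=1024 SYN
Feb 9 03:33:16 dnsmasq[321]: query[A] example.com from 192.168.1.50
EOF
}

# Reads syslog on stdin and prints "count prefix|direction|proto|dport",
# most frequent first. Lines without netfilter LOG fields are skipped.
summarise_drops() {
    awk '
    {
        p = index($0, "kernel: "); q = index($0, " IN=")
        if (p == 0 || q <= p) next
        prefix = substr($0, p + 8, q - p - 8)   # text between "kernel: " and " IN="
        inif = ""; outif = ""; proto = "?"; dpt = "-"
        for (k = 1; k <= NF; k++) {
            if ($k ~ /^IN=/)    inif  = substr($k, 4)
            if ($k ~ /^OUT=/)   outif = substr($k, 5)
            if ($k ~ /^PROTO=/) proto = substr($k, 7)
            if ($k ~ /^DPT=/)   dpt   = substr($k, 5)
        }
        if (proto == "2") proto = "IGMP"        # protocol 2 is logged as a number
        # Empty OUT= means the packet was addressed to the router itself.
        dir = (outif == "") ? "inbound" : ((inif == "") ? "outbound" : "forwarded")
        seen[prefix "|" dir "|" proto "|" dpt]++
    }
    END { for (key in seen) print seen[key], key }' | sort -rn
}

# Count logged drops whose destination port is $1 (for example 53 for DNS).
count_dport() {
    awk -v port="$1" '
        / IN=/ { for (k = 1; k <= NF; k++) if ($k == ("DPT=" port)) { n++; break } }
        END { print n + 0 }'
}

sample_log | summarise_drops
printf 'drops to port 53: %s\n' "$(sample_log | count_dport 53)"
```

On the router, feed the functions the syslog file reported under "Syslog Location" in Print Debug Info instead of `sample_log`.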
 
I must be an idiot; am I not supposed to see some fancy new GUI for skynet with 384.15?
If you have skynet installed, there is a tab on the "firewall" page:
[Image: skynet.jpg]
 
