Skynet Skynet v8 - Router Firewall & Security Enhancements

[ColDen]

Gather some data and reinstall if you prefer:

cat /tmp/skynet.lock
ls -l /tmp/skynet.lock
ps ww | grep firewall
lsof | grep skynet.lock

Here are the results:

 

[dave14305]

Here are the results:

Wow. That’s a mess, kind of. I would reboot and upgrade.

What is process 22813 (nvram)?

 

[SolCutter]

Giving this a shot myself today. Have custom lists and my first attempt failed. I trust Adamm's work , since it has been out for almost a week now, I went ahead and took the plunge. For whatever reason Skynet wouldn't load, so I uninstalled and then reinstalled.

Considerations for anyone reading this before upgrading...
1. Use the built-in Skynet backup to backup all your lists for easy access later and be sure to copy that file to another directory as when you uninstall Skynet it will delete it.
2. Print a debug from the menu.
3. If you have customized Skynet much outside of the default config with custom list, whitelist, etc, then consider uninstalling Skynet first.

My install completed and Skynet appears to be running. HOWEVER, whitelisting doesn't seem to be working. I disabled the CDN whitelisting feature, then began adding back my previous whitelist and they don't seem to be saving. Also, the whitelist in Diversion, I thought Skynet pulled these? Maybe these don't register when you go to view whitelist?

So far my steps have been (after the failed installation) to uninstall and then installed Skynet--this is when it started working. When I couldn't whitelist, or the whitelist entries I was adding did not appear when I choose the view whitelist option (view all), I then uninstalled and rebooted. Once boot was complete I installed again and my whitelist don't appear to be working. I'm assuming this is a permissions issue. I've since rebooted. I can whitelist domains, which I was hoping it would pull the Diversion whitelist there. I can't whitelist IPs or CIDRs--this is my issue, for now.

 

[dave14305]

whitelist don't appear to be working.

The whitelist works, but there’s a bug in the comment being added and they are added with the comment “nofilter” instead of “ManualWlist:…”. The order of parameters passed to the wrapper function seems to be wrong in that scenario. For @Adamm to fix.

Actually, the ranges won’t work since the nofilter option isn’t passed properly. So you can whitelist an IP, but not a range at the moment.

 

[SolCutter]

The whitelist works, but there’s a bug in the comment being added and they are added with the comment “nofilter” instead of “ManualWlist:…”. The order of parameters passed to the wrapper function seems to be wrong in that scenario. For @Adamm to fix.

Actually, the ranges won’t work since the nofilter option isn’t passed properly. So you can whitelist an IP, but not a range at the moment.

I tried adding a single IP address in as 12.34.56.78/32 and as 12.34.56.78, or without the bitmask, and it's not showing up when I go to view the whitelist, that's without CDN whitelisting turned on. I have chosen to save changes, and then view, this works for the CDN whitelisting so that when going to view and having disabled the CDN whitelisting--viewing the whitelist shows only what's been whitelisted and not the CDNs.

Then the Diversion whitelist, are those supposed to show up when you choose to view whitelist? I've also chosen to restart Skynet after saving, this doesn't seem to make a difference.

I can work around it for now...

 

[dave14305]

I tried adding a single IP address in as 12.34.56.78/32 and as 12.34.56.78, or without the bitmask, and it's not showing up when I go to view the whitelist,

For now, you can verify if they are there with ipset -L Skynet-Whitelist | grep nofilter

The Diversion whitelist will be visible only in the dnsmasq.conf.add file as domains for dnsmasq to populate IPs in the whitelist ipset.

 

[Boji]

was having issues whitelisting domains via commandline, updating to 8.0.5 seems to have fixed that issue.

ipset -L Skynet-Whitelist | grep sitename

is now showing results.

 

[Adamm]

I've pushed v8.0.6

fix whitelist parameters to wrapper function @dave14305
Improve Domain_Lookup()
- No accidental whitelisting of DNS resolvers.
- Correct handling for CNAME → A-record chains.
Improve Check_Lock() handling of existing processes
Update to new ban reason method in WebUI stats
Fix Refresh_MBans()

 

[Mutzli]

I updated to 8.06 and tried the IoT feature on my RT-BE96U again by blocking just one address 192.168.1.94. Immediately after saving the blocking file I get:

IPTables Rules | [Failed]

When I try to get back into the [11] Settings / [12] IOT Blocking I get:

[*] Skynet Not Running - Exiting

And firewall debug info returns an error in:

Log Level 6 Settings [Failed]

IPTables Rules [Failed]

and an error at the end:

[*] Rule Integrity Violation - [ #12 ]

Workarounds tried:- Manual flush of Skynet-IOT ipset- Editing firewall script to force iotblocked="disabled"- Only full removal/reinstall restores functionality

 

[dave14305]

[*] Rule Integrity Violation - [ #12 ]

This is related to a check when a vpn server is enabled. Check the output of iptables -S FORWARD | grep Skynet-IOT for tun2+ rules. Skynet is looking for:

-A FORWARD -i br+ -o tun2+ -m set --match-set Skynet-IOT src -j ACCEPT

 

[Mutzli]

This is related to a check when a vpn server is enabled. Check the output of iptables -S FORWARD | grep Skynet-IOT for tun2+ rules. Skynet is looking for:

-A FORWARD -i br+ -o tun2+ -m set --match-set Skynet-IOT src -j ACCEPT

I don't have any VPN server active on that router. I think line #12 is looking for WireGuard VPN. Here is what I tried next:

iptables -S FORWARD | grep Skynet-IOT

didn't return any result

Next, I manually add the missing iptables:

iptables -I FORWARD -i br+ -o tun2+ -m set --match-set Skynet-IOT src -j ACCEPT
iptables -I FORWARD -i br+ -o wgs+ -m set --match-set Skynet-IOT src -j ACCEPT

Checking the iptables rules again returned the following:

-A FORWARD -i br+ -o eth1 -p icmp -m set --match-set Skynet-IOT src -j ACCEPT
-A FORWARD -i br+ -o eth1 -p udp --dport 123 -m set --match-set Skynet-IOT src -j ACCEPT
-A FORWARD -i br+ -m set --match-set Skynet-IOT src -j LOG --log-prefix "[BLOCKED - IOT]"
-A FORWARD -i br+ -m set --match-set Skynet-IOT src -j DROP
-A FORWARD -i br+ -o tun2+ -m set --match-set Skynet-IOT src -j ACCEPT

• Despite rules being present, Skynet still reports:
  1. IPTables Rules | [Failed]
  2. Rule Integrity Violation - [ #12 ]

 

[Mutzli]

I did a quick check to see if the router reports any active VPN server, but that is not the case.

nvram get vpn_server1_state = 0
nvram get vpn_server2_state = 0

 

[dave14305]

Despite rules being present, Skynet still reports:

1. IPTables Rules | [Failed]
2. Rule Integrity Violation - [ #12 ]

There’s a minor bug in that check. I sent a pull request to @Adamm

 

[ColDen]

Wow. That’s a mess, kind of. I would reboot and upgrade.

What is process 22813 (nvram)?

Thanks for your assistance,

No idea about process 22813 (nvram). Nevertheless, I will update to 8.0.6 or greater once Adamm will have fixed your reported minor bug.