Skynet Skynet v8 - Router Firewall & Security Enhancements

[John Fitzgerald]

It may not be specific to that blocklist. All I know is after changing from the default I got the same errors as the others. Lost access over ssh and the gui. Also to note, after power cycling my router the swapfile was also gone (it was physically still there, but not seen by amtm).

did you see my post#13?

 

[Ripshod]

did you see my post#13?

Yes, saw that. Was just adding my own experience and something you never saw
Only now, with the default blocklist everything is fine again.

 

[John Fitzgerald]

Yes, saw that. Was just adding my own experience and something you never saw
Only now, with the default blocklist everything is fine again.

The problem I'm experiencing is with the default settings. Once, I added back my country block list to see if that had any effect, but the problem still occurred after the reboot, so that has no bearing on my issue.

The other thing is my system is more basic than most and was completely reset from scratch with the new firmware update 388.10_2.

 

[Aloyz]

After installing version 8 (upgrade from 7.6.5), Skynet refused to start at all. The only thing that helped was completely removing everything, creating a new swap file, and reinstalling from scratch.

Skynet started, but attempting to add an IoT block via the Skynet options resulted in the following message:

ipset v7.6: Error in line 1: Syntax error: cannot parse comment: resolving to IPv4 address failed

The command “firewall settings iot ban IP_ADDRESS” also did not help, the devices simply did not add themselves to the blocked list, and “IOT Blocking” was “Disabled.” Manually adding an iptables rule helped and allowed the device to be blocked.

"ipset add Skynet-IOT IP_ADDRESS -exist"

Attempting to add a custom BL/ML https://raw.githubusercontent.com/ViktorJp/Skynet/main/filter.list resulted in the message “mv: can't rename ‘/jffs/curllst’”, Skynet hung on " Applying New Blacklist |" and the connection to the router was blocked. Only restarting the router and reinstalling Skynet helped.

After all, I returned to version 7.6.5, which works without any problems, and I am patiently waiting for the v8 upgrade.


If anyone else would also like to return to 7.6.5, here's quick how:

/usr/sbin/curl -fsSL "https://raw.githubusercontent.com/A...47a96d843dba8e33101b6644eb8205cee/firewall.sh" -o "/jffs/scripts/firewall" \
&& chmod 755 /jffs/scripts/firewall && sh /jffs/scripts/firewall install

 

[AvalonOC]

Don't install this version; it will disconnect you from the internet. I reverted to version 7.6.5 using BACKUPMON, but I still had internet problems. I managed to access SKYNET and temporarily disable it. I hope Adamm can fix the issue; these things happen.

 

[Ripshod]

Don't install this version; it will disconnect you from the internet. I reverted to version 7.6.5 using BACKUPMON, but I still had internet problems. I managed to access SKYNET and temporarily disable it. I hope Adamm can fix the issue; these things happen.

Works fine with the default blocklist

 

[dave14305]

These bizarre curl messages about moving the curllst log could be a result of too many parallel curl downloads, especially if using over-the-top custom lists.

asuswrt-merlin.ng/release/src/router/curl/src/tool_main.c at e6461ffd11c64d4ad5a2c6ed0ade5cac21d964bf · RMerl/asuswrt-merlin.ng

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

(This is an Asus customization of curl for security logging.)

 

[Ripshod]

This should have all been beaten out in public betas or at least invites to a 'develop' build, this what they're for.

 

[XxUnkn0wnxX]

scary scary update, thought I bricked my router, had to ssh in fast just to uninstall. thank god for backupmon..
Don't forget to disable auto updates guys. I had this on..

 

[Blacklistedcard]

I had the same problem with a custom list. I had to disable skynet on my BE98Pro. Hopefully we figure out what the problem is.

 

[XxUnkn0wnxX]

I was using Jack-Sparr0w-2o4 Filters
And I did nuke the config fast & ipset, but Skynet still kept shutting me out till I recalled the uninstall command after my 7th reboot.

 

[jksmurf]

I had the same problem with a custom list. I had to disable skynet on my BE98Pro. Hopefully we figure out what the problem is.

Quick question, do you or does anyone else know whether “temporarily” disabling Skynet survives a reboot i.e. remains disabled after a reboot? If not I might need to uninstall just to make sure it doesn’t bork the internet access.

 

[Adamm]

The issue has been narrowed down to excessive custom lists. If your stuck after updating do the following;

Remove WAN cable
Reboot
SSH in and run the following commands

skynetloc="$(grep -ow "skynetloc=.* # Skynet" /jffs/scripts/firewall-start | grep -vE "^#" | awk '{print $1}' | cut -c 11-)"

sed -i '/^customlisturl=/d' "${skynetloc}/skynet.cfg"

sed -i '/^add Skynet-BlockedRanges/d' "${skynetloc}/skynet.ipset"

sed -i '/^add Skynet-Blacklist/d' "${skynetloc}/skynet.ipset"

Plug back in your WAN cable and all will be good again. Need to investigste a little further what exactly in these massive lists are causing the issue (the first of which is reoccuring list names). Anyone using the default list should be completely fine.

 

[John Fitzgerald]

The issue has been narrowed down to excessive custom lists. If your stuck after updating do the following;

Remove WAN cable
Reboot
SSH in and run the following commands



Plug back in your WAN cable and all will be good again. Need to investigste a little further what exactly in these massive lists are causing the issue (the first of which is reoccuring list names). Anyone using the default list should be completely fine.

Not sure about the lists being the problem, in my case using the Diversion Large List. I've tried with and without a modest Country block list, both failing in terms of not surviving a reboot.
This is all on a fresh setup. I would call my setup minimal and basic and less complicated than others here.

 

[XxUnkn0wnxX]

Also, I forgot to mention I also had a massive whitelist as well that could have messed with it, not just massive filter lists. I had to whitelist a while back a lot of ASNs since Jack-Sparr0w-2o4 Filters were very aggressive at one time, & were blocking like a 3rd of the internet for me. Mostly sites are hosted on Amazon AWS servers, so I whitelisted all their server ranges, as well CF, Google, Sony, Demonware & a few others..

I won't mess with it further as I don't want to bork my install for tests, but if someone wants to try with just pure whitelist alone, see if they get locked out with like a massive whitelist alone.

Kind of wish you could run an Asus Merlin image in a VM like you could with most cisco firmwares for their equipment..

 

[Tech9]

I was using Jack-Sparr0w-2o4 Filters

Don't. A salad of whatever this person could find online blocking something.

 

[Davidncali001]

The issue has been narrowed down to excessive custom lists. If your stuck after updating do the following;

Remove WAN cable
Reboot
SSH in and run the following commands



Plug back in your WAN cable and all will be good again. Need to investigste a little further what exactly in these massive lists are causing the issue (the first of which is reoccuring list names). Anyone using the default list should be completely fine.

I have the default skynet lists and the new skynet v8 doesn't survive a reboot. When I go back into the Skynet menu after a reboot via AMTM I can see it doesn’t pass one of the 3 tests Skynet performs.

The only way to get rid of it is to reinstall Skynet and make sure to not reboot.

I experimented a few times with the reboot problem to make sure it wasn’t my usb or router causing the problem. I uninstalled Skynet completely and reinstalled it, created a new swap for Skynet only for it to fail upon reboot again and again.

So current status is that Skynet V8 is working for me as intended as long as I never reboot my router.

RT-AX86U Pro - Asuswrt-Merlin 3006.102.6 Beta, Scibe and Diversion addons.


****EDIT****
See Photo for additional error I just discovered:

 

[Adamm]

I've pushed v8.0.2

This should fix the issue people with particular custom lists were facing. With our new list processing method our private IP filtering function wasn't working as expected so people with unfiltered lists were blocking local ip ranges. This has been fixed along with better handling for duplicate list names and more verbose output when running banmalware.

Apoligies for any downtime anyone experienced due to custom lists. As per my previous comment, if your stuck without wireless due to having a custom list, follow these steps;

Remove WAN cable
Reboot
SSH in and run the following commands

skynetloc="$(grep -ow "skynetloc=.* # Skynet" /jffs/scripts/firewall-start | grep -vE "^#" | awk '{print $1}' | cut -c 11-)"

sed -i '/^customlisturl=/d' "${skynetloc}/skynet.cfg"

sed -i '/^add Skynet-BlockedRanges/d' "${skynetloc}/skynet.ipset"

sed -i '/^add Skynet-Blacklist/d' "${skynetloc}/skynet.ipset"


Plug back in your WAN cable and all will be good again.

 

[Stephen Harrington]

This should fix the issue people with particular custom lists were facing.

@Adamm

Thanks for this - I sat out the initial 8.0.0 upgrade when I saw here it was causing issues but the 8.0.2 release was a smooth upgrade for me with the @Viktor Jaep list I've had loaded for months/years.

 

[bjark]

Reporting a smooth upgrade from 7.6.5 to 8.0.2. Thanks!