Skynet Skynet v8 - Router Firewall & Security Enhancements

"Skynet: USB install directory not ready — sleeping 10s (1/10)". Reinstalling gives the same error; the swap file is there on /tmp/mnt/LINUXCULBUR/. Any ideas?
Check that the path matches what is in firewall-start and is writable.
Code:
grep skynetloc /jffs/scripts/firewall-start
ls -ld /tmp/mnt/*/skynet
touch /tmp/mnt/LINUXCULBUR/skynet/test
mount | grep mnt
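The four manual checks in the reply above (is the skynetloc path in firewall-start, is the USB filesystem mounted, does the directory exist, is it writable) folded into one function. This is an added example, not Skynet's own code. It assumes that firewall-start carries the location as a single `skynetloc=<dir>` token and that the Skynet directory sits directly under the USB mount point (as in /tmp/mnt/LINUXCULBUR/skynet); the mount table defaults to /proc/mounts but a saved copy can be passed as the second argument so the check can be run off the router.

```shell
#!/bin/sh
# Added example (not part of Skynet): reproduce the manual readiness checks
# from the thread as one function that explains which step fails.
# Assumptions: firewall-start contains one "skynetloc=<dir>" token, and the
# parent of <dir> is the USB mount point (default Skynet layout).

# skynet_loc_check FIREWALL_START [MOUNT_TABLE]
# MOUNT_TABLE defaults to /proc/mounts; pass a saved copy to test offline.
# Returns 0 when the install directory is mounted and writable, 1 otherwise.
skynet_loc_check() {
    fw_start="$1"
    mounts="${2:-/proc/mounts}"

    if [ ! -r "$fw_start" ]; then
        echo "ERR: cannot read $fw_start"
        return 1
    fi

    # First skynetloc=<path> token found in firewall-start.
    loc=$(sed -n 's/.*skynetloc=\([^ ]*\).*/\1/p' "$fw_start" | head -n 1)
    if [ -z "$loc" ]; then
        echo "ERR: no skynetloc= entry in $fw_start"
        return 1
    fi
    echo "skynetloc=$loc"

    # Parent of the skynet dir is expected to be the USB mount point; the
    # mount point is the second, space-delimited field of the mount table.
    mnt=$(dirname "$loc")
    if ! grep -qF -- " $mnt " "$mounts"; then
        echo "ERR: $mnt is not in the mount table (USB not mounted yet?)"
        return 1
    fi
    echo "mounted: $mnt"

    if [ ! -d "$loc" ]; then
        echo "ERR: $loc does not exist on the mounted filesystem"
        return 1
    fi

    # Really create a file: a read-only remount still reports -w as true.
    probe="$loc/.skynet_write_probe.$$"
    if ! ( : > "$probe" ) 2>/dev/null; then
        echo "ERR: $loc is not writable (read-only mount or permissions)"
        return 1
    fi
    rm -f "$probe"
    echo "writable: $loc"
    return 0
}
```

On the router, `skynet_loc_check /jffs/scripts/firewall-start` is enough; the "not in the mount table" branch is the one that corresponds to the sleeping/retry message, since Skynet starts before the USB stick is mounted and gives up after the tenth attempt.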
 
thanks
 
I've been using Skynet for years without many issues, but lately I've been experiencing problems whereby regular domains I visit are blocked at a quite alarming rate, sometimes even while I'm using them. I then need to unban the domain in Skynet and update the Diversion blocklist for the site to work again.

I'm at a loss what it could be. I'm using a VPN, but that has never been an issue, and I have been using Unbound to do DNS lookups over my VPN using VPNmon for the last half year or so, but I didn't have any issues with that either before. Has anyone any idea what this could be?
 

I don't seem to be having such an issue (using Skynet too). Possibly your blocklists? Are you saying the problem is resolved when you turn off Skynet? If so, could it be your blocklists are overkill or something?
 
I've been using the same two blocklists in Diversion for years, and I checked: the domains are not included, yet they are being blocked by Skynet. So that makes me believe that it is Skynet that somehow believes they should be blocked. But I have no prior experience of how I would troubleshoot such a thing. Skynet used to just work for me, so I never really had to do much digging into it. I just posted here hoping someone might have some insight before going any further.
 
Please be aware that blocklists are generally curated by a third party, which means that they change according to that third party's own criteria.
Sometimes blocklists get changes that are flawed or accidentally 'too aggressive'.
These are usually corrected in due course, BUT it may take a little time for the issues to be reported and then corrected.
This is the risk you take with other people's blocklists which you do not directly control.

Are you using the default blocklists in Skynet ?

If not you have the option to reset the blocklists to default. [Main Menu Option 3 then Option 3 AGAIN (Reset Filter List)]

OR

Within Skynet you can add 'Whitelisted entries' [Main Menu Option 4] (these will be the names/IPs that you are finding blocked):
Code:
Select Whitelist Option:
[1]  --> IP/Range
[2]  --> Domain
[3]  --> ASN
[4]  --> Refresh VPN Whitelist
[5]  --> Remove Entries
[6]  --> Refresh Entries
[7]  --> View Entries

[e]  --> Exit

[1-7]:
 
I'm using the default lists, but I've reset the blocklists nevertheless. I've enabled logging and I'll see if I can figure out what the ban reason is and take it from there. Thanks for your help.
 
Assuming you have command line access to your router, find out which blocklist is causing the Skynet outbound drop. Example:
Code:
# firewall stats search domain settings-prod-cin-1.centralindia.cloudapp.azure.com
The Skynet command line help is at:
Code:
https://github.com/Adamm00/IPSet_ASUS
If you temporarily need to switch Skynet blocklists URL for testing, here is what I am using:
Code:
https://raw.githubusercontent.com/ViktorJp/Skynet/main/filter.list
 
To search a domain in Diversion blocklists, here is an example:
Code:
# grep "variations.brave.com" /opt/share/diversion/backup/hostsfile*txt
/opt/share/diversion/backup/hostsfile_cdn.jsdelivr.net-gh-hagezi-dns-blocklists@latest-dnsmasq-pro.txt:local=/variations.brave.com/
Here are the custom blocking lists I am using:
Code:
https://big.oisd.nl/dnsmasq2
https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/dnsmasq/anti.piracy.txt
https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/dnsmasq/gambling.txt
https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/dnsmasq/pro.txt
https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/dnsmasq/tif.txt
 
I block these for security and privacy:

'add Skynet-Whitelist 8.8.8.8 comment "CDN-Whitelist: GoogleDNS"' \
'add Skynet-Whitelist 8.8.4.4 comment "CDN-Whitelist: GoogleDNS"' \
'add Skynet-Whitelist 1.1.1.1 comment "CDN-Whitelist: CloudFlareDNS"' \
'add Skynet-Whitelist 1.0.0.1 comment "CDN-Whitelist: CloudFlareDNS"'

so... will this override the block?
 
will this override the block?
Yes, the whitelist always wins over the blocklist. I’m not sure I understand why these particular servers are hardcoded, since the whitelist already includes whatever DNS servers are configured on WAN or DNS Privacy.
 
How can we make this optional?
 
How can we make this optional?
Good point, because I block Google DNS since it's notorious for tracking.

I don't have it right offhand; however, there are files associated with these lists that you could edit to remove the whitelist entries, if you can't find it via the user interface provided (menu driven via SSH). I have blocked various ports to 8.8.8.8 on my router in order to block DNS, including QUIC, since some Google DNS queries are UDP over 443, using the standard Asus web config console.

I learned when version 8 came out that you might just want to skip the upgrade, unless it fixes something you are dealing with or patches a CVE, because I thought I'd lost all of my configs, briefly. That's the easiest answer (to skip the update), and there are ways posted on this forum on how to roll back if you have already updated, especially in the first few pages of this thread.

Not to self-promote, but I created a script to examine the security controls on these routers back around November. That script has some information on where the config files, logs etc. for Skynet, Diversion, and even AiProtect (some call it AiProtection, which is the proper name) live. You can use that for more information on your router's security, and I hope to release a new version soon when I find the time. Good luck!

Oh and here's the link to that script:

 
How can we make this optional?
You could delete the lines from the firewall script (currently lines 1271-1276), but they will come back with every Skynet upgrade.
Code:
            # Public DNS resolvers
            printf '%s\n' \
                'add Skynet-Whitelist 8.8.8.8 comment "CDN-Whitelist: GoogleDNS"' \
                'add Skynet-Whitelist 8.8.4.4 comment "CDN-Whitelist: GoogleDNS"' \
                'add Skynet-Whitelist 1.1.1.1 comment "CDN-Whitelist: CloudFlareDNS"' \
                'add Skynet-Whitelist 1.0.0.1 comment "CDN-Whitelist: CloudFlareDNS"'
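An offline version of the two lookups shown earlier in the thread (`firewall stats search domain ...` for Skynet and the `grep` over Diversion's hosts files), combined with the whitelist-before-blocklist precedence discussed in this post. This is an added example, not Skynet's or Diversion's own code, meant for copies of the list files pulled off the router. It covers two things a plain `grep` for the literal string misses: Skynet lists are IP ranges, so an address can be covered by a CIDR that never contains its dotted text, and a dnsmasq `local=/example.com/` line blocks every subdomain, so the exact name you typed may not appear at all. The list files, names and addresses in the test are constructed; the `address=/.../` form is included as an assumption about older Diversion lists.

```shell
#!/bin/sh
# Added example (not Skynet's or Diversion's code). Works on copies of list
# files: Skynet-style lists hold one IPv4 address or a.b.c.d/N per line
# (comments ignored); Diversion-style lists hold dnsmasq local=/name/ or
# address=/name/... lines.

# cidr_match IP FILE...  -> prints "FILE:ENTRY" for the first entry whose
# range contains IP; returns 1 if no entry does.
cidr_match() {
    ip="$1"; shift
    [ $# -gt 0 ] || return 1
    hit=$(awk -v ip="$ip" '
        function toint(a,   o) {
            split(a, o, ".")
            return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4]
        }
        BEGIN { ipn = toint(ip) }
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            entry = $1
            n = split(entry, p, "/")
            bits = (n == 2) ? p[2] + 0 : 32
            if (bits < 0 || bits > 32) next
            # POSIX awk has no bitwise operators; dividing by 2^(32-bits)
            # and truncating drops the host part. 32-bit values are exact.
            div = 2 ^ (32 - bits)
            if (int(ipn / div) == int(toint(p[1]) / div)) {
                print FILENAME ":" entry
                exit
            }
        }' "$@")
    [ -n "$hit" ] || return 1
    echo "$hit"
}

# skynet_verdict IP WHITELIST_FILE BLOCKLIST_FILE...
# Whitelist is checked first, mirroring "the whitelist always wins".
# Prints whitelisted:FILE:ENTRY (returns 0), blocked:FILE:ENTRY (returns 1)
# or allowed (returns 0).
skynet_verdict() {
    ip="$1"; wl="$2"; shift 2
    if hit=$(cidr_match "$ip" "$wl"); then
        echo "whitelisted:$hit"; return 0
    fi
    if hit=$(cidr_match "$ip" "$@"); then
        echo "blocked:$hit"; return 1
    fi
    echo "allowed"; return 0
}

# diversion_lookup NAME FILE...  -> walks NAME and each parent domain and
# prints "FILE:LINE" for the first dnsmasq entry that covers it; returns 1
# if none does.
diversion_lookup() {
    dom="$1"; shift
    [ $# -gt 0 ] || return 1
    while [ -n "$dom" ]; do
        pat=$(printf '%s' "$dom" | sed 's/\./\\./g')     # escape dots for grep
        hit=$(grep -H -E "^(local|address)=/$pat/" "$@" 2>/dev/null | head -n 1)
        if [ -n "$hit" ]; then echo "$hit"; return 0; fi
        case "$dom" in
            *.*) dom="${dom#*.}" ;;   # drop the leftmost label, try the parent
            *)   dom="" ;;
        esac
    done
    return 1
}
```

Usage off-router: resolve the troublesome name (`nslookup`, or the address from Skynet's own log entry), then `skynet_verdict <ip> whitelist.txt list1.txt list2.txt` tells you which list range covers it, and `diversion_lookup <name> hostsfile_*.txt` tells you which hosts file (and which parent domain) is responsible. Deleting the hardcoded 8.8.8.8/1.1.1.1 whitelist entries changes the first function's answer for those addresses only if some blocklist range happens to cover them, which is exactly the situation the whitelist entries were added to avoid.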
 
Google DNS and Cloudflare DNS have been removed from the Private IP filter and moved to the Whitelist_CDN() function, which can be disabled in settings.

I didn't want to fully remove this functionality just yet, as it was added 8 years ago due to users having issues and blaming Skynet because these IPs were incorrectly on common filter lists. I may fully remove this in future updates, but no matter my decision it was inevitable someone would complain either way.

Lessons have been learned about modifying things that have been in place for a very long time…
 
You have to evolve, and sometimes faster than you would like, especially in this current landscape. I'm not getting caught like I did with cloud, knowing my track record is still better for uptime. Remember 15 years ago they were like "this (insert cloud product) has 97% uptime", and then kept incrementing it until now it's typically 99.97%?

I think Skynet is one of the greatest open source scripts out there, given that it's proven its use and dependability through the ages. Of course some people want it to do more, and in that case they have a great code base to work from, if that's what you choose.
 
