BanIP list feed applied when not selected

I have a question. It seems that one of the feeds is applied on an interface.
But this feed isn't selected within the chain settings.
These are the firewall rules of LAN-Forward:

config banip 'global'
        option ban_autodetect '1'
        list ban_logterm 'Exit before auth from'
        list ban_logterm 'luci: failed login'
        list ban_logterm 'error: maximum authentication attempts exceeded'
        list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
        list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
        option ban_filelimit '4096'
        option ban_deduplicate '1'
        option ban_autoallowlist '1'
        option ban_autoblocklist '1'
        option ban_allowlistonly '0'
        option ban_nftpolicy 'memory'
        option ban_nftpriority '-200'
        option ban_nftloglevel 'warn'
        option ban_loglimit '100'
        option ban_debug '1'
        option ban_nicelimit '0'
        option ban_fetchcmd 'uclient-fetch'
        option ban_protov4 '1'
        list ban_ifv4 'wan'
        list ban_dev 'eth1'
        list ban_trigger 'wan'
        option ban_triggeraction 'start'
        option ban_fetchretry '5'
        option ban_loginput '0'
        option ban_logforwardwan '0'
        option ban_logforwardlan '1'
        option ban_splitsize '4096'
        list ban_country 'br'
        list ban_country 'cn'
        list ban_country 'ir'
        list ban_country 'iq'
        list ban_country 'ly'
        list ban_country 'ng'
        list ban_country 'pk'
        list ban_country 'pl'
        list ban_country 'ru'
        list ban_country 'so'
        list ban_country 'sy'
        list ban_country 'tr'
        list ban_country 've'
        list ban_country 'ye'
        option ban_reportelements '0'
        list ban_feed 'asn'
        list ban_feed 'backscatterer'
        list ban_feed 'binarydefense'
        list ban_feed 'bogon'
        list ban_feed 'bruteforceblock'
        list ban_feed 'cinsscore'
        list ban_feed 'country'
        list ban_feed 'darklist'
        list ban_feed 'debl'
        list ban_feed 'doh'
        list ban_feed 'drop'
        list ban_feed 'dshield'
        list ban_feed 'edrop'
        list ban_feed 'etcompromised'
        list ban_feed 'feodo'
        list ban_feed 'firehol1'
        list ban_feed 'firehol2'
        list ban_feed 'firehol3'
        list ban_feed 'firehol4'
        list ban_feed 'greensnow'
        list ban_feed 'iblockads'
        list ban_feed 'iblockspy'
        list ban_feed 'ipblackhole'
        list ban_feed 'ipthreat'
        list ban_feed 'myip'
        list ban_feed 'nixspam'
        list ban_feed 'oisdbig'
        list ban_feed 'oisdnsfw'
        list ban_feed 'oisdsmall'
        list ban_feed 'proxy'
        list ban_feed 'sslbl'
        list ban_feed 'stevenblack'
        list ban_feed 'talos'
        list ban_feed 'threat'
        list ban_feed 'threatview'
        list ban_feed 'tor'
        list ban_feed 'uceprotect1'
        list ban_feed 'uceprotect2'
        list ban_feed 'uceprotect3'
        list ban_feed 'urlhaus'
        list ban_feed 'urlvir'
        list ban_feed 'voip'
        list ban_feed 'webclient'
        list ban_feed 'yoyo'
        option ban_cores '2'
        option ban_enabled '1'
        list ban_blockinput 'shadowinbound'
        list ban_blockinput 'backscatterer'
        list ban_blockinput 'binarydefense'
        list ban_blockinput 'bogon'
        list ban_blockinput 'bruteforceblock'
        list ban_blockinput 'cinsscore'
        list ban_blockinput 'country'
        list ban_blockinput 'darklist'
        list ban_blockinput 'debl'
        list ban_blockinput 'doh'
        list ban_blockinput 'drop'
        list ban_blockinput 'dshield'
        list ban_blockinput 'edrop'
        list ban_blockinput 'etcompromised'
        list ban_blockinput 'feodo'
        list ban_blockinput 'firehol1'
        list ban_blockinput 'firehol2'
        list ban_blockinput 'firehol3'
        list ban_blockinput 'firehol4'
        list ban_blockinput 'greensnow'
        list ban_blockinput 'iblockspy'
        list ban_blockinput 'ipblackhole'
        list ban_blockinput 'ipthreat'
        list ban_blockinput 'myip'
        list ban_blockinput 'nixspam'
        list ban_blockinput 'proxy'
        list ban_blockinput 'sslbl'
        list ban_blockinput 'talos'
        list ban_blockinput 'threat'
        list ban_blockinput 'threatview'
        list ban_blockinput 'tor'
        list ban_blockinput 'uceprotect1'
        list ban_blockinput 'uceprotect2'
        list ban_blockinput 'uceprotect3'
        list ban_blockinput 'urlhaus'
        list ban_blockforwardlan 'shadowoutbound'
        list ban_blockforwardlan 'asn'
        list ban_blockforwardlan 'backscatterer'
        list ban_blockforwardlan 'binarydefense'
        list ban_blockforwardlan 'bruteforceblock'
        list ban_blockforwardlan 'cinsscore'
        list ban_blockforwardlan 'country'
        list ban_blockforwardlan 'darklist'
        list ban_blockforwardlan 'debl'
        list ban_blockforwardlan 'doh'
        list ban_blockforwardlan 'drop'
        list ban_blockforwardlan 'dshield'
        list ban_blockforwardlan 'edrop'
        list ban_blockforwardlan 'etcompromised'
        list ban_blockforwardlan 'feodo'
        list ban_blockforwardlan 'greensnow'
        list ban_blockforwardlan 'iblockads'
        list ban_blockforwardlan 'iblockspy'
        list ban_blockforwardlan 'ipblackhole'
        list ban_blockforwardlan 'ipthreat'
        list ban_blockforwardlan 'myip'
        list ban_blockforwardlan 'nixspam'
        list ban_blockforwardlan 'proxy'
        list ban_blockforwardlan 'sslbl'
        list ban_blockforwardlan 'talos'
        list ban_blockforwardlan 'threat'
        list ban_blockforwardlan 'threatview'
        list ban_blockforwardlan 'tor'
        list ban_blockforwardlan 'urlhaus'
        list ban_blockforwardlan 'urlvir'
        list ban_blockforwardlan 'voip'
        list ban_blockforwardlan 'webclient'
        list ban_blockforwardlan 'yoyo'

I have already deleted the feed or restarted the banIP application, but these feeds are always applied.

Did you restart the firewall too?

I updated the OS from 22 to 23 today and the same issue is still present.

Edit:
After a reboot the rules are still there. It looks like nft saves the config to a file. Each time this file is reloaded, and I think the issue is here. But I cannot find this file.

Then it sounds like you should either write in the banIP thread or give a shout to @dibdot to have a look at it.

Nope, according to your config the feeds are still active ...

1 Like

I found a workaround.

After removing the feeds and reloading banIP, it works fine, but this solution will delete the feed, so you cannot enable it anymore within the wan interface.

Sorry, I don't get it ...what do you want to achieve now, please describe exactly.

2 Likes

The issue is still there, but for now I have a workaround.
When I remove a feed from the "LAN-Forward Chain", iptables is built with the new config, but the old feed is still present within the "LAN-Forward Chain".

In the feed list the feed is unselected, but in the iptables overview the feed is still there.

First of all: banIP supports only nftables, not iptables.

To enable/disable a feed use the feed selection, e.g.:

To limit a feed to a certain chain use the chain selection, e.g.:

If no special chains have been selected for a feed (that's the case for the mentioned feeds in your example), the default block policy is used ... and by default each feed is active in all supported chains.

BTW, if you change the chain assignments you need a banIP restart afterwards.

1 Like
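
The default-policy behaviour described in the last reply can be checked against a config directly. The script below is an added example, not part of the thread or of banIP itself: it lists every feed enabled via 'list ban_feed' that appears in no 'list ban_block*' chain list, i.e. the feeds that fall back to the default block policy. The function names and the shortened sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: find enabled banIP feeds without an explicit chain assignment.
# Per the reply above, such feeds use the default block policy and are
# therefore active in all supported chains, LAN-forward included.

# Reads a UCI-style banip config on stdin. Prints, sorted and one per line,
# each feed named in 'list ban_feed' that is in no 'list ban_block*' list.
unassigned_feeds() {
    awk '
        $1 == "list" {
            val = $3
            gsub("\047", "", val)          # strip the single quotes around the value
            if ($2 == "ban_feed")
                enabled[val] = 1           # feed is switched on
            else if ($2 ~ /^ban_block/)
                assigned[val] = 1          # feed is pinned to at least one chain
        }
        END {
            for (f in enabled)
                if (!(f in assigned))
                    print f
        }
    ' | sort
}

# Constructed sample: a shortened excerpt of the config posted in the thread.
sample_config() {
    cat <<'EOF'
config banip 'global'
        list ban_logterm 'luci: failed login'
        list ban_feed 'bogon'
        list ban_feed 'doh'
        list ban_feed 'oisdbig'
        list ban_feed 'stevenblack'
        list ban_feed 'yoyo'
        list ban_blockinput 'bogon'
        list ban_blockinput 'doh'
        list ban_blockforwardlan 'doh'
        list ban_blockforwardlan 'yoyo'
EOF
}

sample_config | unassigned_feeds
```

On the router the same function can be fed the live config with `unassigned_feeds < /etc/config/banip` (standard UCI location, assumed here). Run over the full config posted at the top of the thread, it reports oisdbig, oisdnsfw, oisdsmall and stevenblack.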