Hi,
in OpenWrt snapshot package repo you'll find the banIP package:
stable OpenWrt version 23.05.x.: banIP 1.0.0-9 plus luci companion package
latest snapshot version: banIP 1.0.0-9 plus luci companion package
Link to the latest banIP documentation
Feel free to test, ask questions or make suggestions.
Changelog
---
update 1.0.0-9
- fixed gathering/printing of system information in banIP status
- removed broken iblocklist.com feeds
- updated readme
---
update 1.0.0-8 - supports comments (introduced with a #), for MAC addresses in the allow and block list, e.g. 26:5e:a0:6a:9c:da # Test
- added hagezi threat ip feed
- added an adguard logterm to the readme
- removed the broken talos feed
---
update 1.0.0-7 - fixed auto allow-/blocklist-issue with IPv6 addresses in CIDR notation
- removed edrop feed from readme (had been removed from feeds for a while)
---
update 1.0.0-6 - automatic blocking of IP ranges via RDAP request now supports multiple CIDRs
- cosmetics
---
update 1.0.0-5 - filter crappy IP entries from urlhaus feed
---
update 1.0.0-4 - relax the firewall pre-check if fw4 is not running
- replace former stale tor feed source with 'https://www.dan.me.uk/torlist/?exit'
- add openvpn log term/search pattern example to the readme
- the default config now includes only log terms for dropbear and LuCI, all others are optional
- readme update
---
update 1.0.0-3 - fixed a regression in the split Set function (reported in the forum)
- fixed regex for urlhaus feed
---
update 1.0.0-2 - fixed a possible "Argument list too long" error in the f_log function
- fixed multiple, incomplete digit character classes
- fixed/optimized split file handling
- cosmetics
---
release 1.0.0-1 - made sure, that the domain lookup always add the found IPs to the underlying allow-/blocklist-Set
- major readme update
---
update 0.9.6-3 - fixed concurrent, too high nft loads during feed processing (seen in LuCI frontend)
---
update 0.9.6-2 - fix regex for nixspam and sslbl feed
- list the pre-routing limits in the banIP status
- small fixes and log improvements
---
release 0.9.6-1 - refine IPv4 parsing, skip rough feed entries like loopback addresses
- better error logging during banIP nftables initialization and Set loading
- cosmetics
---
update 0.9.5-5 - fix a processing race condition
- it's now possible to disable the icmp/syn/udp safeguards in pre-routing - set the threshold to '0'.
---
update 0.9.5-4 - optimized adding suspicious IPs to Sets in the log monitor
- re-added ipblackhole feed
---
update 0.9.5-3 - allow multiple protocol/port definitions per feed, e.g. 'tcp udp 80 443 50000'
- removed the default protocol/port limitation from asn feed
---
update 0.9.5-2 - fixed possible Set search race condition (initiated from LuCI frontend)
- fixed the "no result" Set search problem in LuCI
- removed abandoned feeds: spamhaus edrop (was merged with spamhaus drop)
---
release 0.9.5-1 - added DDoS protection rules in a new pre-routing chain to prevent common ICMP, UDP and SYN flood attacks and drop spoofed tcp flags & invalid conntrack packets, flood tresholds are configured via 'ban_icmplimit' (default 10/s), 'ban_synlimit' (default 10/s) and 'ban_udplimit' (default 100/s)
- the new pre-routing rules are tracked via named nft counters and are part of the standard reporting, set 'ban_logprerouting' accordingly
- block countries dynamically by Regional Internet Registry (RIR)/regions, e.g. all countries related to ARIN. Supported service regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE, set 'ban_region' accordingly
- it's now possible to always allow certain protocols/destination ports in wan-input and wan-forward chains, set 'ban_allowflag' accordingly - e.g. ' tcp 80 443-445'
- filter/convert possible windows line endings of external feeds during processing
- the cpu core autodetection is now limited to max. 16 cores in parallel, set 'ban_cores' manually to overrule this limitation
- set the default nft priority to -100 for banIP input/forward chains (pre-routing is set to -150)
- update readme
- a couple of bugfixes & performance improvements
- removed abandoned feeds: darklist, ipblackhole
- added new feeds: becyber, ipsum, pallebone, debl (changed URL)
- requires a LuCI frontend update as well (separate PR/commit)
---
update 0.9.4-3 - fix another logical glitch in the logfile monitor
---
update 0.9.4-2 - fix a long standing problem in the logfile-parser with dropbear and compressed IPv6 addresses
---
release 0.9.4-1 - add support for destination port & protocol limitations for external feeds (see readme for details), useful for lan-forward ad- or DoH-blocking, e.g. only tcp ports 80 and 443
- add turris sentinel blocklist feed
- update readme
---
update 0.9.3-5 - fix the nft Set survey function
---
update 0.9.3-4 - made the default mail template "responsive" to get a better view esp. on mobile devices
---
update 0.9.3-3 - more init fixes
---
update 0.9.3-2 - rework the device/interface auto-detection (only layer-3 network devices will be detected correctly), disable the auto-detection e.g. for special tunnel interfaces
- supports now full gawk (preferred, if installed) and busybox awk
- raise the default boot timeout to 20 seconds (if 'ban_triggerdelay' is not set)
- various small fixes and improvements
- readme update
---
release 0.9.3-1 - provides an option to transfer log events on remote servers via cgi interface (disabled by default), see readme for details
- refine the allowlist check to support IP intervals as well before adding an IP to the blocklist
---
update 0.9.2-4 - fix the urlhaus regex
- fix a possible init race condition
---
update 0.9.2-2 - support backup/restore for remote allowlists
- report the used log variant in status message
---
release 0.9.2-1 - the log file monitor now supports standard log files used by other log daemons like syslog-ng. Set 'ban_logreadfile' accordingly, by default it points to /var/log/messages
- removed logd dependency
---
update 0.9.1-1 - drop packets silently on input and forwardwan chains or actively reject the traffic, set 'ban_blocktype' accordingly
- optimized banIP boot/reload handling
- removed pppoe quirk in device detection
- small fixes and optimizations
---
update 0.9.0-1 - supports allowing / blocking of certain VLAN forwards in segregated network environments, set 'ban_vlanallow', ''ban_vlanblock' accordingly
- simplified the code/JSON to generate/parse the banIP status
- enclose nft related devices in quotation marks , e.g. to handle devices which starts with a number '10g-1'
- made the new vlan options available to LuCI (separate commit)
---
update 0.8.9-4 - made the etag id parsing more bulletproof (to catch unverified etags as well)
---
update 0.8.9-3 - prevent superflous etag function calls during start action (on start backups will be used anyway)
- changed the ipthreat feed download URL (load a compressed file variant to save bandwidth)
---
update 0.8.9-2 - fix a corner case backup issue with empty feed downloads
---
release 0.8.9-1 - added HTTP ETag or entity tag support to download only ressources that have been updated on the server side, to save bandwidth and speed up banIP reloads
- added 4 new feeds: binarydefense, bruteforceblock, etcompromised, ipblackhole (see readme)
- updated the readme
---
update 0.8.8-2 - process local lists in strict sequential order to prevent possible race conditions
- support ranges in the IP search, too
- fix some minor search issues
---
release 0.8.8-1 - Support MAC-/IPv4/IPv6 ranges in CIDR notation
- Support concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments (see readme)
- small fixes & cosmetics
- update readme
---
release 0.8.7-1 - Optionally auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the monitored suspicious IP, set 'ban_autoblocksubnet' accordingly (disabled by default). For more information regarding RDAP see https://www.ripe.net/manage-ips-and-asns/db/registration-data-access-protocol-rdap for reference.
- small fixes & cosmetics
- update readme
---
update 0.8.6-2 - fix/rework no-op loop
- small fixes & cosmetics
- update readme
---
release 0.8.6-1 - made the fetch utility function/autodetection more bullet proof
- no longer add suspicious IPs to the local blocklist when the nft set timeout has been set
- restructure internal functions & small fixes
---
update 0.8.5-2 - fixed a log parser regression introduced in latest 0.8.4 update
---
release 0.8.5-1 - add support for external allowlist URLs to reference additional IPv4/IPv6 feeds, set 'ban_allowurl' accordingly
- make download retries in case of an error configurable, set 'ban_fetchretry' accordingly (default 5)
- small fixes
- readme update
- LuCI update (separate commit)
---
update 0.8.4-5 - fix remaining small issues
- standardize log wording
- polished up for branch 23.x
---
update 0.8.4-4 - add housekeeping to the autoallow function, only the current uplink will be held
- fix small issues
- cosmetics
---
update 0.8.4-3 - add the option 'ban_autoallowuplink' to limit the uplink autoallow function: 'subnet' (default), 'ip' or 'disable'
---
update 0.8.4-2 - fix domain lookup function (parse banIP config vars)
- update readme
---
release 0.8.4-1 - add support for a custom feeds file (/etc/banip/banip.custom.feeds). Add new or edit existing banIP feeds on your own with the integrated custom feed editor (LuCI-component
- add a new option 'ban_blockpolicy' to overrule the default bblock policy (block all chains), see readme for details
- change the feed file format and add a new ipthreat feed, see readme
- refine (debug) logging
- multiple small fixes and improvements
- readme update
- luci update (separate commit)
---
update 0.8.3-2 - more init fixes
---
release 0.8.3-1 - add the new init command 'lookup', to lookup the IPs of domain names in the local lists and update them
- significant acceleration of the domain lookup function
- multiple small fixes and improvements
- readme update
- luci update (separate commit)
---
update 0.8.2-6 - restored some accidently removed init stuff in last commit
---
update 0.8.2-5 - fixed missing version number when installed as separate package (not in build)
- fixed cornercase init and mailing issues
- sorted Country list by country names ascending
- fixed some shellcheck findings
---
update 0.8.2-4 - fixed a race condition if the service is in a disabled state
- luci frontend sync
---
update 0.8.2-3 - raise max. timeouts from 10 to 30 seconds to stabilize the autodetection on slow hardware
- made interface trigger action configurable, set 'ban_triggeraction' accordingly (default: 'start')
- made E-Mail notifications configurable to receive status E-Mais with every banIP run, set 'ban_mailnotification' accordingly (default: disabled)
- small fixes & optimizations
- readme update
---
update 0.8.2-2 - fix the auto-detection for pppoe and 6in4 tunnel interfaces
- add the new 'ban_nftpolicy' option to expose the nft set policy, values: memory (default), performance
- add the new 'ban_nftlogevel' option to expose the nft syslog level, values: emerg, alert, crit, err, warn (default), notice, info, debug, audit
- status optimizations
- logging optimizations
- update the readme
---
release 0.8.2-1 - major performance improvements: clean-up/optimize all nft calls
- add a new "ban_reportelements" option, to disable the (time consuming) Set element count in the report (enabled by default)
- update the readme
---
update 0.8.1-3 - finalized the LuCI frontend preparation (this is the minmal version to use the forthcoming LuCI frontend)
- added a Set survey, to list all elements of a certain set
- changed the default logterm for asterisk
- update the readme
---
update 0.8.1-2 - add oisdbig as new feed
- LuCI frontend preparation:
- the json feed file points always to /etc/banip/banip.feeds (and is no longer compressed)
- supply country list in /etc/banip/banip.countries
- update readme
---
release 0.8.1-1 - add missing wan-forward chain (incl. report/mail adaption)
- changed options:
- old: ban_blockforward, new: ban_blockforwardwan and ban_blockforwardlan
- old: ban_logforward, new: ban_logforwardwan and ban_logforwardlan
- add missing dhcp(v6) rules/exceptions
- update readme
---
update 0.8.0-4
- remove bogus log limit
---
update 0.8.0-3 - properly initialize the 'proto' variable in the log service
---
update 0.8.0-2 - fix a potential race condition during initial startup (after flash) which leads to a "disabled" service
---
release 0.8.0-1 - complete rewrite of banIP to support nftables
- all sets are handled in a separate nft table/namespace 'banIP'
- for incoming blocking it uses the inet input hook, for outgoing blocking it uses the inet forward hook
- full IPv4 and IPv6 support
- supports nft atomic set loading
- supports blocking by ASN numbers and by iso country codes
- 42 preconfigured external feeds are available, plus local allow- and blocklist
- supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
- auto-add the uplink subnet to the local allowlist
- provides a small background log monitor to ban unsuccessful login attempts in real-time
- the logterms for the log monitor service can be freely defined via regex
- auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
- fast feed processing as they are handled in parallel as background jobs
- per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains)
- automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
- automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
- supports a 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
- provides comprehensive runtime information
- provides a detailed set report
- provides a set search engine for certain IPs
- feed parsing by fast & flexible regex rulesets
- minimal status & error logging to syslog, enable debug logging to receive more output
- procd based init system support (start/stop/restart/reload/status/report/search)
- procd network interface trigger support
- ability to add new banIP feeds on your own
- add a readme with all available options/feeds to customize your installation to your needs
- a new LuCI frontend will be available in due course
Have fun!
Dirk