banIP support thread

Hi there, I'm trying to add this DNS/DoH blacklist to BanIP (https://public-dns.info/nameservers-all.txt). It is from https://public-dns.info. I'm already using the dohv4 feed that comes with BanIP, and it works fine, but I'd like to add this one, as well.

I tried adding it through the Edit Custom Feeds tab. I'm able to add it okay, but the blacklist doesn't seem to block anything. I'm unclear about the "Rulev4" field when adding a feed. What should I put in there? It looks like a regular expression. For now I've copied and pasted what was in the included dohv4 feed.

To test if this newly added feed is working, I just pick a few IPs from that list at random, try accessing them in my browser, and then check the BanIP/system log to see if it gets blocked or not. So far they're not getting blocked. If I do this same test with the IPs from the dohv4 feed included with BanIP, they are blocked, as expected.

How can I get this to work?

Hi,
In the "edit blacklist" section I now see a series of IPs blocked, presumably by banIP, I assume based on the list of feeds used, but there is a problem. This list grows every time banIP reloads, to the point of being so large that it can no longer be saved and it is necessary to delete the list manually. I would have expected this list to delete itself automatically after a set time, but it doesn't. Please see the attached image. Thank you.

Update: I saw this entry in the system log after a reboot:

user.info banIP-0.9.0-1[3181]: skip incomplete feed 'doh2'

That is the name of the new feed that I'm trying to add. Why would it be considered "incomplete"? Could it be because I emptied the "Rulev4" field? Or could it be something else?

Out of curiosity, in the Edit Custom Feeds tab, I copied the "Rulev4" field from the doh feed that comes with BanIP into the new feed I added, "doh2", and rebooted, now I see the following in the system log, instead:

user.info banIP-0.9.0-1[3175]: skip empty feed 'doh2v4'

What's going on? The feed isn't empty (https://public-dns.info/nameservers-all.txt).

What if I add blocklists only to Chain/Set Settings?

https://192.168.1.1/cgi-bin/luci/admin/services/banip/overview > Chain/Set Settings

Will I also need to enable them here - https://192.168.1.1/cgi-bin/luci/admin/services/banip/overview > Feed Selection

1. How to allow/block by domain?

2. 192.168.1.1/cgi-bin/luci/admin/services/banip/feeds > Edit Custom Feeds is filled with preinstalled lists. How do I only see "custom feeds"?

See: https://forum.openwrt.org/t/adblock-support-thread

Not using DNS, using IP. Example: if I block google.com then all its IPs will be blocked.

Details available at the post above.

BTW, domains are a part of DNS.

BTW, the posted method to solve your issue doesn't involve domains.

Hi, @stevennausak. This "support thread" doesn't appear to provide much actual support for us, so I'll try helping you even though I'm just another user.

In an attempt to debug what's going on, what if you try setting "Auto Allow Uplink" and "Blocklist Set Expiry" back to the defaults of "Please Choose". Then copy out the contents of the blacklist as a backup if you don't want to lose it, empty it out, then reboot your device.

Then try selecting one option back at a time to what you have in your screenshot and see if the functionality works correctly with one setting set to your choice, and then the other, by itself. I know "Subnet" says "default" and should work the way you have it, but maybe there's a bug in the code and this procedure might help track it down.

You could also try the above steps and also uncheck "Auto Blocklist", and see if those IPs stop getting automatically added. It would be nice if they had documentation that would properly explain how that feature works, since I've seen IPs get added to my list but have no idea why or how the logic works for that setting. All it says in the docs is "Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the ban_autoblocklist option)", but it doesn't say what a "suspicious request" is or how it is calculated to be "suspicious". That might be helpful to know.

Anyway, hope this helps. Good luck.


@dibdot I think there is an issue with the caching for the IPTHREAT feed. I've been getting the following in my logs for the past two to three weeks (more with similar IPs - same /24 segment).

Fri Sep  1 15:20:02 2023 kern.warn kernel: [603269.362396] banIP/fwd-lan/rej/ipthreatv4: IN=br-lan OUT=eth4 MAC=XX:XX:XX:XX:XX:XX:00:0c:29:6e:20:76:08:00 SRC=10.0.0.32 DST=20.189.173.13 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=59603 DF PROTO=TCP SPT=55401 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Fri Sep  1 15:20:04 2023 kern.warn kernel: [603270.786080] banIP/fwd-lan/rej/ipthreatv4: IN=br-lan OUT=eth4 MAC=XX:XX:XX:XX:XX:XX:f8:ff:c2:06:84:3f:08:00 SRC=10.0.0.10 DST=20.189.173.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 PROTO=TCP SPT=54845 DPT=443 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0
Fri Sep  1 15:20:04 2023 kern.warn kernel: [603271.293940] banIP/fwd-lan/rej/ipthreatv4: IN=br-lan OUT=eth4 MAC=XX:XX:XX:XX:XX:XX:f8:ff:c2:06:84:3f:08:00 SRC=10.0.0.10 DST=20.189.173.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 PROTO=TCP SPT=54846 DPT=443 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0
Fri Sep  1 15:20:05 2023 kern.warn kernel: [603271.804967] banIP/fwd-lan/rej/ipthreatv4: IN=br-lan OUT=eth4 MAC=XX:XX:XX:XX:XX:XX:f8:ff:c2:06:84:3f:08:00 SRC=10.0.0.10 DST=20.189.173.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 PROTO=TCP SPT=54848 DPT=443 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0
Fri Sep  1 15:20:05 2023 kern.warn kernel: [603272.320030] banIP/fwd-lan/rej/ipthreatv4: IN=br-lan OUT=eth4 MAC=XX:XX:XX:XX:XX:XX:f8:ff:c2:06:84:3f:08:00 SRC=10.0.0.10 DST=20.189.173.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 PROTO=TCP SPT=54849 DPT=443 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0
Fri Sep  1 15:20:06 2023 kern.warn kernel: [603272.822770] banIP/fwd-lan/rej/ipthreatv4: IN=br-lan OUT=eth4 MAC=XX:XX:XX:XX:XX:XX:f8:ff:c2:06:84:3f:08:00 SRC=10.0.0.10 DST=20.189.173.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 PROTO=TCP SPT=54850 DPT=443 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0
Fri Sep  1 15:20:13 2023 kern.warn kernel: [603279.702422] banIP/fwd-lan/rej/ipthreatv4: IN=br-lan OUT=eth4 MAC=XX:XX:XX:XX:XX:XX:f8:ff:c2:06:84:3f:08:00 SRC=10.0.0.10 DST=20.189.173.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 PROTO=TCP SPT=54851 DPT=443 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0
Fri Sep  1 15:20:13 2023 kern.warn kernel: [603280.209990] banIP/fwd-lan/rej/ipthreatv4: IN=br-lan OUT=eth4 MAC=XX:XX:XX:XX:XX:XX:f8:ff:c2:06:84:3f:08:00 SRC=10.0.0.10 DST=20.189.173.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 PROTO=TCP SPT=54852 DPT=443 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0
Fri Sep  1 15:20:14 2023 kern.warn kernel: [603280.725618] banIP/fwd-lan/rej/ipthreatv4: IN=br-lan OUT=eth4 MAC=XX:XX:XX:XX:XX:XX:f8:ff:c2:06:84:3f:08:00 SRC=10.0.0.10 DST=20.189.173.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 PROTO=TCP SPT=54853 DPT=443 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0
Fri Sep  1 15:20:14 2023 kern.warn kernel: [603281.159844] banIP/fwd-lan/rej/ipthreatv4: IN=br-lan OUT=eth4 MAC=XX:XX:XX:XX:XX:XX:00:0c:29:6e:20:76:08:00 SRC=10.0.0.32 DST=20.189.173.13 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=59604 DF PROTO=TCP SPT=55405 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0

But when I manually download the feed file and check it, the IPs being reported are not in the file. I think the cached file is still being used instead of the newer file.

        "ipthreat":{
                "url_4": "https://lists.ipthreat.net/file/ipthreat-lists/threat/threat-30.txt.gz",
                "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[-[:space:]]?/{printf \"%s,\\n\",$1}",
                "descr": "hacker and botnet IPs",
                "flag": "gz"
        },

UPDATE:
After validating, banIP was downloading the updated IPTHREAT file, but somehow some of the old IPs are still maintained in fw4. Doing a reload doesn't help, but a full restart of banIP fixed the issue.

UPDATE 2:
After deleting all the downloaded backup files and doing a restart, the element count went down from 45K+ to 35K+. So it seems the e-tag checking is somehow affecting whether the backup is used or a newer file is downloaded and used.

I've tried this on 3 different routers of mine that use banIP, and the results are the same.
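An added example, not banIP's own code, for the "Rulev4" question earlier in the thread and the ipthreat rule_4 quoted above: a Python translation of that awk program run against a constructed feed, showing which line shapes a v4 feed rule picks up (and why a feed in an unexpected format ends up with nothing to load). The awk POSIX class [-[:space:]] is rendered as [-\s], and the output mirrors awk's $1, i.e. the whole first field, not just the matched prefix.

```python
import re

# Translation of the rule_4 awk regex quoted in the thread:
#   /^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(...))?)[-[:space:]]?/
# Everything after the four octets is optional, so the effective test is
# "line starts with three dotted octets followed by a digit".
RULE_4 = re.compile(
    r"^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])"
    r"(/(1?[0-9]|2?[0-9]|3?[0-2]))?)[-\s]?"
)


def apply_rule_4(feed_text: str) -> list[str]:
    """Emulate `/regex/{printf "%s,\\n",$1}`: for every line whose start
    matches, emit awk's $1 (first whitespace-delimited field) plus a comma."""
    entries = []
    for line in feed_text.splitlines():
        if RULE_4.match(line):
            # awk prints $1, so a range like 1.1.1.1-2.2.2.2 is emitted whole,
            # and a trailing note after whitespace is dropped.
            entries.append(line.split()[0] + ",")
    return entries


def feed_is_empty(feed_text: str) -> bool:
    """True when the rule extracts nothing, i.e. the set would have no elements."""
    return not apply_rule_4(feed_text)


# Constructed sample feed (not a real download) covering the shapes that matter:
# plain IP, IP/CIDR with a note, IPv6 (not for a v4 rule), comment, indented
# line (fails the ^ anchor), a range, and a "key value" line.
SAMPLE_FEED = """\
8.8.8.8
1.1.1.1/32 - example note
2001:4860:4860::8888
# comment line
   9.9.9.9
1.1.1.1-2.2.2.2
nameserver 4.4.4.4
"""

if __name__ == "__main__":
    for entry in apply_rule_4(SAMPLE_FEED):
        print(entry)
    print("empty feed:", feed_is_empty("2001:db8::1\n# only comments\n"))
```

Feed the real nameservers-all.txt to apply_rule_4 to see what a given Rulev4 would actually extract before adding the feed in LuCI.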

What is the criteria that triggers ban_autoblocklist to block something? I noticed the other day that two local IP addresses had been added there.

I'd like to block requests to specific IPs, and I'm having trouble doing that.

I've added the IP 139.59.209.225 (it belongs to openwrt.org) to my blocklist /etc/banip/banip.blocklist. BanIP is active according to /etc/init.d/banip status, and I've reloaded the config via /etc/init.d/banip reload.

When I try to run a GET request on the PC connected to my Openwrt router via
curl 139.59.209.225
I get a 301 response, not the timeout I was looking for.

Is there anything more I can try? I've read the manual, but I'm up against a wall.

My network hardware configuration looks like this:
Verizon G1100 -> LAN port -> Cat5 -> WAN port -> TP-Link TL-WDR3500 with OpenWRT 22 installed -> LAN port -> Cat5 -> my PC

301 location pointing to your OpenWrt?
I get a "packet filtered" response when probing a blocked dst IP with ICMP, which can help you troubleshoot ASAP.
PS. I would use curl -I http:// or -Ik with https.

BTW, the posted method to solve your issue doesn't involve domains.

Adblock only blocks a domain when the client is using the router's DNS.

No, it's a 301 to https://openwrt.org/. Which is how I would expect it to behave if the IP wasn't being blocked. Here's the entire output. I've added -I, which does help.

$ curl -I http://139.59.209.225
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Fri, 15 Sep 2023 19:51:49 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://openwrt.org/

I'm wondering if my network configuration is messing things up: I'm placing an OpenWRT router "in between" the G1100 (which Verizon compels me to use) and my PC.

I have done some tests on my end; it works if properly configured. In my test I use OpenWrt as the upstream router, basically a double NAT scenario. Works as expected too.

Make sure you enable the local blocklist in the lan forward chain.
I have added and tested with an FQDN (cnn.com): add it to the blacklist, restart banip and test.

curl -Ik https://cnn.com
curl: (7) Failed to connect to cnn.com port 443 after 51 ms: Couldn't connect to server

luci-app-banip Custom Feed Editor is filled with predefined feeds. How do I only show "custom feeds" there?

It started after I clicked Fill Custom Feed


Delete everything else if that's what you need.
Or just stop banip and go by CLI:
mv /etc/banip/banip.feeds /etc/banip/banip.feeds.old
touch /etc/banip/banip.feeds
edit custom feeds:
vi/nano /etc/banip/banip.custom.feeds
Start bainip
/etc/init.d/banip start.
Check.


Yeah, you noticed the typo: banip, not bainip.

This deleted all preinstalled feeds. I wanted to "only show custom feeds in 'http://192.168.1.1/cgi-bin/luci/admin/services/banip/feeds'".
Now how do I get back the preinstalled feeds?