banIP support thread

It's because ... you are blocking my country! Lol

Your config said the opposite - you've selected the country (us) but didn't activate the country feed itself in the first select box, e.g. ...

Blocklist Feed: country (country blocks)
Countries (RIR): United States (ARIN)
Regional Internet Registry: ARIN - serving Canada and the United States

still doesn't work

Post your current config and your processing (debug) log.


config banip 'global'
	option ban_enabled '1'
	option ban_debug '0'
	option ban_autodetect '1'
	list ban_logterm 'Exit before auth from'
	list ban_logterm 'luci: failed login'
	list ban_dev 'wan'
	list ban_ifv4 'wan'
	option ban_fetchretry '5'
	option ban_nicelimit '0'
	option ban_filelimit '1024'
	option ban_deduplicate '1'
	option ban_nftpriority '-100'
	option ban_icmplimit '10'
	option ban_synlimit '10'
	option ban_udplimit '100'
	option ban_nftpolicy 'memory'
	option ban_blocktype 'drop'
	option ban_nftloglevel 'warn'
	option ban_logprerouting '0'
	option ban_loginput '0'
	option ban_logforwardwan '0'
	option ban_logforwardlan '0'
	option ban_loglimit '100'
	option ban_autoallowlist '1'
	option ban_autoallowuplink 'subnet'
	option ban_autoblocklist '1'
	option ban_allowlistonly '0'
	list ban_feed 'country'
	list ban_country 'us'
	list ban_region 'ARIN'
	option ban_fetchcmd 'uclient-fetch'


Mon Jul  1 03:50:17 2024 user.err banIP-1.0.0-4[3634]: banIP is disabled
Mon Jul  1 03:52:14 2024 user.err banIP-1.0.0-4[5863]: banIP is disabled
Mon Jul  1 03:53:46 2024 user.err banIP-1.0.0-4[6437]: banIP is disabled
Mon Jul  1 03:53:52 2024 user.err banIP-1.0.0-4[6526]: banIP is disabled
Mon Jul  1 03:54:13 2024 user.err banIP-1.0.0-4[6608]: banIP is disabled
Mon Jul  1 03:54:20 2024 user.err banIP-1.0.0-4[6711]: banIP is disabled
Mon Jul  1 03:54:23 2024 user.err banIP-1.0.0-4[6793]: banIP is disabled
Mon Jul  1 03:54:55 2024 user.err banIP-1.0.0-4[6877]: banIP is disabled
Mon Jul  1 03:55:07 2024 user.info banIP-1.0.0-4[7451]: start banIP processing (restart)
Mon Jul  1 03:55:07 2024 user.err banIP-1.0.0-4[7451]: no download utility with SSL support
Mon Jul  1 03:55:37 2024 user.info banIP-1.0.0-4[8971]: start banIP processing (reload)
Mon Jul  1 03:55:37 2024 user.err banIP-1.0.0-4[8971]: no download utility with SSL support
Mon Jul  1 03:55:48 2024 user.info banIP-1.0.0-4[9889]: start banIP processing (restart)
Mon Jul  1 03:55:48 2024 user.info banIP-1.0.0-4[9889]: add uplink '192.168.100.2/24' to local allowlist
Mon Jul  1 03:55:48 2024 user.info banIP-1.0.0-4[9889]: initialize banIP nftables namespace
Mon Jul  1 03:55:48 2024 user.info banIP-1.0.0-4[9889]: start banIP download processes
Mon Jul  1 03:55:48 2024 user.info banIP-1.0.0-4[9889]: start banIP domain lookup
Mon Jul  1 03:55:48 2024 user.info banIP-1.0.0-4[9889]: domain lookup finished in 0m 0s (allowlist, 0 domains, 0 IPs)
Mon Jul  1 03:55:48 2024 user.info banIP-1.0.0-4[9889]: domain lookup finished in 0m 0s (blocklist, 0 domains, 0 IPs)
Mon Jul  1 03:55:48 2024 user.info banIP-1.0.0-4[9889]: start detached banIP log service (/sbin/logread)
Mon Jul  1 03:56:15 2024 user.info banIP-1.0.0-4[11615]: start banIP processing (reload)
Mon Jul  1 03:56:15 2024 user.info banIP-1.0.0-4[11615]: start banIP download processes
Mon Jul  1 03:56:16 2024 user.info banIP-1.0.0-4[11615]: start banIP domain lookup
Mon Jul  1 03:56:16 2024 user.info banIP-1.0.0-4[11615]: domain lookup finished in 0m 0s (blocklist, 0 domains, 0 IPs)
Mon Jul  1 03:56:16 2024 user.info banIP-1.0.0-4[11615]: domain lookup finished in 0m 0s (allowlist, 0 domains, 0 IPs)
Mon Jul  1 03:56:16 2024 user.info banIP-1.0.0-4[11615]: start detached banIP log service (/sbin/logread)

No appropriate download tool - no downloads! :joy: See the prerequisite chapter in the readme.

...to see more download information, enable debug and rerun the last test...

1 Like

Please help me set the download tool. I'm reading the readme and can't seem to figure it out... I looked through the settings and don't see anywhere to set it... is it something like uclient-fetch

@dibdot

  • Do the OpenWrt fw4 rules or banIP rules have more priority?

  • In the LuCI setting "Feed/Set Settings", if I want to select "Limit certain feeds to the xxxx chain", why does it also give users the checkbox to select "local allowlist"? I think it should only show feeds to be banned/blocked.

  • Can I delete the folder "/tmp/banIP-backup/" after the service banip status shows "active"?

In your last posted test run banIP already used uclient-fetch ... just reload this setup with debug and you'll see much more download details ...

By default the latter banIP rules (you could change that).

Why? Local list will be treated like normal feeds.

Why would you do that? Completely unsupported ...

Do the OpenWrt fw4 rules or banIP rules have more priority?
By default the latter banIP rules (you could change that).

Can you show how to change that? Is it some existing setting in banip?

Why? Local list will be treated like normal feeds.

If I don't select the local allowlist for all three chains (WAN-input, WAN-forward, LAN-forward), then banIP automatically enables the local allowlist for all of them. However, if I select the local allowlist for one or two of the three chains, then banIP only enables the local allowlist for them, except for the chain(s) that do(es) not have the local allowlist enabled. I believe this is not consistent.

Can I delete the folder "/tmp/banIP-backup/" after the service banip status shows "active"?
Why would you do that? Completely unsupported ...

Occasionally (after making different country ban selections), banIP may unexpectedly include CIDRs that do not belong to a banned country (check using service banip search x.x.x.x), so I just delete /tmp/banIP-backup/ and restart banip, and it always works correctly after that. Also, when banip is in active state, I assume that all the CIDR entries have been committed in memory so there is no need to keep them in /tmp/banIP-backup/, saving some memory as well. If I make any banip change, I always use restart, so it would always download the feeds again.

It's working now. IPv4 and IPv6 were disabled; I had to uncheck auto detection and enable it.
Thanks much for your help.

Status: active (nft: ✔, monitor: ✔)
Version: 1.0.0-4
Element Count: 19033
Active Feeds: allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, countryv6, countryv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6

Another thing... how do I create an ipset and allow it to work with this, if possible? Let's say I just want to block all the IPs in Miami alone instead of the entire USA, like search for Miami IP blocks and make an ipset and add it to banIP. And I want my PlayStation console alone to be affected by these IP blocks; how do I exclude other devices from being affected by banIP?

For your particular scenario, perhaps consider an alternate approach of using firewall rules in conjunction with IPSets. You could make separate firewall rules that solely block your game console target from the IPSets.

1 Like

I figured it out, thanks much.

1 Like

@dibdot - I found this in the processing log. I tried reloading banIP to see if it would resolve, but the issue repeated.
Is this just perhaps a temporary error with format / corrupted content in the feed file downloaded? Thank you.

debug banIP-1.0.0-4[6824]: can't initialize Set for feed 'urlhausv4' (rc: 1, log: /tmp/tmp.KChbFI/tmp.dePAGI.urlhausv4.nft:3:61910-61920: Error: syntax error, unexpected string, expecting comma or '}' add set inet banIP urlhausv4 { type ipv4_addr; flags interval; auto-merge; policy performance; elements={ 117.216.144.55, 117.208.221.136, 125.46.241.157, 117.198.14.199, 117.253.195.66, 125.45.48.191, 117.248.168.126, 221.15.242.131, 59.183.113.101, 59.95.131.41, 113.233.36.187, 61.0.213.62, 123.4.78.100, 222.139.53.179, 117.204.126.17
debug banIP-1.0.0-4[6824]: f_down      ::: feed: urlhausv4, cnt_dl: 20196, cnt_set: -, split_size: 16384, time: 2, rc: 1, log: /tmp/tmp.KChbFI/tmp.dePAGI.urlhausv4.nft:3:61910-61920: Error: syntax error, unexpected string, expecting comma or '}' add set inet banIP urlhausv4 { type ipv4_addr; flags interval; auto-merge; policy performance; elements={ 117.216.144.55, 117.208.221.136, 125.46.241.157, 117.198.14.199, 117.253.195.66, 125.45.48.191, 117.248.168.126, 221.15.242.131, 59.183.113.101, 59.95.131.41, 113.233.36.187, 61.0.213.62,

The root cause is crappy IP entries like this one in the urlhaus feed, e.g.

content:"148.232.128.45.pfcloud.io"

To fix it on your own, load the default ruleset in the custom feed editor and replace the existing urlhaus ruleset with this one:

BEGIN{FS=";"}/content:"127\./{next}/(content:"([1-9][0-9]{0,2}\.){1}([0-9]{1,3}\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])")/{printf "%s,\n",substr($10,11,length($10)-11)}
3 Likes
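
Added example (not part of the original posts and not banIP code): a pre-load filter that shows why one hostname-like entry such as `content:"148.232.128.45.pfcloud.io"` must be dropped before the elements reach an nft set. The function names and the feed lines are constructed for illustration; only the `content:"..."` token shape comes from the thread, and the octet check is stricter than the posted regex (it also rejects octets above 255).

```shell
#!/bin/sh
# Added example, not banIP code. Feed lines below are constructed; only the
# content:"..." token shape comes from the thread.

sample_feed() {
    cat <<'EOF'
f1;f2; content:"198.51.100.23";f4
f1;f2; content:"148.232.128.45.pfcloud.io";f4
f1;f2; content:"127.0.0.1";f4
f1;f2; content:"203.0.113.7";f4
f1;f2; content:"203.0.113.999";f4
EOF
}

filter_feed() {
    # stdout: valid IPv4 elements in the "addr," form the posted ruleset emits
    # stderr: rejected values, so a bad feed entry is reported instead of
    #         breaking the whole "add set ... elements={ ... }" statement
    awk '
    function valid_ipv4(s,    o, n, i) {
        n = split(s, o, ".")
        if (n != 4) return 0                      # hostname suffix => more parts
        for (i = 1; i <= 4; i++) {
            if (o[i] !~ /^[0-9]+$/) return 0      # empty or non-numeric octet
            if (length(o[i]) > 3 || o[i] + 0 > 255) return 0
        }
        # mirror the posted ruleset: first octet starts with 1-9, skip loopback
        if (o[1] ~ /^0/ || o[1] + 0 == 127) return 0
        return 1
    }
    match($0, /content:"[^"]*"/) {
        # content:" is 9 characters; drop it and the closing quote
        val = substr($0, RSTART + 9, RLENGTH - 10)
        if (valid_ipv4(val)) printf "%s,\n", val
        else printf "rejected: %s\n", val > "/dev/stderr"
    }'
}

sample_feed | filter_feed
```

Running the same filter over a downloaded feed file and reading stderr shows which entries would have produced the nft syntax error.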

Thank you @dibdot , replacing the ruleset as described above resolved the issue.

1 Like

Has anyone ported banIP to Debian/Ubuntu? Other than the uci references, anything else to pay special attention to? https://github.com/openwrt/packages/tree/master/net/banip/files