Hi @dibdot, I noticed you're using curl as the DL utility in your banIP configuration. I don't see it mentioned in this thread that uclient-fetch is broken when used with banIP; it might be worth mentioning here to forewarn SNAPSHOT users.
Fri Nov 15 12:46:22 2024 user.info banIP-[55975]: start banIP processing (restart)
Fri Nov 15 12:46:22 2024 user.err banIP-[55975]: no download utility with SSL support
Fri Nov 15 12:46:24 2024 user.info banIP-[56276]: start banIP processing (reload)
Fri Nov 15 12:46:24 2024 user.err banIP-[56276]: no download utility with SSL support
Fri Nov 15 12:48:31 2024 user.info banIP-[61571]: start banIP processing (restart)
Fri Nov 15 12:48:31 2024 user.err banIP-[61571]: no download utility with SSL support
Can this be set up to only block incoming/outgoing connection attempts to IPs located in Asia? I would like to block these from a single host on my network only.
A brief note on our own behalf: there is a new banIP release in the master and 24.10 branches. Among other things, it includes performance improvements and fixes the broken IP realtime monitor (triggered by the already mentioned apk bug).
I don't know if you might have fixed it already, but I'll report it anyway. When reject is activated, TYPE=3 CODE=3 ICMP packets are sent to the rejected addresses via the WAN port. If you change it to drop, this effect is gone.
Default in banIP is "drop". What's the issue with the above ICMP types/codes? If I remember correctly, we're using the same as OpenWrt fw4.
What's your recommendation?
Well, it depends on whether the packets really leave the device in the direction of the Internet; I have not tested this now. I have only seen that when LAN requests are rejected, such ICMP packets come to the WAN postrouting hook (Priority: 95), which would of course be a problem because your IP address would be visible to the discarded pages. Maybe you should add an extra drop rule for ICMP. You could also simplify things a bit in general: so far the rule chain for the input hook and the forward hook is created twice, but if you create it only once without hook assignment, you could call it several times via jump/goto, which reduces the size of the banip table.
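The single-chain layout suggested in the post above, as an added sketch that is not part of the thread and not banIP's actual ruleset. The table, set and chain names, the priorities and the address ranges are all hypothetical or constructed for illustration.

```nftables
#!/usr/sbin/nft -f
# Added illustration: names below are hypothetical, not taken from banIP.
table inet example_blocklist {
    # Constructed sample set using documentation-only address ranges.
    set blocked_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24 }
    }

    # Regular chain: it has no "type ... hook ..." line, so the kernel never
    # calls it directly. It only runs when a base chain jumps to it.
    # The verdict is "drop", which discards silently; "reject" would instead
    # generate an ICMP error for every matched packet.
    chain match_blocked {
        ip saddr @blocked_v4 counter drop
        ip daddr @blocked_v4 counter drop
    }

    # Base chains: each one is attached to a hook and holds a single jump,
    # so the matching rules exist once rather than once per hook.
    chain input {
        type filter hook input priority -100; policy accept;
        jump match_blocked
    }

    chain forward {
        type filter hook forward priority -100; policy accept;
        jump match_blocked
    }
}
```

With `jump`, packets that match nothing return to the calling base chain and continue with its policy; `goto` would not return to the caller.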
Hello @dibdot, are you the maintainer for luci-app-banip too? Because luci banip is not working correctly at the moment in the latest snapshot r28214-5a4eb56a7b
Thanks, can confirm it's working after this was merged. Can't wait for stable OpenWrt 24.x; I'm on the edge of my seat at the moment waiting for this to happen after several months on snapshot.