banIP support thread

Ohh.. not sure what is happening with your setup. I also have an x86-based test network to play around with different configurations for OpenWrt. Just tested your possible issue there and can't reproduce the error.

One of the things I can think of is this portion in the "Advanced Settings". Maybe you are reaching max open files??


(screenshot is the actual config from my MR7350 router, which has a 4-core CPU)

On my x86 OpenWrt test, the split size is actually set to the max 16384 hahaha

1 Like

@AcidSlide @Nopel2020 Many thanks for the report ... turns out that it was a bug in the banIP rule maintenance, fixed in 1.5.0-6:

5 Likes

Great! Thanks for the quick fix!

Hi everyone, I installed the stable 24.10 today, coming from 23.05.5, on my GL-iNet MT6000. With the banIP module I can't load its Overview page in LuCI; it displays a "Cannot read properties of undefined (reading 'trim')" TypeError. No errors appear in logread. I upgraded via sysupgrade and installed all modules from scratch (just kept the config files).

Probably because the latest version of banIP is not compatible with the previous version (of banIP) that you were using.

It's best to reconfigure it from scratch. And if you are using custom feeds, you need to delete that too.

Just deleted the custom feed file and that did the trick, thanks!

Is it possible to set the whitelist only mode for incoming connections only?
For example, only allow certain ASNs/countries for incoming connections (WAN)?
And have other ban lists apply on top of this?

Yep, limit the allowlist to the inbound chain, see the readme for details. To get what you want, disable "allowlist only" and limit the allowlist feed and you're done.

So, how do I add all IPs of a certain country to the allowlist, and how can this work when I should disable "allowlist only" mode?
Sorry, what am I missing?

Just select the preferred countries and reload afterwards, e.g.:

"Allowlist only" means exactly that: only allowlist entries are processed, no blocklists. Needless for your use case - if I understand you correctly.

Thanks, I didn't know that the LuCI app frontend has a preconfigured list.
I was trying to configure this through the config file and expected that it was just possible to specify one or more of the feeds, but ban_allowurl only takes URLs?
The latest LuCI app doesn't show the Save, Apply, etc. buttons for me.
In which file is the country to url mapping stored?
So I can take the needed values from there...

This will only work if the default firewall input policy is drop/reject?
And let's assume country X is on the allowlist but some other ban feeds include IPs from country X: doesn't this approach override the other feeds and allow everything from country X?

Once done with the config changes in LuCI, just hit the "Restart" button. This has the same effect as "Save & Apply".

Thanks that worked.

But the entire approach I'm trying to do does not work.
To make it somewhat work I have to enable "allowlist only mode" but this will disable all other ban feeds and doesn't apply them on top of the allow list.

I want to only allow country X and also have other ban feeds still block IPs, even from country X, if those IPs are in the other feeds.
So basically block all IPs not from country X, but also block possibly suspicious IPs from country X too.

//edit
something like this:

Allowlist contains IPs from country X.
I don't know what the best way would be to implement something like this.
Maybe some sort of "inverse" flag for certain feeds and move them to the top of the chain? ban_feed_inverse?

That sounds overly complex. For testing edit /usr/bin/banip-service.sh ...

OLD (beginning at line 44):
# handle downloads
#
f_log "info" "start banIP download processes"
if [ "${ban_allowlistonly}" = "1" ]; then
	ban_feed=""
else
	f_getfeed
fi

NEW (beginning at line 44):
# handle downloads
#
f_log "info" "start banIP download processes"
#if [ "${ban_allowlistonly}" = "1" ]; then
#	ban_feed=""
#else
	f_getfeed
#fi

Bottom line: comment out the if clause and always process the else case. Reload banIP afterwards and report back. Thanks.

1 Like

Thanks, it worked.

Well, is it overly complex?
What about a new flag to set a feed as whitelist or blacklist?

This referred to statements such as ...

or

The already proposed simple code change will be provided with the next update ... :wink:

1 Like

I've uploaded a new banIP release to master/24.10:

6 Likes

After upgrading from 23.05.5 (banIP was the latest from the 1.0 series) to 24.10.0 (1.5.1-r1) with preserved settings, I'm again losing access to 90 percent of pages.

root@OpenWrt:~# cat /etc/config/banip

config banip 'global'
        option ban_enabled '1'
        option ban_debug '0'
        option ban_autodetect '1'
        list ban_logterm 'Exit before auth from'
        list ban_logterm 'luci: failed login'
        list ban_logterm 'error: maximum authentication attempts exceeded'
        list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
        list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
        list ban_logterm 'received a suspicious remote IP '\''.*'\'''
        list ban_logterm 'TLS Error: could not determine wrapping from \[AF_INET\]'
        option ban_fetchcmd 'uclient-fetch'
        option ban_protov4 '1'
        list ban_ifv4 'wan'
        option ban_protov6 '0'
        list ban_dev 'pppoe-wan'
        option ban_fetchretry '5'
        option ban_nicelimit '0'
        option ban_filelimit '1024'
        option ban_deduplicate '1'
        option ban_nftpriority '-100'
        option ban_icmplimit '10'
        option ban_synlimit '10'
        option ban_udplimit '100'
        option ban_nftpolicy 'memory'
        option ban_blocktype 'drop'
        option ban_nftloglevel 'warn'
        option ban_logprerouting '0'
        option ban_loginput '0'
        option ban_logforwardwan '0'
        option ban_logforwardlan '0'
        option ban_loglimit '100'
        option ban_autoallowlist '1'
        option ban_autoallowuplink 'subnet'
        option ban_autoblocklist '1'
        option ban_allowlistonly '1'
        list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/gb-aggregated.zone'
        list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/pl-aggregated.zone'
        list ban_blockinput 'allowlist'
        list ban_blockinput 'cinsscore'
        list ban_blockinput 'country'
        list ban_blockforwardwan 'allowlist'
        list ban_blockforwardwan 'cinsscore'
        list ban_blockforwardwan 'country'
        option ban_nftretry '5'
        option ban_blockpolicy 'drop'
        option ban_loginbound '0'
        option ban_logoutbound '0'

root@OpenWrt:~# 

related to banIP support thread - #2077 by dibdot
Browser says

ERR_CONNECTION_REFUSED

What to do?

Well, as usual, consult the readme (https://github.com/openwrt/packages/blob/master/net/banip/files/README.md#prerequisites). Derived from your old config, limit your allowlist to the inbound chain at least.
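As an added example (my own code, not banIP's and not from anyone in this thread), a small POSIX shell lint that reads a /etc/config/banip text and flags the two settings the thread turns on: ban_allowlistonly=1, under which banip-service.sh skips f_getfeed so any other block feeds are never loaded, and the allowlist feed placed in a forward chain instead of only ban_blockinput. The sample config is constructed and condensed from the one posted above; the finding tags are my own.

```shell
#!/bin/sh
# Added example, not banIP's own code: lint a UCI /etc/config/banip text
# for the two settings discussed in this thread. Config text comes on stdin.

# Constructed sample, condensed from the config posted above.
sample_config() {
cat <<'EOF'
config banip 'global'
	option ban_enabled '1'
	option ban_allowlistonly '1'
	list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/gb-aggregated.zone'
	list ban_blockinput 'allowlist'
	list ban_blockinput 'cinsscore'
	list ban_blockinput 'country'
	list ban_blockforwardwan 'allowlist'
	list ban_blockforwardwan 'cinsscore'
EOF
}

# Print every value of option/list $1 from the UCI text on stdin, one per line.
uci_values() {
	awk -v key="$1" -v q="'" '
		($1 == "option" || $1 == "list") && $2 == key {
			v = $0
			sub("^[^" q "]*" q, "", v)   # strip up to and including the opening quote
			sub(q "$", "", v)            # strip the closing quote
			print v
		}'
}

# Print findings, one per line; exit 0 when clean, 1 when something was flagged.
banip_lint() {
	cfg=$(cat)
	found=0
	# 1) "allowlist only" empties ban_feed instead of calling f_getfeed, so every
	#    non-allowlist feed named in a block chain is silently never loaded.
	if [ "$(printf '%s\n' "$cfg" | uci_values ban_allowlistonly)" = "1" ]; then
		feeds=$(for k in ban_blockinput ban_blockforwardwan ban_blockforwardlan; do
			printf '%s\n' "$cfg" | uci_values "$k"; done | grep -v '^allowlist$' | sort -u | tr '\n' ' ')
		[ -n "$feeds" ] && { echo "ALLOWLIST_ONLY: feeds never loaded while ban_allowlistonly=1: $feeds"; found=1; }
	fi
	# 2) The allowlist feed in a forward chain also restricts LAN clients;
	#    the thread's advice is to keep it on the inbound chain (ban_blockinput).
	for k in ban_blockforwardwan ban_blockforwardlan; do
		if printf '%s\n' "$cfg" | uci_values "$k" | grep -qx allowlist; then
			echo "ALLOWLIST_FORWARD: 'allowlist' set in $k; limit it to ban_blockinput"; found=1
		fi
	done
	[ "$found" -eq 0 ]
}

sample_config | banip_lint || true   # the sample trips both checks
```

Run it against a live router with `banip_lint < /etc/config/banip`; a config with ban_allowlistonly '0' and 'allowlist' only under ban_blockinput produces no output and exits 0.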

I asked because I don't want to go any further with that, since I don't have a clue about firewalling or routing; I just want to keep it working.
Is that correct now?