banIP support thread

You can't. nft logging is done at the system level, which means it is logged to the syslog.

The firewall log is actually parsed/filtered data from the syslog.

2 Likes

I got around this problem by installing syslog-ng and modifying /etc/syslog-ng.conf to filter banIP and firewall logging, which I enabled so I can still keep tabs on things in real time by watching the kernel log via the serial console (alternatively via SSH, using cat /proc/kmsg instead of logread -f).

Here are a few excerpts from my /etc/syslog-ng.conf file:

# Exclude banIP's own status lines from the messages destination
filter banip {
	not match("banIP")
};

# Exclude the firewall's nft log prefixes (zone forward rejects, wan drops/rejects)
filter firewall_lan_fwd {
	not match("reject lan forward")
};

filter firewall_lan2_fwd {
	not match("reject lan2 forward")
};

filter firewall_wan_drp {
	not match("drop wan invalid")
};

filter firewall_wan_in {
	not match("reject wan in")
};

filter firewall_wan_fwd {
	not match("reject wan forward")
};

# Everything that passes all of the negated filters goes to 'messages'.
# The sources, the collectd/openvpn_* filters and the destination are
# defined elsewhere in the file (not part of this excerpt).
log {
	source(src);
	source(net);
	source(kernel);
	source(s_network);
	filter(banip);
	filter(collectd);
	filter(firewall_lan_fwd);
	filter(firewall_lan2_fwd);
	filter(firewall_wan_drp);
	filter(firewall_wan_in);
	filter(firewall_wan_fwd);
	filter(openvpn_fail);
	filter(openvpn_info);
	destination(messages);
};

Make sure to also install logrotate and set up a cron job, or else the log will just keep growing until it exhausts RAM. I do this daily at 1 am:

0 1 * * * /usr/sbin/logrotate /etc/logrotate.conf >/dev/null 2>&1

To demonstrate, here's what my logs now look like.

Syslog:

Kernel log:

Hope this somewhat helps.

3 Likes
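As an added example (not from the post above, and not part of banIP or syslog-ng), here is a POSIX shell equivalent of those filters that makes the trade-off visible: `messages_view` applies the same six exclusion patterns to a log stream, and `fw_summary` condenses the firewall lines that the filters throw away into per-rule, per-source counts, so they can still be reviewed without letting the messages file grow. The log lines are constructed for this example: the banIP lines are copied from later in this thread, the firewall lines follow the standard netfilter LOG field layout with a fw4-style rule prefix, and the addresses and MACs are made up.

```shell
#!/bin/sh
# Constructed sample in logread's output format: two banIP status lines,
# three fw4-style nft log lines in the netfilter LOG field layout, and one
# unrelated hostapd line. Addresses are documentation ranges, MACs invented.
SAMPLE_LOG='Tue Mar 18 07:55:22 2025 user.info banIP-1.5.3-r3[14599]: start banIP processing (reload, 1.5.3-r3)
Tue Mar 18 07:55:23 2025 kern.warn kernel: [1234.567] reject wan in: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=44321 DPT=22
Tue Mar 18 07:55:24 2025 kern.warn kernel: [1235.001] drop wan invalid: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=1 DPT=443
Tue Mar 18 07:55:25 2025 kern.warn kernel: [1236.010] reject wan in: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=UDP SPT=5353 DPT=5353
Tue Mar 18 07:55:26 2025 daemon.notice hostapd: wlan0: STA 00:11:22:33:44:55 IEEE 802.11: associated
Tue Mar 18 07:55:35 2025 user.info banIP-1.5.3-r3[14599]: finish banIP processing'

# messages_view: what reaches the 'messages' destination after the six
# not-match filters from the syslog-ng excerpt, expressed as fixed-string
# grep -v. Reads the log on stdin.
messages_view() {
    grep -Fv -e 'banIP' \
             -e 'reject lan forward' -e 'reject lan2 forward' \
             -e 'drop wan invalid' -e 'reject wan in' -e 'reject wan forward'
}

# fw_summary: for every firewall line the filters discard, count hits per
# (rule prefix, SRC address), most frequent first. Reads the log on stdin.
fw_summary() {
    awk '
        match($0, /(reject|drop) (wan|lan2?) (in|forward|invalid):/) {
            prefix = substr($0, RSTART, RLENGTH - 1)   # strip trailing colon
            src = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) src = substr($i, 5)
            count[prefix " " src]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Usage: what the messages file would contain, then what was filtered out.
printf '%s\n' "$SAMPLE_LOG" | messages_view
printf '%s\n' "$SAMPLE_LOG" | fw_summary
```

On the router the second half is `logread | fw_summary` (or the kernel log alone, as the post suggests), which gives a quick picture of who is hitting the wan rules even though those lines never reach /var/log/messages.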

These questions are probably better suited to a syslog-ng specific thread, rather than a banIP thread. You might want to visit this link for more detail: https://syslog-ng.github.io

Suggestion: add https://github.com/EnergizedProtection/block
Remove https://github.com/AdroitAdorKhan/antipopads-re

Not sure that I should report it here, but the myip list no longer works because of a certificate problem. The certificate was issued on the 17th of March and the browser (FF 136.0.1) can download it, but wget (both OpenWrt's and the 'real' one from Debian 12) fails because of a certificate problem.

Tue Mar 18 07:55:22 2025 user.info banIP-1.5.3-r3[14599]: start banIP processing (reload, 1.5.3-r3)
Tue Mar 18 07:55:22 2025 user.info banIP-1.5.3-r3[14599]: start banIP download processes
Tue Mar 18 07:55:29 2025 user.info banIP-1.5.3-r3[14599]: download for feed 'myip.v4' failed, rc: 4
Tue Mar 18 07:55:29 2025 user.info banIP-1.5.3-r3[14599]: download for feed 'myip.v6' failed, rc: 4
Tue Mar 18 07:55:35 2025 user.info banIP-1.5.3-r3[14599]: start banIP domain lookup
Tue Mar 18 07:55:35 2025 user.info banIP-1.5.3-r3[14599]: finish banIP processing
Tue Mar 18 07:55:35 2025 user.info banIP-1.5.3-r3[14599]: start detached banIP log service (/sbin/logread)

Hi:
What is the difference between selecting the same feed in 'Feed/Set Settings' and 'Feed Selection'?

If I select some feed under 'Inbound Feed', it says 'Override the default feed configuration and apply the feed to the inbound chain only.'

So will the feeds selected under 'Feed Selection' be applied to both inbound and outbound?

But there is also an 'Inbound & Outbound Feed' setting, so I'm a little confused.

Under the Feed Selection tab you enable/disable feeds with their default chain configuration (see the feed table in the readme for all defaults). If you want to change the defaults for a certain feed, then enter the Feed/Set Settings tab.

1 Like

Please report it upstream to the site admin; as a workaround you can enable "Download insecure".

Do you have the same?

Debian 12:

wget -v https://myip.ms/files/blacklist/general/latest_blacklist.txt
--2025-03-19 16:46:05--  https://myip.ms/files/blacklist/general/latest_blacklist.txt
Resolving myip.ms (myip.ms)... 2001:41d0:303:d9d6:237a::1, 146.59.166.237
Connecting to myip.ms (myip.ms)|2001:41d0:303:d9d6:237a::1|:443... connected.
ERROR: The certificate of 'myip.ms' is not trusted.
ERROR: The certificate of 'myip.ms' doesn't have a known issuer.

OpenWrt 24.10:

wget https://myip.ms/files/blacklist/general/latest_blacklist.txt
Downloading 'https://myip.ms/files/blacklist/general/latest_blacklist.txt'
Connecting to 2001:41d0:303:d9d6:237a::1:443
SSL verify error: certificate is self-signed or not signed by a trusted CA
Connection error: Invalid SSL certificate

I tried faking the user agent but it didn't work. Probably the problem is in OpenWrt's CA list...
... but wget says "self-signed certificate".

Could you add Lord Alfred's lists :blush: to block companies?

1 Like

I don't get the purpose of these list(s) - is it intended for inbound or outbound blocking?

It's all the IP ranges in use by Big Tech companies like Facebook and Google. For me it's mostly outbound blocking; I added them to custom lists, but I thought it might help others to at least drop the suggestion here.

Say I don't like G-oo-gle and want my exposure to that company to be as limited as possible. I block the company, then add any exceptions to the allow list.

2 Likes

Hi,
just an announcement about the next forthcoming banIP update. It mainly contains changes to the LuCI reporting. In addition to significant performance improvements, banIP reporting now includes a map in a modal popup window/iframe that shows the geolocation of your own uplink addresses (in green) and the locations of potential attackers (in red).
It uses Leaflet and OpenStreetMap (with CARTO basemaps), and the geolocation of the IP addresses is determined using the batch interface of ip-api.com. Here are some screenshots of the current development version:
Default view, centered on the local IP:

Attacker details view (onclick):

World view:

I'm currently testing the final touches and will probably release the new version next weekend.

Have fun!
Dirk

19 Likes

(FYI, it's untested)

Just an idea: I saw the "not supported" and thought, maybe something like this?

$ diff banip-functions.sh.original banip-functions.sh
320a321,329
> # uclient-fetch retry wrapper
> uclient_fetch(){
> 	local i
> 	for i in $(seq 1 1 ${ban_fetchretry:-5})
> 	do
> 		uclient-fetch "$@" && break
> 	done
> }
> 
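Review bot: the loop in uclient_fetch (the `for i in $(seq 1 1 ${ban_fetchretry:-5})` block) retries immediately and unconditionally, so a deterministic failure such as the certificate verification error reported earlier in this thread is simply repeated five times back to back with no pause and no benefit; add a `sleep` between attempts and consider checking the exit status so that errors which cannot clear on retry are not retried. `ban_fetchretry` is also a new setting that no visible config option or documentation introduces, so either document it alongside the other `ban_*` options or hard-code the count.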
339c348
< 						util="uclient-fetch"
---
> 						util="uclient_fetch"
372c381
< 		"uclient-fetch")
---
> 		"uclient_fetch")

This is amazing. Thank you.

1 Like

No, sorry - no convoluted workarounds. uclient-fetch is simply too limited ... just use a capable download program. Also, uclient-fetch doesn't support ETag handling, which is even more in favor of curl or full wget in my eyes.

1 Like

https://github.com/openwrt/openwrt/issues/18358 - looks like ca-bundle problem. The problem is gone after loading GlobalSign certificate manually.

As @brada4 correctly pointed out, myip.ms is not serving the full certificate chain as required by the RFC. That's the true reason why command-line tools fail to download (no AIA support, I suppose).

3 Likes

You can save popular intermediate certs in your own store.

Well, yes, this is what I offered. The correct way would be to contact site admin but I failed to find contact information on their website.
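To make the failure mode from the last few posts concrete, here is an added shell example (not from the thread and not part of banIP) that builds a throwaway root -> intermediate -> leaf chain with the openssl CLI and shows both halves of the diagnosis: a client that trusts only the root cannot verify the leaf on its own, which is what wget and uclient-fetch report when a server omits its intermediate, and the same leaf verifies once the intermediate is supplied locally, which is the "save the intermediate in your own store" workaround. `served_chain_length` shows how to count what a live server actually sends; it needs network access and is not exercised by the offline part. All names (Example Root CA, feed.example.test) are made up, the config file is written by the example itself, and openssl's `-untrusted` file stands in for whatever store the download tool consults.

```shell
#!/bin/sh
# Requires the openssl CLI (1.1.1 or newer). Everything is created in a temp
# directory; no real CA or host is involved.

# build_chain: create root -> intermediate -> leaf in a fresh temp directory
# and print that directory's path.
build_chain() {
    chain_dir=$(mktemp -d)
    # Minimal config: req needs a distinguished_name section even with -subj,
    # and the two extension sections mark CA vs. end-entity certificates.
    cat > "$chain_dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:feed.example.test
EOF
    # Self-signed root: the only thing in our pretend CA bundle.
    openssl req -x509 -new -config "$chain_dir/ext.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -keyout "$chain_dir/root.key" \
        -out "$chain_dir/root.crt" -subj "/CN=Example Root CA" -days 2 >/dev/null 2>&1
    # Intermediate, signed by the root.
    openssl req -new -config "$chain_dir/ext.cnf" -newkey rsa:2048 -nodes \
        -keyout "$chain_dir/int.key" -out "$chain_dir/int.csr" \
        -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
    openssl x509 -req -in "$chain_dir/int.csr" -CA "$chain_dir/root.crt" \
        -CAkey "$chain_dir/root.key" -CAcreateserial -extfile "$chain_dir/ext.cnf" \
        -extensions v3_ca -days 1 -out "$chain_dir/int.crt" >/dev/null 2>&1
    # Leaf, signed by the intermediate: what a misconfigured server sends alone.
    openssl req -new -config "$chain_dir/ext.cnf" -newkey rsa:2048 -nodes \
        -keyout "$chain_dir/leaf.key" -out "$chain_dir/leaf.csr" \
        -subj "/CN=feed.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$chain_dir/leaf.csr" -CA "$chain_dir/int.crt" \
        -CAkey "$chain_dir/int.key" -CAcreateserial -extfile "$chain_dir/ext.cnf" \
        -extensions v3_leaf -days 1 -out "$chain_dir/leaf.crt" >/dev/null 2>&1
    echo "$chain_dir"
}

# verify_leaf_only: the download tool's view when the server omits the
# intermediate. Returns non-zero ("unable to get local issuer certificate").
verify_leaf_only() {
    openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# verify_with_intermediate: the thread's workaround, the intermediate supplied
# from a local store. Returns 0 ("leaf.crt: OK").
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# served_chain_length: number of certificates a live server actually presents
# (1 means leaf only). Needs network access; not used by the offline checks.
served_chain_length() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Demo when run as: sh this_script.sh demo
# Prints "leaf only: FAIL" and then "with intermediate: OK".
if [ "${1:-}" = "demo" ]; then
    dir=$(build_chain)
    if verify_leaf_only "$dir"; then echo "leaf only: OK"; else echo "leaf only: FAIL"; fi
    if verify_with_intermediate "$dir"; then echo "with intermediate: OK"; else echo "with intermediate: FAIL"; fi
    rm -rf "$dir"
fi
```

Running `served_chain_length myip.ms` on a host with network access tells you directly whether the server sends only the leaf; a browser hides this because it fetches or caches intermediates itself, while the command-line tools verify strictly against what arrived on the wire plus the local store.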