Yep, you're using the allowlist-only mode; there is no nftables Set / block list from which data can be extracted. I'll disable the button in that mode with the next update ...
OK, thanks. As best as I can tell in testing, for my purposes it's just "Inbound Feed" (local allowlist) that needs setting of the three you showed given that I'm only dealing with Inbound allowlisting.
"Inbound Feed" seems to serve the function of the two obsolete ones that I mentioned earlier.
Small issue... I updated my system from 23.05 -> 24.02 without any problems yesterday.
In parallel, banIP was updated from 1.02 -> 1.5 with the current config. I read not to save the current config and to reconfigure banIP...
Now I find out that I can't see MAC or src-IP(hardware) in the log file...
OK, I reinstalled banIP (cleaned the directories etc/config, etc/banip/ and tmp/), but I can no longer see the MAC or device IP in the log file...
Before I upgraded banIP I was able to see the MAC and src IP of the device...
Now I see no MAC and no device IP.
banIP/inbound/drop/country.v4: IN=pppoe-WAN_GF OUT= MAC= SRC=213.21.126.43 DST=87.184.66.233
This is not an error. It's normal behavior when using PPPoE (Point-to-Point Protocol over Ethernet).
You're using a PPPoE interface (pppoe-WAN_GF) for your internet connection.
PPPoE is not a typical Ethernet interface in how it exposes traffic.
Even though it's technically transported over Ethernet, the actual IP traffic is encapsulated inside PPP frames, and the kernel doesn't always expose the underlying Ethernet/MAC headers in this context.
As a result, the MAC address is not available to nftables for logging, so MAC= is left empty.
Bottom line: this behavior is expected with PPPoE interfaces.
If you look at traffic on a regular Ethernet interface (like eth0, enp0s3, etc.), you will see the MAC addresses in the log.
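As an added example (not code from the thread or from banIP itself), the following Python snippet parses banIP-prefixed nftables log lines and tells apart an empty MAC= field that is expected (no Ethernet header at the netfilter hook, e.g. on a pppoe-* device) from one that is not. The interface-prefix list and all log lines except the first are constructed assumptions for this example; the outbound line assumes traffic logged on its LAN ingress side, where nf_log prints the Ethernet header as dst-MAC:src-MAC:ethertype.

```python
import re

# Constructed sample log lines. The first mirrors the line quoted in the thread;
# the others are made up for this example in the layout nf_log uses for an
# nftables `log prefix` rule.
SAMPLE_LOG = """\
banIP/inbound/drop/country.v4: IN=pppoe-WAN_GF OUT= MAC= SRC=213.21.126.43 DST=87.184.66.233 LEN=40 PROTO=TCP DPT=22
banIP/inbound/drop/dshield.v4: IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP DPT=443
banIP/outbound/drop/feodo.v4: IN=br-lan OUT=pppoe-WAN_GF MAC=c4:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.23 DST=203.0.113.9 LEN=52 PROTO=TCP DPT=8080
kernel: some unrelated message
"""

# banIP log prefix: banIP/<chain>/<action>/<feed>: followed by nf_log key=value fields
PREFIX_RE = re.compile(r"banIP/(?P<chain>[^/]+)/(?P<action>[^/]+)/(?P<feed>[^:]+):\s*(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Device-name prefixes that carry IP without an Ethernet header at the hook
# (PPP/PPPoE, WWAN modem drivers, tunnels). This list is an assumption for the
# example; adjust it to the device names `ip link` shows on your router.
NON_ETHERNET_PREFIXES = ("pppoe-", "ppp", "wwan", "3g-", "wg", "tun")


def parse_line(line):
    """Return a dict of the banIP prefix parts plus nf_log fields, or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m["chain"], "action": m["action"], "feed": m["feed"]}
    rec.update(dict(FIELD_RE.findall(m["rest"])))   # IN, OUT, MAC, SRC, DST, ...
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def src_mac(rec):
    """nf_log's MAC= field is dst-MAC:src-MAC:ethertype (14 octets); return the src MAC."""
    octets = rec.get("MAC", "").split(":")
    if len(octets) != 14:
        return None
    return ":".join(octets[6:12])


def mac_status(rec):
    """Classify an empty MAC= field: expected on non-Ethernet ingress, otherwise suspicious."""
    if src_mac(rec):
        return "present"
    if rec.get("IN", "").startswith(NON_ETHERNET_PREFIXES):
        return "expected-empty"      # no Ethernet header on a point-to-point / modem device
    return "unexpected-empty"


def device_hint(rec):
    """Best available identifier for the host that sent the packet."""
    return src_mac(rec) or rec.get("SRC") or "?"


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(f'{rec["chain"]:8} {rec["feed"]:12} IN={rec.get("IN", ""):13} '
              f'MAC={mac_status(rec):16} device={device_hint(rec)}')
```

Run it as `python3 banip_log.py` or feed `logread -e banIP` output into `parse_log`. For the quoted WAN-side line the MAC is classified as expected-empty; on an Ethernet or bridge ingress device the source MAC is recoverable from the middle six octets of the MAC= field and identifies the LAN host.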
Thanks for responding, but why could I see the MAC & source device IP in banIP 1.02? That is why I ask.
Now I cannot identify which device sends out / requests a banned IP.
Another kernel, another nftables version ... I don't know. Ask on the netfilter mailing list if you think that this is a bug. banIP only prints the nftables output, without further modification.
Dirk, I still have to come back to the change from 1.02 to 1.5.
MAC and source/device IP are no longer displayed in the firewall log; very bad for analysis of which device requested a banned IP or, in the worst case, which device has been compromised.
I have a failover system, WAN-pppoe and WAN-5G. Although I have activated ban filters, these are no longer displayed with the WAN-5G interface: no ASN, no country, nothing...
I have set up banIP fresh after I deleted the old configs...
config banip 'global'
option ban_enabled '1'
option ban_debug '1'
option ban_autodetect '0'
option ban_fetchretry '5'
option ban_nicelimit '-10'
option ban_filelimit '1024'
option ban_deduplicate '1'
option ban_nftpriority '-100'
option ban_icmplimit '25'
option ban_synlimit '10'
option ban_udplimit '100'
option ban_nftpolicy 'performance'
option ban_nftretry '5'
option ban_blockpolicy 'drop'
option ban_nftloglevel 'warn'
option ban_logprerouting '1'
option ban_loginbound '1'
option ban_logoutbound '1'
option ban_loglimit '100'
list ban_region 'AFRINIC'
list ban_region 'APNIC'
list ban_region 'ARIN'
list ban_region 'LACNIC'
list ban_region 'RIPE'
list ban_asn '138699'
list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/at-aggregated.zone'
list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/ca-aggregated.zone'
list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/fi-aggregated.zone'
list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/fr-aggregated.zone'
list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/de-aggregated.zone'
list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/ie-aggregated.zone'
list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/nl-aggregated.zone'
list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/pl-aggregated.zone'
list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/ch-aggregated.zone'
list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/gb-aggregated.zone'
list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/us-aggregated.zone'
option ban_autoallowlist '1'
option ban_autoallowuplink 'subnet'
option ban_autoblocklist '1'
option ban_allowlistonly '0'
option ban_fetchcmd 'uclient-fetch'
option ban_protov4 '1'
list ban_logterm 'Exit before auth from'
list ban_logterm 'luci: failed login'
list ban_logterm 'AdGuardHome.*\[error\].*/control/login: from ip'
option ban_nftcount '1'
option ban_map '1'
option ban_autoblocksubnet '1'
list ban_feed 'asn'
list ban_feed 'becyber'
list ban_feed 'binarydefense'
list ban_feed 'bogon'
list ban_feed 'bruteforceblock'
list ban_feed 'cinsscore'
list ban_feed 'country'
list ban_feed 'debl'
list ban_feed 'doh'
list ban_feed 'drop'
list ban_feed 'dshield'
list ban_feed 'etcompromised'
list ban_feed 'feodo'
list ban_feed 'firehol2'
list ban_feed 'firehol3'
list ban_feed 'firehol4'
list ban_feed 'ipthreat'
list ban_feed 'turris'
list ban_feed 'voip'
list ban_feed 'webclient'
option ban_countrysplit '1'
list ban_feedcomplete 'doh'
list ban_dev 'lan2'
list ban_dev 'pppoe-WAN_GF'
list ban_ifv4 'WAN_GF'
list ban_ifv4 'WAN2_5G'
Sorry, I have no better answer ... ask on the netfilter mailing list. Even 5G modems/interfaces are provided by modem drivers (like qmi_wwan, mbim, cdc_ncm, rndis, or ppp), which use non-Ethernet transport protocols, such as: