Renato
January 9, 2026, 9:03am
3005
Everything started to work again after clicking on the “Refresh” button a few times:
GeoIP Map wasn’t working at this time:
:::
::: banIP Set Statistics
:::
Timestamp: 2026-01-08 11:14:31
------------------------------
blocked syn-flood packets : 990
blocked udp-flood packets : 78
blocked icmp-flood packets : 146927
blocked invalid ct packets : 15880
blocked invalid tcp packets: 0
---
auto-added IPs to allowlist: 0
auto-added IPs to blocklist: 0
Also didn’t work:
:::
::: banIP Set Statistics
:::
Timestamp: 2026-01-08 11:16:31
------------------------------
blocked syn-flood packets : 990
blocked udp-flood packets : 78
blocked icmp-flood packets : 147160
blocked invalid ct packets : 15880
blocked invalid tcp packets: 0
---
auto-added IPs to allowlist: 0
auto-added IPs to blocklist: 0
Also didn’t work:
:::
::: banIP Set Statistics
:::
Timestamp: 2026-01-08 12:33:51
------------------------------
blocked syn-flood packets : 990
blocked udp-flood packets : 78
blocked icmp-flood packets : 156278
blocked invalid ct packets : 16142
blocked invalid tcp packets: 0
---
auto-added IPs to allowlist: 0
auto-added IPs to blocklist: 0
Started to work at this point:
:::
::: banIP Set Statistics
:::
Timestamp: 2026-01-08 15:55:34
------------------------------
blocked syn-flood packets : 990
blocked udp-flood packets : 85
blocked icmp-flood packets : 180052
blocked invalid ct packets : 16421
blocked invalid tcp packets: 0
---
auto-added IPs to allowlist: 0
auto-added IPs to blocklist: 0
# wc -l ban_map.jsn
306 ban_map.jsn
# wc -l ban_report.jsn
27 ban_report.jsn
# wc -l ban_report.txt
4166 ban_report.txt
maxdd
January 10, 2026, 12:20pm
3006
Is the logging from the WAN zone (in firewall) also catching banIP drops or is it chained after?
sqrwv
January 10, 2026, 5:40pm
3007
By definition/design the deduplicate function will deduplicate all sets.
Probably this is known, but I only noticed it today:
Since the DNS set only applies to ports 53;853 and the DoH set only applies to 80;443 ports, if there are duplicated IPs in these 2 sets they will be removed from the DoH set and they won't be banned with 80;443 ports.
These 2 sets shouldn’t be deduplicated between themselves, since they apply to different ports. We can disable the deduplicate function to solve the issue.
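The coverage gap described in the post above, as an added example that is not part of the original post and not banIP's own code: a simplified Python model of port-scoped sets with cross-set deduplication. The feed order, the documentation-range addresses and the "scoped" mode are assumptions made for illustration.

```python
# Simplified model, not banIP code: each set is a list of IPs plus the
# destination ports its drop rule matches. Addresses are constructed samples.
FEEDS = [  # assumed processing order: DNS is loaded before DoH
    ("dns", {53, 853}, ["192.0.2.10", "192.0.2.53"]),
    ("doh", {80, 443}, ["192.0.2.53", "198.51.100.7"]),
]

def build_sets(feeds, dedup="global"):
    """Return {name: (ports, ips)} after applying one deduplication mode.

    "global": drop an IP if any earlier set already holds it.
    "scoped": hypothetical mode, drop it only if the earlier sets holding
              it already cover every port of the current set.
    "off":    keep every feed as delivered.
    """
    sets = {}
    for name, ports, ips in feeds:
        kept = set()
        for ip in ips:
            # Ports on which this IP is already dropped by earlier sets.
            covered = set()
            for other_ports, other_ips in sets.values():
                if ip in other_ips:
                    covered |= other_ports
            if dedup == "global" and covered:
                continue
            if dedup == "scoped" and ports <= covered:
                continue
            kept.add(ip)
        sets[name] = (ports, kept)
    return sets

def is_blocked(sets, ip, port):
    """True if some set both contains the IP and matches the port."""
    return any(port in ports and ip in ips for ports, ips in sets.values())

def coverage_gaps(feeds, sets):
    """(ip, port) pairs the feeds intend to block but the built sets miss."""
    return sorted(
        (ip, port)
        for _, ports, ips in feeds
        for ip in ips
        for port in ports
        if not is_blocked(sets, ip, port)
    )

if __name__ == "__main__":
    for mode in ("global", "scoped", "off"):
        print(mode, coverage_gaps(FEEDS, build_sets(FEEDS, mode)))
```

With global deduplication the address listed in both feeds stays blocked on 53/853 only; the other two modes leave no gap.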
dibdot
January 11, 2026, 5:00am
3008
There is already an option under "Feed/Set Settings" for that ...
Check with IP Search:
3 Likes
sqrwv
January 11, 2026, 10:59am
3009
Thanks! That's exactly what I was looking for and the option was already there.
1 Like
dibdot
January 12, 2026, 10:46pm
3010
FYI, a new banIP release 1.8.0 is in master:
committed 09:59PM - 12 Jan 26 UTC
* hardened the uci config parsing
* added a fast, flexible & secure IPv4/IPv6 validator function, it eliminates > 99 % of garbage inputs
Please note: The ‘rule’ in the feed file now only contains parameters for the IP validator;
details can be found in the readme file. Old custom feed files are not compatible and will be
backed up/removed via the uci-defaults script
* added BCP38 support: to block packets with spoofed source IP addresses in all supported chains
* optimized the log monitor plus performance improvements
* removed the pallebone feed (discontinued)
* added the ipexdbl feed
* various small improvements
* LuCI: add the BCP38 option under Table/Chain Settings
* LuCI: updating the custom feed editor
* LuCI: small usability improvements
* readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
The BCP38 implementation in banIP uses nftables’ FIB lookup to enforce this. It checks whether the packet’s source address is not valid for the incoming interface or whether the routing table reports no route for this source on this interface. Packets that fail this check are dropped.
Have fun!
Dirk
Edit: backported to next stable branch 25.12.x as well.
6 Likes
RSHARM
January 14, 2026, 2:29pm
3011
I added 9.9.9.9 to allowlist but DoH list is still blocking it.
Also, how to only allow an IP for a certain interface/zone or clients?
dibdot
January 14, 2026, 4:19pm
3012
Not reproducible, did you reload after the allowlist addition?
Please consult the readme - keywords are "ban_vlanallow" and "MAC/IP-binding"
dibdot
January 14, 2026, 6:10pm
3014
Then explain how did you test that banIP blocks that IP?
To get results, open your browser and try to open "https://9.9.9.9", after that post the output of:
/etc/init.d/banip content allowlist.v4
and
/etc/init.d/banip report