it is actually occuring on an ipv4 link, and seems to be associated with this bug----
OK, then please wait for the next pre-release. This one will start even without a trigger interface ... 
2 Likes
I am currently patching the hotplug for the main firewall per this post :
because it seems to be breaking other script functionality as well. The Irony is, the address is not actually updating or changing, it appears only the lease time changes. This is definitely a bad bug.
1 Like
New test pre-release available (most probably the last one this year) with the following changes:
banIP_0.8.0pre1:
- added MAC allowlist and MAC blacklist support within the forward chain.
MAC addresses will be entered in the normal allow-/blacklist.
- added automatic backup & restore for external feeds
- migrated all feeds to new banIP version (thanks @jumpsmm7 for additional feeds)
- added '/etc/init.d/banip status' reporting
- added trigger support (see sample config)
- without trigger, banIP will be started after a timeout (default 10 seconds,
set ban_triggerdelay accordingly)
- renamed some (list) options: ban_sources=>ban_feed,
ban_logincoming=>ban_logingress, ban_logoutgoing=>ban_logforward
- various fixes
Example status output:
::: banIP runtime information
+ status : active
+ version : -
+ element_count : 30510
+ active_feeds : allowlistvMAC, allowlistv4, allowlistv6, blocklistv6, blocklistvMAC, blocklistv4, dohv6, dohv4, firehol1v4, deblv6, deblv4, firehol2v4
+ active_devices : eth2
+ active_interfaces : wan, wan6
+ active_subnets : 91.67.188.139/24, 2a02:810c:0:80:e442:4b0c:845d:1d43/128
+ run_info : base_dir: /tmp, backup_dir: /tmp/banIP-backup, feed_archive: /etc/banip/banip.feeds.gz
+ run_flags : protocol (4/6): ā/ā, log (ingress/forward): ā/ā, allowlist only: ā
+ last_run : action: reload, duration: 0m 10s, date: 01.12.2022 22:24:22
+ system_info : memory: 1725, cores: 2, device: Turris Omnia, OpenWrt SNAPSHOT r21376-af8bc8e51b
Please start with the new commented config ... and happy testing! 
Thanks!
6 Likes
Heads up: I found and fixed a bug in the log parsing part of the latest pre1 version. Please re-download and re-install pre1 - sorry for the mess.
1 Like
Where can I find a prerelease compatible banip-luci (NFT PreRelease) package?
Arch: mediatek/mt7622 (RT3200)
cd /tmp/
wget https://github.com/dibdot/banIP-prereleases/raw/main/banip_0.8.0pre1-1_all.ipk
1 Like
Nowhere, the frontend part is not available yet.
1 Like
I don't think I've been affected. I have it disabled, but I will re-download it. Thanks heaps.
1 Like
Running banip_0.8.0pre1 on Xiaomi AX3600 (Architecture ARMv8 Processor rev 4, Target Platform ipq807x/generic)
::: banIP runtime information
+ status : active
+ version : 0.8.0pre1-1
+ element_count : 31278
+ active_feeds : allowlistvMAC, allowlistv6, allowlistv4, blocklistvMAC, blocklistv6, blocklistv4, deblv6, deblv4, dohv6, dohv4, firehol1v4, torv4, torv6, firehol2v4
+ active_devices : eth0
+ active_interfaces : wan
+ active_subnets : 188.192.40.15/24
+ run_info : base_dir: /tmp, backup_dir: /tmp/banIP-backup, feed_archive: /etc/banip/banip.feeds.gz
+ run_flags : protocol (4/6): ā/ā, log (ingress/forward): ā/ā, allowlist only: ā
+ last_run : action: reload, duration: 0m 16s, date: 02.12.2022 17:53:32
+ system_info : memory: 129, cores: 4, device: Xiaomi AX3600, OpenWrt SNAPSHOT r17769+3625-333f93333e
Seems to work:
Fri Dec 2 18:01:10 2022 kern.info kernel: [ 2502.535796] banIP_drop: IN=eth0 OUT= MAC=28:d1:27:fc:80:90:00:17:10:90:f6:24:08:00 SRC=146.88.240.4 DST=188.192.40.15 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=54321 PROTO=TCP SPT=35538 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Fri Dec 2 18:01:58 2022 kern.info kernel: [ 2550.909885] banIP_drop: IN=eth0 OUT= MAC=28:d1:27:fc:80:90:00:17:10:90:f6:24:08:00 SRC=89.248.165.204 DST=188.192.40.15 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=51421 PROTO=TCP SPT=58313 DPT=4108 WINDOW=1024 RES=0x00 SYN URGP=0
Fri Dec 2 18:02:34 2022 kern.info kernel: [ 2586.936950] banIP_drop: IN=eth0 OUT= MAC=28:d1:27:fc:80:90:00:17:10:90:f6:24:08:00 SRC=89.248.165.104 DST=188.192.40.15 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=24308 PROTO=TCP SPT=57015 DPT=235 WINDOW=1024 RES=0x00 SYN URGP=0
Fri Dec 2 18:02:41 2022 kern.info kernel: [ 2593.692367] banIP_drop: IN=eth0 OUT= MAC=28:d1:27:fc:80:90:00:17:10:90:f6:24:08:00 SRC=89.248.165.104 DST=188.192.40.15 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=22976 PROTO=TCP SPT=57015 DPT=40300 WINDOW=1024 RES=0x00 SYN URGP=0
Fri Dec 2 18:02:51 2022 kern.info kernel: [ 2603.778641] banIP_drop: IN=eth0 OUT= MAC=28:d1:27:fc:80:90:00:17:10:90:f6:24:08:00 SRC=89.248.165.204 DST=188.192.40.15 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=13389 PROTO=TCP SPT=58313 DPT=4111 WINDOW=1024 RES=0x00 SYN URGP=0
Fri Dec 2 18:03:31 2022 kern.info kernel: [ 2643.923446] banIP_drop: IN=eth0 OUT= MAC=28:d1:27:fc:80:90:00:17:10:90:f6:24:08:00 SRC=89.248.165.97 DST=188.192.40.15 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=54371 PROTO=TCP SPT=50447 DPT=62 WINDOW=1024 RES=0x00 SYN URGP=0
Fri Dec 2 18:04:20 2022 kern.info kernel: [ 2693.312099] banIP_drop: IN=eth0 OUT= MAC=28:d1:27:fc:80:90:00:17:10:90:f6:24:08:00 SRC=89.248.163.218 DST=188.192.40.15 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=50359 PROTO=TCP SPT=45024 DPT=3940 WINDOW=1024 RES=0x00 SYN URGP=0
Thanks a lot!
2 Likes
I am currently updating the descriptions on some of my feeds, I will share with you later.
1 Like
Working great here!
::: banIP runtime information
+ status : active
+ version : 0.8.0pre1-1
+ element_count : 708583
+ active_feeds : allowlistvMAC, allowlistv6, allowlistv4, blocklistvMAC, blocklistv6, blocklistv4, alienvaultv4, biany230dv4, bdsatifv4, backscattererv4, asnv6, asnv4, bogonv4, ciarmyv4, ciarmymaliciousv4, blocklistnetuav4, bogonv6, coinblhostsbrowserv4, cybercrimev4, countryv6, darklistv4, countryv4, dropv4, dropv6, dshieldv4, dshield1dv4, deblv6, deblv4, edropv4, dyndnsponmocupv4, etblockv4, energizedv4, feodov4, firehol1v4, firehol2v4, firehol3v4, highbruteforcev4, highattackv4, greensnowv4, firehol4v4, iocipfeedv4, ioctweetfeedv4, iblockspyv4, iblockadsv4, nastiesv4, myipv4, myipv6, pedophilesv4, nixspamv4, proxyv4, sslblv4, threatv4, talosv4, urlvirv4, torv6, torv4, voipv4, uceprotect1v4
+ active_devices : eth1
+ active_interfaces : wan, wan6
+ active_subnets : 7REDACT/23, 2001:5REDACT/128
+ run_info : base_dir: /tmp, backup_dir: /tmp/banIP-backup, feed_archive: /etc/banip/banip.feeds.gz
+ run_flags : protocol (4/6): ā/ā, log (ingress/forward): ā/ā, counter: ā, allowlist only: ā
+ last_run : action: init, duration: 1m 32s, date: 02.12.2022 16:44:24
+ system_info : memory: 11692, cores: 4, device: Default string Default string, OpenWrt 22.03.2 r19803-9a599fee93
1 Like
What does your /etc/init.d/banip status look like so far? (obviously redact anything you consider private such as IP addresses.)
How does your test network handle? Have you tested any actual blocks?
See below:
@openwrt# ā ~ /etc/init.d/banip status
::: banIP runtime information
+ status : active
+ version : 0.8.0pre1-1
+ element_count : 2558
+ active_feeds : allowlistvMAC, allowlistv4, allowlistv6, blocklistvMAC, blocklistv4, blocklistv6, dohv6, dohv4, firehol1v4
+ active_devices : eth1
+ active_interfaces : wan, wan6
+ active_subnets : 180.x.x.x/22, 2403:xxxx:xxxx:xx:xxxx:xxxx:xxxx:3/128
+ run_info : base_dir: /tmp, backup_dir: /tmp/banIP-backup, feed_archive: /etc/banip/banip.feeds.gz
+ run_flags : protocol (4/6): ā/ā, log (ingress/forward): ā/ā, allowlist only: ā
+ last_run : action: init, duration: 0m 2s, date: 02.12.2022 15:55:56
+ system_info : memory: 3595, cores: 4, device: Raspberry Pi 4 Model B Rev 1.2, OpenWrt SNAPSHOT r21335-e410833bdd
Some statistics:
table inet banIP {
chain lan-forward {
type filter hook forward priority raw; policy accept;
ether saddr @allowlistvMAC oifname "eth1" ct state new counter packets 14805 bytes 3725634 accept
ip daddr @allowlistv4 oifname "eth1" ct state new counter packets 0 bytes 0 accept
ip6 daddr @allowlistv6 oifname "eth1" ct state new counter packets 0 bytes 0 accept
ether saddr @blocklistvMAC oifname "eth1" ct state new limit rate 2/second log prefix "banIP_reject: " level info counter packets 0 bytes 0 reject
ip daddr @blocklistv4 oifname "eth1" ct state new limit rate 2/second log prefix "banIP_reject: " level info counter packets 0 bytes 0 reject with icmp admin-prohibited
ip6 daddr @blocklistv6 oifname "eth1" ct state new limit rate 2/second log prefix "banIP_reject: " level info counter packets 0 bytes 0 reject with icmpv6 admin-prohibited
ip6 daddr @dohv6 oifname "eth1" ct state new limit rate 2/second log prefix "banIP_reject: " level info counter packets 0 bytes 0 reject with icmpv6 admin-prohibited
ip daddr @dohv4 oifname "eth1" ct state new limit rate 2/second log prefix "banIP_reject: " level info counter packets 4 bytes 304 reject with icmp admin-prohibited
ip daddr @firehol1v4 oifname "eth1" ct state new limit rate 2/second log prefix "banIP_reject: " level info counter packets 112 bytes 6140 reject with icmp admin-prohibited
}
}
This is how I usually run my network. So far, so good with the new banIP.
QQ, do I have to keep my cron job with banip reload for the feeds to update? I reckon yes is the answer.
1 Like
awesome man!
Here is my current forward chain:
root@OpenWrt:~# nft list chain inet banIP lan-forward
table inet banIP {
chain lan-forward {
type filter hook forward priority raw; policy accept;
ether saddr @allowlistvMAC oifname "eth1" ct state new counter packets 0 bytes 0 accept
ip daddr @allowlistv4 oifname "eth1" ct state new counter packets 38080 bytes 3280064 accept
ip6 daddr @allowlistv6 oifname "eth1" ct state new counter packets 22958 bytes 2499237 accept
ether saddr @blocklistvMAC oifname "eth1" ct state new counter packets 0 bytes 0 reject
ip6 daddr @blocklistv6 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmpv6 admin-prohibited
ip daddr @blocklistv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @alienvaultv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @biany230dv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @backscattererv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @bdsatifv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip6 daddr @asnv6 oifname "eth1" ct state new counter packets 2 bytes 176 reject with icmpv6 admin-prohibited
ip daddr @asnv4 oifname "eth1" ct state new counter packets 2320 bytes 181380 reject with icmp admin-prohibited
ip daddr @bogonv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip6 daddr @bogonv6 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmpv6 admin-prohibited
ip daddr @ciarmymaliciousv4 oifname "eth1" ct state new counter packets 6 bytes 552 reject with icmp admin-prohibited
ip daddr @ciarmyv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @blocklistnetuav4 oifname "eth1" ct state new counter packets 20 bytes 2152 reject with icmp admin-prohibited
ip daddr @cybercrimev4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @coinblhostsbrowserv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @darklistv4 oifname "eth1" ct state new counter packets 26 bytes 1888 reject with icmp admin-prohibited
ip daddr @dropv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip6 daddr @dropv6 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmpv6 admin-prohibited
ip daddr @dshieldv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @dshield1dv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip6 daddr @deblv6 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmpv6 admin-prohibited
ip daddr @deblv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @edropv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @dyndnsponmocupv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @etblockv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @energizedv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @feodov4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @firehol1v4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @firehol2v4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @firehol3v4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @highbruteforcev4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @highattackv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @iblockspyv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @greensnowv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @nastiesv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @ioctweetfeedv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @iocipfeedv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @myipv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip6 daddr @myipv6 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmpv6 admin-prohibited
ip daddr @proxyv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @sslblv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @nixspamv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @pedophilesv4 oifname "eth1" ct state new counter packets 10 bytes 1004 reject with icmp admin-prohibited
ip daddr @threatv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip6 daddr @torv6 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmpv6 admin-prohibited
ip daddr @torv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @talosv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @uceprotect1v4 oifname "eth1" ct state new counter packets 3 bytes 258 reject with icmp admin-prohibited
ip daddr @urlvirv4 oifname "eth1" ct state new counter packets 0 bytes 0 reject with icmp admin-prohibited
ip daddr @urlhausv4 oifname "eth1" ct state new counter packets 2 bytes 140 reject with icmp admin-prohibited
ip daddr @voipv4 oifname "eth1" ct state new counter packets 2265 bytes 117276 reject with icmp admin-prohibited
}
}
Just to provide more feedback and support, last night I also installed 0.8.0pre1-1 on my nanopi r4s running 22.03.2. It seems to be running beautifully and working well as others have also reported.
Thank you so much for working on the new nft/fw4 compatibility! Your effort is most appreciated and useful.
1 Like
When the new version of banip is out. It would be nice if the people from this thread could rite a dummy guide to using banip. How to set it up, why you would want to use it, How it works, What the best lists are and how to make sure it's working. BanIP for Noobs. @dibdot thanks for all your hard work.
1 Like
With so many lists, Iām interested in the output of running your ruleset through the nft optimizer.
nft list ruleset | nft -c -o -f /dev/stdin
2 Likes
hypothetically, they could all be merged like so
Merging:
/dev/stdin:305050:3-146: icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } limit rate 1000/second ip6 hoplimit 1 counter packets 0 bytes 0 accept
/dev/stdin:305051:3-148: icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } limit rate 1000/second ip6 hoplimit 255 counter packets 0 bytes 0 accept
into:
icmpv6 type . ip6 hoplimit { { nd-router-advert,
nd-neighbor-solicit,
nd-neighbor-advert } . 1, { nd-router-advert,
nd-neighbor-solicit,
nd-neighbor-advert } . 255 } limit rate 1000/second counter packets 0 bytes 0 accept
Merging:
/dev/stdin:305056:3-112: ip saddr @alienvaultv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305057:3-109: ip saddr @bdsatifv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305058:3-111: ip saddr @biany230dv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
into:
ip saddr { alienvaultv4, bdsatifv4, biany230dv4 } limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
Merging:
/dev/stdin:305060:3-105: ip saddr @asnv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305061:3-107: ip saddr @bogonv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305062:3-108: ip saddr @ciarmyv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305063:3-117: ip saddr @ciarmymaliciousv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305064:3-116: ip saddr @blocklistnetuav4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
into:
ip saddr { asnv4, bogonv4, ciarmyv4, ciarmymaliciousv4, blocklistnetuav4 } limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
Merging:
/dev/stdin:305066:3-112: ip saddr @cybercrimev4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305067:3-120: ip saddr @coinblhostsbrowserv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305068:3-110: ip saddr @darklistv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
into:
ip saddr { cybercrimev4, coinblhostsbrowserv4, darklistv4 } limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
Merging:
/dev/stdin:305072:3-106: ip saddr @dropv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305073:3-111: ip saddr @dshield1dv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305074:3-109: ip saddr @dshieldv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
into:
ip saddr { dropv4, dshield1dv4, dshieldv4 } limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
Merging:
/dev/stdin:305076:3-106: ip saddr @deblv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305077:3-107: ip saddr @edropv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305078:3-116: ip saddr @dyndnsponmocupv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305079:3-109: ip saddr @etblockv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305080:3-111: ip saddr @energizedv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305081:3-107: ip saddr @feodov4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305082:3-110: ip saddr @firehol1v4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305083:3-110: ip saddr @firehol3v4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305084:3-110: ip saddr @firehol2v4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305085:3-112: ip saddr @highattackv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305086:3-116: ip saddr @highbruteforcev4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305087:3-111: ip saddr @iblockspyv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305088:3-111: ip saddr @greensnowv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305089:3-109: ip saddr @nastiesv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305090:3-111: ip saddr @iocipfeedv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305091:3-114: ip saddr @ioctweetfeedv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
into:
ip saddr { deblv4, edropv4, dyndnsponmocupv4, etblockv4, energizedv4, feodov4, firehol1v4, firehol3v4, firehol2v4, highattackv4, highbruteforcev4, iblockspyv4, greensnowv4, nastiesv4, iocipfeedv4, ioctweetfeedv4 } limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
Merging:
/dev/stdin:305093:3-106: ip saddr @myipv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305094:3-107: ip saddr @proxyv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305095:3-107: ip saddr @sslblv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305096:3-109: ip saddr @nixspamv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305097:3-112: ip saddr @pedophilesv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305098:3-108: ip saddr @threatv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
into:
ip saddr { myipv4, proxyv4, sslblv4, nixspamv4, pedophilesv4, threatv4 } limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
Merging:
/dev/stdin:305100:3-105: ip saddr @torv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305101:3-107: ip saddr @talosv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305102:3-113: ip saddr @uceprotect1v4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305103:3-108: ip saddr @urlvirv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305104:3-109: ip saddr @urlhausv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305105:3-106: ip saddr @voipv4 limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
into:
ip saddr { torv4, talosv4, uceprotect1v4, urlvirv4, urlhausv4, voipv4 } limit rate 2/second log prefix "banIP_drop: " level info counter packets 0 bytes 0 drop
/dev/stdin:305050:100-111: Error: can not use variable sized data types (integer) in concat expressions
icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } limit rate 1000/second ip6 hoplimit 1 counter packets 0 bytes 0 accept
^^^^^^^^^^^^
But that is up to @dibdot on how he wishes to merge the lists. The down side with this concept is you loose out on being able to observe the counter of a single block lists. Plus I am not sure if at the bottom the last error is telling us they cannot be merged like this.
service banip status - unit banip.service not found
I had installed first 08pre0 release and upgraded to new version.
First (08pre0) worked fine, because of banning at syslog.
Using first pre release conf file. Maybe, that this is the problem?