If you want to prevent client/in-game communication you should block the forward chain.
Thx Mate that worked (obviously).
Just out of curiosity, did I miss reading this step somewhere?
yes exactly
option ban_logforward '0' to '1'? Is that right?
nope, ban_blockforward
And remember, with pre4 ct (conntrack) is in place, which means only new connections will be blocked, not existing ones ...
seems good now thanks
banIP Set Statistics (28.01.2023 17:39:49)
:::
Set | Set Elements | Chain Input | Chain Forward | Input Packets | Forward Packets
---------------------+---------------+---------------+---------------+---------------+----------------
allowlistvMAC | 0 | n/a | OK | n/a | 0
allowlistv4 | 1 | OK | OK | 0 | 0
allowlistv6 | 1 | OK | OK | 0 | 0
blocklistvMAC | 0 | n/a | OK | n/a | 0
blocklistv4 | 0 | OK | OK | 0 | 0
blocklistv6 | 0 | OK | OK | 0 | 0
countryv6 | 13571 | n/a | OK | n/a | 0
countryv4 | 22169 | n/a | OK | n/a | 0
---------------------+---------------+---------------+---------------+---------------+----------------
8 | 35742 | 4 | 8 | 0 | 0
root@OpenWrt:~#
You're currently running a pre-release ... at best you'll find the 'documentation' within this thread ...
The ban system does not work, because my console does not connect to the game anymore.
I just had the idea to play only with the servers I want to play with:
create a whitelist like I did with iptables
and add list server '80.12.00.00', for example.
Okay, got it, I thought this is just adjustment to nftables and the rest is valid.
I guess there is no LuCI interface either, right?
Maybe it doesn't make sense to block entire countries, probably it's enough to block individual network segments/IPs. You can always allow IP addresses via the local allowlist.
Yep, the LuCI frontend interface comes later.
OK, I see, but how? Can you show an example with just one hazardous address?
Thanks in advance.
Not sure, but:
config banip 'global'
option ban_enabled '1'
option ban_debug '1'
option ban_autodetect '1'
#option ban_autoblocklist '1'
option ban_autoallowlist '1'
option ban_nicelimit '0'
option ban_filelimit '1024'
option ban_loglimit '100'
option ban_logcount '1'
option ban_loginput '1'
option ban_logforward '1'
option ban_protov4 '1'
option ban_protov6 '1'
list ban_logterm 'Exit before auth from'
list ban_logterm 'luci: failed login'
list ban_logterm 'error: maximum authentication attempts exceeded'
list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
list ban_logterm '<sip:.*>'\'' failed for '\'''
option ban_deduplicate '1'
list ban_trigger 'wan'
list ban_trigger 'wan6'
#list ban_blockinput 'country'
#list ban_blockforward 'country'
list ban_ifv4 'wan'
list ban_ifv6 'wan6'
list ban_dev 'wan'
list ban_feed 'autoallowlist'
#list ban_feed 'country'
list ban_autoallowlist '173.199.105.0/24'
OK thanks, it works now (/etc/banipbanip files).
::: banIP Set Statistics (28.01.2023 18:48:23)
:::
Set | Set Elements | Chain Input | Chain Forward | Input Packets | Forward Packets
---------------------+---------------+---------------+---------------+---------------+----------------
allowlistvMAC | 0 | n/a | OK | n/a | 0
allowlistv4 | 3 | OK | OK | 0 | 8
allowlistv6 | 1 | OK | OK | 0 | 0
blocklistvMAC | 0 | n/a | OK | n/a | 0
blocklistv4 | 0 | OK | OK | 0 | 0
blocklistv6 | 0 | OK | OK | 0 | 0
---------------------+---------------+---------------+---------------+---------------+----------------
6 | 4 | 4 | 6 | 0 | 8
root@OpenWrt:~#
@dibdot Your work on 0.8.0pre4 is great!
I'm testing this on multiple architectures, and the "various optimizations & fixes" you mentioned seem to have made a great difference on my EdgeRouter-X. Without changing anything about my configuration from 0.8.0pre3, banip on the er-x now finishes processing and loads well over a full minute faster!
I also enjoy the new reporting function, as it's easier than dumping the full nft ruleset and adding up individual counters from different rule chains.
Keep up the great work, new fw4 banip is looking impressive.
OK, it seems good again,
as you can see,
but I don't know if it really blocks everything or only allows just these 3 IP addresses.
root@OpenWrt:~# /etc/init.d/banip search 173.199.105.0/24
:::
::: banIP Search (28.01.2023 18:49:18)
:::
Search for IP '173.199.105.0'
IP found in set allowlistv4
root@OpenWrt:~#
OK, it doesn't work, because it launches from here:
[188.42.241.140] luxembourg
How do I block all traffic like before with iptables and authorize only the allow list?
Thx Mate.
Is there a manual somewhere about the new config file parameters?
I mean, it seems to me that it's kind of different here and there compared to what I can see here:
Thanks for the new version.
Looks like an issue with the tor feed (the bug is not new, but the new debug output reports it).
Old log (count 0):
Fri Jan 27 05:35:45 2023 user.debug banIP-0.8.0pre3-1[3455]: f_backup ::: name: torv4, backup: /banip/banIP-Backup/banIP.torv4.gz, rc: 0
Fri Jan 27 05:35:45 2023 user.debug banIP-0.8.0pre3-1[3455]: f_down ::: name: torv4, split_size: 0, count_dl: 0, count_set: 0, time: 2, rc: 0, log: -
New log:
Sat Jan 28 14:49:03 2023 user.debug banIP-0.8.0pre4-1[12709]: f_system ::: system: Linksys WRT3200ACM, OpenWrt 22.03.2 r19803-9a599fee93, version: 0.8.0pre4-1, memory: 118, cpu_cores: 2
Sat Jan 28 14:49:03 2023 user.debug banIP-0.8.0pre4-1[12709]: f_tmp ::: base_dir: /banip, tmp_dir: /banip/tmp.JomHjk
Sat Jan 28 14:49:03 2023 user.debug banIP-0.8.0pre4-1[12709]: f_fetch ::: fetch_cmd: /usr/bin/curl, fetch_parm: --connect-timeout 20 --fail --silent --show-error --location -o
Sat Jan 28 14:49:03 2023 user.debug banIP-0.8.0pre4-1[12709]: f_getif ::: auto_detect: 1, interfaces (4/6): wan/, protocols (4/6): 1/0
Sat Jan 28 14:49:03 2023 user.debug banIP-0.8.0pre4-1[12709]: f_getdev ::: auto_detect: 1, devices: wan
Sat Jan 28 14:49:03 2023 user.debug banIP-0.8.0pre4-1[12709]: f_getsub ::: auto_allowlist: 1, subnet(s): 192.222.214.171/28
Sat Jan 28 14:49:03 2023 user.info banIP-0.8.0pre4-1[12709]: start banIP processing (init)
Sat Jan 28 14:49:03 2023 user.info banIP-0.8.0pre4-1[12709]: nft namespace initialized
...
Sat Jan 28 14:49:09 2023 user.debug banIP-0.8.0pre4-1[12709]: DEBUG1 ::: feed=torv4, proto=4, feed_url=https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst, feed_rule=/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf "%s,\n",$1}, feed_flag=**
Sat Jan 28 14:49:09 2023 user.debug banIP-0.8.0pre4-1[12709]: f_restore ::: name: torv4, source: banIP.torv4.gz, target: tmp.LJoabg.torv4.load, in_rc: 0, rc: 0
Sat Jan 28 14:49:09 2023 user.debug banIP-0.8.0pre4-1[12709]: DEBUG3 ::: restore_rc=0, feed_rc=0
Sat Jan 28 14:49:09 2023 user.info banIP-0.8.0pre4-1[12709]: empty feed torv4 will be skipped
Sat Jan 28 14:49:09 2023 user.debug banIP-0.8.0pre4-1[12709]: f_down ::: name: torv4, cnt_dl: 0, cnt_set: -, split_size: 0, time: 0, rc: 0, log: -
Sat Jan 28 14:49:09 2023 user.info banIP-0.8.0pre4-1[12709]: start background domain lookup
Sat Jan 28 14:49:09 2023 user.debug banIP-0.8.0pre4-1[12709]: f_lookup ::: name: allowlist, cnt_domain: 0, cnt_ip: 0, duration: 0m 0s
Sat Jan 28 14:49:09 2023 user.debug banIP-0.8.0pre4-1[12709]: f_lookup ::: name: blocklist, cnt_domain: 0, cnt_ip: 0, duration: 0m 0s
Sat Jan 28 14:49:10 2023 user.debug banIP-0.8.0pre4-1[12709]: f_rmset ::: sets: -, tmp: /banip/tmp.JomHjk/tmp.LJoabg.final.delete, rc: -, log: -
Sat Jan 28 14:49:10 2023 user.debug banIP-0.8.0pre4-1[12709]: f_rmdir ::: deleted directory: /banip/tmp.JomHjk
Sat Jan 28 14:49:10 2023 user.debug banIP-0.8.0pre4-1[12709]: f_system ::: system: Linksys WRT3200ACM, OpenWrt 22.03.2 r19803-9a599fee93, version: 0.8.0pre4-1, memory: 112, cpu_cores: 2
Sat Jan 28 14:49:13 2023 user.info banIP-0.8.0pre4-1[12709]: finished banIP processing
Sat Jan 28 14:49:13 2023 user.info banIP-0.8.0pre4-1[12709]: start banIP log service
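The feed_rule shown in the DEBUG1 line above is the awk filter that decides which downloaded feed lines make it into the set. The following is an added Python port of that regex (not banIP's own code; the sample feed is constructed) that shows what the rule accepts and rejects: only the last octet and the CIDR prefix are range-checked, and any trailing character such as a carriage return defeats the `$` anchor.

```python
import re

# Port of the awk feed_rule for IPv4 feeds taken verbatim from the DEBUG1 log
# line (assumption: the ERE and Python's re syntax agree for this pattern).
FEED_RULE_V4 = re.compile(
    r"^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])"
    r"(/(1?[0-9]|2?[0-9]|3?[0-2]))?)$"
)


def split_feed(text: str) -> tuple[list[str], list[str]]:
    """Apply the feed rule to every record of a downloaded feed.

    Returns (accepted, rejected). Accepted entries are rendered the way the
    awk action prints them: the first field followed by a comma, ready to be
    pasted into an nft set definition. Rejected entries keep their raw text.
    """
    accepted, rejected = [], []
    for record in text.split("\n"):
        if FEED_RULE_V4.match(record):      # whole-record match, like $0 ~ /re/
            accepted.append(record.split()[0] + ",")
        else:
            rejected.append(record)
    return accepted, rejected


# Constructed sample feed exercising the edge cases of the rule.
SAMPLE_FEED = "\n".join([
    "203.0.113.7",        # plain address: accepted
    "198.51.100.0/24",    # address with CIDR prefix: accepted
    "999.0.0.1",          # first three octets are not range-checked: accepted
    "2001:db8::1",        # IPv6: rejected by the v4 rule
    "192.0.2.300",        # last octet out of range: rejected
    "198.51.100.0/33",    # prefix length out of range: rejected
    "203.0.113.9\r",      # CRLF ending: the stray \r breaks the $ anchor
    "# comment line",     # rejected
    "",                   # trailing empty record: rejected
])

if __name__ == "__main__":
    ok, bad = split_feed(SAMPLE_FEED)
    print("accepted:", ok)
    print("rejected:", [repr(r) for r in bad])
```

A feed that is served with CRLF line endings would therefore be downloaded in full yet contribute nothing to the set, which is the kind of mismatch the cnt_dl/cnt_set counters in the f_down lines help to spot.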
Hmm, looks like I've uploaded a wrong version to my repo ... tor works here in my local version - let me doublecheck.
Sat Jan 28 21:07:27 2023 user.debug banIP-0.8.0-1[12020]: f_restore ::: name: torv4, source: banIP.torv4.gz, target: tmp.nonnIg.torv4.load, in_rc: 0, rc: 1
Sat Jan 28 21:07:28 2023 user.debug banIP-0.8.0-1[12020]: f_backup ::: name: torv4, source: tmp.nonnIg.torv4.load, target: banIP.torv4.gz, rc: 0
Sat Jan 28 21:07:30 2023 user.debug banIP-0.8.0-1[12020]: f_down ::: name: torv4, cnt_dl: 1222, cnt_set: 776, split_size: 1000, time: 3, rc: 0, log: -
Sat Jan 28 21:07:30 2023 user.debug banIP-0.8.0-1[12020]: f_restore ::: name: torv6, source: banIP.torv4.gz, target: tmp.nonnIg.torv6.load, in_rc: 0, rc: 0
Sat Jan 28 21:07:30 2023 user.debug banIP-0.8.0-1[12020]: f_down ::: name: torv6, cnt_dl: 776, cnt_set: 428, split_size: 1000, time: 0, rc: 0, log: -
Please start /etc/init.d/banip reload and check if this resolves your issue.
Same issue
Sat Jan 28 16:21:09 2023 user.debug banIP-0.8.0pre4-1[14186]: DEBUG1 ::: feed=torv4, proto=4, feed_url=https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst, feed_rule=/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf "%s,\n",$1}, feed_flag=
Sat Jan 28 16:21:09 2023 user.debug banIP-0.8.0pre4-1[14186]: DEBUG3 ::: restore_rc=, feed_rc=0
Sat Jan 28 16:21:09 2023 user.debug banIP-0.8.0pre4-1[14186]: f_backup ::: name: torv4, source: tmp.MDbbfD.torv4.load, target: banIP.torv4.gz, rc: 0
Sat Jan 28 16:21:09 2023 user.debug banIP-0.8.0pre4-1[14186]: f_down ::: name: torv4, cnt_dl: 1308, cnt_set: 817, split_size: 0, time: 0, rc: 0, log: -
In config file /etc/config/banip
...
list ban_feed 'tor'
...
It's not the same, the set has been created successfully.
Strange error!
But now it works!