banIP support thread

just try it, most probably I have to send you a test version to get this fixed.

1 Like

no luck

set the option, removed the 2 ban_dev and still this after reboot


config banip 'global'
	option ban_enabled '1'
	option ban_debug '0'
	option ban_autodetect '1'
	list ban_logterm 'Exit before auth from'
	list ban_logterm 'luci: failed login'
	list ban_logterm 'error: maximum authentication attempts exceeded'
	list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
	list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
	option ban_deduplicate '1'
	option ban_loginput '1'
	option ban_logforwardwan '1'
	option ban_logforwardlan '0'
	option ban_logcount '3'
	option ban_autoallowlist '1'
	option ban_autoblocklist '1'
	option ban_allowlistonly '0'
	option ban_fetchcmd 'aria2c'
	option ban_protov4 '1'
	list ban_ifv4 'wan'
	option ban_protov6 '1'
	list ban_ifv6 'hetunnel'
	option ban_loglimit '100'
	list ban_feed 'debl'
	list ban_feed 'doh'
	list ban_feed 'firehol1'
	list ban_trigger 'hetunnel'
	list ban_trigger 'wan'
	option ban_triggerdelay '30'
	list ban_dev 'pppoe-wan'
	list ban_dev '6in4-hetunnel'

OK, thanks for testing. I'll contact you by mail and send you a test version.

Hi @dibdot, thanks for the new update!

I have got this error on the last 2 updates (cosmetic bug I think)

Thu Mar  9 17:00:12 2023 user.debug banIP-0.8.1-3[7676]: f_down    ::: name: threatviewv4, cnt_dl: 705, cnt_set: -, split_size: 0, time: 0, rc: 1, log: /banip/tmp.ComjHG/tmp.jHCMgl.threatviewv4.nft:3:6712-6724: Error: Could not resolve hostname: Name does not resolve add set inet banIP threatviewv4 { type ipv4_addr; flags interval; auto-merge; policy memory; elements={ 101.108.104.180, 101.108.96.195, 102.33.16.89, 103.41.27.181, 103.83.184.124, 103.84.130.186, 105.154.6.77, 105.155.101.152, 105.155.33.156, 105.158.200.152, 106.56.92.138, 107.189.12.152, 110.177.106.234, 110.177.109.228, 110.180.153.70, 110.182.122.16, 110.182.213.0, 110.182.227.177, 110.183.57.29, 111.179.176.246, 111.92.22.182, 112.113.108.70, 112.123.129.175, 112.132.26.137, 112.229.194.111, 112.238.146.73, 112.239.101.182, 112.239.103.12, 112.245.255.167, 112.248.103.179, 112.248.153.159, 112.248.60.141, 112.249.69.25, 112.29.109.205, 113.110.255.45, 113.118.14.200, 113.221.36.100, 113.246.130.73, 113.25.208.7, 113.25.218.36, 113.26.93.47, 113.27.38.5,

root@wrt3200acm:~# nslookup 101.108.104.180
180.104.108.101.in-addr.arpa name = node-kok.pool-101-108.dynamic.totinternet.net.

Authoritative answers can be found from:

root@wrt3200acm:~# nslookup 101.108.104.180 8.8.8.8
180.104.108.101.in-addr.arpa name = node-kok.pool-101-108.dynamic.totinternet.net.

Authoritative answers can be found from:

I don't know why the script tries to resolve the hosts, because threatviewv4 is only an IP list.

Also the last package version is not the same as the package installed

Thu Mar  9 17:00:18 2023 user.debug banIP-0.8.1-3[7676]: f_system  ::: system: Linksys WRT3200ACM, OpenWrt 22.03.2 r19803-9a599fee93, version: 0.8.1-3, memory: 104, cpu_cores: 1

root@wrt3200acm:~/banIP-prereleases# opkgsnapshot list_installed
banip - 0.8.2-1

banip - 0.8.* only for OpenWrt 22.03?
Old stable series: OpenWrt 21.02 cannot use it?
So "refresh" is still needed? :rofl:

I don't think this will be backported to lower versions of OpenWrt, since this is a total overhaul to make it work with nftables.

21.x uses firewall3 (iptables) and banip was available.

The new version is for 22.x, which uses firewall4 (nftables), and must use the new version available in the snapshot.

Working on 22.03 snapshot, thanks @dibdot

2 Likes

Actually the list includes an invalid IP address (line 3, columns 6712-6724) which can't be parsed by nft ... looking in the temp. load file reveals the culprit:

198.265.75.69

Please report it upstream to the list/feed maintainer.

2 Likes
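As an added illustration of the failure described above (this is example code, not banIP's own script): a small POSIX sh/awk filter that separates syntactically valid IPv4 entries from malformed ones such as 198.265.75.69 before a feed is turned into an nft set, run here on a constructed sample feed rather than the real threatview list. The set statement it emits mirrors the shape of the one in the log; the function names and the sample feed are mine.

```shell
#!/bin/sh
# Added example, not banIP's own code: validate an IPv4 feed before turning it
# into an nft set, so one bad entry cannot make nft reject the whole set.

# Constructed sample feed (not the real threatview list). The third entry has an
# octet above 255, the kind of line that made nft fail above.
FEED_SAMPLE='101.108.104.180
102.33.16.89
198.265.75.69
103.41.27.181
not-an-ip
10.0.0.0/8'

# filter_ipv4 valid|invalid: read feed lines on stdin, print only the valid
# (or only the invalid) IPv4 addresses / CIDR prefixes.
filter_ipv4() {
    awk -v want="${1:-valid}" '
    {
        ok = 1
        n = split($0, p, "/")
        if (n < 1 || n > 2) ok = 0
        if (ok && n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)) ok = 0
        if (ok && split(p[1], o, ".") != 4) ok = 0
        for (i = 1; ok && i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
        if ((want == "valid" && ok) || (want == "invalid" && !ok)) print
    }'
}

# build_nft_set NAME: emit one "add set" statement (same shape as the one in the
# log above) containing only the entries that passed filter_ipv4.
build_nft_set() {
    elems=$(filter_ipv4 valid | awk 'NR > 1 { printf ", " } { printf "%s", $0 }')
    printf 'add set inet banIP %s { type ipv4_addr; flags interval; auto-merge; policy memory; elements={ %s } }\n' "$1" "$elems"
}

# Entries to report upstream to the feed maintainer:
printf '%s\n' "$FEED_SAMPLE" | filter_ipv4 invalid
# Set definition that nft will accept (dry-run it with: nft -c -f file.nft):
printf '%s\n' "$FEED_SAMPLE" | build_nft_set threatviewv4
```

The `invalid` mode gives you exactly the lines to send to the feed maintainer; the `valid` mode keeps the rest of the feed usable in the meantime instead of losing the whole set to one bad entry.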

Yep! :slight_smile: A "refresh" of the former 0.7.x release is mostly harmless (no new downloads!) and will be triggered by two events:

  • Interface trigger events by your WAN interface - maybe a flaky WAN connection with many ifup events!?
  • Firewall reloads (fw3) triggers this as well to make sure that the banIP chains are

@dibdot Hi, can you add these to your DoHv4 feed, so the WARP app can't use its own DoH? Looks like they are using different IPv4 addresses than their public ones.

Seems to be a Cloudflare pool address. Just put these IPs in your local blocklist.

1 Like

So on AX3600 the new packages banip, luci-app-banip also arrived in the meantime. It works fine, including the LuCI page. But unfortunately I've got no more free RAM left, so the OOM killer kicks in; the resource hog in my configuration is AdGuardHome. I think the country feed taking ~55 MB of nft RAM cannot be reduced further, so I'll look into AGH to see if I can reduce the resource footprint there. Thumbs up for banip, I think I can use it in the future with more RAM.

Email sent to feed maintainer!

threatview fixed the issue

Sun Mar 12 11:43:15 2023 user.debug banIP-0.8.2-2[16478]: f_restore ::: name: threatviewv4, source: banIP.threatviewv4.gz, target: tmp.AOcoLJ.threatviewv4.load, in_rc: 0, rc: 0
Sun Mar 12 11:43:15 2023 user.debug banIP-0.8.2-2[16478]: f_down    ::: name: threatviewv4, cnt_dl: 681, cnt_set: 681, split_size: 0, time: 0, rc: 0, log: -
1 Like

Where is the version number gone?

I have a strange problem while coming an image based on stable release (22.03.3) for my RPi4 with banIP. It says compatibility problem. Can I install it manually??? Or is there a package update for the OpenWrt package repo planned???

Really cool application! I'm able to block DoH IPs from getting pinged by me (ICMP packets get filtered) but I can still use an IP that is in the blocklist to fetch stuff and send stuff to, in my case nslookup works?

This is my config:

config banip 'global'
	option ban_autodetect '0'
	list ban_logterm 'Exit before auth from'
	list ban_logterm 'luci: failed login'
	list ban_logterm 'error: maximum authentication attempts exceeded'
	list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
	list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
	option ban_fetchcmd 'curl'
	option ban_protov4 '1'
	option ban_protov6 '1'
	list ban_ifv4 'wan'
	list ban_trigger 'wan'
	option ban_deduplicate '1'
	option ban_loginput '1'
	option ban_logforwardwan '1'
	option ban_autoallowlist '1'
	option ban_autoblocklist '1'
	option ban_allowlistonly '0'
	option ban_debug '1'
	option ban_logforwardlan '1'
	option ban_enabled '1'
	list ban_ifv6 'wan6'
	list ban_dev 'br-wan'
	list ban_dev 'eth1'
	list ban_dev 'wwan0'
	option ban_fetchparm '--ipv4 --socks5-hostname 127.0.0.1:9050 --connect-timeout 20 --fail --silent --show-error --location -o'
	list ban_feed 'doh'
	option ban_nftpolicy 'performance'
	option ban_nftpriority '-400'
	list ban_blockforwardlan 'doh'

I'm using a proxy for curl because raw.githubusercontent.com is blocked in my country, but I don't think that could be the issue.

$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
From 10.254.230.1 icmp_seq=1 Packet filtered
$nslookup google.com 1.1.1.1
Server:		1.1.1.1
Address:	1.1.1.1#53

Non-authoritative answer:
Name:	google.com
Address: 142.250.193.174
Name:	google.com
Address: 2404:6800:4007:820::200e

Anyone know what could be the reason?

What version do you have? According to the readme, 0.7.x has to be removed first and then 0.8.x has to be installed; maybe try removing whatever you have now, then install the latest from the package feeds?

1 Like

Do you mean traffic generated on the router? That's expected, because banIP doesn't block output traffic, only forward and input.
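To make the answer above concrete, here is an added illustration (a constructed ruleset in the style of banIP's sets, not banIP's actual chains) together with a small POSIX sh check that lists which netfilter hooks a ruleset attaches chains to. A ping or nslookup started on the router itself only traverses the output hook, so a ruleset with chains on input and forward alone never sees it; the interface names, set name and function names are assumptions of mine.

```shell
#!/bin/sh
# Added illustration, not banIP's real ruleset: a minimal nftables table whose
# chains sit only on the input and forward hooks. Packets the router itself
# originates (ping, nslookup run on the router) go through the output hook,
# which has no chain here, so they are never matched against the set.
DEMO_RULESET='table inet banIP_demo {
	set doh4 {
		type ipv4_addr
		flags interval
		elements = { 1.1.1.1 }
	}
	chain wan-input {
		type filter hook input priority -400; policy accept;
		iifname "br-wan" ip saddr @doh4 counter drop
	}
	chain lan-forward {
		type filter hook forward priority -400; policy accept;
		iifname "br-lan" ip daddr @doh4 counter drop
	}
}'

# list_hooks: print the hook of every base chain in a ruleset read from stdin,
# one per line. On a router the same check runs as: nft list ruleset | list_hooks
list_hooks() {
    sed -n 's/.*type filter hook \([a-z]*\) .*/\1/p'
}

# filters_router_output: succeed (exit 0) only if some chain is on the output
# hook, i.e. the ruleset could match packets the router itself sends.
filters_router_output() {
    list_hooks | grep -qx output
}

printf '%s\n' "$DEMO_RULESET" | list_hooks
if printf '%s\n' "$DEMO_RULESET" | filters_router_output; then
    echo "an output-hook chain exists: router-originated traffic can be matched"
else
    echo "no output hook: ping/nslookup from the router itself is not filtered"
fi
```

The test to run from a LAN client rather than from the router is the meaningful one: a client's packets cross the forward hook, where the `lan-forward` chain (or banIP's `ban_blockforwardlan` handling) applies.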