banIP support thread

Just a small note: the latest banIP 0.8.2-2 has been backported to stable branch 22.03 ... :wink:

9 Likes

Hello, on the latest snapshot (BanIP ver. 0.8.2-2), I get this error:

Mon Mar 20 23:25:03 2023 user.err banIP-[17687]: nft based firewall/fw4 not functional

I have verified that nft is functional, also tried resetting settings, from here on I have no idea.

Please provide the output of ...

cat /etc/openwrt_release
and
/etc/init.d/firewall status

Here:

root@OpenWrt:~# /etc/init.d/firewall status
active with no instances
root@OpenWrt:~# cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='SNAPSHOT'
DISTRIB_REVISION='r22310+15-a32def781f'
DISTRIB_TARGET='ipq806x/generic'
DISTRIB_ARCH='arm_cortex-a15_neon-vfpv4'
DISTRIB_DESCRIPTION='OpenWrt SNAPSHOT r22310+15-a32def781f'
DISTRIB_TAINTS='no-all busybox'

Looks OK, /etc/init.d/banip restart should work.

The LuCI GUI shows this:
error (nft: ✘, monitor: ✘)
I tried to play around with the settings in it too; is there something I should pay special attention to?
The config right now, "dirty" and without many sources checked:

config banip 'global'
        option ban_enabled '1'
        option ban_debug '1'
        option ban_autodetect '0'
        list ban_logterm 'Exit before auth from'
        list ban_logterm 'luci: failed login'
        list ban_logterm 'error: maximum authentication attempts exceeded'
        list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
        list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
        list ban_trigger 'wan'
        option ban_deduplicate '1'
        option ban_loginput '0'
        option ban_logforwardwan '0'
        option ban_logforwardlan '0'
        option ban_nicelimit '0'
        option ban_filelimit '512'
        option ban_cores '2'
        option ban_splitsize '512'
        list ban_feed 'firehol1'
        list ban_feed 'iblockads'
        option ban_autoallowlist '1'
        option ban_autoblocklist '1'
        option ban_allowlistonly '0'
        option ban_nftpolicy 'memory'
        option ban_nftpriority '-100'
        option ban_nftloglevel 'info'
        option ban_loglimit '100'
        option ban_reportelements '0'
        option ban_fetchcmd 'curl'
        option ban_protov4 '1'
        list ban_ifv4 'wan'
        option ban_protov6 '1'
        list ban_ifv6 'wan_6'
        option ban_nftexpiry '2h'
        option ban_fetchinsecure '1'
        list ban_dev 'br-lan'


Please restart the service as mentioned before and post the log output.

Of course I did that already.

I played around with the logging settings, since simply enabling verbose default logging didn't show any extra output. I got it to show more, but I think it's not showing everything.

Mon Mar 20 23:24:21 2023 user.info banIP-[16447]: start banIP processing (start)
Mon Mar 20 23:24:32 2023 user.err banIP-[16447]: nft based firewall/fw4 not functional
Mon Mar 20 23:24:52 2023 user.debug banIP-[17566]: f_system  ::: system: Linksys EA7500 V1 WiFi Router, OpenWrt SNAPSHOT r22310+15-a32def781f, version: n/a, memory: 34, cpu_cores: 2
Mon Mar 20 23:24:53 2023 user.info banIP-[17687]: start banIP processing (restart) 
Mon Mar 20 23:24:53 2023 user.debug banIP-[17687]: f_system  ::: system: Linksys EA7500 V1 WiFi Router, OpenWrt SNAPSHOT r22310+15-a32def781f, version: n/a, memory: 33, cpu_cores: 2
Mon Mar 20 23:24:53 2023 user.debug banIP-[17687]: f_tmp     ::: base_dir: /tmp, tmp_dir: /tmp/tmp.iGMcCM
Mon Mar 20 23:24:53 2023 user.debug banIP-[17687]: f_fetch   ::: fetch_cmd: /usr/bin/curl, fetch_parm: --insecure --connect-timeout 20 --fail --silent --show-error --location -o
Mon Mar 20 23:24:53 2023 user.debug banIP-[17687]: f_getif   ::: auto/update: 0/0, interfaces (4/6): wan/wan_6, protocols (4/6): 1/1
Mon Mar 20 23:24:53 2023 user.debug banIP-[17687]: f_getdev  ::: auto/update: 0/0, devices: br-lan, cnt: 0
Mon Mar 20 23:24:53 2023 user.debug banIP-[17687]: f_getsub  ::: auto/update: 1/0, subnet(s): [REDACTED]
Mon Mar 20 23:25:03 2023 user.err banIP-[17687]: nft based firewall/fw4 not functional
Mon Mar 20 23:25:03 2023 user.debug banIP-[17687]: f_system  ::: system: Linksys EA7500 V1 WiFi Router, OpenWrt SNAPSHOT r22310+15-a32def781f, version: n/a, memory: 34, cpu_cores: 2
Mon Mar 20 23:25:03 2023 user.debug banIP-[17687]: f_rmdir   ::: deleted directory: /tmp/tmp.iGMcCM
Tue Mar 21 00:18:37 2023 user.debug banIP-[24282]: f_system  ::: system: Linksys EA7500 V1 WiFi Router, OpenWrt SNAPSHOT r22310+15-a32def781f, version: n/a, memory: 45, cpu_cores: 2
Tue Mar 21 00:18:37 2023 user.info banIP-[24386]: start banIP processing (restart)
Tue Mar 21 00:18:38 2023 user.debug banIP-[24386]: f_system  ::: system: Linksys EA7500 V1 WiFi Router, OpenWrt SNAPSHOT r22310+15-a32def781f, version: n/a, memory: 45, cpu_cores: 2
Tue Mar 21 00:18:38 2023 user.debug banIP-[24386]: f_tmp     ::: base_dir: /tmp, tmp_dir: /tmp/tmp.bLdhJi
Tue Mar 21 00:18:38 2023 user.debug banIP-[24386]: f_fetch   ::: fetch_cmd: /usr/bin/curl, fetch_parm: --insecure --connect-timeout 20 --fail --silent --show-error --location -o
Tue Mar 21 00:18:38 2023 user.debug banIP-[24386]: f_getif   ::: auto/update: 0/0, interfaces (4/6): wan/wan_6, protocols (4/6): 1/1
Tue Mar 21 00:18:38 2023 user.debug banIP-[24386]: f_getdev  ::: auto/update: 0/0, devices: br-lan, cnt: 0
Tue Mar 21 00:18:38 2023 user.debug banIP-[24386]: f_getsub  ::: auto/update: 1/0, subnet(s): [REDACTED]
Tue Mar 21 00:18:48 2023 user.err banIP-[24386]: nft based firewall/fw4 not functional
Tue Mar 21 00:18:48 2023 user.debug banIP-[24386]: f_system  ::: system: Linksys EA7500 V1 WiFi Router, OpenWrt SNAPSHOT r22310+15-a32def781f, version: n/a, memory: 47, cpu_cores: 2
Tue Mar 21 00:18:48 2023 user.debug banIP-[24386]: f_rmdir   ::: deleted directory: /tmp/tmp.bLdhJi
Tue Mar 21 00:26:14 2023 user.info banIP-[5362]: start banIP processing (reload)
Tue Mar 21 00:26:15 2023 user.debug banIP-[5362]: f_system  ::: system: Linksys EA7500 V1 WiFi Router, OpenWrt SNAPSHOT r22310+15-a32def781f, version: n/a, memory: 43, cpu_cores: 2
Tue Mar 21 00:26:15 2023 user.debug banIP-[5362]: f_tmp     ::: base_dir: /tmp, tmp_dir: /tmp/tmp.mKlipf
Tue Mar 21 00:26:15 2023 user.debug banIP-[5362]: f_fetch   ::: fetch_cmd: /usr/bin/curl, fetch_parm: --insecure --connect-timeout 20 --fail --silent --show-error --location -o
Tue Mar 21 00:26:15 2023 user.debug banIP-[5362]: f_getif   ::: auto/update: 0/0, interfaces (4/6): wan/wan_6, protocols (4/6): 1/1
Tue Mar 21 00:26:15 2023 user.debug banIP-[5362]: f_getdev  ::: auto/update: 0/0, devices: br-lan, cnt: 0
Tue Mar 21 00:26:15 2023 user.debug banIP-[5362]: f_getsub  ::: auto/update: 1/0, subnet(s): [REDACTED]
Tue Mar 21 00:26:15 2023 user.debug banIP-[5362]: f_nftinit ::: devices: br-lan, priority: -100, policy: memory, loglevel: debug, rc: 0, log: -
Tue Mar 21 00:26:15 2023 user.info banIP-[5362]: nft namespace initialized
Tue Mar 21 00:26:15 2023 user.info banIP-[5362]: start banIP download processes
Tue Mar 21 00:26:15 2023 user.debug banIP-[5362]: f_down    ::: name: allowlistvMAC, cnt_dl: -, cnt_set: -, split_size: 512, time: 0, rc: 0, log: -
Tue Mar 21 00:26:15 2023 user.debug banIP-[5362]: f_down    ::: name: allowlistv4, cnt_dl: -, cnt_set: -, split_size: 512, time: 0, rc: 0, log: -
Tue Mar 21 00:26:15 2023 user.debug banIP-[5362]: f_down    ::: name: allowlistv6, cnt_dl: -, cnt_set: -, split_size: 512, time: 0, rc: 0, log: -
Tue Mar 21 00:26:16 2023 user.debug banIP-[5362]: f_backup  ::: name: firehol1v4, source: tmp.JipmOC.firehol1v4.load, target: banIP.firehol1v4.gz, rc: 0
Tue Mar 21 00:26:17 2023 user.debug banIP-[5362]: f_down    ::: name: firehol1v4, cnt_dl: 2157, cnt_set: -, split_size: 512, time: 2, rc: 0, log: -
Tue Mar 21 00:26:18 2023 user.debug banIP-[5362]: f_backup  ::: name: iblockadsv4, source: tmp.JipmOC.iblockadsv4.load, target: banIP.iblockadsv4.gz, rc: 0
Tue Mar 21 00:26:20 2023 user.debug banIP-[5362]: f_down    ::: name: iblockadsv4, cnt_dl: 3437, cnt_set: -, split_size: 512, time: 3, rc: 0, log: -
Tue Mar 21 00:26:20 2023 user.debug banIP-[5362]: f_down    ::: name: blocklistvMAC, cnt_dl: -, cnt_set: -, split_size: 512, time: 0, rc: 0, log: -
Tue Mar 21 00:26:20 2023 user.debug banIP-[5362]: f_down    ::: name: blocklistv4, cnt_dl: 0, cnt_set: -, split_size: 512, time: 0, rc: 0, log: -
Tue Mar 21 00:26:21 2023 user.debug banIP-[5362]: f_down    ::: name: blocklistv6, cnt_dl: 0, cnt_set: -, split_size: 512, time: 1, rc: 0, log: -
Tue Mar 21 00:26:21 2023 user.info banIP-[5362]: start detached banIP domain lookup
Tue Mar 21 00:26:21 2023 user.debug banIP-[5362]: f_lookup  ::: name: allowlist, cnt_domain: 0, cnt_ip: 0, duration: 0m 0s
Tue Mar 21 00:26:21 2023 user.debug banIP-[5362]: f_lookup  ::: name: blocklist, cnt_domain: 0, cnt_ip: 0, duration: 0m 0s
Tue Mar 21 00:26:21 2023 user.debug banIP-[5362]: f_rmset   ::: sets: -, rc: -, log: -
Tue Mar 21 00:26:21 2023 user.debug banIP-[5362]: f_rmdir   ::: deleted directory: /tmp/tmp.mKlipf
Tue Mar 21 00:26:22 2023 user.debug banIP-[5362]: f_system  ::: system: Linksys EA7500 V1 WiFi Router, OpenWrt SNAPSHOT r22310+15-a32def781f, version: n/a, memory: 39, cpu_cores: 2
Tue Mar 21 00:26:22 2023 user.info banIP-[5362]: finished banIP download processes
Tue Mar 21 00:26:22 2023 user.info banIP-[5362]: start detached banIP log service
1 Like

Sorry, I have no idea what's wrong with your environment. Anyway, two observations from your private build:

  • your router has very little free memory
  • banIP doesn't print any version information .... that's odd

The error message will be emitted here:

I have the same error with a Belkin RT3200 sometimes...

I don't know why it crashes too

Could be from the upstream master; the builds I use shouldn't affect any main environment.

Yeah, sorry about that, I was loading something in the background. The router has 50MB available memory at any time; should be enough for a few lists even with the overhead? I didn't see it running out of memory while restarting the service.

Very strange, is there any other status message that firewall can give? Because I started something on firewall (upnpd), but I remember even before that it said "^active"

FYI, as you see at the bottom of the log, it eventually started but showed 0 applied lists and blocked the traffic on LAN until stopped.

Would output of nft list ruleset help you in any way?

Is there also a way for wildcard domains? For now I used just the dot, like how dnsmasq uses wildcard domains, if I believe I'm correct.

Thanks :smiley:

@dibdot just installed v0.8.2-2 from the stable branch, awesome stuff! :grinning:

Question, on previous stable build v0.7.10 I was consuming /tmp/ban_runtime.json to determine the runtime status, however it doesn't look like this new version is creating the runtime file? Example json output

{ "status": "disabled", "version": "0.7.10", "ipset_info": "-", "active_sources":

Would it be possible to restore this json file? I am consuming this data to report the BanIP running status in Home Assistant


The file is now located here /var/run/banip_runtime.json. The data structure has also changed slightly.

1 Like

Nope, that's not possible. We need to resolve the listed domains via nslookup ...

1 Like

Thank you so much for re-writing BanIP, was missing it a lot. :pray:

If I have installed banIP 8.2.2 on 22.03.x, and configured and tested msmtp, what is the purpose of the following setting?

option ban_mailnotification '1'

I was under the impression that every time there was a blacklisting I will get an e-mail, but nothing is happening. I tested the e-mail from the command line by requesting a report and confirmed the smtp configuration; received an e-mail like this.

++
++ System Information ++
++
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 22.03.2, r19803-9a599fee93
 -------------------------------

But is this all the e-mail does? Is it for manually requesting a report, or am I missing something?

This option is not yet supported in 22.03 (only supported in master with latest release 0.8.2-3). I'm currently working on some LuCI enhancements, once released in master I'll backport the stuff to stable branch as well.

2 Likes

A big thank you!!!!!!

Hi, is there any way to confirm my config actually works?

I used to have banIP back when it didn't use the new firewall, and it used to block hundreds of IPs a day. I was delighted to see it now supports the new firewall, reinstalled and reconfigured it, but after 2 days it tells me it blocked 0 IPs. The "workload" going through the router hasn't changed since I last used banIP; if anything, it increased. I just can't think of a way to try to access my network so that banIP would pick the attempt out, if that makes sense.

my config:

config banip 'global'
        option ban_autodetect '1'
        list ban_logterm 'Exit before auth from'
        list ban_logterm 'luci: failed login'
        list ban_logterm 'error: maximum authentication attempts exceeded'
        list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
        list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
        option ban_enabled '1'
        option ban_debug '1'
        option ban_deduplicate '1'
        option ban_loginput '1'
        option ban_logforwardwan '1'
        option ban_logforwardlan '0'
        option ban_nicelimit '0'
        option ban_filelimit '1024'
        option ban_basedir '/mnt/usb2/tmp/banip/tmp'
        option ban_backupdir '/mnt/usb2/tmp/banip/backup'
        option ban_reportdir '/mnt/usb2/tmp/banip/report'
        option ban_nftpolicy 'memory'
        option ban_nftpriority '-200'
        option ban_nftexpiry '1h'
        option ban_nftloglevel 'warn'
        option ban_loglimit '100'
        list ban_feed 'asn'
        list ban_feed 'country'
        list ban_feed 'firehol1'
        list ban_feed 'firehol2'
        list ban_feed 'firehol3'
        list ban_feed 'sslbl'
        list ban_feed 'tor'
        list ban_country 'cn'
        list ban_country 'in'
        list ban_country 'ro'
        list ban_country 'ru'
        list ban_asn '32934'
        list ban_asn '13414'
        option ban_autoallowlist '1'
        option ban_autoblocklist '1'
        option ban_allowlistonly '0'
        option ban_fetchcmd 'curl'
        option ban_protov4 '1'
        list ban_ifv4 'wan'
        list ban_dev 'wan'

edit: using OpenWrt 22.03-SNAPSHOT r20065-7b05a8d05d, banip 0.8.2-2, luci-app-banip git-23.078.54332-016adfc

At a quick glance your config looks OK. Just restart banIP and check the log in parallel.
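
One way to do the "check the log" step, as an added example that is not part of any post in this thread and not banIP's own code: a small awk filter that condenses banIP syslog lines into one line per run (PID), showing the start action, whether the "nft namespace initialized" message appeared, which feeds reported a non-zero `cnt_dl`, and the last `user.err` message. The function names `banip_summary` and `sample_log` are made up for this example, and the sample lines are copied from the debug log posted earlier in the thread.

```shell
# Added example: summarise banIP runs from syslog text on stdin, one line per PID.
# On the router (assumes the log is still in the ring buffer): logread -e banIP | banip_summary
banip_summary() {
    awk '
    {
        i = index($0, "banIP-[")
        if (!i) next                               # not a banIP line
        rest = substr($0, i + 7)
        pid  = substr(rest, 1, index(rest, "]") - 1)
        msg  = substr(rest, index(rest, "]: ") + 3)
        if (msg ~ /^start banIP processing \(/) {  # (start), (restart), (reload)
            act = msg
            sub(/^[^(]*\(/, "", act); sub(/\).*$/, "", act)
            if (!(pid in action)) order[++n] = pid
            action[pid] = act
        } else if ($0 ~ / user\.err /) {
            err[pid] = msg                         # keep the last error of this run
        } else if (msg ~ /^nft namespace initialized/) {
            nft[pid] = "ok"
        } else if (msg ~ /^f_down /) {             # per-feed download result
            name = msg; sub(/^.*name: /, "", name); sub(/,.*$/, "", name)
            cnt  = msg; sub(/^.*cnt_dl: /, "", cnt); sub(/,.*$/, "", cnt)
            if (cnt ~ /^[0-9]+$/ && cnt + 0 > 0)   # skip "-" and empty feeds
                feeds[pid] = feeds[pid] (feeds[pid] == "" ? "" : ",") name ":" cnt
        }
    }
    END {
        for (k = 1; k <= n; k++) {
            p = order[k]
            printf "pid=%s action=%s nft=%s feeds=%s error=%s\n", p, action[p],
                ((p in nft) ? "ok" : "no"), (feeds[p] == "" ? "-" : feeds[p]),
                ((p in err) ? "\"" err[p] "\"" : "-")
        }
    }'
}
# Sample input: lines copied from the log posted earlier in this thread.
sample_log() {
    cat <<'EOF'
Tue Mar 21 00:18:37 2023 user.info banIP-[24386]: start banIP processing (restart)
Tue Mar 21 00:18:48 2023 user.err banIP-[24386]: nft based firewall/fw4 not functional
Tue Mar 21 00:26:14 2023 user.info banIP-[5362]: start banIP processing (reload)
Tue Mar 21 00:26:15 2023 user.info banIP-[5362]: nft namespace initialized
Tue Mar 21 00:26:15 2023 user.debug banIP-[5362]: f_down    ::: name: allowlistv4, cnt_dl: -, cnt_set: -, split_size: 512, time: 0, rc: 0, log: -
Tue Mar 21 00:26:17 2023 user.debug banIP-[5362]: f_down    ::: name: firehol1v4, cnt_dl: 2157, cnt_set: -, split_size: 512, time: 2, rc: 0, log: -
Tue Mar 21 00:26:20 2023 user.debug banIP-[5362]: f_down    ::: name: iblockadsv4, cnt_dl: 3437, cnt_set: -, split_size: 512, time: 3, rc: 0, log: -
EOF
}
sample_log | banip_summary
```

The `feeds` column reports downloaded element counts (`cnt_dl`), not blocked packets; the per-feed lines only appear when `ban_debug` is enabled, as in the configs posted above.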