Just a small note: the latest banIP 0.8.2-2 has been backported to stable branch 22.03 ...
Hello, on the latest snapshot (banIP 0.8.2-2) I get this error:
Mon Mar 20 23:25:03 2023 user.err banIP-[17687]: nft based firewall/fw4 not functional
I have verified that nft is functional, also tried resetting settings, from here on I have no idea.
Please provide the output of ...
cat /etc/openwrt_release
and
/etc/init.d/firewall status
Here:
root@OpenWrt:~# /etc/init.d/firewall status
active with no instances
root@OpenWrt:~# cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='SNAPSHOT'
DISTRIB_REVISION='r22310+15-a32def781f'
DISTRIB_TARGET='ipq806x/generic'
DISTRIB_ARCH='arm_cortex-a15_neon-vfpv4'
DISTRIB_DESCRIPTION='OpenWrt SNAPSHOT r22310+15-a32def781f'
DISTRIB_TAINTS='no-all busybox'
Looks OK, /etc/init.d/banip restart should work.
The LuCI GUI shows this error (nft: ✘, monitor: ✘).
I tried to play around with the settings in it too; is there something I should pay special attention to?
The config right now, "dirty" and without many sources checked:
config banip 'global'
option ban_enabled '1'
option ban_debug '1'
option ban_autodetect '0'
list ban_logterm 'Exit before auth from'
list ban_logterm 'luci: failed login'
list ban_logterm 'error: maximum authentication attempts exceeded'
list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
list ban_trigger 'wan'
option ban_deduplicate '1'
option ban_loginput '0'
option ban_logforwardwan '0'
option ban_logforwardlan '0'
option ban_nicelimit '0'
option ban_filelimit '512'
option ban_cores '2'
option ban_splitsize '512'
list ban_feed 'firehol1'
list ban_feed 'iblockads'
option ban_autoallowlist '1'
option ban_autoblocklist '1'
option ban_allowlistonly '0'
option ban_nftpolicy 'memory'
option ban_nftpriority '-100'
option ban_nftloglevel 'info'
option ban_loglimit '100'
option ban_reportelements '0'
option ban_fetchcmd 'curl'
option ban_protov4 '1'
list ban_ifv4 'wan'
option ban_protov6 '1'
list ban_ifv6 'wan_6'
option ban_nftexpiry '2h'
option ban_fetchinsecure '1'
list ban_dev 'br-lan'
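The ban_logterm entries in the config above are extended regexes that banIP matches against the system log to pick out hosts for the log-based block. As an added example (not banIP's own code, and not a reproduction of how banIP extracts addresses internally), the script below runs exactly those five patterns over a few constructed syslog lines, shows which lines would be caught, pulls the IPv4 address out of each hit, and lists the patterns that matched nothing. The sample log lines are constructed for this example and use documentation address ranges.

```shell
#!/bin/sh
# Added example: dry-run a set of banIP ban_logterm regexes against sample
# log lines with grep -E, the way one would sanity-check them before
# enabling the log monitor. Not part of banIP; the log lines are constructed.

# The ban_logterm patterns from the config above, one per line.
LOGTERMS='Exit before auth from
luci: failed login
error: maximum authentication attempts exceeded
sshd.*Connection closed by.*\[preauth\]
SecurityEvent=\"InvalidAccountID\".*RemoteAddress='

# Constructed sample log lines in the shape logread prints them. Three of
# them are auth failures that should be caught; the dnsmasq line must not be.
SAMPLE_LOG='Tue Mar 21 00:30:01 2023 auth.info dropbear[1234]: Exit before auth from <203.0.113.10:51234>: Exited normally
Tue Mar 21 00:30:05 2023 daemon.info sshd[2345]: Connection closed by authenticating user root 198.51.100.7 port 40000 [preauth]
Tue Mar 21 00:30:09 2023 authpriv.warn luci: failed login on / for root from 192.0.2.55
Tue Mar 21 00:30:12 2023 daemon.info dnsmasq[999]: using nameserver 192.0.2.1#53'

# logterm_regex: join all patterns into one ERE alternation (no trailing '|',
# because printf '%s' emits no final newline for tr to convert).
logterm_regex() {
    printf '%s' "$LOGTERMS" | tr '\n' '|'
}

# match_logterms: print every sample line that matches at least one pattern.
match_logterms() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E "$(logterm_regex)"
}

# extract_ips: the unique IPv4 addresses found in the matching lines.
# A dotted-quad regex is enough here; it does not validate octet ranges.
extract_ips() {
    match_logterms | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# unmatched_logterms: patterns that hit none of the sample lines, so you can
# see which ban_logterm entries your sample log never exercises.
unmatched_logterms() {
    printf '%s\n' "$LOGTERMS" | while IFS= read -r pat; do
        printf '%s\n' "$SAMPLE_LOG" | grep -Eq "$pat" || printf '%s\n' "$pat"
    done
}

# Stand-alone run: show hits, the addresses a ban would key on, and idle patterns.
echo "== matching log lines =="; match_logterms
echo "== addresses =="; extract_ips
echo "== patterns with no match in the sample =="; unmatched_logterms
```

To test against a real device, replace SAMPLE_LOG with the output of logread; a pattern that matches nothing on a box that has seen real failed logins is the first thing to suspect when the log-based blocklist stays empty.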
Please restart the service as mentioned before and post the log output.
Of course I did that already.
I played around with the logging settings, since simply enabling verbose default logging didn't show any extra output; I got it to show more, but I think it's not showing everything:
Mon Mar 20 23:24:21 2023 user.info banIP-[16447]: start banIP processing (start)
Mon Mar 20 23:24:32 2023 user.err banIP-[16447]: nft based firewall/fw4 not functional
Mon Mar 20 23:24:52 2023 user.debug banIP-[17566]: f_system ::: system: Linksys EA7500 V1 WiFi Router, OpenWrt SNAPSHOT r22310+15-a32def781f, version: n/a, memory: 34, cpu_cores: 2
Mon Mar 20 23:24:53 2023 user.info banIP-[17687]: start banIP processing (restart)
Mon Mar 20 23:24:53 2023 user.debug banIP-[17687]: f_system ::: system: Linksys EA7500 V1 WiFi Router, OpenWrt SNAPSHOT r22310+15-a32def781f, version: n/a, memory: 33, cpu_cores: 2
Mon Mar 20 23:24:53 2023 user.debug banIP-[17687]: f_tmp ::: base_dir: /tmp, tmp_dir: /tmp/tmp.iGMcCM
Mon Mar 20 23:24:53 2023 user.debug banIP-[17687]: f_fetch ::: fetch_cmd: /usr/bin/curl, fetch_parm: --insecure --connect-timeout 20 --fail --silent --show-error --location -o
Mon Mar 20 23:24:53 2023 user.debug banIP-[17687]: f_getif ::: auto/update: 0/0, interfaces (4/6): wan/wan_6, protocols (4/6): 1/1
Mon Mar 20 23:24:53 2023 user.debug banIP-[17687]: f_getdev ::: auto/update: 0/0, devices: br-lan, cnt: 0
Mon Mar 20 23:24:53 2023 user.debug banIP-[17687]: f_getsub ::: auto/update: 1/0, subnet(s): [REDACTED]
Mon Mar 20 23:25:03 2023 user.err banIP-[17687]: nft based firewall/fw4 not functional
Mon Mar 20 23:25:03 2023 user.debug banIP-[17687]: f_system ::: system: Linksys EA7500 V1 WiFi Router, OpenWrt SNAPSHOT r22310+15-a32def781f, version: n/a, memory: 34, cpu_cores: 2
Mon Mar 20 23:25:03 2023 user.debug banIP-[17687]: f_rmdir ::: deleted directory: /tmp/tmp.iGMcCM
Tue Mar 21 00:18:37 2023 user.debug banIP-[24282]: f_system ::: system: Linksys EA7500 V1 WiFi Router, OpenWrt SNAPSHOT r22310+15-a32def781f, version: n/a, memory: 45, cpu_cores: 2
Tue Mar 21 00:18:37 2023 user.info banIP-[24386]: start banIP processing (restart)
Tue Mar 21 00:18:38 2023 user.debug banIP-[24386]: f_system ::: system: Linksys EA7500 V1 WiFi Router, OpenWrt SNAPSHOT r22310+15-a32def781f, version: n/a, memory: 45, cpu_cores: 2
Tue Mar 21 00:18:38 2023 user.debug banIP-[24386]: f_tmp ::: base_dir: /tmp, tmp_dir: /tmp/tmp.bLdhJi
Tue Mar 21 00:18:38 2023 user.debug banIP-[24386]: f_fetch ::: fetch_cmd: /usr/bin/curl, fetch_parm: --insecure --connect-timeout 20 --fail --silent --show-error --location -o
Tue Mar 21 00:18:38 2023 user.debug banIP-[24386]: f_getif ::: auto/update: 0/0, interfaces (4/6): wan/wan_6, protocols (4/6): 1/1
Tue Mar 21 00:18:38 2023 user.debug banIP-[24386]: f_getdev ::: auto/update: 0/0, devices: br-lan, cnt: 0
Tue Mar 21 00:18:38 2023 user.debug banIP-[24386]: f_getsub ::: auto/update: 1/0, subnet(s): [REDACTED]
Tue Mar 21 00:18:48 2023 user.err banIP-[24386]: nft based firewall/fw4 not functional
Tue Mar 21 00:18:48 2023 user.debug banIP-[24386]: f_system ::: system: Linksys EA7500 V1 WiFi Router, OpenWrt SNAPSHOT r22310+15-a32def781f, version: n/a, memory: 47, cpu_cores: 2
Tue Mar 21 00:18:48 2023 user.debug banIP-[24386]: f_rmdir ::: deleted directory: /tmp/tmp.bLdhJi
Tue Mar 21 00:26:14 2023 user.info banIP-[5362]: start banIP processing (reload)
Tue Mar 21 00:26:15 2023 user.debug banIP-[5362]: f_system ::: system: Linksys EA7500 V1 WiFi Router, OpenWrt SNAPSHOT r22310+15-a32def781f, version: n/a, memory: 43, cpu_cores: 2
Tue Mar 21 00:26:15 2023 user.debug banIP-[5362]: f_tmp ::: base_dir: /tmp, tmp_dir: /tmp/tmp.mKlipf
Tue Mar 21 00:26:15 2023 user.debug banIP-[5362]: f_fetch ::: fetch_cmd: /usr/bin/curl, fetch_parm: --insecure --connect-timeout 20 --fail --silent --show-error --location -o
Tue Mar 21 00:26:15 2023 user.debug banIP-[5362]: f_getif ::: auto/update: 0/0, interfaces (4/6): wan/wan_6, protocols (4/6): 1/1
Tue Mar 21 00:26:15 2023 user.debug banIP-[5362]: f_getdev ::: auto/update: 0/0, devices: br-lan, cnt: 0
Tue Mar 21 00:26:15 2023 user.debug banIP-[5362]: f_getsub ::: auto/update: 1/0, subnet(s): [REDACTED]
Tue Mar 21 00:26:15 2023 user.debug banIP-[5362]: f_nftinit ::: devices: br-lan, priority: -100, policy: memory, loglevel: debug, rc: 0, log: -
Tue Mar 21 00:26:15 2023 user.info banIP-[5362]: nft namespace initialized
Tue Mar 21 00:26:15 2023 user.info banIP-[5362]: start banIP download processes
Tue Mar 21 00:26:15 2023 user.debug banIP-[5362]: f_down ::: name: allowlistvMAC, cnt_dl: -, cnt_set: -, split_size: 512, time: 0, rc: 0, log: -
Tue Mar 21 00:26:15 2023 user.debug banIP-[5362]: f_down ::: name: allowlistv4, cnt_dl: -, cnt_set: -, split_size: 512, time: 0, rc: 0, log: -
Tue Mar 21 00:26:15 2023 user.debug banIP-[5362]: f_down ::: name: allowlistv6, cnt_dl: -, cnt_set: -, split_size: 512, time: 0, rc: 0, log: -
Tue Mar 21 00:26:16 2023 user.debug banIP-[5362]: f_backup ::: name: firehol1v4, source: tmp.JipmOC.firehol1v4.load, target: banIP.firehol1v4.gz, rc: 0
Tue Mar 21 00:26:17 2023 user.debug banIP-[5362]: f_down ::: name: firehol1v4, cnt_dl: 2157, cnt_set: -, split_size: 512, time: 2, rc: 0, log: -
Tue Mar 21 00:26:18 2023 user.debug banIP-[5362]: f_backup ::: name: iblockadsv4, source: tmp.JipmOC.iblockadsv4.load, target: banIP.iblockadsv4.gz, rc: 0
Tue Mar 21 00:26:20 2023 user.debug banIP-[5362]: f_down ::: name: iblockadsv4, cnt_dl: 3437, cnt_set: -, split_size: 512, time: 3, rc: 0, log: -
Tue Mar 21 00:26:20 2023 user.debug banIP-[5362]: f_down ::: name: blocklistvMAC, cnt_dl: -, cnt_set: -, split_size: 512, time: 0, rc: 0, log: -
Tue Mar 21 00:26:20 2023 user.debug banIP-[5362]: f_down ::: name: blocklistv4, cnt_dl: 0, cnt_set: -, split_size: 512, time: 0, rc: 0, log: -
Tue Mar 21 00:26:21 2023 user.debug banIP-[5362]: f_down ::: name: blocklistv6, cnt_dl: 0, cnt_set: -, split_size: 512, time: 1, rc: 0, log: -
Tue Mar 21 00:26:21 2023 user.info banIP-[5362]: start detached banIP domain lookup
Tue Mar 21 00:26:21 2023 user.debug banIP-[5362]: f_lookup ::: name: allowlist, cnt_domain: 0, cnt_ip: 0, duration: 0m 0s
Tue Mar 21 00:26:21 2023 user.debug banIP-[5362]: f_lookup ::: name: blocklist, cnt_domain: 0, cnt_ip: 0, duration: 0m 0s
Tue Mar 21 00:26:21 2023 user.debug banIP-[5362]: f_rmset ::: sets: -, rc: -, log: -
Tue Mar 21 00:26:21 2023 user.debug banIP-[5362]: f_rmdir ::: deleted directory: /tmp/tmp.mKlipf
Tue Mar 21 00:26:22 2023 user.debug banIP-[5362]: f_system ::: system: Linksys EA7500 V1 WiFi Router, OpenWrt SNAPSHOT r22310+15-a32def781f, version: n/a, memory: 39, cpu_cores: 2
Tue Mar 21 00:26:22 2023 user.info banIP-[5362]: finished banIP download processes
Tue Mar 21 00:26:22 2023 user.info banIP-[5362]: start detached banIP log service
Sorry, I have no idea what's wrong with your environment. Anyway, two observations from your private build:
- your router has very little free memory
- banIP doesn't print any version information .... that's odd
The error message will be emitted here:
I have the same error with the Belkin RT3200 sometimes...
I don't know why; it crashes too.
Could be from the upstream master; the builds I use shouldn't affect any main environment.
Yeah, sorry about that, I was loading something in the background. The router has 50MB available memory at any time, should be enough for a few lists even with the overhead? I didn't see it running out of memory while restarting the service.
Very strange, is there any other status message that firewall can give? Because I started something on firewall (upnpd), but I remember even before that it said "^active".
FYI, as you see at the bottom of the log, it eventually started but showed 0 applied lists and blocked the traffic on LAN until stopped.
Would the output of nft list ruleset help you in any way?
Is there also a way for wildcard domains? For now I used just the dot, like how dnsmasq uses wildcard domains, if I'm correct.
thanks
@dibdot just installed v0.8.2-2 from the stable branch, awesome stuff!
Question: on the previous stable build v0.7.10 I was consuming /tmp/ban_runtime.json to determine the runtime status, however it doesn't look like this new version is creating the runtime file? Example JSON output:
{ "status": "disabled", "version": "0.7.10", "ipset_info": "-", "active_sources":
Would it be possible to restore this json file? I am consuming this data to report the BanIP running status in Home Assistant
The file is now located here: /var/run/banip_runtime.json. The data structure has also changed slightly.
Nope, that's not possible. We need to resolve the listed domains via nslookup ...
Thank you so much for re-writing BanIP, was missing it a lot.
If I have installed banIP 8.2.2 on 22.03.x, configured and tested the msmtp what is the purpose of the following setting?
option ban_mailnotification '1'
I was under the impression that every time there was a blacklisting I will get an e-mail, but nothing is happening. I tested the e-mail from the command line by requesting a report and confirmed the smtp configuration; received an e-mail like this.
++
++ System Information ++
++
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__| |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 22.03.2, r19803-9a599fee93
 -------------------------------
But is this all the e-mail does, is for manual requesting of report or am I missing something?
This option is not yet supported in 22.03 (only supported in master with latest release 0.8.2-3). I'm currently working on some LuCI enhancements, once released in master I'll backport the stuff to stable branch as well.
A big thank you!!!!!!
Hi, is there any way to confirm my config actually works?
I used to have banIP back when it didn't use the new firewall, and it used to block hundreds of IPs a day. I was delighted to see it now supports the new firewall, reinstalled and reconfigured it, but after 2 days it tells me it blocked 0 IPs. The "workload" going through the router hasn't changed since I last used banIP, if anything it increased. I just can't think of a way to try to access my network so that banIP would pick the attempt out, if that makes sense.
My config:
config banip 'global'
option ban_autodetect '1'
list ban_logterm 'Exit before auth from'
list ban_logterm 'luci: failed login'
list ban_logterm 'error: maximum authentication attempts exceeded'
list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
option ban_enabled '1'
option ban_debug '1'
option ban_deduplicate '1'
option ban_loginput '1'
option ban_logforwardwan '1'
option ban_logforwardlan '0'
option ban_nicelimit '0'
option ban_filelimit '1024'
option ban_basedir '/mnt/usb2/tmp/banip/tmp'
option ban_backupdir '/mnt/usb2/tmp/banip/backup'
option ban_reportdir '/mnt/usb2/tmp/banip/report'
option ban_nftpolicy 'memory'
option ban_nftpriority '-200'
option ban_nftexpiry '1h'
option ban_nftloglevel 'warn'
option ban_loglimit '100'
list ban_feed 'asn'
list ban_feed 'country'
list ban_feed 'firehol1'
list ban_feed 'firehol2'
list ban_feed 'firehol3'
list ban_feed 'sslbl'
list ban_feed 'tor'
list ban_country 'cn'
list ban_country 'in'
list ban_country 'ro'
list ban_country 'ru'
list ban_asn '32934'
list ban_asn '13414'
option ban_autoallowlist '1'
option ban_autoblocklist '1'
option ban_allowlistonly '0'
option ban_fetchcmd 'curl'
option ban_protov4 '1'
list ban_ifv4 'wan'
list ban_dev 'wan'
Edit: using OpenWrt 22.03-SNAPSHOT r20065-7b05a8d05d, banip 0.8.2-2, luci-app-banip git-23.078.54332-016adfc
At first sight your config looks OK. Just restart banIP and check the log in parallel.