banIP support thread

Would this be a sufficient basic Blocklist Feed Selection or should I add more feeds?
darklist, debl, feodo, firehol1, firehol2, iblockspy, proxy, sslbl, threat, tor

Depends on what you want to block.
I would go with cinscore, etcompromised, talos and brute force also.

How can I use the doh list and allow a single LAN IP to have access to certain DNS servers on the internet?
I have both the 21.02 and 22.03 versions of OpenWrt.
Thanks!

I'm new to banIP. Is there a way to create a custom local feed that's separate from the standard local allowlist and blocklist, i.e. a custom feed where the "URL" points to a local file? Can I use a file:// URL?

The reason behind this is that I'm not satisfied with the accuracy of the IPdeny location database that's used by default for country identification, so I'd like to create my own feed based on IP ranges of my choice extracted from a different location database (db-ip.com).

The db-ip.com database is only available in a CSV format, so it needs some massaging to get it into a format that banIP will accept (i.e. a list of CIDR ranges). I'm happy to do that massaging, but I then need to be able to import the resulting list into banIP, and I'd rather not use the generic blocklist because I might want to use that for other purposes in future.

Another idea - it would be useful to be able to add certain ports to an allow list, so that incoming packets on those ports are never blocked.

For example, I would like to keep my OpenVPN port accessible from anywhere, just in case. The geoip and blocklist data is never going to be completely correct, and a bad or outdated entry could lead to me being locked out of my home network while travelling.

I see that some DHCP ports are already whitelisted in the banIP's wan-input chain, but there doesn't seem to be a way to do something similar for other ports without manually adding a rule.

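Added example (not from the original post or from banIP itself) of the CSV massaging described above: it turns db-ip style rows of `ip_start,ip_end,country_code` into the list of CIDR ranges banIP accepts, for the country codes you pick. The three-column layout and the sample rows are assumptions.

```python
"""Convert a db-ip style CSV (ip_start,ip_end,country_code) into CIDR lines for banIP."""
import csv
import io
import ipaddress

# Constructed sample rows using documentation address space (assumed db-ip lite layout).
SAMPLE_CSV = """\
198.51.100.0,198.51.100.255,DE
203.0.113.0,203.0.113.63,NL
203.0.113.64,203.0.113.127,DE
2001:db8::,2001:db8::ffff,DE
not-an-ip,203.0.113.200,DE
"""


def csv_to_cidrs(csv_text, countries, want_v6=False):
    """Return sorted, merged CIDR strings for every range whose country is in `countries`.

    IPv4 and IPv6 are emitted separately (banIP keeps v4 and v6 feeds apart), so
    `want_v6` selects which family this call produces.
    """
    nets = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 3:
            continue  # short or empty line
        start, end, cc = row[0].strip(), row[1].strip(), row[2].strip().upper()
        if cc not in countries:
            continue
        try:
            a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
        except ValueError:
            continue  # skip a malformed row instead of aborting the whole feed build
        if a.version != b.version or (a.version == 6) != want_v6:
            continue
        if b < a:
            a, b = b, a  # tolerate reversed start/end
        # A start..end range rarely maps to one prefix; summarize splits it into the
        # minimal set of CIDR blocks, which is what the feed needs.
        nets.extend(ipaddress.summarize_address_range(a, b))
    # Merge adjacent blocks that came from separate rows (e.g. two /25s into one /24).
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def write_feed(cidrs, path):
    """Write one CIDR per line, the plain-list format the thread describes for banIP."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(cidrs) + "\n")


if __name__ == "__main__":
    print("\n".join(csv_to_cidrs(SAMPLE_CSV, {"DE"})))
```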

I have a question about banip's blocking system. I just started using it, so pardon the naiveness, but...

I regularly SSH into my router where banip is running, and I have found that it's adding the IP of the host I'm ssh'ing in from to the banip.blocklist.

I've already added this to the whitelist, so I am not sure why it's STILL adding it to the blocklist afterwards? This just happened, even though last night I added it to the blocklist (and I've rebooted the router for other reasons since then).

root@router-main:/etc/banip# uptime
 12:03:59 up 57 min,  load average: 0.01, 0.05, 0.00

root@router-main:/etc/banip# grep 172.2x.x.10 *
banip.allowlist:172.2x.x.10                              # added on 2023-09-30 00:12:32
banip.blocklist:172.2x.x.10                              # added on 2023-09-30 11:59:41

Any ideas??
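An added check (example code, not part of the original post or of banIP) that reports which local blocklist entries are already covered by an allowlist entry, using the `IP  # added on ...` line format shown above; the two sample lists are constructed.

```python
"""Report banIP local blocklist entries that an allowlist entry already covers."""
import ipaddress

# Constructed sample lists in the format shown in the thread (documentation addresses).
ALLOWLIST = """\
192.0.2.10                              # added on 2023-09-30 00:12:32
198.51.100.0/24                         # whole office range
"""
BLOCKLIST = """\
192.0.2.10                              # added on 2023-09-30 11:59:41
198.51.100.77                           # inside the allowed /24
203.0.113.5                             # genuinely unwanted
evil.example                            # auto-added domain, not an IP
"""


def parse_list(text):
    """Return the IP networks in a banIP list; comments, blanks and non-IP entries are skipped."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()  # drop the trailing '# added on ...' comment
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            pass  # domains or garbage are not IP entries; ignore them here
    return nets


def shadowed_entries(allow_text, block_text):
    """Return (blocklist_entry, allowlist_entry) pairs where the allow entry covers the block entry."""
    allow = parse_list(allow_text)
    hits = []
    for b in parse_list(block_text):
        for a in allow:
            if a.version == b.version and b.subnet_of(a):
                hits.append((str(b), str(a)))
                break
    return hits


if __name__ == "__main__":
    for blocked, allowed in shadowed_entries(ALLOWLIST, BLOCKLIST):
        print(f"{blocked} is in the blocklist but already allowed by {allowed}")
```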

I have disabled the ability to auto-add IPs to the local blacklist myself; my opnsense firewall IP sitting behind openwrt was always added as suspicious.

In my case, I'm NAT-ing everything with that IP, plus OpenWrt in x64 devel running on a CT, so I disabled the feature.

This might be an issue that needs to be addressed in your case since you have the same behaviour with one client.

Sorry, I don't quite understand how to address it. You said to disable something, but it was not clear what/where/how?

In feed selection, untick auto blocklist.
"Automatically add resolved domains and suspicious IPs to the local banIP blocklist"

Doesn't that disable the entire strength of the system? E.g. the suspicious stuff on the outside trying to get in will no longer get blocked? If that change makes me entirely lose protection from the outside, I don't think I want that heavy-a-hammer solution for what seems like a logic flaw: why should something already in the allowlist still get added to the block list??

As long as the allowlist rule always supersedes the blocklist rule, it’s usually not a problem. It would be tedious (I imagine) to try to prune the blocklist for every exception.

Does that mean that it doesn't even consult the allowlist when deciding to block something (as I thought my experience was an outlier)? That seems rather short-sighted? Without wishing to sound ungrateful, how hard could it be for banip to check the other list before deciding to block something (esp. when there's no point in doing so because the host is in the allowlist)?

Are you being blocked from this allowed IP? You don’t actually mention if you’re blocked, or you just don’t like seeing the allowed IP on the block list.

In the firewall chains updated by banIP the Allow List rules always appear before the Block List rules. Packets are processed until they match a rule at which point the rule's action is taken.

Anything in the allow list will never be blocked by the block list(s), either the auto ones or the ones sourced from various feeds.


Agreed, not officially supported, but I run it on OpenWrt 23.05 on my C7v2 with 4-7 small/medium sets with no memory issues.

I wouldn’t hesitate to run BanIP with 128MB of RAM on a default OpenWrt installation…just don’t go overboard on the number of IP sets.


Hi, I am running version 9.1 on OpenWrt 23.0.5.
I just noticed that out of a downloaded set of 83939, it is only using 27266 in the set. Normally on 22.03.5 it was always loading a set of approximately 80000+.
Is there something specific to the new version, or something I should check / reset in the settings?

Here is an excerpt of the processing log:
user.debug banIP-0.9.1-1[3116]: f_down ::: feed: countryv4, cnt_dl: 83939, cnt_set: 27266, split_size: 256, time: 199, rc: 0, log:

Thank you.

Newbie question for BanIP experts...

I use the DNS HTTPS proxy in LuCI to send DNS queries to quad9 and Cloudflare, both as DoH. I force clients to use router DNS (DNS hijacking).

But as is well known, this isn't really a defence against potentially hostile devices on the LAN using hard-coded DNS over DoH to bypass the rules.

Would using BanIP stop them from doing this?

We have almost the same setup

  • banip
  • https-dns-proxy (https over dns)

But I'm also using adblock.

I've enabled DOH feeds on both banip and adblock just to make sure clients in my network have no chance of using manual DNS. Plus the https-dns-proxy has a feature (enabled by default) to capture and force all DNS queries to it.

With those 3 combined, there's almost no chance for a client in the network to bypass the DNS.


Hello,
I am running banip on an Archer A7v5 with only the doh feed. I have a Xiaomi camera which stops working after enabling banip with the doh feed. If I add the camera's MAC to the allowlist, it starts working again.
How do I view the logs to find out which domain/IP is getting blocked here?
I have tried setting the log level to debug and enabling verbose debug logging. Still can't see any indication of a block in logread.

NVM, it was "Log LAN-Forward" in Logging. I enabled that and started seeing BanIP logs in the firewall logs.
Turns out my Xiaomi camera has hardcoded 8.8.8.8 to check connectivity, which was getting blocked by the doh feed.
Is there any way to only allow access to a specific IP/domain (8.8.8.8) from specific LAN clients?
I don't want to allow the client to bypass the doh feed by putting its MAC in the allowlist. And if I put 8.8.8.8 in the allowlist, then every LAN client can access 8.8.8.8.
I tried with firewall traffic rules, but I guess banip supersedes those.