You probably need to create a manual firewall (nft) definition for this very specific requirement. And make sure the priority is higher than BANIP. BanIP's default priority level is -200 (if i'm not mistaken).
How do i set priority for a Traffic rule?
I tried creating a traffic rule via luci, but i guess it's priority is lower than banip cause it's not working.
Ok so, i figured it out.
I tried changing the priority of banip anywhere from -1000 to 1000 but still my traffic rules were not working.
In the end, i just inserted the rules in banip lan-forward chain like so,
nft insert rule inet banIP lan-forward meta l4proto icmp ip saddr { 172.26.32.2, 172.26.32.3 } ip daddr 8.8.8.8 counter packets 0 bytes 0 accept
But on reboot or banip restart, the rules were getting overwritten obviously.
So i added the above rule command to the banip init script in start,restart,reload functions like so,
start_service() {
if "${ban_init}" enabled; then
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
f_rmpid
procd_open_instance "banip-service"
procd_set_param command "${ban_service}" "${@:-"${action}"}"
procd_set_param pidfile "${ban_pidfile}"
procd_set_param nice "$(uci_get banip global ban_nicelimit "0")"
procd_set_param limits nofile="$(uci_get banip global ban_filelimit "1024")"
procd_set_param stdout 1
procd_set_param stderr 1
procd_close_instance
sleep 300s
nft insert rule inet banIP lan-forward meta l4proto icmp ip saddr { 172.26.32.2, 172.26.32.3 } ip daddr 8.8.8.8 counter packets 0 bytes 0 accept
else
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
f_log "err" "banIP service autostart is disabled"
rm -rf "${ban_lock}"
fi
}
reload_service() {
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
f_rmpid
rc_procd start_service "reload"
sleep 300s
nft insert rule inet banIP lan-forward meta l4proto icmp ip saddr { 172.26.32.2, 172.26.32.3 } ip daddr 8.8.8.8 counter packets 0 bytes 0 accept
}
restart() {
stop_service
rc_procd start_service "restart"
sleep 300s
nft insert rule inet banIP lan-forward meta l4proto icmp ip saddr { 172.26.32.2, 172.26.32.3 } ip daddr 8.8.8.8 counter packets 0 bytes 0 accept
}
i added a delay of 300s for banip to populate it's lan-forward chain before i add into it.
Also, since i modified the banip init script, i added /etc/init.d/banip to /etc/sysupgrade.conf so i don't replace it with upgrade.
I found this cool article which helped me a lot in understanding nftables: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-getting_started_with_nftables
@dibdot I think you have some IPs in the DOH ban feed that are not DNS servers.
I've got a couple of IPs below when checked are actually Cloudflare IP's (cloudfront). Can you check and verify?
104.26.14.96
104.26.15.96
172.67.73.29
2606:4700:20::681a:e60
2606:4700:20::681a:f60
2606:4700:20::ac43:491d
Well, dig -x 104.26.14.96 shows that it's dns.cloudflare.com, so I'd say the rest are, too. Many CDNs re-use the same IP for all sorts of things, piling DoH onto it isn't surprising and I've seen it before.
Yeah.. but it's also blocking some sites due to the fact that they are also using the same IPs (might due to cloudflront or CDN).
Cloudfront is AWS's CDN.
I use this online tool to check for reverse IP lookup. https://hackertarget.com/reverse-ip-lookup/
If you try those IP's i've mentioned, it will show that those IPs are set to multiple domains.
And doing a random dig or nslookup it does indeed return those IP address as the A PTR address for for those domains.
For example:
# dig @8.8.8.8 parisjewelers.com
; <<>> DiG 9.18.19 <<>> @8.8.8.8 parisjewelers.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28799
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;parisjewelers.com. IN A
;; ANSWER SECTION:
parisjewelers.com. 300 IN A 104.26.14.96
parisjewelers.com. 300 IN A 172.67.73.29
parisjewelers.com. 300 IN A 104.26.15.96
;; Query time: 40 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Sun Oct 22 22:47:05 PST 2023
;; MSG SIZE rcvd: 94
Another example:
# dig @8.8.8.8 watchasian.pro
; <<>> DiG 9.18.19 <<>> @8.8.8.8 watchasian.pro
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46831
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;watchasian.pro. IN A
;; ANSWER SECTION:
watchasian.pro. 300 IN A 104.26.14.96
watchasian.pro. 300 IN A 104.26.15.96
watchasian.pro. 300 IN A 172.67.73.29
;; Query time: 40 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Sun Oct 22 22:48:41 PST 2023
;; MSG SIZE rcvd: 91
I just upgraded banIP to the 0.9.1-1 and it doesn't block anything anymore, at least according to the /etc/init.d/banip report command. There's no errors in the log files and all the feeds are loaded as I can see in nft list ruleset. I'd appreciate any help!
# /etc/init.d/banip status
::: banIP runtime information
+ status : active (nft: ✔, monitor: ✘)
+ version : 0.9.1-1
+ element_count : 179540
+ active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, darklistv4, deblv4, dshieldv4, edropv4, dropv4, firehol1v4, iblockspyv4, nixspamv4, firehol2v4, sslblv4, talosv4, voipv4, uceprotect1v4, yoyov4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6
+ active_devices : wan: wan / wan-if: wan, - / vlan-allow: - / vlan-block: -
+ active_uplink : -
+ nft_info : priority: -200, policy: memory, loglevel: debug, expiry: -
+ run_info : base: /tmp, backup: /tmp/banIP-backup, report: /tmp/banIP-report
+ run_flags : auto: ✔, proto (4/6): ✔/✘, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, custom feed: ✘, allowed only: ✘
+ last_run : action: reload, fetch: uclient-fetch, duration: 0m 29s, date: 2023-10-26 09:27:56
# /etc/init.d/banip report
:::
::: banIP Set Statistics
:::
Timestamp: 2023-10-26 09:33:38
------------------------------
auto-added to allowlist today: 0
auto-added to blocklist today: 0
Set | Elements | WAN-Input (packets) | WAN-Forward (packets) | LAN-Forward (packets)
---------------------+--------------+-----------------------+-----------------------+------------------------
allowlistv4MAC | 0 | - | - | OK: 0
allowlistv6MAC | 0 | - | - | OK: 0
allowlistv4 | 1 | OK: 0 | OK: 0 | OK: 0
allowlistv6 | 0 | OK: 0 | OK: 0 | OK: 0
darklistv4 | 5981 | OK: 0 | OK: 0 | OK: 0
deblv4 | 15247 | OK: 0 | OK: 0 | OK: 0
dshieldv4 | 16 | OK: 0 | OK: 0 | OK: 0
edropv4 | 310 | OK: 0 | OK: 0 | OK: 0
dropv4 | 846 | OK: 0 | OK: 0 | OK: 0
firehol1v4 | 626 | OK: 0 | OK: 0 | OK: 0
iblockspyv4 | 2967 | OK: 0 | OK: 0 | OK: 0
nixspamv4 | 3819 | OK: 0 | OK: 0 | OK: 0
firehol2v4 | 3087 | OK: 0 | OK: 0 | OK: 0
sslblv4 | 31 | OK: 0 | OK: 0 | OK: 0
talosv4 | 4626 | OK: 0 | OK: 0 | OK: 0
voipv4 | 62248 | OK: 0 | OK: 0 | OK: 0
uceprotect1v4 | 76108 | OK: 0 | OK: 0 | OK: 0
yoyov4 | 3626 | OK: 0 | OK: 0 | OK: 0
blocklistv4MAC | 0 | - | - | OK: 0
blocklistv6MAC | 0 | - | - | OK: 0
blocklistv4 | 1 | OK: 0 | OK: 0 | OK: 0
blocklistv6 | 0 | OK: 0 | OK: 0 | OK: 0
---------------------+--------------+-----------------------+-----------------------+------------------------
22 | 179540 | 18 (0) | 18 (0) | 22 (0)
After an investigation I have been able to figure out myself. Auto detection of WAN interfaces didn't work correctly in my case, particularly I have to set ban_dev option explicitly.
Hi all,
I've installed banIP and and set it to block DoH following the wiki instructions.
But I can still ping DNS IPs on the DoH list.
What am I doing wrong?
Thanks
Edit: this might be of use
# cat /etc/config/banip
config banip 'global'
option ban_autodetect '1'
list ban_logterm 'Exit before auth from'
list ban_logterm 'luci: failed login'
list ban_logterm 'error: maximum authentication attempts exceeded'
list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
option ban_enabled '1'
option ban_fetchcmd 'uclient-fetch'
option ban_protov4 '1'
list ban_ifv4 'wan'
list ban_dev 'wan'
list ban_feed 'doh'
option ban_deduplicate '1'
option ban_loginput '1'
option ban_logforwardwan '1'
option ban_logforwardlan '0'
option ban_autoallowlist '1'
option ban_autoblocklist '1'
option ban_allowlistonly '0'
option ban_debug '0'
Enable debug mode and I also recommend to enable ban_logforwardlan to help also trace what are being banned from your local network.
After enabling debug mode, restart banip and post the logs here.
Where are you pinging from? Router or LAN client?
Processing log:
Fri Oct 27 10:48:41 2023 user.info banIP-0.9.0-1[21960]: start banIP processing (restart)
Fri Oct 27 10:48:41 2023 user.debug banIP-0.9.0-1[21960]: f_system ::: system: Linksys E8450 (UBI), OpenWrt 22.03.5 r20134-5f15225c1e, version: 0.9.0-1, memory: 414, cpu_cores: 2
Fri Oct 27 10:48:41 2023 user.debug banIP-0.9.0-1[21960]: f_tmp ::: base_dir: /tmp, tmp_dir: /tmp/tmp.EhlNEF
Fri Oct 27 10:48:41 2023 user.debug banIP-0.9.0-1[21960]: f_getfetch ::: auto/update: 1/0, cmd: /bin/uclient-fetch, fetch_parm: --timeout=20 -O, rdap_parm: --timeout=5 -O, etag_parm: -
Fri Oct 27 10:48:41 2023 user.debug banIP-0.9.0-1[21960]: f_getif ::: auto/update: 1/0, interfaces (4/6): wan/, protocols (4/6): 1/0
Fri Oct 27 10:48:41 2023 user.debug banIP-0.9.0-1[21960]: f_getdev ::: auto/update: 1/0, wan_devices: wan, cnt: 0
Fri Oct 27 10:48:41 2023 user.debug banIP-0.9.0-1[21960]: f_getuplink ::: auto/update: 1/0, uplink: XXX.XXX.XXX.XXX/32
Fri Oct 27 10:48:42 2023 user.debug banIP-0.9.0-1[21960]: f_nftinit ::: wan_dev: "wan", vlan_allow: -, vlan_block: -, priority: -200, policy: memory, loglevel: warn, rc: 0, log: -
Fri Oct 27 10:48:42 2023 user.info banIP-0.9.0-1[21960]: initialize nft namespace
Fri Oct 27 10:48:42 2023 user.info banIP-0.9.0-1[21960]: start banIP download processes
Fri Oct 27 10:48:42 2023 user.debug banIP-0.9.0-1[21960]: f_down ::: feed: allowlistv4MAC, cnt_dl: -, cnt_set: 0, split_size: 0, time: 0, rc: 0, log: -
Fri Oct 27 10:48:42 2023 user.debug banIP-0.9.0-1[21960]: f_down ::: feed: allowlistv6MAC, cnt_dl: -, cnt_set: 0, split_size: 0, time: 0, rc: 0, log: -
Fri Oct 27 10:48:42 2023 user.debug banIP-0.9.0-1[21960]: f_down ::: feed: allowlistv4, cnt_dl: -, cnt_set: 1, split_size: 0, time: 0, rc: 0, log: -
Fri Oct 27 10:48:42 2023 user.debug banIP-0.9.0-1[21960]: f_down ::: feed: allowlistv6, cnt_dl: -, cnt_set: 0, split_size: 0, time: 0, rc: 0, log: -
Fri Oct 27 10:48:42 2023 user.debug banIP-0.9.0-1[21960]: f_restore ::: feed: dohv4, file: banIP.dohv4.gz, in_rc: -, rc: 0
Fri Oct 27 10:48:42 2023 user.debug banIP-0.9.0-1[21960]: f_down ::: feed: dohv4, cnt_dl: 1605, cnt_set: 970, split_size: 0, time: 0, rc: 0, log: -
Fri Oct 27 10:48:42 2023 user.debug banIP-0.9.0-1[21960]: f_down ::: feed: blocklistv4MAC, cnt_dl: -, cnt_set: 0, split_size: 0, time: 0, rc: 0, log: -
Fri Oct 27 10:48:42 2023 user.debug banIP-0.9.0-1[21960]: f_down ::: feed: blocklistv6MAC, cnt_dl: -, cnt_set: 0, split_size: 0, time: 0, rc: 0, log: -
Fri Oct 27 10:48:42 2023 user.debug banIP-0.9.0-1[21960]: f_down ::: feed: blocklistv4, cnt_dl: 0, cnt_set: 0, split_size: 0, time: 0, rc: 0, log: -
Fri Oct 27 10:48:42 2023 user.debug banIP-0.9.0-1[21960]: f_down ::: feed: blocklistv6, cnt_dl: 0, cnt_set: 0, split_size: 0, time: 0, rc: 0, log: -
Fri Oct 27 10:48:43 2023 user.debug banIP-0.9.0-1[21960]: f_rmset ::: sets: -, rc: -, log: -
Fri Oct 27 10:48:43 2023 user.debug banIP-0.9.0-1[21960]: f_rmdir ::: directory: /tmp/tmp.EhlNEF
Fri Oct 27 10:48:43 2023 user.info banIP-0.9.0-1[21960]: start banIP domain lookup
Fri Oct 27 10:48:43 2023 user.debug banIP-0.9.0-1[21960]: f_lookup ::: feed: allowlist, domains: 0, IPs: 0, duration: 0m 0s
Fri Oct 27 10:48:43 2023 user.debug banIP-0.9.0-1[21960]: f_lookup ::: feed: blocklist, domains: 0, IPs: 0, duration: 0m 0s
Fri Oct 27 10:48:43 2023 user.info banIP-0.9.0-1[21960]: start detached banIP log service
Firewall log:
No banIP related firewall logs yet!
I'm pinging from LAN client.
Check Status->Firewall looking at the Traffic filter chain "lan-forward" and see if there are @dohv4 and @dohv6 rules and how many matches they have,
There are only @dohv4 rules. And it has 0B for Rule matches (I've disabled IPv6 on the router.)
What is in your allowlistv4? It shows 1 entry.
The IP address supplied by my ISP. This is done automatically by banIP.
Allowlist:
xxx.xxx.xxx.xxx/32 # uplink added on 2023-10-27 12:22:33
Hi all, my first post here.
Is it possible in banip to exclude a feed from the firewall log? Want DOH feed to be active, but i'm not interested in the flood of entries because of my chromecasts. Otherwise i want the entries from other feeds (possible IOCs)
Thanks!
only on chain level, not on "per feed" level, e.g.
1 Like