banIP support thread

I have OpenWrt 23.05.2 x86/64 running as a Proxmox VM with pass-through NICs. There are no firewall rules defined. Input/Output/Forward are all 'accept'.

WAN is eth2 aka GE1_up. WAN IP is 192.168.1.201/24.

I have a PC connected to eth5 (MAC 22:6d:2a:8f:69:32) with client IP 10.5.20.9/24.

My test IP is 1.1.1.1 which is included in the DoH blocklist.

My goal is to selectively apply the DoH blocklist. The selective part is not working. As long as banIP is active, curl 1.1.1.1 fails to connect from the PC.

banip

config banip 'global'
  option ban_enabled '1'
  option ban_debug '0'
  option ban_autodetect '0'
  list ban_logterm 'Exit before auth from'
  list ban_logterm 'luci: failed login'
  list ban_logterm 'error: maximum authentication attempts exceeded'
  list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
  list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
  list ban_logterm 'received a suspicious remote IP '\''.*'\'''
  option ban_deduplicate '1'
  list ban_blockforwardlan 'doh'
  option ban_loginput '1'
  option ban_logforwardwan '1'
  option ban_logforwardlan '0'
  list ban_feed 'doh'
  option ban_autoallowlist '1'
  option ban_autoblocklist '1'
  option ban_allowlistonly '0'
  option ban_fetchcmd 'curl'
  option ban_protov4 '1'
  option ban_blocktype 'reject'
  option ban_blockpolicy 'forwardlan'
  list ban_ifv4 'GE1_up'
  list ban_dev 'eth2'
  option ban_nftpriority '-200'

banip.allowlist

192.168.1.201/24 # uplink added on 2024-04-28 17:27:26
22:6d:2a:8f:69:32

firewall log
Sun Apr 28 20:22:45 2024 kern.debug kernel: [143397.476948] banIP/fwd-lan/reject/dohv4: IN=eth5 OUT=eth2 MAC=22:6d:2a:8f:69:32:50:6b:4b:55:33:21:08:00 SRC=10.5.20.9 DST=1.1.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=2221 DF PROTO=TCP SPT=49613 DPT=80 WINDOW=64284 RES=0x00 SYN URGP=0
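An added example (not from the thread or the banIP project) that parses the banIP log format above, splits the MAC field, which in the netfilter LOG format holds the destination MAC, then the source MAC, then the EtherType, and checks the packet against the allowlistv4MAC element the way an 'ether saddr . ip saddr' match would. The first sample line is the one logged above; the second inp-wan line is constructed.

```python
import ipaddress
import re
# The fwd-lan log line from the post above, plus one constructed inp-wan
# line (MACs and IPs in the second line are made up for illustration).
SAMPLE_LOG = [
    "Sun Apr 28 20:22:45 2024 kern.debug kernel: [143397.476948] banIP/fwd-lan/reject/dohv4: "
    "IN=eth5 OUT=eth2 MAC=22:6d:2a:8f:69:32:50:6b:4b:55:33:21:08:00 SRC=10.5.20.9 DST=1.1.1.1 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=2221 DF PROTO=TCP SPT=49613 DPT=80 WINDOW=64284 "
    "RES=0x00 SYN URGP=0",
    "Mon Apr 29 01:08:51 2024 kern.warn kernel: [ 4161.898514] banIP/inp-wan/drop/countryv4: "
    "IN=eth0.2 OUT= MAC=18:a6:f7:26:b8:09:00:17:10:a0:10:16:08:00:45:00:00:28 SRC=192.0.2.77 "
    "DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=22571 PROTO=TCP SPT=58342 DPT=9280 "
    "WINDOW=1024 RES=0x00 SYN URGP=0",
]

# Elements of the allowlistv4MAC concat set as (MAC, IPv4 prefix); the survey
# output in the thread shows one element, the MAC paired with 0.0.0.0/0.
ALLOWLIST_V4MAC = [("22:6d:2a:8f:69:32", "0.0.0.0/0")]

PREFIX_RE = re.compile(r"banIP/(?P<chain>[\w-]+)/(?P<action>\w+)/(?P<set>\w+):")

def parse_banip_log(line):
    """Split one banIP nftables log line into a dict of its fields."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["flags"] = []  # bare tokens such as DF or SYN
    for token in line[m.end():].split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
        else:
            rec["flags"].append(token)
    octets = rec.get("MAC", "").split(":")
    if len(octets) >= 14:
        # netfilter LOG dumps the raw Ethernet header: destination MAC,
        # then source MAC, then EtherType; extra bytes are IP header.
        rec["dst_mac"] = ":".join(octets[0:6])
        rec["src_mac"] = ":".join(octets[6:12])
        rec["ethertype"] = "0x" + "".join(octets[12:14])
    return rec

def allowlist_matches(rec, allowlist=ALLOWLIST_V4MAC):
    """Mirror 'ether saddr . ip saddr @allowlistv4MAC' against a parsed record."""
    src_ip = ipaddress.ip_address(rec["SRC"])
    return any(rec.get("src_mac") == mac.lower()
               and src_ip in ipaddress.ip_network(prefix)
               for mac, prefix in allowlist)
```

Running it over the logged line shows which of the two MACs in the MAC field is the source MAC the allowlist element has to carry for the rule to match.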

Works for me, please post the output of
/etc/init.d/banip survey allowlistv4MAC and
/etc/init.d/banip survey allowlistv6MAC

root@OpenWrt-VM:~# /etc/init.d/banip survey allowlistv4MAC
:::
::: banIP Survey
:::
    List of elements in the Set 'allowlistv4MAC' on 2024-04-28 20:59:30
    ---
{ "concat": [ "22:6d:2a:8f:69:32", { "prefix": { "addr": "0.0.0.0", "len": 0 } } ] }

/etc/init.d/banip survey allowlistv6MAC is empty

Is this IPv4 only? If not, maybe you should enable the banIP autodetection ... or manually set up IPv4 and IPv6 uplinks.

I disable IPv6 whenever possible, but it's a losing battle.

Auto Detection makes no difference. I was trying to simplify.

The input interface is 'virtual' via SR-IOV pass-through. Could that make a technical difference?

Since the MAC is currently randomly-assigned, I'm going to make some config changes on the host to assign a permanent MAC and then reboot. Maybe some magic will happen.

Thanks for your help.

Hello dibdot,
Is getting a kernel warning every few seconds in the system log normal?
e.g.
Mon Apr 29 01:08:51 2024 kern.warn kernel: [ 4161.898514] banIP/inp-wan/drop/countryv4: IN=eth0.2 OUT= MAC=18:a6:f7:26:b8:09:00:17:10:a0:10:16:08:00:45:00:00:28 SRC=152.89.198.98 DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=22571 PROTO=TCP SPT=58342 DPT=9280 WINDOW=1024 RES=0x00 SYN URGP=0

Thank-you

yes, that's how it looks "out there", this time ip 152.89.198.98 wants to know if your port 9280 is open...


Thanks shellman

I don't know if it is a bug or not, but with the latest two builds I had two hangs when I changed blocklist feeds. I added some new feeds and then hit save & apply, and after one or two minutes all network traffic was interrupted; the router could not be accessed and I had to reboot it by disconnecting power.
Just tried it for the third time and it hung again. Looks like OOM.


How many feeds is it practical to have selected?

Just check the section for low memory systems in the readme, e.g. limit the number of CPUs.

Hard to say, maybe you should share your config ...

Here it is. After reboot it doesn't hang but takes over 8 minutes to start.


config banip 'global'
	option ban_enabled '1'
	option ban_debug '0'
	option ban_autodetect '1'
	list ban_logterm 'Exit before auth from'
	list ban_logterm 'luci: failed login'
	list ban_logterm 'error: maximum authentication attempts exceeded'
	list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
	list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
	option ban_deduplicate '1'
	option ban_loginput '0'
	option ban_logforwardwan '0'
	option ban_logforwardlan '0'
	option ban_autoallowlist '1'
	option ban_autoblocklist '1'
	option ban_allowlistonly '0'
	list ban_trigger 'wan'
	option ban_triggeraction 'start'
	option ban_fetchretry '5'
	option ban_fetchcmd 'curl'
	option ban_protov4 '1'
	list ban_ifv4 'wan'
	list ban_ifv6 'wan6'
	option ban_nicelimit '0'
	option ban_filelimit '1024'
	option ban_cores '4'
	option ban_splitsize '4096'
	option ban_nftpolicy 'memory'
	option ban_nftpriority '-200'
	option ban_loglimit '100'
	option ban_nftloglevel 'warn'
	option ban_autoallowuplink 'subnet'
	option ban_nftexpiry '2h'
	list ban_blockforwardlan 'adaway'
	list ban_blockforwardlan 'adguard'
	list ban_blockforwardlan 'antipopads'
	list ban_blockforwardlan 'iblockads'
	list ban_blockforwardlan 'iblockspy'
	list ban_blockforwardlan 'oisdsmall'
	option ban_icmplimit '10'
	option ban_synlimit '10'
	option ban_udplimit '100'
	option ban_logprerouting '0'
	option ban_blocktype 'drop'
	list ban_dev '10g-1'
	list ban_blockinput 'backscatterer'
	list ban_blockinput 'becyber'
	list ban_blockinput 'binarydefense'
	list ban_blockinput 'bogon'
	list ban_blockinput 'bruteforceblock'
	list ban_blockinput 'cinsscore'
	list ban_blockinput 'debl'
	list ban_blockinput 'etcompromised'
	list ban_blockinput 'feodo'
	list ban_blockinput 'firehol1'
	list ban_blockinput 'ipsum'
	list ban_blockinput 'ipthreat'
	list ban_blockinput 'pallebone'
	list ban_blockinput 'threat'
	list ban_blockinput 'threatview'
	list ban_blockinput 'turris'
	list ban_blockinput 'urlvir'
	list ban_blockinput 'voip'
	list ban_blockinput 'webclient'
	list ban_blockforwardwan 'backscatterer'
	list ban_blockforwardwan 'becyber'
	list ban_blockforwardwan 'binarydefense'
	list ban_blockforwardwan 'bogon'
	list ban_blockforwardwan 'bruteforceblock'
	list ban_blockforwardwan 'cinsscore'
	list ban_blockforwardwan 'debl'
	list ban_blockforwardwan 'etcompromised'
	list ban_blockforwardwan 'feodo'
	list ban_blockforwardwan 'firehol1'
	list ban_blockforwardwan 'ipsum'
	list ban_blockforwardwan 'ipthreat'
	list ban_blockforwardwan 'pallebone'
	list ban_blockforwardwan 'threat'
	list ban_blockforwardwan 'threatview'
	list ban_blockforwardwan 'turris'
	list ban_blockforwardwan 'urlvir'
	list ban_blockforwardwan 'voip'
	list ban_blockforwardwan 'webclient'
	list ban_feed 'backscatterer'
	list ban_feed 'becyber'
	list ban_feed 'binarydefense'
	list ban_feed 'bogon'
	list ban_feed 'bruteforceblock'
	list ban_feed 'cinsscore'
	list ban_feed 'debl'
	list ban_feed 'etcompromised'
	list ban_feed 'firehol1'
	list ban_feed 'ipsum'
	list ban_feed 'ipthreat'
	list ban_feed 'pallebone'
	list ban_feed 'sslbl'
	list ban_feed 'threat'
	list ban_feed 'threatview'
	list ban_feed 'turris'
	list ban_feed 'urlvir'
	list ban_feed 'voip'
	list ban_feed 'webclient'


set this to '2' and '20248' and remove at least the feeds becyber, pallebone and voip - they are too big for your router.

Edit: remove the 'bogon' feed as well, this will be usually filtered by your ISP.


Yep that's "normal". You can enable/disable the logging of the different chains, if that log spam bothers you.


Hi,

I'm getting via Luci:

Via shell seems to be working fine.

root@ER605:~# /etc/init.d/banip status
::: banIP runtime information
  + status            : active (nft: ✔, monitor: ✔)
  + version           : 0.9.5-r3
  + element_count     : 22025
  + active_feeds      : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, bruteforceblockv4, yoyov4, countryv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6
  + active_devices    : wan: pppoe-Internet / wan-if: Internet, - / vlan-allow: br-lan, br-lan.1, br-lan.10 / vlan-block: -
  + active_uplink     : XX.XXX.xx.xx/xx
  + nft_info          : priority: -100, policy: memory, loglevel: warn, expiry: -
  + run_info          : base: /tmp, backup: /tmp/banIP-backup, report: /tmp/banIP-report
  + run_flags         : auto: ✔, proto (4/6): ✔/✘, log (pre/inp/fwd/lan): ✘/✔/✔/✘, dedup: ✔, split: ✘, custom feed: ✘, allowed only: ✘
  + last_run          : action: boot, log: logread, fetch: curl, duration: -, date: 2024-04-27 13:50:16
  + system_info       : cores: 4, memory: 160, device: TP-Link ER605 v2, OpenWrt SNAPSHOT r26071-f3895fd30a

Any idea?

Thanks,

Thanks for your help, I'll wait for the Luci app upgrade.

If you've updated both components today, you have the current version. An rpcd restart is required anyway. The quoted response was 3 days old ... :wink:

banip 0.9.5-3
luci-app-banip git-24.118.19713-c026420

TypeError

countries[i].match(...) is null

I cleared the browser cache and ran /etc/init.d/rpcd restart.
Also:

rm -f /tmp/luci-indexcache
rm -f /tmp/luci-indexcache.*.json
rm -f /tmp/luci-modulecache/*
/etc/init.d/uhttpd restart

edit:
Cleared all Firefox cache (kept cookies), now no errors. I only removed the 192.168.1.1 cache first.
But after testing on Chrome (no error), I cleared all Firefox cache.

Are you sure that you can use ether saddr in an nftables forward chain?

I found the following comment here:

Do not forget that the layer 2 header information is only available in the input path.

I tried replacing the match in

ether saddr . ip saddr @allowlistv4MAC counter accept

with the following:

ether saddr ee:10:05:20:02:ee (aka eth5) never matches

iifname eth5 allows selective traffic as expected

ip saddr 10.0.0.0/13 also allows selective traffic

Thank-you dibdot. :slight_smile: