misread, deleted
Interesting - when I was looking earlier, immediately after updating, there was no '0' option in the drop-down, but now there is...
I assume that's down to browser caching or something, because I had already deleted the luci cache and restarted uhttpd. Anyway, I see the '0' option now, and it seems to work as expected, so it's all good
EDIT: Definitely caused by the browser cache. Today I opened the luci interface in a browser on a different machine and the old GUI for this part of banIP was still shown. Clearing the cache fixed it.
I updated to 0.9.6-1 and banip is now very noticeably sluggish. It's taking much longer just to load status in luci, and set reporting is very slow. I can't find any relevant log entries. I have about 500k elements, but that's the same as it was before updating to 0.9.6-1.
If I do a restart the information section in luci will partially load and reload multiple times. It says last run was 57s, but its taking luci 3-4 minutes to completely finish refreshing the information/status section. Even clicking logout when on the banip information page in luci is delayed.
I've cleared cache and tested with both Edge and Firefox.
From ssh if I do a status, it seems normal there. I guess it's a luci issue?
Please let me know what I can provide to help.
config banip 'global'
option ban_enabled '1'
option ban_debug '0'
option ban_autodetect '0'
list ban_logterm 'Exit before auth from'
list ban_logterm 'luci: failed login'
list ban_logterm 'error: maximum authentication attempts exceeded'
list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
option ban_protov4 '1'
list ban_dev 'eth0'
list ban_ifv4 'wan'
list ban_ifv6 'wan6'
option ban_fetchcmd 'curl'
list ban_trigger 'wan'
option ban_deduplicate '1'
option ban_loginput '0'
option ban_logforwardwan '0'
option ban_logforwardlan '0'
option ban_autoallowlist '1'
option ban_autoblocklist '1'
option ban_allowlistonly '0'
option ban_nftpolicy 'performance'
list ban_country 'cn'
list ban_country 'kp'
list ban_country 'ru'
option ban_nftexpiry '5m'
list ban_blockforwardlan 'adaway'
list ban_blockforwardlan 'adguard'
list ban_blockforwardlan 'adguardtrackers'
list ban_blockforwardlan 'antipopads'
list ban_blockforwardlan 'asn'
list ban_blockforwardlan 'doh'
list ban_blockforwardlan 'iblockads'
list ban_blockforwardlan 'iblockspy'
list ban_blockforwardlan 'oisdbig'
list ban_blockforwardlan 'oisdnsfw'
list ban_blockforwardlan 'oisdsmall'
list ban_blockforwardlan 'stevenblack'
list ban_blockforwardlan 'yoyo'
option ban_logprerouting '0'
list ban_feed 'backscatterer'
list ban_feed 'becyber'
list ban_feed 'binarydefense'
list ban_feed 'bogon'
list ban_feed 'bruteforceblock'
list ban_feed 'cinsscore'
list ban_feed 'country'
list ban_feed 'debl'
list ban_feed 'doh'
list ban_feed 'drop'
list ban_feed 'dshield'
list ban_feed 'etcompromised'
list ban_feed 'feodo'
list ban_feed 'greensnow'
list ban_feed 'ipsum'
list ban_feed 'ipthreat'
list ban_feed 'myip'
list ban_feed 'nixspam'
list ban_feed 'pallebone'
list ban_feed 'proxy'
list ban_feed 'sslbl'
list ban_feed 'talos'
list ban_feed 'threat'
list ban_feed 'threatview'
list ban_feed 'tor'
list ban_feed 'turris'
list ban_feed 'uceprotect1'
list ban_feed 'urlhaus'
list ban_feed 'urlvir'
list ban_feed 'voip'
list ban_feed 'webclient'
option ban_nftpriority '-100'
option ban_icmplimit '10'
option ban_synlimit '10'
option ban_udplimit '100'
option ban_blocktype 'drop'
option ban_nftloglevel 'warn'
option ban_loglimit '100'
option ban_autoallowuplink 'subnet'
option ban_nicelimit '0'
option ban_filelimit '1024'
option ban_fetchretry '5'
list ban_blockinput 'asn'
list ban_blockinput 'backscatterer'
list ban_blockinput 'becyber'
list ban_blockinput 'binarydefense'
list ban_blockinput 'bogon'
list ban_blockinput 'bruteforceblock'
list ban_blockinput 'cinsscore'
list ban_blockinput 'country'
list ban_blockinput 'debl'
list ban_blockinput 'drop'
list ban_blockinput 'dshield'
list ban_blockinput 'etcompromised'
list ban_blockinput 'feodo'
list ban_blockinput 'firehol1'
list ban_blockinput 'firehol2'
list ban_blockinput 'firehol3'
list ban_blockinput 'firehol4'
list ban_blockinput 'greensnow'
list ban_blockinput 'ipblackhole'
list ban_blockinput 'ipsum'
list ban_blockinput 'ipthreat'
list ban_blockinput 'myip'
list ban_blockinput 'nixspam'
list ban_blockinput 'pallebone'
list ban_blockinput 'proxy'
list ban_blockinput 'sslbl'
list ban_blockinput 'talos'
list ban_blockinput 'threat'
list ban_blockinput 'threatview'
list ban_blockinput 'tor'
list ban_blockinput 'turris'
list ban_blockinput 'uceprotect1'
list ban_blockinput 'uceprotect2'
list ban_blockinput 'uceprotect3'
list ban_blockinput 'urlhaus'
list ban_blockinput 'urlvir'
list ban_blockinput 'voip'
list ban_blockinput 'webclient'
list ban_blockforwardwan 'asn'
list ban_blockforwardwan 'backscatterer'
list ban_blockforwardwan 'becyber'
list ban_blockforwardwan 'binarydefense'
list ban_blockforwardwan 'bogon'
list ban_blockforwardwan 'bruteforceblock'
list ban_blockforwardwan 'cinsscore'
list ban_blockforwardwan 'country'
list ban_blockforwardwan 'debl'
list ban_blockforwardwan 'drop'
list ban_blockforwardwan 'dshield'
list ban_blockforwardwan 'etcompromised'
list ban_blockforwardwan 'feodo'
list ban_blockforwardwan 'firehol1'
list ban_blockforwardwan 'firehol2'
list ban_blockforwardwan 'firehol3'
list ban_blockforwardwan 'firehol4'
list ban_blockforwardwan 'greensnow'
list ban_blockforwardwan 'ipblackhole'
list ban_blockforwardwan 'ipsum'
list ban_blockforwardwan 'ipthreat'
list ban_blockforwardwan 'myip'
list ban_blockforwardwan 'nixspam'
list ban_blockforwardwan 'pallebone'
list ban_blockforwardwan 'proxy'
list ban_blockforwardwan 'sslbl'
list ban_blockforwardwan 'talos'
list ban_blockforwardwan 'threat'
list ban_blockforwardwan 'threatview'
list ban_blockforwardwan 'tor'
list ban_blockforwardwan 'turris'
list ban_blockforwardwan 'uceprotect1'
list ban_blockforwardwan 'uceprotect2'
list ban_blockforwardwan 'uceprotect3'
list ban_blockforwardwan 'urlhaus'
list ban_blockforwardwan 'urlvir'
list ban_blockforwardwan 'voip'
list ban_blockforwardwan 'webclient'
::: banIP runtime information
+ status : active (nft: ✔, monitor: ✔)
+ version : 0.9.6-1
+ element_count : 514016
+ active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, bruteforceblockv4, binarydefensev4, bogonv4, backscattererv4, cinsscorev4, becyberv4, countryv4, deblv4, dropv4, etcompromisedv4, dohv4, dshieldv4, ipthreatv4, myipv4, greensnowv4, ipsumv4, proxyv4, pallebonev4, threatv4, threatviewv4, torv4, talosv4, turrisv4, uceprotect1v4, urlvirv4, webclientv4, voipv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6
+ active_devices : wan: eth0 / wan-if: wan, wan6 / vlan-allow: - / vlan-block: -
+ active_uplink : ******************
+ nft_info : priority: -100, policy: performance, loglevel: warn, expiry: 5m
+ run_info : base: /tmp, backup: /tmp/banIP-backup, report: /tmp/banIP-report
+ run_flags : auto: ✘, proto (4/6): ✔/✘, log (pre/inp/fwd/lan): ✘/✘/✘/✘, dedup: ✔, split: ✘, custom feed: ✘, allowed only: ✘
+ last_run : action: restart, log: tail, fetch: curl, duration: 0m 57s, date: 2024-05-22 20:47:35
+ system_info : cores: 6, memory: 3666, device: FriendlyElec NanoPi R4S, OpenWrt 23.05.3 r23809-234f1a2efa
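The ban_logterm entries in the posted config are the regexes banIP uses to pick login failures out of the system log. The following is an added example, not code from the thread or from banIP itself: it runs those five patterns with grep -E over a handful of constructed syslog lines and reports how often each fires, which is the check I would do before trusting a new logterm entry (banIP's own log scanner may apply the patterns differently; the sample lines and the report helper are assumptions made for this illustration).

```shell
#!/bin/sh
# Added example, not from the thread or from banIP: validate the ban_logterm
# patterns from the posted config against constructed log lines using grep -E.

# The five ban_logterm entries from the config, one per line (UCI's \" unescaped).
LOGTERMS='Exit before auth from
luci: failed login
error: maximum authentication attempts exceeded
sshd.*Connection closed by.*\[preauth\]
SecurityEvent="InvalidAccountID".*RemoteAddress='

# Constructed sample syslog lines (not real captures); addresses are documentation ranges.
SAMPLE_LOG='May 22 20:47:01 OpenWrt dropbear[1234]: Exit before auth from <203.0.113.7:51000>: Timeout before auth
May 22 20:47:05 OpenWrt uhttpd[567]: luci: failed login on / for root from 198.51.100.9
May 22 20:47:09 OpenWrt sshd[890]: Connection closed by 192.0.2.33 port 44444 [preauth]
May 22 20:47:12 OpenWrt dnsmasq[321]: query[A] example.test from 192.168.1.20
May 22 20:47:15 OpenWrt asterisk[111]: SecurityEvent="InvalidAccountID",EventVersion="1",RemoteAddress="IPV4/UDP/203.0.113.99/5060"'

# hits_for_pattern PATTERN: number of sample lines matched by a single pattern.
# grep -c exits 1 when the count is 0, so the failure status is swallowed.
hits_for_pattern() {
    n=$(printf '%s\n' "$SAMPLE_LOG" | grep -E -c -e "$1") || true
    printf '%s\n' "$n"
}

# total_hits: number of sample lines matched by at least one ban_logterm entry.
total_hits() {
    patfile=$(mktemp)
    printf '%s\n' "$LOGTERMS" > "$patfile"
    n=$(printf '%s\n' "$SAMPLE_LOG" | grep -E -c -f "$patfile") || true
    rm -f "$patfile"
    printf '%s\n' "$n"
}

# report: per-pattern hit counts, to spot entries that never fire or fire too broadly.
report() {
    printf '%s\n' "$LOGTERMS" | while IFS= read -r pat; do
        printf '%3s  %s\n' "$(hits_for_pattern "$pat")" "$pat"
    done
    printf 'lines matched by any pattern: %s of %s\n' \
        "$(total_hits)" "$(printf '%s\n' "$SAMPLE_LOG" | wc -l | tr -d ' ')"
}

report
```

On the constructed sample, four of the five lines match (the dnsmasq query line does not) and the "maximum authentication attempts" entry never fires, which is exactly the kind of dead or overly broad pattern this check is meant to surface before it is allowed to drive automatic blocking.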
Sounds like a LuCI issue, but 0.9.6-1 didn't include any updates in this area. Unfortunately I'm offsite the next couple of days, so I can't test/reproduce anything - sorry.
BTW, the regexes for the ssbl and nixspam feeds are broken in this version; this will be fixed with the next update.
No worries. It's fine as long as I stay away from banip in luci for now. If you are in the US enjoy the Holiday.
Sorry, I can't reproduce your issue.
I had some time, so I had a go at the regex for the ssbl and nixspam feeds. I found this worked ok and hope it helps.
SSBL feed
BEGIN{FS=","; ORS=""} /^[#]/ {next} NF > 1 && $2 !~ /^127\./ {printf "%s,", $2}
here is a regex that works for the nixspam feeds
BEGIN{ORS="\n"} $2 !~ /^127\./ {printf "%s,\n", $2}
Cheers
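To see what the SSLBL awk rule posted above actually produces, here is an added example that is not part of the thread or of banIP: it feeds the rule a constructed sample in the abuse.ch SSLBL CSV layout (comment header, then "Firstseen,DstIP,DstPort" rows) and then checks that every emitted token is a dotted quad, the sanity check worth running on any feed parser before its output is loaded into an nft set. The sample rows, the parse_sslbl wrapper and the count helper are assumptions made for this illustration; the nixspam rule is not covered here.

```shell
#!/bin/sh
# Added example, not from the thread or from banIP: exercise the posted SSLBL
# awk rule on a constructed sample and validate its output.

# Constructed sample in SSLBL CSV layout; IPs are documentation ranges, not feed data.
SSLBL_SAMPLE='################################################
# abuse.ch SSLBL IP Blacklist (sample, constructed)
################################################
# Firstseen,DstIP,DstPort
2024-05-22 08:00:00,203.0.113.10,443
2024-05-22 08:05:00,127.0.0.1,443
2024-05-22 08:10:00,198.51.100.25,8443
malformed line without commas
2024-05-22 08:15:00,192.0.2.77,443'

# parse_sslbl: the awk rule from the post, unchanged. Comment lines are skipped,
# rows without a second field are ignored, loopback addresses are dropped, and
# the remaining DstIP values are emitted as a comma-terminated list.
parse_sslbl() {
    printf '%s\n' "$SSLBL_SAMPLE" | awk 'BEGIN{FS=","; ORS=""} /^[#]/ {next} NF > 1 && $2 !~ /^127\./ {printf "%s,", $2}'
}

# count_tokens: number of non-empty entries in the emitted list.
count_tokens() {
    parse_sslbl | tr ',' '\n' | grep -c .
}

# count_valid_ipv4: entries that look like IPv4 dotted quads; if this is lower
# than count_tokens the rule is leaking something other than addresses.
count_valid_ipv4() {
    parse_sslbl | tr ',' '\n' | grep -E -c '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

printf 'parsed list : %s\n' "$(parse_sslbl)"
printf 'tokens      : %s\n' "$(count_tokens)"
printf 'valid ipv4  : %s\n' "$(count_valid_ipv4)"
```

With the sample above the rule yields three addresses and all three pass the dotted-quad check; the loopback row and the malformed row are both discarded, which is the behaviour the `$2 !~ /^127\./` and `NF > 1` guards exist for.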
Well, that's not good. I didn't update anything else when I updated banip from 0.9.5-5 to 0.9.6-1. Do you see any difference in versions in my installed luci packages to what you have installed?
root@OpenWrt:~# opkg list-installed | grep luci
liblucihttp-lua - 2023-03-15-9b5b683f-1
liblucihttp-ucode - 2023-03-15-9b5b683f-1
liblucihttp0 - 2023-03-15-9b5b683f-1
luci - git-23.051.66410-a505bb1
luci-app-adblock - git-24.086.45142-09d5a38
luci-app-attendedsysupgrade - git-23.339.51123-138595a
luci-app-banip - git-24.127.70474-f9923bc
luci-app-ddns - git-23.346.52990-28c4a65
luci-app-firewall - git-24.067.01746-69867db
luci-app-nlbwmon - git-23.208.37462-0a24642
luci-app-opkg - git-24.043.63812-c89a68b
luci-app-sqm - git-22.360.73151-127c900
luci-app-statistics - git-24.034.36441-feee897
luci-base - git-24.086.45142-09d5a38
luci-lib-base - git-22.308.54612-9118452
luci-lib-ip - git-23.311.79290-c2a887e
luci-lib-jsonc - git-23.298.74571-62eb535
luci-lib-nixio - git-24.034.54875-21210dc
luci-light - git-23.024.33244-34dee82
luci-lua-runtime - git-23.233.52805-dae2684
luci-mod-admin-full - git-19.253.48496-3f93650
luci-mod-network - git-24.075.44893-ac63bea
luci-mod-status - git-24.087.58493-9370bdd
luci-mod-system - git-24.067.01860-7a82b2f
luci-proto-ipv6 - git-24.086.45108-51aee90
luci-proto-ppp - git-21.158.38888-88b9d84
luci-ssl - git-23.035.26083-7550ad6
luci-theme-bootstrap - git-24.086.46634-1ffe078
rpcd-mod-luci - 20240305-1
Hi, I am experiencing the same symptoms as rexbinary: after upgrading banip to 0.9.6-1, the banip luci interface is very sluggish, when opened it shows the status after a long time and then shows it blank again, etc.
My openwrt version is "OpenWrt 23.05.3 r23809-234f1a2efa / LuCI openwrt-23.05 branch git-24.086.45142-09d5a38", hw is "Xunlong Orange Pi R1 Plus LTS".
Thank you
@rexbinary @tinotom I was finally able to reproduce your issue under very high loads ... fixed in banIP 0.9.6-3 (for reference: https://github.com/openwrt/packages/commit/3584187f69f954e0e70dc86ffcf7d46d0df37452).
Thank you very much!
EDIT: I installed the new version, and it did indeed solve the luci slowness issues. Thanks again!
Thank you very much @dibdot ! I'll install the new version as soon as it is available.
Best
Hi, newbie banip here.
I am using banip just to block DOH and would like to remove all the other local active feeds. Is this possible?
I do not see an option to disable/remove all the locally generated feeds.
Active Feeds
allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6, dohv4
No, these local Sets are mandatory and will be used internally, e.g. for autoblocklist or autoallowlist functionality.
-
Is there any redundant address pruning for the blocklists? If multiple lists contain one or more of the same IPs, how does banip handle this?
-
I think it might be helpful to include somewhere, either in the LuCI app or the readme, direct links to the lists.
-
What happens if "Blocklist Set Expiry" is left at its default (please choose)?
-
What is a sensible choice of blocklists for the average home user regarding attackers (not ads)? Given that the turris list was added, is it enough to enable only this?
-
I'm wondering if it might be easier for novices (me) if the WAN-Input, WAN-Forward and LAN-Forward chain settings were populated with defaults according to which lists are enabled/disabled (as per the suggestions in the readme).
Hi there, is it possible to allow outbound requests based on the MAC address of a local machine/device?
We have an IPTV from our TV provider that is getting blocked for some requests, and I'd like to allow it to go through for all of its requests, please.
I've tried adding its MAC address into the "allowlist", but that didn't seem to work.
Thank you.
UPDATE: Actually, I just noticed that banIP appears to have auto-added the IPs to the "allowlist" by itself...? It wrote "# uplink added..." and then the date and time. I didn't know it did that, but that's handy in this case. Is this the result of having the "Auto Detection" option selected in General Settings? The strange thing is, however, it doesn't actually appear to be working - it is still blocking that IP after restarting banIP. Should I try unchecking "Auto Detection" and entering the IP manually in the "allowlist"? Actually, I just tried that and it didn't help. It just keeps blocking that IP...
Any ideas on why this IP refuses to be blocked? Every other IP that I put in the "allowlist" is unblocked. Just not this one our IPTV box tries to connect to. Please help!
You will find in the Advanced Options tab "Deduplicate IPs" which does this. It is enabled by default.
The Readme page has links to websites of list providers. If you are referring to the actual download links of the files, look at the contents of the file /etc/banip/banip.feeds (scroll down to the bottom part of the file and you will find the exact links/filenames).
Be aware of the Turris list. You may have some issues if you use Microsoft / Azure services (and don't modify chain settings ). It tends to block a lot of Microsoft server IPs. And no, I wouldn't just rely on that list by itself. You may want to consider using several lists - but one of the first considerations is how much available memory your device has.
Also, on the subject of the Firehol lists, I recommend using the level 3 list. Not 4 though - too many false positives.
ah, ok - perhaps the wording could be better, like "prune duplicate addresses from blocklists" or something
OpenWrt 23.05.3: banip 0.9.6-3 needs /www/luci-static/resources/tools/views.js to view the firewall log but it's not included