banIP support thread

Sorry, I didn't get what you're trying to achieve. The option you've mentioned is "ban_autoallowuplink", this ensures that incoming packets from (Source IP in WAN-Input/WAN-Forward) and outgoing packets to (Destination IP in LAN-Forward) your uplink are always accepted.
If these IPs get blocked, then probably in the Prerouting chain, e.g.

You can try to raise the thresholds or disable these safeguards at all.
I recommend taking another close look at the online readme ... and if you are still unable to solve your problem provide more context ... your config, firewall log excerpts, banIP status etc.

After populating the Allowlist, clicking "Domain Lookup", then the "Restart" button, I was (mistakenly) expecting it to "restart" the banIP service with the changes in effect. When I rebooted the device itself though, everything worked as expected the next time around. Thanks.

I accidentally banned my own IP (keys in use); instead I used PuTTY and got rejected by :publickey (my stupidity). How do I remove the IP from the list? I still have access to root.
In other words, how do I remove the entry from there

/etc/init.d/banip survey blocklistv4

Depends on your config, check the readme. Generally speaking, remove the entry from your local blocklist and reload banIP.

From the command line, you could manually edit the file /etc/banip/banip.blocklist

Secondarily, you could also temporarily set a static address ( different IP ) on your PC long enough to modify list via the GUI.


Quick question: is there a way to load banip.allowlist and banip.blocklist changes faster? I like the de-duplication feature but perhaps I need to disable it? With about six block lists applied, it takes a few minutes to apply the change via service banip reload

P.S. BanIP is a really amazing tool - thanks for all your hard work in making it!

@dibdot Thanks. Well, I tried changing those thresholds like you mentioned, and even disabling them, but that IP still gets blocked. The IP in question is in fact the WAN IP address of the router (upstream side - the side that faces the modem, I guess?). I don't know why our IPTV would be trying to connect to the router, though. I've read the Readme again, and my config isn't that unusual. I'm not sure what to do at this point. Edit: I also tried adding the MAC addresses of the IPTV, but it made no difference.

The de-duplication feature actually saves resources and makes it more efficient overall. I'm not sure which device you are using, and what the processor / memory specs are. If you have the resources though you could experiment with changing default settings, such as increasing "Processors used", "Max open files" and the "Split-size", etc.
I did this and the processing / load time dramatically decreased by about 2/3rds.

I'm using a NanoPi R5C for testing (RK3568 quad-core CPU / 4 GB RAM). I don't limit CPU cores so it's multi-threading nicely. I've set ban_splitsize and ban_filelimit both to "4096". I'm fine with the current performance, I was just curious if there was a way to differentiate changes to allow/blocklist from the other third-party feeds since the latter change on a daily cadence whereas the former might change frequently (at least at first). I'll probably create a script to pull all the domains from https://oisd.nl/includedlists/whitelists and add them to the allowlist as a workaround.


Hiya,
I have received a message in the logs that one of my internal addresses has been listed as suspicious. How do I understand what has triggered this so I can investigate?

Appreciate your guidance.

Thu Jun 13 11:28:11 2024 user.info banIP-1.0.0-1[13216]: suspicious IP '192.168.xxx.xxx'

@dibdot Also, this issue is heavy on the logs, so I'm not sure if this is the cause or not, but my router now becomes unresponsive and then reboots every 6-8 hours. It's a TP-Link Archer C7 v2. The log entries in question occur every 3-12 seconds, with sometimes multiple ones per second. Really wish I could get this to stop. Please help!

@dibdot I'm using banip 1.0.0-r1 on a custom build, however when I try to run banip I get this error:

Thu Jun 13 08:53:19 2024 user.err banIP-1.0.0-r1[5713]: nftables based firewall error

Is there a way to expose this error? This recently started to appear for me; around banip 0.98 it worked fine for me.

Your firewall 4 / fw4 is not running.


Please provide much more information ... e.g. banIP config, banIP status, log file excerpt etc.

Most probably a failed LuCI login; check the online readme, esp. the chapter "Regular expressions for logfile parsing".


I see! I decided to redo my configuration, thanks :+1:

Hi @dibdot

Okay, info included below.

Why would the "allowlist" be getting overridden by the countryv4, threatv4, and ipthreatv4 blocklists when I have the MAC addresses of the IPTV in the "allowlist"? Also, note that the IPTV (which is what is making these requests) is using a wide variety of different IP addresses as its source addresses, as you'll notice; not sure why that is.

I don't have a very unusual config for banIP, either:

Status: active (nft: ✔, monitor: ✘)
Version: 1.0.0-1
Element Count: 24307
Active Feeds: allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, adguardtrackersv4, countryv4, dohv4, ipthreatv4, threatv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6
Active Devices: wan: eth0.2 / wan-if: wan, - / vlan-allow: - / vlan-block: -
Active Uplink: xxx.1.82.36/22
NFT Information: priority: -200, policy: memory, loglevel: warn, expiry: -, limit (icmp/syn/udp): 10/10/100
Run Information: base: /tmp, backup: /tmp/banIP-backup, report: /tmp/banIP-report
Run Flags: auto: ✔, proto (4/6): ✔/✘, log (pre/inp/fwd/lan): ✘/✔/✔/✔, dedup: ✔, split: ✘, custom feed: ✔, allowed only: ✘
Last Run: action: restart, log: logread, fetch: uclient-fetch, duration: 0m 58s, date: 2024-06-16 08:21:33
System Information: cores: 1, memory: 47, device: TP-Link Archer C7 v2, OpenWrt 23.05.3 r23809-234f1a2efa

Log snippet (these log entries are occurring every few seconds, sometimes multiple per second - generating around 600+ log entries per hour):

Let me know what other config details you need to see.

At least your config (/etc/config/banip), please. :slight_smile:

Edit: and the content of your allowlist and the survey output of your allowlist Set.

@dibdot

Okay, here's the content of my /etc/config/banip:

config banip 'global'
	option ban_debug '0'
	option ban_mail_enabled '0'
	option ban_monitor_enabled '0'
	option ban_logsrc_enabled '0'
	option ban_logdst_enabled '0'
	option ban_autoblacklist '1'
	option ban_autowhitelist '1'
	option ban_nice '0'
	option ban_maxqueue '4'
	option ban_global_settype 'src+dst'
	option ban_target_src 'DROP'
	option ban_target_dst 'REJECT'
	list ban_trigger 'wan'
	option ban_deduplicate '1'
	option ban_loginput '1'
	option ban_logforwardwan '1'
	option ban_autoallowlist '1'
	option ban_autoblocklist '1'
	option ban_allowlistonly '0'
	option ban_nftloglevel 'warn'
	option ban_loglimit '500'
	option ban_nftpolicy 'memory'
	option ban_nftpriority '-200'
	option ban_nicelimit '0'
	option ban_triggeraction 'start'
	option ban_logforwardlan '1'
	option ban_fetchcmd 'uclient-fetch'
	option ban_protov4 '1'
	list ban_ifv4 'wan'
	list ban_dev 'eth0.2'
	list ban_country 'br'
	list ban_country 'cn'
	list ban_country 'ga'
	list ban_country 'hk'
	list ban_country 'id'
	list ban_country 'ir'
	list ban_country 'ml'
	list ban_country 'kp'
	list ban_country 'pw'
	list ban_country 'ru'
	list ban_country 'tw'
	list ban_country 've'
	option ban_enabled '1'
	option ban_autodetect '1'
	option ban_fetchretry '5'
	option ban_filelimit '1024'
	option ban_icmplimit '10'
	option ban_synlimit '10'
	option ban_udplimit '100'
	option ban_blocktype 'drop'
	option ban_logprerouting '0'
	option ban_autoallowuplink 'subnet'
	list ban_feed 'adguardtrackers'
	list ban_feed 'country'
	list ban_feed 'doh'
	list ban_feed 'ipthreat'
	list ban_feed 'threat'

My "allowlist" and "blocklist" are currently empty since I've been testing different things, but that IP is still getting blocked.
The only entry in my "allowlist" is what banIP automatically adds: xxx.1.82.36/22 # uplink added on 2024-06-16 10:45:55

Sorry, I'm not sure what you mean by this. Where can I find this?

Thanks.

So that's the worst case: you've mixed an old config from banIP 0.7.x with the current version. Any previous installation of ancient banIP 0.7.x must be uninstalled, and the /etc/banip folder and the /etc/config/banip configuration file must be deleted (they are recreated when this version is installed). So remove the folders/files mentioned above and reinstall the current version ...

These and many other important settings/features are described in the readme available online! A few pointers:

  • limit the feeds to different chains, e.g. doh to lan-forward, country to wan-input & wan-forward etc.
  • check the chapter regarding low memory systems
  • ...
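A small added check, not part of banIP or this thread, that scans a UCI config for the stale 0.7.x-era option names behind the "mixed config" diagnosis above. The list of legacy names is an assumption drawn from the duplicate pairs visible in the posted config (e.g. ban_autowhitelist beside ban_autoallowlist), and the sample file is a constructed excerpt.

```shell
#!/bin/sh
# Assumed list of banIP 0.7.x-era option names (not taken from the
# project's readme): each sits next to its current counterpart in the
# config posted above, e.g. ban_autowhitelist vs ban_autoallowlist.
LEGACY_OPTS="ban_autoblacklist ban_autowhitelist ban_global_settype \
ban_target_src ban_target_dst ban_maxqueue ban_logsrc_enabled \
ban_logdst_enabled ban_nice"

# Print every legacy option name found in the UCI file $1, in file order.
find_legacy_opts() {
    cfg="$1"
    while IFS= read -r line; do
        set -- $line                  # splits "option <name> '<value>'"
        [ "$1" = "option" ] || [ "$1" = "list" ] || continue
        for legacy in $LEGACY_OPTS; do
            if [ "$2" = "$legacy" ]; then
                printf '%s\n' "$2"
            fi
        done
    done < "$cfg"
}

# Number of legacy options in $1; 0 means the file carries none of them.
count_legacy_opts() {
    find_legacy_opts "$1" | awk 'END { print NR }'
}

# Constructed excerpt modelled on the posted config, not the real file.
write_sample_config() {
    cat > "$1" <<'EOF'
config banip 'global'
	option ban_autoblacklist '1'
	option ban_autowhitelist '1'
	option ban_nice '0'
	option ban_target_src 'DROP'
	option ban_autoallowlist '1'
	option ban_autoblocklist '1'
	option ban_blocktype 'drop'
	list ban_feed 'country'
EOF
}

# Stand-alone demo on the constructed sample; point it at
# /etc/config/banip on a router to check a real config.
sample=$(mktemp)
write_sample_config "$sample"
echo "legacy options found: $(count_legacy_opts "$sample")"
find_legacy_opts "$sample"
rm -f "$sample"
```

Any hit means the file predates the current option set and should be removed and recreated as described above rather than edited piecemeal.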