jc1685
December 14, 2023, 7:32pm
1
Hi,
I've read that Banip was not compatible with FW4 when 22.03 came out. How about now with 23.05?
I tried to block DoH today by using Banip and it didn't work.
Here's my Banip config - followed the wiki directions for this:
```
config banip 'global'
	option ban_enabled '1'
	option ban_debug '0'
	option ban_autodetect '1'
	list ban_logterm 'Exit before auth from'
	list ban_logterm 'luci: failed login'
	list ban_logterm 'error: maximum authentication attempts exceeded'
	list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
	list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
	option ban_deduplicate '1'
	option ban_loginput '1'
	option ban_logforwardwan '1'
	option ban_logforwardlan '0'
	option ban_autoallowlist '1'
	option ban_autoblocklist '1'
	option ban_allowlistonly '0'
	option ban_fetchcmd 'uclient-fetch'
	option ban_protov4 '1'
	list ban_ifv4 'wan'
	option ban_protov6 '1'
	list ban_ifv6 'wan6'
	list ban_dev 'wan'
	list ban_feed 'doh'
	list ban_feed 'proxy'
	list ban_feed 'doh'
```
Here's my DNS Redirect (pre-existed my Banip setup):
```
config redirect 'redirect_lan53'
	option name 'Redirect DNS'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option src_ip '!10.11.12.1'
	option dest 'lan'
	option dest_ip '10.11.12.1'
```
Any suggestions?
frollic
December 14, 2023, 7:33pm
2
jc1685
December 14, 2023, 7:35pm
3
I prefer reading something without 1662 comments...anyone have a working setup on 23.05?
jc1685
December 14, 2023, 8:17pm
5
I have the updated version for 23.05 and I don't run snapshot. The problem is it doesn't work using the directions in the wiki, and the amount of documentation that a layman can find and use is lacking. Meanwhile I have no way of blocking DoH on my network, which is what my kids are using to get past my DNS Redirect settings.
frollic
December 14, 2023, 8:21pm
6
as a temp solution, you can create an IPset with the DoH server IPs, then create a rule pointing towards the IPset.
something like Ipset-extras, ipset storage and blocking DNS over HTTPS
jc1685
December 14, 2023, 8:23pm
7
That's something to try. Thanks!
tievolu
December 15, 2023, 10:31am
8
I have BanIP working with 23.05.
I don't see anything in your config specifying what to actually do with the doh list. I think you need something like this?
```
list ban_blockforwardlan 'doh'
```
There's lots of info here:
# banIP - ban incoming and outgoing IP addresses/subnets via Sets in nftables
## Description
IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access, or it can be used to restrict access to or from a particular geographic area — for example. Furthermore, banIP scans the log file via logread and bans IPs that make too many password failures, e.g. via ssh.
## Main Features
* banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses).
**Please note:** By default every feed blocks all supported chains. The columns "WAN-INP", "WAN-FWD" and "LAN-FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to the LAN forward chain - see the config options 'ban\_blockpolicy', 'ban\_blockinput', 'ban\_blockforwardwan' and 'ban\_blockforwardlan' below.
| Feed | Focus | WAN-INP | WAN-FWD | LAN-FWD | Information |
| :------------------ | :----------------------------- | :-----: | :-----: | :-----: | :----------------------------------------------------------- |
| adaway | adaway IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| adguard | adguard IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| adguardtrackers | adguardtracker IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| antipopads | antipopads IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| asn | ASN IPs | | | x | [Link](https://asn.ipinfo.app) |
| backscatterer | backscatterer IPs | x | x | | [Link](https://www.uceprotect.net/en/index.php) |
| binarydefense | binary defense banlist | x | x | | [Link](https://iplists.firehol.org/?ipset=bds_atif) |
And setting things up using the LuCI interface is fairly straightforward.
jc1685
December 15, 2023, 11:32am
9
My goal is to block public DoH servers on my network. I installed Banip and chose "doh (public DoH-Provider)" in the Blocklist Feed Selection. After restarting it seems to be ineffective. If I'm supposed to choose something else in the gui to make it block the list then I'm not sure what that would be.
frollic
December 15, 2023, 11:33am
10
tievolu
December 15, 2023, 11:58am
11
You've selected the doh feed to download, but you also have to tell BanIP which chains you want to use that block list on, by selecting it here in the GUI for the LAN-Forward chain (i.e. to block packets forwarded from the LAN):
This will add an option to the config file like the one I mentioned above.
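The diagnosis in posts 8 and 11 is a feed that is fetched (`list ban_feed`) but never assigned to a chain (`ban_blockinput` / `ban_blockforwardwan` / `ban_blockforwardlan`). Below is an added example, not code from the thread or from the banIP project: a small lint that reads banIP UCI text and reports, per feed, which chains explicitly reference it; the chain labels and the sample config are constructed here.

```shell
#!/bin/sh
# Reads banIP UCI config text on stdin and prints one line per downloaded
# feed in the form "feed:chain1,chain2", or "feed:NONE" when no
# ban_block* option names that feed (no explicit chain assignment; the
# banIP default policy then decides what happens).
banip_feed_chains() {
    awk '
    ($1 == "list" || $1 == "option") && NF >= 3 {
        key = $2
        val = substr($3, 2, length($3) - 2)   # strip the surrounding quotes
        if (key == "ban_feed") {
            # keep first-seen order, ignore duplicate list entries
            if (!(val in seen)) { seen[val] = 1; order[++n] = val }
        } else if (key == "ban_blockinput") {
            chains[val] = chains[val] "wan-input,"
        } else if (key == "ban_blockforwardwan") {
            chains[val] = chains[val] "wan-forward,"
        } else if (key == "ban_blockforwardlan") {
            chains[val] = chains[val] "lan-forward,"
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            f = order[i]; c = chains[f]; sub(/,$/, "", c)
            if (c == "") c = "NONE"
            printf "%s:%s\n", f, c
        }
    }'
}

# Constructed sample: the feeds from the original post (including the
# duplicated doh entry) plus the ban_blockforwardlan line suggested in
# the thread. Only the lines the lint cares about are reproduced.
sample_config() {
    cat <<'EOF'
config banip 'global'
    option ban_enabled '1'
    list ban_feed 'doh'
    list ban_feed 'proxy'
    list ban_feed 'doh'
    list ban_blockforwardlan 'doh'
EOF
}

# Prints "doh:lan-forward" and "proxy:NONE": proxy is fetched but no
# chain ever uses it, which is the situation the thread describes.
sample_config | banip_feed_chains
```

On a router the same function can be fed the live config with `uci export banip | banip_feed_chains`.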
jc1685
December 15, 2023, 12:23pm
12
Yes that was already in place.
jc1685
December 15, 2023, 12:24pm
13
Thanks I hope that helps. I'll try that and mark it as the solution if it works. Thanks!
jc1685
December 15, 2023, 12:34pm
14
Well that didn't work either. I'll post my banip config later. Have to go to work now.
tievolu
December 15, 2023, 2:37pm
15
Interesting. The BanIP service does need to be restarted to pick up that change - I'm not sure if that happens automatically when you click "Save and Apply" in the LuCI interface?
jc1685
December 15, 2023, 9:15pm
16
Me either, but you can manually restart it from the Luci-Banip gui.