banIP support thread

it works here on 22.03, perhaps you are missing command, syntax or just error from the script?

need diff, likely egrep or gnu grep, awk from busy box is fine, assume the rest is there.

or maybe it's wget, you can change this to curl or uclient-fetch (will do next time i puzzle).
it really shouldn't need anything outside of busybox to run, an inherent goal.
i know nothing about nft really, other than learning about unfriendly quirks of sets.
and the script is really really dumb, spent time on speed and simple.

the way things are done, diff utils is needed, impossible to replace without slowing things down severely. and right now, download and nft add are the slowest parts.

Thank you - diffutils package missing (I roll my own 22.03 and have never needed it before)

last attempt to @bldur and others: please move these script and discussions out of this thread - thanks!

3 Likes

Yeah, sorry about that. In defense I hardly call it a script, just simple pipelines and some useful awk programs and regex. Something until an actually working framework. And helping expose NFT issues and quirks in what might be helpful for anyone wanting to jump in. Would be nice to have it moved to a banip 22.03 discussion thread.

Addendum:
The script I contributed to and put on github now has basic functionality that i wanted.

Never flushes, deletes and adds entries in the ipset based on newest downloaded.
Can be adjusted, but adds 10k entries with nft add element at a time.
And now sanitized and makes entries unique, picks the largest CIDR address blocks and filters.

1 Like
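An added example (not the script discussed in the thread): one way to get the behaviour described in the addendum above, updating a set without flushing it by applying only the difference between the current list and the newly downloaded one, in batches. It uses comm on sorted lists instead of diff; the function names, the inet family and the table and set names are assumptions, and picking the largest CIDR blocks is not covered.

```shell
#!/bin/sh
# Added illustration, not the script from the thread. Function names, the
# table/set names passed in and the batch size argument are assumptions.

# Strip comments/whitespace, keep valid IPv4 addresses or prefixes, sort unique.
sanitize() {
    sed -e 's/[#;].*$//' -e 's/[[:space:]]//g' "$1" |
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' |
    awk -F'[./]' '$1<=255 && $2<=255 && $3<=255 && $4<=255 && (NF==4 || $5<=32)' |
    LC_ALL=C sort -u
}

# Compare two sanitized lists; print "del <elem>" then "add <elem>" lines.
delta() {
    LC_ALL=C comm -23 "$1" "$2" | sed 's/^/del /'   # only in the current set
    LC_ALL=C comm -13 "$1" "$2" | sed 's/^/add /'   # only in the new download
}

# Read delta lines on stdin, emit nft commands with at most $3 elements each.
# Prefixes need a set declared with "flags interval".
nft_batch() {
    awk -v t="$1" -v s="$2" -v n="$3" '
        function emit(op) {
            if (!cnt[op]) return
            printf "%s element inet %s %s { %s }\n",
                   (op == "add" ? "add" : "delete"), t, s, buf[op]
            buf[op] = ""; cnt[op] = 0
        }
        { buf[$1] = buf[$1] (cnt[$1] ? ", " : "") $2
          if (++cnt[$1] >= n) emit($1) }
        END { emit("del"); emit("add") }'
}

# plan_update <current-list> <downloaded-list> <table> <set> <batch-size>
# Prints the commands; pipe the output to "nft -f -" to apply them.
plan_update() {
    tmp=$(mktemp -d) || return 1
    sanitize "$1" > "$tmp/old"
    sanitize "$2" > "$tmp/new"
    delta "$tmp/old" "$tmp/new" | nft_batch "$3" "$4" "$5"
    rm -rf "$tmp"
}
```

Entries present in both lists are never touched, so the set stays populated during the update.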

Wow.. I was glad to double check everything before updating my primary router to the latest OpenWrt (literally was starting to backup everything before writing this).. currently it's still using 19.x and BanIP is one of the most useful package in my setup

So it seems I won't be using the latest 22.03 but use 21.02.3 version instead hahaha

@dibdot we'll be waiting for your latest version that would work with the latest 22.03 hehehehe more power to you :smiley:

4 Likes

@AcidSlide it is possible to contribute, and while LuCI and javascript is something i have less exposure to than NFT ipsets and nftables.

@dibdot I do believe my contribution with some cleaning can help towards fully functional banIP.

Tried moving it here:

And while I strongly believe these things are essential as soon as a firewall is even possible, interest is low compared to media, storage and wireless.

Phew I have spent some hours for my rollback, I even didn't notice that this awesome package is no longer supported... I really hope there will be support for it :hugs:

so long

1 Like

banip service is running but when using top I found 2 lines that don't look healthy?

/bin/sh /etc/banip/banip.service Exit before auth from|error: maximum authentication attempts exceeded|sshd.*Connection closed by.*\[preauth\]|luci: failed login|nginx\[[0-9]+\]:.*\[error\].*open().*client: [[:alnum:].:]+

they both look the same, any ideas whats wrong?
thx!

so long

Why don't you stop messing up this thread?? @dibdot kindly asked you many times to stop, and you keep posting about your script in this thread.
If you feel that your script has an interest, create a new thread makes sense!
Here it just seems you want to get some interest of your work by using banIP popularity...

FYI to all.. if you are using curl with banIP, it will not work properly for https links if you have installed the latest patches for the wolfssl security update (Security Advisory 2022-10-04-1 - wolfSSL buffer overflow during a TLS 1.3 handshake (CVE-2022-39173))

somehow libcurl got affected after the update of the wolfssl packages

Is it possible to use banip for a single device only?

You mean only use/apply BanIP to a single device in your network? Short answer, yes it's possible. Honest answer, No, because it becomes too tedious if you have a lot of devices. BanIP can whitelist MAC address that will bypass its filtering, so what you are trying is the reverse of this.

I made a "how-to" now that the final version of 22.03 is out on how to get the old version of banIP installed. I did this with OpenWrt 22.03.1 r19777-2853b6d652 . I recommend only doing this during the upgrade because it involves uninstalling Luci and firewall 4. If you are unsure of what you are doing you can become lost, easily. I was hoping to put this off until dibdot released the nftables version but the Wolf SSL vulnerability compelled me to upgrade to the latest version - why not just upgrade the whole system while I'm at it. This is the problem we face while waiting for a banIP solution for nftables; a 0 day comes out and we are reluctant to upgrade to keep our present systems working at the risk of vulnerabilities. Follow this "how-to" at your own risk and read through the instructions thoroughly before proceeding if you choose to do so. This is how I was able to get it to work on 22.03.1 with an e8450. Please read the following “How-To” in its entirety before attempting to go through the steps necessary to remove firewall4 and luci. You will have to reinstall luci (easiest solution) in order to get your menus to show up correctly after removing firewall4. It's also possible to remove the annoying nftables mixed with iptables warning by modifying /usr/share/luci/menu.d/luci-app-status.json and rebooting.

Step 1. Source the .ipk’s for Banip along with the dependencies necessary. I sourced the packages I needed based on the architecture of my router. I have an E8450 which is based on the ARMv8-A processor. Going back to when BanIP was still working, I can find the packages necessary for download here:

https://downloads.openwrt.ifw.cn/releases/21.02.0/packages/aarch64_cortex-a53/packages/

Source your packages by visiting
https://downloads.openwrt.ifw.cn/releases/21.02.0/packages/

and select the appropriate package architecture. You will also need to visit
https://downloads.openwrt.ifw.cn/releases/21.02.0/packages/YOURARCHITECTURE/luci/
(Where YOURARCHITECTURE in the url matches your router architecture e.g. aarch64_cortex-a53 for the E8450) in order to install the luci interface for banip.

You will need the following packages (and any subsequently necessary dependencies such as firewall and iptables-zz-legacy which will come later):

banip_0.7.10-3_all.ipk

luci-app-banip_git-21.165.16952-467b853_all.ipk

Step 2. Transfer banip_0.7.10-3_all.ipk to /tmp/ on your device and keep copies of files transferred to that location on your local system as rebooting will remove them from the tmp directory.

Step 3. Install banIP by creating an SSH session to your OpenWrt device and run the following commands within the /tmp/ directory

opkg install banip_0.7.10-3_all.ipk

Reboot your device after the command is run.

Step 4. BanIP sources your lists by using a pre-defined utility. In my case I like to use curl. It also requires the use of iptables and firewall 3 to work. Start by installing curl or your preferred "get" tool from the software section in Luci or by using opkg from your ssh terminal. Install the iptables-zz-legacy package in the same manner. If you setup ipv6 with banip you will also need to get ip6tables-zz-legacy.

22.03.01 comes with firewall 4 and it will be necessary to remove it by creating an ssh session and issuing the following commands:

opkg update

opkg remove firewall4

then install firewall 3 by running:

opkg install firewall

reboot

SSH into the router and run the following commands as luci will be inaccessible – you will need to reinstall by first removing all Luci based services and packages:

opkg remove 'luci*' --force-depends

reboot

SSH into the router and run the following:

opkg update

opkg install luci

reboot

You will then need to reinstall your luci-app based packages (can be done from within luci) including luci-app-banip_git-21.165.16952-467b853_all.ipk from the SSH session. Do this by transferring the file to /tmp/ then from /tmp/ on your OpenWRT device run:

opkg install luci-app-banip_git-21.165.16952-467b853_all.ipk

reboot

Do not forget to re-apply your backup configuration files and be aware that attended system upgrades will fail while you have non-published packages installed/selected in your current version. You will have to remove those packages from the list in order to upgrade and then manually reinstall. Make sure to check and backup all of your Luci configurations and settings from cronjobs to backup file lists before uninstalling luci. I noticed strange behaviors of how the wireless was configured from luci on this specific router and found it necessary to restore my wireless, network, and firewall configurations manually in order to get everything back exactly the way I wanted. Remember to make backups and good luck!

4 Likes

Please respect the wishes of the thread author and relocate your post to your own thread. It is inappropriate here. Thanks.

I'm pretty sure dibdot was referring to the scripting that was going on to modify banip - my post was on topic and directly related to getting banIP to work on newer versions without scripting. Plus - people asked.

4 Likes

I'll ask you the same question.

Why muddy the waters here in this support forum? Why bother to upgrade to 22.03 and then undo much of the development effort that went into it? You don't think your effort will cause confusion?

Because there wasn't a lot of development that went into openwrt for nftables. I can just as easily uninstall firewall 3 and reinstall firewall 4. It's not muddying the waters at all - OpenWRT is the Operating System and doesn't really have a lot to do with the software that people choose to run on it. I went with 22.03.1 and not 22.03.0 because it already contains the patches for WolfSSL. This specific thread is for banIP support and so it's clear that it belongs here and not in a different thread that focuses on scripts that aren't a part of banIP. If you have issue or concern, feel free to dm me - let's keep it out of the forum because that's going to irritate the thread owner.

4 Likes

@m0dul8r

Nicely put. I removed BanIP because of the switch. However, I am ready for nftables since it is moving the way of tomorrow. Everything that can be done with IP tables can be done with nftables. I am actually about to look at BanIP development to explore how adaptable it may be to nftables. who knows. it may take a little work, but i converted all my personal IP table chains to nftables over night. (including concatenation, and mappings). I look forward to BanIP's progression to nftables.

I had the same thoughts but the formatting of the commands for iptables doesn't work in the same fashion as nftables - it also uses ipsets. The two are very similar but the command line formatting is the challenge and is going to take a bit of redesign. I basically view BanIP as an iptables manager; it gives me the ability to continuously update ipsets from remote sources on a daily basis whereas most chains that are injected have no management for injected chains. Blocklists are constantly updating their datasets and it's important to pull those updates so that you're not blocking people who have contacted the blocklists for removal and have been successful removing their IPs. It's also important to update to ban new offenders. Occasionally, I'll run across an entry from a blocklist that includes desired servers for apps like Discord (which was placed into the voip blocklist) and it was necessary to whitelist their servers. I'll allow dibdot to finish and operate on fw3 until he does - I didn't really see a big difference between fw3 and fw4; just that supposedly it handles memory better and that there's a change in the CLI commands.

The problem presented to banip is there are two paths that can be taken, either banip automatically uninstalls fw4 and installs fw3 in its place at first user run time, or banip becomes adapted to support using new nftables. At either rate, it has to be adapted for users running latest openwrt.