57 Commits

Author SHA1 Message Date
Dirk Brenken
c4f95cb0f2 banIP: update 1.5.0-2
* fix typo in the log_outbound target
* update the readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
2025-01-19 21:08:47 +01:00
Dirk Brenken
80768dfdae banIP: release 1.5.0-1
* change the chain structure: only two regular chains contain the generated banIP sets.
  '_inbound' covers the base chains WAN-Input and WAN-Forward, '_outbound' covers the base chain LAN-Forward.
* pre-configure the default chains for every feed in the banip.feeds json file, no longer blocks
  selected feeds in all chains by default
* it's now possible to split country and asn Sets by country or asn (disabled by default)
* support Set counters to report easily suspicious IPs per Set (disabled by default)
* make it possible to opt out certain chains from the deduplication process
* the element search now returns all matches (and not only the first one)
* the report engine now includes statistics about the Inbound & Outbound chains and the Set counters (optional)
* save the temp. files of possible nft loading errors in "/tmp/banIP-errors" by default for easier debugging
* various code improvements
* remove ssbl feed (deprecated)
* add two new vpn feeds
* update the readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
2025-01-16 20:10:34 +01:00
Dirk Brenken
3140259fc6 banIP: update 1.0.1-2
* correctly parse json objects with hyphens in the autodetection function

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-11-26 07:05:24 +01:00
Dirk Brenken
8609a5bbe5 banIP: release 1.0.1-1
* optimized procd settings for better performance
* made the log monitor work again (even on master with apk migration issues)
* reworked the fetch autodetection function (still broken in master due to apk migration)

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-11-24 15:44:38 +01:00
Dirk Brenken
4f00d8f0ee banIP: update to 1.0.0-10
* minimal fix to support all download utilities in currently broken apk snapshots
  (see https://github.com/openwrt/openwrt/issues/16907 for details)

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-11-16 12:45:40 +01:00
Dirk Brenken
fb19c14696 banIP: update to 1.0.0-9
* fixed gathering/printing of system information in banIP status
* removed broken iblocklist.com feeds
* updated readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-10-26 21:25:20 +02:00
Dirk Brenken
270e6f1264 banIP: update to 1.0.0-8
* supports comments (introduced with a #), for MAC addresses
  in the allow and block list, e.g. 26:5e:a0:6a:9c:da # Test
* added hagezi threat ip feed
* added an adguard logterm to the readme
* removed the broken talos feed

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-10-11 19:46:16 +02:00
Dirk Brenken
aeda25086e banIP: update to 1.0.0-7
* fixed auto allow-/blocklist-issue with IPv6 addresses in CIDR notation
* removed edrop feed from readme (had been removed from feeds for a while)

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-09-20 10:04:40 +02:00
Dirk Brenken
b157e03e80 banip: update 1.0.0-6
* automatic blocking of IP ranges via RDAP request now supports multiple CIDRs
* cosmetics

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-09-09 21:08:48 +02:00
Dirk Brenken
2cc7cf3ca0 banip: update 1.0.0-3
* fixed a regression in the split Set function (reported in the forum)
* fixed regex for urlhaus feed

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-06-18 17:04:15 +02:00
Dirk Brenken
059a530329 banip: update 1.0.0-2
* fixed a possible "Argument list too long" error in the f_log function
* fixed multiple, incomplete digit character classes
* fixed/optimized split file handling
* cosmetics

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-06-16 21:52:10 +02:00
Dirk Brenken
cc709768b5 banip: release 1.0
* made sure that the domain lookup always adds the found IPs to the underlying allow-/blocklist-Set
* major readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-06-08 10:34:09 +02:00
Dirk Brenken
3584187f69 banip: update 0.9.6-3
* fixed concurrent, too high nft loads during feed processing (seen in LuCI frontend)

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-06-01 16:06:59 +02:00
Dirk Brenken
27e86ef42e banip: update 0.9.6-2
* fix regex for nixspam and sslbl feed
* list the pre-routing limits in the banIP status
* small fixes and log improvements

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-05-30 21:36:57 +02:00
Dirk Brenken
ccca9c8325 banip: release 0.9.6-1
* refine IPv4 parsing, skip rough feed entries like loopback addresses
* better error logging during banIP nftables initialization and Set loading
* cosmetics

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-05-18 08:30:04 +02:00
Dirk Brenken
083554094b banip: update 0.9.5-5
* fix a processing race condition
* it's now possible to disable the icmp/syn/udp safeguards in pre-routing - set the threshold to '0'.

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-05-05 21:58:13 +02:00
Dirk Brenken
4d7c38c770 banip: update 0.9.5-4
* optimized adding suspicious IPs to Sets in the log monitor
* re-added ipblackhole feed

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-05-01 15:03:13 +02:00
Dirk Brenken
2c6d5adac0 banip: update 0.9.5-3
* allow multiple protocol/port definitions per feed, e.g. 'tcp udp 80 443 50000'
* removed the default protocol/port limitation from asn feed

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-04-26 17:03:33 +02:00
Dirk Brenken
ad755e0c4d banip: update 0.9.5-2
* fixed possible Set search race condition (initiated from LuCI frontend)
* fixed the "no result" Set search problem in LuCI
* removed abandoned feeds: spamhaus edrop (was merged with spamhaus drop)

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-04-21 21:58:32 +02:00
Dirk Brenken
fa80fefe22 banip: release 0.9.5-1
* added DDoS protection rules in a new pre-routing chain to prevent common ICMP, UDP and SYN flood attacks and drop spoofed tcp flags & invalid conntrack packets, flood thresholds are configured via 'ban_icmplimit' (default 10/s), 'ban_synlimit' (default 10/s) and 'ban_udplimit' (default 100/s)
* the new pre-routing rules are tracked via named nft counters and are part of the standard reporting, set 'ban_logprerouting' accordingly
* block countries dynamically by Regional Internet Registry (RIR)/regions, e.g. all countries related to ARIN. Supported service regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE, set 'ban_region' accordingly
* it's now possible to always allow certain protocols/destination ports in wan-input and wan-forward chains, set 'ban_allowflag' accordingly - e.g. ' tcp 80 443-445'
* filter/convert possible windows line endings of external feeds during processing
* the cpu core autodetection is now limited to max. 16 cores in parallel, set 'ban_cores' manually to overrule this limitation
* set the default nft priority to -100 for banIP input/forward chains (pre-routing is set to -150)
* update readme
* a couple of bugfixes & performance improvements
* removed abandoned feeds: darklist, ipblackhole
* added new feeds: becyber, ipsum, pallebone, debl (changed URL)
* requires a LuCI frontend update as well (separate PR/commit)

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-04-20 12:43:37 +02:00
Dirk Brenken
4356180197 banip: update 0.9.4-3
* fix another logical glitch in the logfile monitor

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-03-04 21:26:44 +01:00
Dirk Brenken
7b06b1d312 banip: update 0.9.4-2
* fix a long-standing problem in the logfile-parser with dropbear and compressed IPv6 addresses

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-03-02 21:26:11 +01:00
Dirk Brenken
730ad59cb9 banip: release 0.9.4-1
* add support for destination port & protocol limitations for external feeds (see readme for details),
  useful for lan-forward ad- or DoH-blocking, e.g. only tcp ports 80 and 443
* add turris sentinel blocklist feed
* update readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-03-02 09:28:39 +01:00
Dirk Brenken
5af101564a banip: update 0.9.3-2
* rework the device/interface auto-detection (only layer-3 network devices will be detected correctly), disable the auto-detection e.g. for special tunnel interfaces
* supports now full gawk (preferred, if installed) and busybox awk
* raise the default boot timeout to 20 seconds (if 'ban_triggerdelay' is not set)
* various small fixes and improvements
* readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-12-28 17:57:04 +01:00
Dirk Brenken
df81585cea banip: bump to release 0.9.3-1
* provides an option to transfer log events on remote servers via cgi interface (disabled by default), see readme for details
* refine the allowlist check to support IP intervals as well before adding an IP to the blocklist

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-12-11 17:35:40 +01:00
Dirk Brenken
1557ddfe83 banip: update 0.9.2-3
* fix the urlhaus regex
* fix a possible init race condition

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-11-25 08:24:36 +01:00
Dirk Brenken
2411bcffaf banip: update 0.9.2-2
* support backup/restore for remote allowlists
* report the used log variant in status message

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-11-08 15:59:24 +01:00
Dirk Brenken
c4e8140740 banip: release 0.9.2-1
* the log file monitor now supports standard log files used by other log daemons like syslog-ng
  Set 'ban_logreadfile' accordingly, by default it points to /var/log/messages
* removed logd dependency, closes #21932

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-11-05 09:20:23 +01:00
Dirk Brenken
00cad2980c banip: release 0.9.1-1
* drop packets silently on input and forwardwan chains or actively reject the traffic, set 'ban_blocktype' accordingly
* optimized banIP boot/reload handling
* removed pppoe quirk in device detection
* small fixes and optimizations

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-10-03 21:34:49 +02:00
Dirk Brenken
1c14eb6d8c banip: release 0.9.0-1
* supports allowing / blocking of certain VLAN forwards in segregated network environments,
   set 'ban_vlanallow', 'ban_vlanblock' accordingly
* simplified the code/JSON to generate/parse the banIP status
* enclose nft related devices in quotation marks, e.g. to handle devices which start with a number '10g-1'
* made the new vlan options available to LuCI (separate commit)

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-07-16 07:32:48 +02:00
Dirk Brenken
5e2a9f082a banip: update 0.8.9-4
* made the etag id parsing more bulletproof (to catch unverified etags as well)

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-07-09 07:01:17 +02:00
Dirk Brenken
88e64a2ae4 banip: update 0.8.9-3
* prevent superfluous etag function calls during start action (on start backups will be used anyway)
* changed the ipthreat feed download URL (load a compressed file variant to save bandwidth)

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-07-08 19:51:52 +02:00
Dirk Brenken
137045faa9 banip: update 0.8.9-2
* fix a corner case backup issue with empty feed downloads

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-07-07 20:03:08 +02:00
Dirk Brenken
68cdc3952d banip: release 0.8.9-1
* added HTTP ETag or entity tag support to download only resources that have been updated on the server side,
  to save bandwidth and speed up banIP reloads
* added 4 new feeds: binarydefense, bruteforceblock, etcompromised, ipblackhole (see readme)
* updated the readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-07-07 18:28:58 +02:00
Dirk Brenken
c3084be415 banip: update 0.8.8-2
* process local lists in strict sequential order to prevent possible race conditions
* support ranges in the IP search, too
* fix some minor search issues

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-06-24 13:09:40 +02:00
Dirk Brenken
b9bd6cdb0d banip: release 0.8.8-1
* Support MAC-/IPv4/IPv6 ranges in CIDR notation
* Support concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments (see readme)
* small fixes & cosmetics
* update readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-06-21 10:53:43 +02:00
Dirk Brenken
767d1ec663 banip: release 0.8.7-1
* Optionally auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the
   monitored suspicious IP, set 'ban_autoblocksubnet' accordingly (disabled by default).
   For more information regarding RDAP see
   https://www.ripe.net/manage-ips-and-asns/db/registration-data-access-protocol-rdap for reference.
* small fixes & cosmetics
* update readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-06-05 17:20:42 +02:00
Dirk Brenken
cf4ac0301d banip: update 0.8.6-2
* fix/rework no-op loop
* small fixes & cosmetics
* update readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-05-16 12:34:27 +02:00
Dirk Brenken
4920d96df0 banip: release 0.8.6-1
* made the fetch utility function/autodetection more bulletproof
* no longer add suspicious IPs to the local blocklist when the nft set timeout has been set
* restructure internal functions & small fixes

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-05-12 22:30:55 +02:00
Dirk Brenken
7ac5f0a3d9 banip: release 0.8.5-1
* add support for external allowlist URLs to reference additional IPv4/IPv6 feeds, set 'ban_allowurl' accordingly
* make download retries in case of an error configurable, set 'ban_fetchretry' accordingly (default 5)
* small fixes
* readme update
* LuCI update (separate commit)

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-05-06 22:42:20 +02:00
Dirk Brenken
7e70de77d0 banip: update 0.8.4-5
* fix remaining small issues
* standardize log wording
* polished up for branch 23.x

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-05-04 22:40:48 +02:00
Dirk Brenken
97d6c8bf77 banip: update 0.8.4-4
* add housekeeping to the autoallow function, only the current uplink will be held
* fix small issues
* cosmetics

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-05-04 12:07:32 +02:00
Dirk Brenken
829a9a61c2 banip: update 0.8.4-3
* add the option 'ban_autoallowuplink' to limit the uplink autoallow function: 'subnet' (default), 'ip' or 'disable'

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-05-02 21:43:13 +02:00
Dirk Brenken
16acda2262 banip: update 0.8.4-2
* fix domain lookup function (parse banIP config vars)
* update readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-04-28 12:07:06 +02:00
Dirk Brenken
c5d9b3ded2 banip: release 0.8.4-1
* add support for a custom feeds file (/etc/banip/banip.custom.feeds). Add new or edit existing banIP feeds on your own with the integrated custom feed editor (LuCI-component)
* add a new option 'ban_blockpolicy' to overrule the default block policy (block all chains), see readme for details
* change the feed file format and add a new ipthreat feed, see readme
* refine (debug) logging
* multiple small fixes and improvements
* readme update
* luci update (separate commit)

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-04-23 22:03:09 +02:00
Dirk Brenken
d178bf5d35 banip: update 0.8.3-2
* more init fixes

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-04-12 15:31:31 +02:00
Dirk Brenken
c07fae25e7 banip: release 0.8.3-1
* add the new init command 'lookup', to lookup the IPs of domain names in the local lists and update them
* significant acceleration of the domain lookup function
* multiple small fixes and improvements
* readme update
* luci update (separate commit)

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-04-06 19:43:46 +02:00
Dirk Brenken
c9bf92c88d banip: update to 0.8.2-5
* fixed missing version number when installed as separate package (not in build)
* fixed corner case init and mailing issues
* sorted Country list by country names ascending
* fixed some shellcheck findings

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-03-30 18:00:40 +02:00
Dirk Brenken
6b1df72e64 banip: update to 0.8.2-4
* fixed a race condition if the service is in a disabled state

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-03-26 22:52:34 +02:00
Dirk Brenken
1f5bc3f0f1 banip: update to 0.8.2-3
* raise max. timeouts from 10 to 30 seconds to stabilize the autodetection on slow hardware
* made interface trigger action configurable, set 'ban_triggeraction' accordingly (default: 'start')
* made E-Mail notifications configurable to receive status E-Mails with every banIP run,
  set 'ban_mailnotification' accordingly (default: disabled)
* small fixes & optimizations
* readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-03-22 19:15:39 +01:00