Malware Filter / bad host IPSET

25 actually, sorry for the confusion; it's due to a revert I did.

Changed it all around so it says 25, thanks for the heads up.
 
Just ran version 25 at the school I support. Works great:

Code:
system: Malware Filter (ipv4) loaded 36115 unique ip addresses that will be rejected from contacting your router.
system: Malware Filter (ipv4) loaded 852 unique ip ranges that will be rejected from contacting your router.

I will now load the new version on the other routers. Thank you for the update!
 
I also confirmed that version 25 works on DD-WRT as well. Woot!
 
Nice :) It should support Padavan firmware out of the box too. The only change on that firmware is where the malware-filter.list is stored and the actual script; basically change jffs to opt.
 
Thanks again @swetoast for maintaining these scripts. pfSense does not have ipset, but it has a package called pfBlockerNG for blocking sites and advertisements. I was able to use the list of malware-filter & privacy-filter.list domains in pfBlockerNG to implement the tool on pfSense.
 
Encountered the following error on RT-N66U running John's fork
Code:
admin@rt-n66u:/tmp/mnt/sda1/entware/bin# time malware-filter
ip6tables v1.3.8: Couldn't load match `set':File not found

Try `ip6tables -h' or 'ip6tables --help' for more information.
system: Malware Filter (ipv4) loaded 47301 unique ip addresses that will be rejected from contacting your router.
system: Malware Filter (ipv4) loaded 850 unique ip ranges that will be rejected from contacting your router.
ipset v4.5: Unknown set
system: Malware Filter (ipv6) loaded -7 unique ip addresses that will be rejected from contacting your router.

Running the debug tool, encountered an error as well
Code:
admin@rt-n66u:/tmp/mnt/sda1/entware/bin# sh debugtool.sh
cat: read error: Is a directory
Do you want to review the debug log and send it (y/n)?y

Link to the debug tool output: https://clbin.com/o7Aal
 
Seems that for some reason it tried to use IPv6 on your router. Do you have IPv6 enabled?

The good news is that it's blocking on IPv4, so you are protected, but it also tries on IPv6 and there is no default blocklist available there yet. I also see an error that needs fixing.
 
@unknownz mind printing out

ip6tables -h

and pasting it here


Here you go:
Code:
admin@rt-n66u:/tmp/home/root# ip6tables -h
ip6tables v1.3.8

Usage: ip6tables -[AD] chain rule-specification [options]
       ip6tables -[RI] chain rulenum rule-specification [options]
       ip6tables -D chain rulenum [options]
       ip6tables -[LFZ] [chain] [options]
       ip6tables -[NX] chain
       ip6tables -E old-chain-name new-chain-name
       ip6tables -P chain target [options]
       ip6tables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain        Append to chain
  --delete  -D chain        Delete matching rule from chain
  --delete  -D chain rulenum
                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                Replace rule rulenum (1 = first) in chain
  --list    -L [chain]        List the rules in a chain or all chains
  --flush   -F [chain]        Delete all rules in  chain or all chains
  --zero    -Z [chain]        Zero counters in chain or all chains
  --new     -N chain        Create a new user-defined chain
  --delete-chain
            -X [chain]        Delete a user-defined chain
  --policy  -P chain target
                Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                Change chain name, (moving any references)
Options:
  --proto    -p [!] proto    protocol: by number or name, eg. `tcp'
  --source    -s [!] address[/mask]
                source specification
  --destination -d [!] address[/mask]
                destination specification
  --in-interface -i [!] input name[+]
                network interface name ([+] for wildcard)
  --jump    -j target
                target for rule (may load target extension)
  --match    -m match
                extended match (may load extension)
  --numeric    -n        numeric output of addresses and ports
  --out-interface -o [!] output name[+]
                network interface name ([+] for wildcard)
  --table    -t table    table to manipulate (default: `filter')
  --verbose    -v        verbose mode
  --line-numbers        print line numbers when listing
  --exact    -x        expand numbers (display exact values)
  --modprobe=<command>        try to insert modules using this command
  --set-counters PKTS BYTES    set the counter during insert/append
[!] --version    -V        print package version.

And to answer your previous question: yes, my ISP does provide IPv6, so I have it enabled as well.
 
Greets Swetoast!
FYI, I ran malware-filter this morning and got the following:

"insmod: can't insert '/lib/modules/2.6.36.4brcmarm/kernel/net/netfilter/ipset/ip_set.ko': File exists"

The script completed and ipset list indicated lots of addresses blocked :)

I then ran privacy-filter and it completed successfully, but there was no such message.

Also, IIUC, the scripts go out to the net to get the latest addresses and load them directly into iptables. ISTM this would be a problem if one booted up offline.
Perhaps the block addresses should be loaded into a file somewhere, and when booting offline with fresh addresses unavailable, that file would be loaded into iptables instead. Older addresses would be better than none.
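
The cache-and-fallback idea raised in the post above, as an added example that is not part of the thread or of the malware-filter script. The cache path, the set names `mf_ip` and `mf_net`, and the fetch command handed to `refresh_cache` are assumptions; the restore lines use ipset v6 syntax.

```shell
#!/bin/sh
# Added example, not the malware-filter script. CACHE, the set names and the
# fetch command passed in by the caller are assumptions.
CACHE="${CACHE:-/tmp/malware-filter.cache}"

# Keep only lines shaped like IPv4 addresses or CIDR ranges, de-duplicated.
# Comments, blank lines and anything else a list feed may contain are dropped.
sanitize() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' | sort -u
}

# refresh_cache CMD [ARGS...]: run the fetch command and replace the cache
# only when it produced at least one valid entry, so a failed download
# (for instance an offline boot) never wipes the last good list.
refresh_cache() {
    tmp="$CACHE.new.$$"
    "$@" 2>/dev/null | sanitize > "$tmp" || true
    if [ -s "$tmp" ]; then
        mv "$tmp" "$CACHE"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Print "ipset restore" input built from the cache: single hosts go to a
# hash:ip set, CIDR ranges to a hash:net set.
# Apply with: restore_input | ipset restore -!
restore_input() {
    [ -s "$CACHE" ] || return 1
    echo "create mf_ip hash:ip"
    echo "create mf_net hash:net"
    while read -r entry; do
        case "$entry" in
            */*) echo "add mf_net $entry" ;;
            *)   echo "add mf_ip $entry" ;;
        esac
    done < "$CACHE"
}

# load_blocklist CMD [ARGS...]: try a fresh download, fall back to the cache.
# Prints "fresh" or "cached"; fails only when no list exists at all.
load_blocklist() {
    if refresh_cache "$@"; then echo fresh; else
        [ -s "$CACHE" ] && echo cached || return 1
    fi
}
```

On a router the cache belongs on persistent storage (the thread mentions jffs and opt) so that it survives a reboot.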
 
