
aegis: a firewall blocklist

HELLO_wORLD

Senior Member
aegis is the successor of firewall-blocklist:
https://www.snbforums.com/threads/r7800-r9000-probably-others-blocklist-based-firewall-addon.63241/
It starts with version 1.0.0, but is more recent than the latest firewall-blocklist.


aegis
A firewall blocklist script for Netgear R7800 and R9000 Routers with Voxel firmware.
Should work with some other models as well.

What is it?
It is a script that allows you to block a list of IP addresses or ranges for inbound and outbound traffic.
The main purpose is blocking dangerous addresses known for spam, hacking, malware, etc...
The blocklist is automatically generated from known sources (this is editable) and you can add your own IP addresses/ranges as well.

Instructions and installation
https://github.com/bolemo/aegis/blob/master/README.md


________ below this is only if you are using firewall-blocklist ________

To migrate from firewall-blocklist
It is very easy, and can be done with three commands
Code:
wget -qO- https://raw.githubusercontent.com/bolemo/firewall-blocklist/master/migrate-to-aegis.sh | sh
Code:
wget -qO- https://github.com/bolemo/aegis/raw/master/aegis-install.sh | sh
Code:
/opt/bolemo/scripts/aegis update
Don’t forget to update your cron job to aegis update instead of firewall-blocklist update if you had one set.

R. Gerrits

Senior Member
I think you have a bug in migrate-to-aegis.sh

Code:
/opt/bolemo/script/firewall-blocklist clean
rm -f /opt/bolemo/script/firewall-blocklist
At least on my device the location is /opt/bolemo/scripts


Also I see aegis adds itself to the PATH via /root/.profile
Wouldn't it be much cleaner and simpler if you just create a symlink to aegis in /usr/bin or /usr/sbin ?
 

R. Gerrits

Senior Member
And also the new install doesn't go smoothly:

Code:
[email protected]:/tmp/mnt/sda1/bolemo/scripts$ wget -qO- https://github.com/bolemo/aegis/raw/master/aegis-install.sh | sh
Where do you want to install aegis?
  0 - router internal memory (rootfs)
  1 - external drive: /mnt/optware
  2 - external drive: /mnt/sda1
  c - cancel installation
Your choice: 1
aegis will be installed on external drive /tmp/mnt/optware
Creating directory (if not already existing): /opt/scripts
Creating directory (if not already existing): /tmp/mnt/optware/bolemo
Creating symlink (if not already existing): /opt/bolemo
Creating subdirectories in bolemo: scripts, etc
Downloading and installing aegis...
An aegis sources file already exists, keeping it.
sh: Syntax error: "fi" unexpected (expecting "then")
downloading it and running it locally shows:
Code:
An aegis sources file already exists, keeping it.
./aegis-install.sh: ./aegis-install.sh: 68: Syntax error: "fi" unexpected (expecting "then")
so it is in here:
Code:
if ! echo $PATH | grep -qF "/opt/bolemo/scripts"
[ -e "/opt/bolemo/etc/profile" ] && sed -i "|export PATH=/opt/bolemo/scripts:\$PATH|d" '/root/.profile'
echo "export PATH=/opt/bolemo/scripts:\$PATH" >> '/root/.profile'
[ -e '/root/.profile' ] && sed -i "|. /opt/bolemo/etc/profile|d" '/root/.profile'
echo ". /opt/bolemo/etc/profile" >> '/root/.profile'
fi
first line should be
Code:
if ! echo $PATH | grep -qF "/opt/bolemo/scripts"; then
with that change the initial error is gone, but now I see:
Code:
Downloading and installing aegis...
An aegis sources file already exists, keeping it.
sed: -e expression #1, char 1: unknown command: `|'
iprange is installed.
Done!
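The two failures reported in the post above (the missing `then`, and the sed expression that starts with a bare `|`), reproduced on temporary files as an added example; this is not code from aegis-install.sh or from any poster, and `syntax_ok`, `ensure_line` and `demo` are hypothetical names. `sh -n` parses a downloaded script without running it, so a saved installer can be checked before any of its steps execute.

```sh
#!/bin/sh
# Added example: hypothetical helpers, not code from aegis-install.sh.

# Parse a downloaded script without executing anything (sh -n).
# Returns non-zero on errors such as a missing "then".
syntax_ok() {
  sh -n "$1" 2>/dev/null
}

# Ensure FILE holds LINE exactly once: delete old copies, then append.
# A custom sed address delimiter needs a leading backslash:
#   \|regex|d  works;  |regex|d  fails with "unknown command: `|'".
# Assumes LINE contains no "|" and no regex specials that change its meaning.
ensure_line() {
  file=$1
  line=$2
  if [ -e "$file" ]; then
    sed -i "\\|^${line}\$|d" "$file"
  fi
  printf '%s\n' "$line" >> "$file"
}

# Constructed demo on temporary files; nothing under /root or /opt is touched.
demo() {
  tmp=$(mktemp -d) || return 1
  # Constructed stand-in for the failing installer block (missing "; then").
  printf '%s\n' 'if ! echo "$PATH" | grep -qF "/opt/bolemo/scripts"' \
    '  echo "export PATH=/opt/bolemo/scripts:\$PATH" >> "$HOME/.profile"' \
    'fi' > "$tmp/broken.sh"
  sed '1s/$/; then/' "$tmp/broken.sh" > "$tmp/fixed.sh"
  syntax_ok "$tmp/broken.sh" && echo "broken.sh: parses" || echo "broken.sh: syntax error"
  syntax_ok "$tmp/fixed.sh" && echo "fixed.sh: parses" || echo "fixed.sh: syntax error"

  # Running the update twice must still leave a single PATH line.
  ensure_line "$tmp/profile" 'export PATH=/opt/bolemo/scripts:$PATH'
  ensure_line "$tmp/profile" 'export PATH=/opt/bolemo/scripts:$PATH'
  grep -c 'bolemo/scripts' "$tmp/profile"
  rm -rf "$tmp"
}

demo
```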

NetBytes

Regular Contributor
I think you have a bug in migrate-to-aegis.sh

Code:
/opt/bolemo/script/firewall-blocklist clean
rm -f /opt/bolemo/script/firewall-blocklist
At least on my device the location is /opt/bolemo/scripts


Also I see aegis adds itself to the PATH via /root/.profile
Wouldn't it be much cleaner and simpler if you just create a symlink to aegis in /usr/bin or /usr/sbin ?
I also think a symlink might be better. It instantly works the moment it's created.
 

HELLO_wORLD

Senior Member
Yep, those are little annoying bugs. Will fix it right away. Thank you for reporting them!

I hesitated between symlink and .profile
I have several scripts in my bolemo/scripts, so I opted for .profile.
However, you are right, might be a lot simpler to use symlink in /usr/bin particularly because of the instant effect.
 

Tom Brough

Regular Contributor
I get this error regarding iprange....

"[email protected]:/$ wget -qO- https://github.com/bolemo/aegis/raw/master/aegis-install.sh | sh
Where do you want to install aegis?
0 - router internal memory (rootfs)
1 - external drive: /mnt/R7800USB
2 - external drive: /mnt/sda
c - cancel installation
Your choice: 1
aegis will be installed on external drive /tmp/mnt/R7800USB
Creating directory (if not already existing): /opt/scripts
Creating directory (if not already existing): /tmp/mnt/R7800USB/bolemo
Creating symlink (if not already existing): /opt/bolemo
Creating subdirectories in bolemo: scripts, etc
Downloading and installing aegis...
Downloading aegis default sources file...
iprange is not installed.
The iprange versions available from this installer are not supported on this device.
Done! "
 

NetBytes

Regular Contributor
Even without iprange the blocklist should still be working.
try running: aegis status
you should see something like 'set and active' and also 'Filtering <x> addresses'.

I know that he has an iprange that should work on R9000 but I have the R7800 so can't help there.
I would wait for a reply from HELLO_wORLD to address that.
 

HELLO_wORLD

Senior Member
Mine is an R7800 too....
It should install it.
Could you please try this command and report the result?
Code:
/bin/uname -p
I will look into it tomorrow if I find time, but if you are in a hurry, you can install iprange separately as mentioned at the end of the readme. Also, the script can work without iprange as @NetBytes mentioned.

Have a good night :)
 

HELLO_wORLD

Senior Member
Updated install script.
Now identifying the model number differently.

That should solve the problem encountered by @R. Gerrits

I’m using this
Code:
cat /module_name
As it should be on every NG router and is not dependent on router name or uname -p (that is not always reliable to identify the model).

@R. Gerrits : I’m still curious to know what ‘/bin/uname -p’ returns for you... should be IPQ8065
 
