Aegis aegis: a firewall blocklist


HELLO_wORLD

Very Senior Member
aegis is the successor of firewall-blocklist:
https://www.snbforums.com/threads/r7800-r9000-probably-others-blocklist-based-firewall-addon.63241/
It starts with version 1.0.0, but is more recent than the latest firewall-blocklist.


aegis
A firewall blocklist script for Netgear R7800 and R9000 Routers with Voxel firmware.
Should work with some other models as well.

What is it?
It is a script that allows you to block a list of IP addresses or ranges for inbound and outbound traffic.
The main purpose is blocking dangerous addresses known for spam, hacking, malware, etc.
The blocklist is automatically generated from known sources (this is editable) and you can add your own IP addresses/ranges as well.

Instructions and installation
https://github.com/bolemo/aegis/blob/master/README.md


________ below this is only if you are using firewall-blocklist ________

To migrate from firewall-blocklist
It is very easy, and can be done with three commands:
Code:
wget -qO- https://raw.githubusercontent.com/bolemo/firewall-blocklist/master/migrate-to-aegis.sh | sh
Code:
wget -qO- https://github.com/bolemo/aegis/raw/master/aegis-install.sh | sh
Code:
/opt/bolemo/scripts/aegis update
Don’t forget to update your cron job to aegis update instead of firewall-blocklist update if you had one set.
 
I think you have a bug in migrate-to-aegis.sh

Code:
/opt/bolemo/script/firewall-blocklist clean
rm -f /opt/bolemo/script/firewall-blocklist

At least on my device the location is /opt/bolemo/scripts


Also I see aegis adds itself to the PATH via /root/.profile
Wouldn't it be much cleaner and simpler if you just create a symlink to aegis in /usr/bin or /usr/sbin ?
 
And also the new install doesn't go smoothly:

Code:
root@R7800:/tmp/mnt/sda1/bolemo/scripts$ wget -qO- https://github.com/bolemo/aegis/raw/master/aegis-install.sh | sh
Where do you want to install aegis?
  0 - router internal memory (rootfs)
  1 - external drive: /mnt/optware
  2 - external drive: /mnt/sda1
  c - cancel installation
Your choice: 1
aegis will be installed on external drive /tmp/mnt/optware
Creating directory (if not already existing): /opt/scripts
Creating directory (if not already existing): /tmp/mnt/optware/bolemo
Creating symlink (if not already existing): /opt/bolemo
Creating subdirectories in bolemo: scripts, etc
Downloading and installing aegis...
An aegis sources file already exists, keeping it.
sh: Syntax error: "fi" unexpected (expecting "then")

downloading it and running it locally shows:
Code:
An aegis sources file already exists, keeping it.
./aegis-install.sh: ./aegis-install.sh: 68: Syntax error: "fi" unexpected (expecting "then")

So it is in here:
Code:
if ! echo $PATH | grep -qF "/opt/bolemo/scripts"
[ -e "/opt/bolemo/etc/profile" ] && sed -i "|export PATH=/opt/bolemo/scripts:\$PATH|d" '/root/.profile'
echo "export PATH=/opt/bolemo/scripts:\$PATH" >> '/root/.profile'
[ -e '/root/.profile' ] && sed -i "|. /opt/bolemo/etc/profile|d" '/root/.profile'
echo ". /opt/bolemo/etc/profile" >> '/root/.profile'
fi

first line should be
Code:
if ! echo $PATH | grep -qF "/opt/bolemo/scripts"; then

with that change the initial error is gone, but now I see:
Code:
Downloading and installing aegis...
An aegis sources file already exists, keeping it.
sed: -e expression #1, char 1: unknown command: `|'
iprange is installed.
Done!
 
Last edited:
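
Added example (not part of any post in this thread, and not the aegis installer's own code): the two shell errors reported above, fixed in a small function that adds the PATH line to a profile file exactly once. The function name add_path_line, its arguments and the sample profile built in demo are assumptions made for illustration.

```shell
#!/bin/sh
# add_path_line PROFILE DIR [PATHVALUE]
# Appends "export PATH=DIR:$PATH" to PROFILE exactly once, and only when
# DIR is not already present in PATHVALUE (defaults to the current $PATH).
# Assumption: DIR contains no '|' and no regex metacharacters other than '.'.
add_path_line() {
  profile=$1 dir=$2 pathvalue=${3-$PATH}

  # Fix 1: the condition must be terminated with "; then" (or a newline
  # followed by then); without it sh reaches "fi" and reports
  # "fi" unexpected (expecting "then").
  if ! echo "$pathvalue" | grep -qF "$dir"; then
    if [ -e "$profile" ]; then
      # Fix 2: a sed address that uses a custom delimiter must start with a
      # backslash. "|regex|d" fails with: unknown command: `|'
      # "\|regex|d" deletes matching lines; '|' is chosen because DIR
      # contains '/'. Writing to a temp file avoids relying on sed -i.
      sed "\|^export PATH=$dir:|d" "$profile" > "$profile.new" &&
        mv "$profile.new" "$profile"
    fi
    echo "export PATH=$dir:\$PATH" >> "$profile"
  fi
}

# Constructed demonstration on a temporary file; /root/.profile is not touched.
# Prints how many PATH lines for the directory end up in the file.
demo() {
  p=$(mktemp)
  printf '%s\n' '# constructed sample profile' 'alias ll="ls -l"' > "$p"
  add_path_line "$p" /opt/bolemo/scripts /usr/bin:/bin             # adds the line
  add_path_line "$p" /opt/bolemo/scripts /usr/bin:/bin             # no duplicate
  add_path_line "$p" /opt/bolemo/scripts /opt/bolemo/scripts:/bin  # already in PATH: no-op
  grep -c '^export PATH=/opt/bolemo/scripts:' "$p"
  rm -f "$p"
}
```

Calling demo prints 1: the line is present once however many times the function runs.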
I think you have a bug in migrate-to-aegis.sh

Code:
/opt/bolemo/script/firewall-blocklist clean
rm -f /opt/bolemo/script/firewall-blocklist

At least on my device the location is /opt/bolemo/scripts


Also I see aegis adds itself to the PATH via /root/.profile
Wouldn't it be much cleaner and simpler if you just create a symlink to aegis in /usr/bin or /usr/sbin ?

I also think a symlink might be better. It instantly works the moment it's created.
 
Yep, those are little annoying bugs. Will fix it right away. Thank you for reporting them!

I hesitated between symlink and .profile
I have several scripts in my bolemo/scripts, so I opted for .profile.
However, you are right, might be a lot simpler to use symlink in /usr/bin particularly because of the instant effect.
 
Version 1.0.1
Migration from firewall-blocklist and aegis Installer scripts are fixed (thanks @R. Gerrits).

Next release will use symlink instead of .profile if profile is not already used.
 
Version 1.0.2

Install script and aegis itself now will create symlink if aegis is not accessible in $PATH (either by symlink or profile).
 
I get this error regarding iprange....

"root@NetgearR7800:/$ wget -qO- https://github.com/bolemo/aegis/raw/master/aegis-install.sh | sh Where do you want to install aegis?
0 - router internal memory (rootfs)
1 - external drive: /mnt/R7800USB
2 - external drive: /mnt/sda
c - cancel installation
Your choice: 1
aegis will be installed on external drive /tmp/mnt/R7800USB
Creating directory (if not already existing): /opt/scripts
Creating directory (if not already existing): /tmp/mnt/R7800USB/bolemo
Creating symlink (if not already existing): /opt/bolemo
Creating subdirectories in bolemo: scripts, etc
Downloading and installing aegis...
Downloading aegis default sources file...
iprange is not installed.
The iprange versions available from this installer are not supported on this device.
Done! "
 
Even without iprange the blocklist should still be working.
Try running: aegis status
you should see something like 'set and active' and also 'Filtering <x> addresses'.

I know that he has an iprange that should work on R9000 but I have the R7800 so can't help there.
I would wait for a reply from HELLO_wORLD to address that.
 
Mine is an R7800 too....
It should install it.
Could you please try this command and report the result?
Code:
/bin/uname -p

I will look into it tomorrow if I find time, but if you are in a hurry, you can install iprange separately as mentioned at the end of the readme. Also, the script can work without iprange as @NetBytes mentioned.

Have a good night :)
 
Updated install script.
Now identifying the model number differently.

That should solve the problem encountered by @R. Gerrits

I’m using this
Code:
cat /module_name
As it should be on every NG router and is not dependent on router name or uname -p (that is not always reliable to identify the model).

@R. Gerrits : I’m still curious to know what ‘/bin/uname -p’ returns for you... should be IPQ8065
 
