Feature request: support blocklists

vrapp

Senior Member
Hello,

Any chance to implement support of blacklists for the firewall? There are many good blocklists, free and paid, such as squidblacklists.org, iblocklist.com, and more. It would be a great improvement over the existing small hardcoded set of URLs to block. Especially for the download master with its torrent application, it looks like a must.
 
Hello,

Any chance to implement support of blacklists for the firewall? There are many good blocklists, free and paid, such as squidblacklists.org, iblocklist.com, and more. It would be a great improvement over the existing small hardcoded set of URLs to block. Especially for the download master with its torrent application, it looks like a must.

Search this forum for "ipset". Everything required to implement a blocklist is already present in the FW.

I don't want to implement it at the webui level because it would be a huge time sink for me to constantly update it for everyone's favorite blocklist, having to deal with various different formats, etc...
 
Thanks; I've found this post:
https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset

that I can see how I can easily modify for the list I want. But it looks like I need a little crash course on scripts. In all pages, I see directions like "put script X into /jffs/scripts/..... - but how to do that? I have enabled and formatted JFFS partition, but how does one put a file in there, is there some file manager?
 
You can either use the "vi" editor included in the firmware (which comes with a steep learning curve), or have Entware or Optware installed on a USB flash drive, and use the nano editor.

Another method is to create the file on the USB disk, login using telnet or SSH, and copy the file to its location on the JFFS partition.
 
I don't want to implement it at the webui level because it would be a huge time sink for me to constantly update it for everyone's favorite blocklist, having to deal with various different formats, etc...

Maybe you could implement just one format, such as ipfilter.dat, which is the de facto standard supported by all bittorrent clients, if I'm not mistaken. Iblocklist.com allows the choice of the format to download. Besides, there are places to convert one format to another. I'm sure if you chose one format and implemented it, it would be a huge improvement. Using Download Master without a blocklist in place is somewhat risky...
 
There are already guides showing how to configure a blocklist on Asuswrt-Merlin using ipset.
 
Hi to All,

You gotta love this forum and our ASUS/Merlin Routers - BUT (isn't there always a BUT ;))

Did a search and found my answer - but get the following errors:-

insmod: can't insert '/lib/modules/2.6.36.4brcmarm/kernel/net/netfilter/ipset/ip_set.ko': File exists
insmod: 'ip_set_iptreemap.ko': module not found
insmod: 'ipt_set.ko': module not found
ipset v6.29: Error in line 1: Syntax error: typename 'iptreemap' is unknown

Looking at ipset guide https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset it appears that some of the command options are incorrect. Can someone point me in the right direction with this PeerGuardian V3 script that I would like to use:-
#!/bin/sh

logger "PeerGuardian rules"

logger "Loading ipset modules"
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_iptreemap ipt_set; do
insmod $module
done

case $(uname -m) in
armv7l)
MATCH_SET='--match-set'
;;
mips)
MATCH_SET='--set'
;;
esac

logger "Create the BluetackLevel1 (primary) if does not exists"
if [ "$(ipset --swap BluetackLevel1 BluetackLevel1 2>&1 | grep 'Unknown set')" != "" ]; then
ipset --create BluetackLevel1 iptreemap && \
iptables -I FORWARD -m set $MATCH_SET BluetackLevel1 src,dst -j DROP
fi
logger "Destroy this transient set just in case"
ipset --destroy BluetackLevel2 > /dev/null 2>&1

logger "Load the latest rule(s)"

(

(
(
nice wget -q -O - "http://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=p2p&archiveformat=gz" | \
nice gunzip | nice cut -d: -f2 | nice grep -E "^[-0-9.]+$" \
) && \
(
nice wget -q -O - "http://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=p2p&archiveformat=gz" | \
nice gunzip | nice cut -d: -f2 | nice grep -E "^[-0-9.]+$" \
) && \
(
nice wget -q -O - "http://list.iblocklist.com/?list=ydxerpxkpcfqjaybcssw&fileformat=p2p&archiveformat=gz" | \
nice gunzip | nice cut -d: -f2 | nice grep -E "^[-0-9.]+$" \
)
) | \
(
nice sed '/^$/d' | \
nice sed 's/^/-A BluetackLevel2 /' | \
nice sed '1s/^/-N BluetackLevel2 iptreemap\n/' && \
echo -e "\nCOMMIT\n" \
)
#) > output
) | \
nice ipset --restore && \
nice ipset --swap BluetackLevel2 BluetackLevel1 && \
nice ipset --destroy BluetackLevel2

logger "exiting Peerguarding rules"
exit $?


Thanks in advance !!!!
 
Search this forum for "ipset". Everything required to implement a blocklist is already present in the FW.

I don't want to implement it at the webui level because it would be a huge time sink for me to constantly update it for everyone's favorite blocklist, having to deal with various different formats, etc...

I agree - out of scope for the primary builds - and there are options for scripting on both iptables (ipset) and DNS based options thru DNSmasq blackholes...
 
Hi to All,

Well my old age must be really showing here, or maybe the message wasn't clear.
I am following the guide AND the Peerguardian scripts. The errors I get are on line 1 :(.
Not trying to be a wiseguy here, but that clearly indicates that something is incorrect in the guide / script.
My impression is that the Merlin FW is there to customise our routers - Y/N.

The guide for using ipset on Merlin builds has options which create errors.

"There are already guides showing how to configure a blocklist on Asuswrt-Merlin using ipset." is NOT the answer, as the errors are created by ipset.
Whilst I have been able to get all other scripts to work, this one will not, which clearly indicates that the errors are pretty serious.

But lack of interest is obvious as it is also obvious that my message was not even read properly.

I have searched the forum for ipset and did not find workable answers.

Nevermind - will have to get the answers somewhere else maybe.
 
Hi to All,

Well my old age must be really showing here, or maybe the message wasn't clear.
I am following the guide AND the Peerguardian scripts. The errors I get are on line 1 :(.
Not trying to be a wiseguy here, but that clearly indicates that something is incorrect in the guide / script.
My impression is that the Merlin FW is there to customise our routers - Y/N.

The guide for using ipset on Merlin builds has options which create errors.

"There are already guides showing how to configure a blocklist on Asuswrt-Merlin using ipset." is NOT the answer, as the errors are created by ipset.
Whilst I have been able to get all other scripts to work, this one will not, which clearly indicates that the errors are pretty serious.

But lack of interest is obvious as it is also obvious that my message was not even read properly.

I have searched the forum for ipset and did not find workable answers.

Nevermind - will have to get the answers somewhere else maybe.

That wiki entry doesn't appear to have been updated since IPSET was updated to version 6. More information here: http://www.snbforums.com/threads/fo...lts-releases-v20e9.18914/page-212#post-278873 and
http://www.snbforums.com/threads/using-ipset-revisited.32817/#post-289339
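The errors quoted earlier in the thread (`typename 'iptreemap' is unknown`, the missing `ip_set_iptreemap` and `ipt_set` modules) are what the ipset 4 syntax in the PeerGuardian script produces on a firmware that ships ipset 6. The script below is an added example written for this page; it is not code from the thread, the wiki, or the linked forum posts. It keeps the original script's design (build a fresh set from an iblocklist p2p download, then swap it in atomically so the DROP rule never points at an empty set) but uses ipset 6 syntax with a `hash:net` set, converts each `first-last` range into CIDR blocks itself rather than relying on the set type to accept ranges, and takes the range after the last colon instead of `cut -d: -f2`, which silently loses any entry whose description contains a colon. Assumptions: the iblocklist p2p format, `ipset create ... -exist` and `iptables -C` being available on the firmware's ipset and iptables builds, and the `ip_set` and set-match modules already being loaded (the "File exists" error above shows `ip_set` is). The set name `BluetackLevel1` is taken from the original script; the list id and the sample lines are placeholders. Run as-is, only the offline conversion executes; `update_blocklist` is what a firewall-start or cron script would call.

```shell
#!/bin/sh
# Added example for this page (not from the thread or the wiki):
# iblocklist p2p list -> ipset 6 "hash:net" set, loaded atomically.

ip2int() {
    # dotted quad -> 32-bit integer, POSIX arithmetic only (no external tools)
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

range_to_cidrs() {
    # "first last" -> minimal list of CIDR blocks covering the range, one per line
    start=$(ip2int "$1"); end=$(ip2int "$2")
    while [ "$start" -le "$end" ]; do
        bits=32
        while [ "$bits" -gt 0 ]; do
            step=$(( 1 << (33 - bits) ))   # size of the next wider block
            # widen only while the block stays aligned and inside the range
            if [ $(( start % step )) -ne 0 ] || [ $(( start + step - 1 )) -gt "$end" ]; then
                break
            fi
            bits=$(( bits - 1 ))
        done
        echo "$(int2ip "$start")/$bits"
        start=$(( start + (1 << (32 - bits)) ))
    done
}

p2p_to_restore() {
    # stdin: p2p lines "Description:first-last"; stdout: input for "ipset restore"
    # building set $1. The range is taken after the LAST colon, so descriptions
    # that themselves contain ':' are not lost (cut -d: -f2 would drop them).
    echo "create $1 hash:net family inet hashsize 1024 maxelem 131072"
    tr -d '\r' | sed -n 's/.*:\([0-9.][0-9.]*-[0-9.][0-9.]*\)[[:space:]]*$/\1/p' |
    while IFS=- read -r first last; do
        for cidr in $(range_to_cidrs "$first" "$last"); do
            echo "add $1 $cidr"
        done
    done
}

update_blocklist() {
    # $1 = gzipped p2p list URL, $2 = live set name. Build "${2}_new" first and
    # swap it in, so the DROP rule always references a populated set.
    url=$1; live=$2; new="${2}_new"
    ipset destroy "$new" >/dev/null 2>&1
    wget -q -O - "$url" | gunzip | p2p_to_restore "$new" | ipset restore || return 1
    # assumption: -exist and iptables -C exist on this firmware's ipset/iptables
    ipset create "$live" hash:net family inet hashsize 1024 maxelem 131072 -exist
    iptables -C FORWARD -m set --match-set "$live" src,dst -j DROP 2>/dev/null ||
        iptables -I FORWARD -m set --match-set "$live" src,dst -j DROP
    ipset swap "$new" "$live" && ipset destroy "$new"
}

# Constructed sample in p2p format (placeholder data, not a real list).
SAMPLE_P2P='# comment line, no range: ignored
Example Org:1.2.3.4-1.2.3.9
Name with: colon:10.0.0.0-10.0.0.255
'

# Offline demo: print the script that would be fed to "ipset restore".
printf '%s\n' "$SAMPLE_P2P" | p2p_to_restore BluetackLevel1_new
# Real run on the router, e.g. from firewall-start or cron (LIST_ID_PLACEHOLDER is not a real id):
# update_blocklist "http://list.iblocklist.com/?list=LIST_ID_PLACEHOLDER&fileformat=p2p&archiveformat=gz" BluetackLevel1
```

The range-to-CIDR conversion is the part worth checking before trusting a list: `1.2.3.4-1.2.3.9` must become `1.2.3.4/30` plus `1.2.3.8/31`, and a single address must come out as `/32`; a conversion that rounds ranges outwards would block neighbouring addresses that the list never named.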
 
Hi to All,
Thanking You Zirescu - not a step but a leap in the right direction :):).
 
Hey thanks a lot. I have noticed some activity. Will go and have some more fun :)
Hi again, iblocklist works excellently - 20 lists in very limited time - a BIG PLUS.
Malware works after fixing a word-wrap "copy - paste" error - a runaway ")" :)

Similar little drama in privacy-script, another ")" on line 19 - an unexpected ")" - will fix tomorrow.

You and toast (and all contributors & testers) got them working ..

Special thanks from me.
 
Hi Guys,

This is the result of these various filters. I absolutely have to thank everyone who worked on this / tested it and gave feedback to the coders....

pkts bytes target prot opt in out source destination
67634 5488K DROP all -- any any anywhere anywhere match-set BlockedCountries src
7 500 DROP all -- any any anywhere anywhere match-set TorNodes src
0 0 ACCEPT all -- any any anywhere anywhere match-set I-BlocklistComcastCIDR src,dst
0 0 ACCEPT all -- any any anywhere anywhere match-set I-BlocklistComcastSingle src,dst
0 0 DROP all -- any any anywhere anywhere match-set BluetackWebexploitCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackWebexploitSingle src
0 0 DROP all -- any any anywhere anywhere match-set BluetackForumspamCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackForumspamSingle src
0 0 DROP all -- any any anywhere anywhere match-set BluetackDshieldCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackDshieldSingle src
1720 91407 DROP all -- any any anywhere anywhere match-set BluetackHijackedCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackHijackedSingle src
0 0 DROP all -- any any anywhere anywhere match-set BluetackSpiderCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackSpiderSingle src
533 27912 DROP all -- any any anywhere anywhere match-set BluetackMicrosoftCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackMicrosoftSingle src
0 0 DROP all -- any any anywhere anywhere match-set BluetackBadpeersCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackBadpeersSingle src
0 0 DROP all -- any any anywhere anywhere match-set BluetackProxyCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackProxySingle src
0 0 DROP all -- any any anywhere anywhere match-set BluetackSpywareCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackSpywareSingle src
0 0 DROP all -- any any anywhere anywhere match-set BluetackAdsCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackAdsSingle src
96 5020 DROP all -- any any anywhere anywhere match-set BluetackBogonCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackBogonSingle src
0 0 DROP all -- any any anywhere anywhere match-set BluetackRangetestCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackRangetestSingle src
24 1216 DROP all -- any any anywhere anywhere match-set BluetackEduCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackEduSingle src
1014 52824 DROP all -- any any anywhere anywhere match-set BluetackLevel3CIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackLevel3Single src
48 2904 DROP all -- any any anywhere anywhere match-set BluetackLevel2CIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackLevel2Single src
20 1000 DROP all -- any any anywhere anywhere match-set BluetackLevel1CIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackLevel1Single src
0 0 DROP all -- any any anywhere anywhere match-set I-BlocklistPedophilesCIDR src
0 0 DROP all -- any any anywhere anywhere match-set I-BlocklistPedophilesSingle src
692 32776 REJECT all -- any any anywhere anywhere match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
139 7064 DROP all -- any any anywhere anywhere match-set MicrosoftSpyServers dst
0 0 REJECT all -- any any anywhere anywhere match-set Malware-Range-Filter src,dst reject-with icmp-port-unreachable
0 0 REJECT all -- any any anywhere anywhere match-set Malware-Filter src,dst reject-with icmp-port-unreachable

What a beauty - it has only been running for a little while today. But the results are there.

Thanking You.
 
Hi again,

For information only ...

ISP Metadata collection / storage became mandatory yesterday here in Australia.
These lists + VPN + DNScrypt + OpenNIC + DNSSEC make me feel a lot more comfortable and a little bit more secure.

If I was a terrorist or a pedo I would still expect big brother to catch me - that is what my taxes are for :D
But my personal privacy is MY PRIVACY - anyway, my strong personal beliefs :);)o_O.
 
If I was a terrorist or a pedo I would still expect big brother to catch me
Then you'd need to use Tor yourself (instead of blocking it); you may escape big brother, but the NSA would have you in their crosshairs :D

What a beauty - it has only been running for a little while today. But the results are there.
You may soon realize (like I did) that having so many blocklists on at the same time will block you from several things that you'd like to do on the www ;)
 
Hi Guys,

This is the result of these various filters. I absolutely have to thank everyone who worked on this / tested it and gave feedback to the coders....

pkts bytes target prot opt in out source destination
67634 5488K DROP all -- any any anywhere anywhere match-set BlockedCountries src
7 500 DROP all -- any any anywhere anywhere match-set TorNodes src
0 0 ACCEPT all -- any any anywhere anywhere match-set I-BlocklistComcastCIDR src,dst
0 0 ACCEPT all -- any any anywhere anywhere match-set I-BlocklistComcastSingle src,dst
0 0 DROP all -- any any anywhere anywhere match-set BluetackWebexploitCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackWebexploitSingle src
0 0 DROP all -- any any anywhere anywhere match-set BluetackForumspamCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackForumspamSingle src
0 0 DROP all -- any any anywhere anywhere match-set BluetackDshieldCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackDshieldSingle src
1720 91407 DROP all -- any any anywhere anywhere match-set BluetackHijackedCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackHijackedSingle src
0 0 DROP all -- any any anywhere anywhere match-set BluetackSpiderCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackSpiderSingle src
533 27912 DROP all -- any any anywhere anywhere match-set BluetackMicrosoftCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackMicrosoftSingle src
0 0 DROP all -- any any anywhere anywhere match-set BluetackBadpeersCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackBadpeersSingle src
0 0 DROP all -- any any anywhere anywhere match-set BluetackProxyCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackProxySingle src
0 0 DROP all -- any any anywhere anywhere match-set BluetackSpywareCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackSpywareSingle src
0 0 DROP all -- any any anywhere anywhere match-set BluetackAdsCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackAdsSingle src
96 5020 DROP all -- any any anywhere anywhere match-set BluetackBogonCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackBogonSingle src
0 0 DROP all -- any any anywhere anywhere match-set BluetackRangetestCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackRangetestSingle src
24 1216 DROP all -- any any anywhere anywhere match-set BluetackEduCIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackEduSingle src
1014 52824 DROP all -- any any anywhere anywhere match-set BluetackLevel3CIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackLevel3Single src
48 2904 DROP all -- any any anywhere anywhere match-set BluetackLevel2CIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackLevel2Single src
20 1000 DROP all -- any any anywhere anywhere match-set BluetackLevel1CIDR src
0 0 DROP all -- any any anywhere anywhere match-set BluetackLevel1Single src
0 0 DROP all -- any any anywhere anywhere match-set I-BlocklistPedophilesCIDR src
0 0 DROP all -- any any anywhere anywhere match-set I-BlocklistPedophilesSingle src
692 32776 REJECT all -- any any anywhere anywhere match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
139 7064 DROP all -- any any anywhere anywhere match-set MicrosoftSpyServers dst
0 0 REJECT all -- any any anywhere anywhere match-set Malware-Range-Filter src,dst reject-with icmp-port-unreachable
0 0 REJECT all -- any any anywhere anywhere match-set Malware-Filter src,dst reject-with icmp-port-unreachable

What a beauty - it has only been running for a little while today. But the results are there.

Thanking You.
Hi,

Please, how did you export this log?
Edit2: I found it, but it is not the same output. So if you could share what to do to obtain your output, please share.

Edit1: Found something about the firewall log here, but it is not the same output: https://www.snbforums.com/threads/traffic-logging-questions.31363/#post-248615

Thank you.
amplatfus
 