[R7800, R9000 & probably others] Blocklist based Firewall addon

Ok, studying your output, it seems that the script is working and filtering. That is good news for the R9000 because the script is working! And right now, you are protected (if you did not use clean) :)

Now, the problem is that my way of checking if the blocklist is working is not working properly on the R9000, likely because of little differences in the installed binaries (different versions, etc.).
The good news is I suspect it can be easily fixed, but I will need your help as I don't have an R9000.

With the script running (if you used the script with clean, please use restart or update again), would you try these commands for me and give me the output?
Code:
iptables -S 2>/dev/null | grep -F "FwBl" | grep -Fv "LOG"

And

Code:
iptables -S 2>/dev/null | grep -F "FwBl" | grep -Fv "LOG" | md5sum -

Thank you!

Install info:

The script is properly installed.
- firewall-blocklist version: v3.2.0
- This is the last version.
- iprange is not installed.

"Something is not working"
...
 
Hello! Great news if it's working. Is there a way for me to check it is working? Even if you wrote how to show logs I was not able to, and I'm sure the problem is on me, but it would be very nice if you could just write a copy-paste command to show the logs and what is happening with the fantastic blocking :)

I will try to get this Entware going. I know I looked at it when I first installed Voxel but gave up. I will give it a new shot. Thank you a lot!

Now to the response of your commands:

Command 1

Code:
-N FwBl_DROP
-A INPUT -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
-A FORWARD -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
-A FORWARD -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
-A OUTPUT -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
-A FwBl_DROP -j DROP

Command 2

Code:
9b7ed183ae8e4d418c957c16fca26939  -
 
Interesting...

[EDIT]: never mind the test I just posted here. I figured it out. For some reason, the iptables output ends with a space on the R7800 and none on the R9000.
Now that I have identified that, I will be able to correct and release a version that will display correct status information on the R9000. Thank you!

For the log, to enable it, just do:
Code:
/opt/bolemo/scripts/firewall-blocklist restart -log=on
To check it is on, do:
Code:
/opt/bolemo/scripts/firewall-blocklist status
And to read the log:
Code:
/opt/bolemo/scripts/firewall-blocklist log

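The trailing-space difference identified above is exactly what breaks a status check that hashes raw `iptables -S` output. As an added example that is not part of this thread or of the firewall-blocklist script, here is a POSIX sh check that normalizes whitespace before fingerprinting and comparing the rule set, so it reports the same result on both routers; the rule text comes from the outputs posted in this thread, the two router samples are constructed, and all function names are assumptions.

```shell
#!/bin/sh
# The rule set the script installs, as posted in this thread.
expected_rules() {
  cat <<'EOF'
-N FwBl_DROP
-A INPUT -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
-A FORWARD -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
-A FORWARD -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
-A OUTPUT -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
-A FwBl_DROP -j DROP
EOF
}

# Constructed samples of `iptables -S | grep -F FwBl | grep -Fv LOG`:
# the R7800 build ends every line with a space, the R9000 build does not.
r7800_output() { expected_rules | sed 's/$/ /'; }
r9000_output() { expected_rules; }

# Canonical form: trim leading/trailing blanks, squeeze runs of blanks,
# drop empty lines. Rule order is kept because order matters in a chain.
normalize_rules() {
  sed 's/^[[:blank:]]*//; s/[[:blank:]]*$//; s/[[:blank:]]\{1,\}/ /g; /^$/d'
}

# Fingerprint of the normalized rules; identical on both routers.
rules_fingerprint() { normalize_rules | md5sum | cut -d' ' -f1; }

# Exact match of the live rule set ($1 = raw iptables -S output) against
# the expected one, ignoring whitespace. Returns 0 on match, 1 otherwise.
blocklist_rules_match() {
  [ "$(printf '%s\n' "$1" | normalize_rules)" = "$(expected_rules)" ]
}

# Print every expected rule absent from the raw output in $1, one per line,
# so a status report can name what is missing instead of just "hash differs".
missing_rules() {
  actual=$(printf '%s\n' "$1" | normalize_rules)
  expected_rules | while IFS= read -r rule; do
    printf '%s\n' "$actual" | grep -Fxq -- "$rule" || printf '%s\n' "$rule"
  done
}

# Demo on the constructed samples: raw hashes differ, normalized ones agree.
# On a router, feed the real output instead:
#   missing_rules "$(iptables -S 2>/dev/null | grep -F FwBl | grep -Fv LOG)"
printf 'raw R7800:  %s\n' "$(r7800_output | md5sum | cut -d' ' -f1)"
printf 'raw R9000:  %s\n' "$(r9000_output | md5sum | cut -d' ' -f1)"
printf 'normalized: %s (R7800) %s (R9000)\n' \
  "$(r7800_output | rules_fingerprint)" "$(r9000_output | rules_fingerprint)"
```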
Thanks, it was the "restart" before "-log on" I failed to understand :)

Here are the responses to your commands

Command 1

Code:
-N FwBl_DROP
-A INPUT -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
-A FORWARD -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
-A FORWARD -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
-A OUTPUT -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
-A FwBl_DROP -j DROP

Command 2

Code:
9b7ed183ae8e4d418c957c16fca26939  -
 
Perfect!
Will post an updated version soon and status should be fine on the R9000 :)

 
V3.2.1

Recommended upgrade procedure:
Code:
/opt/bolemo/scripts/firewall-blocklist clean
/opt/bolemo/scripts/firewall-blocklist upgrade
/opt/bolemo/scripts/firewall-blocklist update

@KW. : after upgrade & update, could you do:
Code:
/opt/bolemo/scripts/firewall-blocklist status -v
And post output, to check if all is ok?
Thank you :)
 
For some reason the auto-update didn't work. But it seems to work great when I did from scratch from your site.

Autoupdate fail:

Code:
root@R9000:/$ /opt/bolemo/scripts/firewall-blocklist upgrade
Upgrading:
- Version installed: v3.2.
- Version found: v3.2.1
? Do you want to upgrade from v3.2.0 to v3.2.1 (y/n)? y
root@R9000:/$ y
/bin/ash: y: not found

Install info:

Code:
Info:
- The script is properly installed.
- firewall-blocklist version: v3.2.1
- This is the last version.
- iprange is not installed.

The status command

Code:
firewall-blocklist v3.2.1 - Verbose mode
Status:
- firewall-blocklist version: v3.2.1
- iprange is not installed.
- Firewall blocklist is set and active.
- Filtering 619985334 IP adresses.
- Logging is off.
Detailed status:
- /opt/scripts/firewall-start.sh exists with correct settings.
- Actual router time: Sat May  2 14:56:24 UTC 2020
- Blocklist generation time: Sat May  2 14:56:24 UTC 2020
- Router firewall was last started Sat May  2 14:56:24 UTC 2020:
  ipset blocklist was already loaded and was kept.
  blocklist rules were added to iptables.
- iptables rules are set:
  iptables -N FwBl_DROP
  iptables -A INPUT -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
  iptables -A FORWARD -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
  iptables -A FORWARD -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
  iptables -A OUTPUT -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
  iptables -A FwBl_DROP -j DROP
- Logging is inactive.
- ipset filter (blocklist) is set:
  Name: FwBl_BL
  Type: hash:net
  Revision: 6
  Header: family inet hashsize 16384 maxelem 65536
  Size in memory: 991012
  References: 4
  Number of entries: 44909
- ipset bypass (whitelist) is not set



Strange, I also just upgraded and that went flawlessly:
Code:
root@R7800:~$ /opt/bolemo/scripts/firewall-blocklist clean -v
firewall-blocklist v3.2.0 - Verbose mode
Cleaning...
- /opt/scripts/firewall-start.sh has no other rules; removed it.
- Built-in firewall restarted.
- Cleaned ipsets.
- Removed temporary files.
- Cleaning done.
Status:
- firewall-blocklist version: v3.2.0
- iprange is installed: iprange 1.0.4
- Firewall blocklist is not active; Settings are clean.
- Logging is off.
Detailed status:
- /opt/scripts/firewall-start.sh does not exist or does not have firewall-blocklist settings.
- iptables rules are not set.
- Logging is inactive.
- ipset filter (blocklist) does not exist.
- ipset bypass (whitelist) is not set.

root@R7800:~$ /opt/bolemo/scripts/firewall-blocklist upgrade -v
firewall-blocklist v3.2.0 - Verbose mode
Upgrading:
- Version installed: v3.2.0
- Version found: v3.2.1
? Do you want to upgrade from v3.2.0 to v3.2.1 (y/n)? y
- Downloading:
/tmp/firewall-blocklist.dl     100%[==================================================>]  24.29K  --.-KB/s    in 0.01s  
- Script installed to /opt/bolemo/scripts/firewall-blocklist
(I used verbose on the commands because I wanted to see more detail)
 
Again, it is likely a little difference between the environments on the R7800 and R9000.
The most important thing is that the script is working and reporting the correct setup.
I will look closer at this upgrade bug on the R9000 ( @KW. , I might need you to test), but I will likely look at that another day...
 
I totally agree! Thank you so very much for your help. And of course I will jump to test it when you release something new.

I can't notice any decrease in my performance with this great extra layer of security. I checked internet speed and also felt out whether anything was going slower on my network. Not noticed any drawbacks. Thank you again so very much!

Now I just have two challenges to solve. Get this Entware going with iprange. This I will try to solve on my own before I ask for help :)

But I would like to put the blacklist updates in the Kamoj addon but have no idea what to put in these boxes. If it is some easy command to put in there I would love to get some help with it, if it's no big task.



 

Attachment: kamoj cron.png
Cron job is
Code:
15 3 * * * /bin/sh /opt/bolemo/scripts/firewall-blocklist update
So when: 15 3 * * *
And command: /bin/sh /opt/bolemo/scripts/firewall-blocklist update


Can you try this (and report output, after answering y):
Code:
echo -n "Question (answer by y)? "; read A; echo -e "\n-$A-"; [ "$A" = 'y' ] && echo "OK" || echo "NOT OK"
 
Code:
echo -n "Question (answer by y)? "; read A; echo -e "\n-$A-"; [ "$A" = 'y' ] && echo "OK" || echo "NOT OK"
Question (answer by y)? y
--
NOT OK
root@R9000:/$ y
/bin/ash: y: not found
 
Ok, this is definitely behaving differently than on R7800.

Could you try this:
Code:
read -p "Type y? " A ; echo "answer:$A"

And this
Code:
A='y'; [ "$A" = 'y' ] && echo "OK" || echo "NOT OK"

EDIT: This is fun but I have no clue what you are doing or looking for :)

Command 1

Code:
root@R9000:/$ read -p "Type y? " A ; echo "answer:$A"
Type y? y
answer:
root@R9000:/$ y
/bin/ash: y: not found

Command 2
Code:
A='y'; [ "$A" = 'y' ] && echo "OK" || echo "NOT OK"
OK
 
This is a bit off topic for this thread but I clearly don't have the skills to set up Entware. I found some tutorials and have bombarded my router with desperate commands from threads here and other places, so now I'm a bit worried what is inside that thing. I will have to give up iprange and hope that your script someday can get iprange to the R9000. I will go to sleep with this damning message in my mind.

Code:
/opt/bin/opkg install iprange
Unknown package 'iprange'.
Collected errors:
* opkg_install_cmd: Cannot install package iprange.
 
Don't worry about that error message.
It did not install anything: the architecture was not matching (R9000 and R7800 CPUs are different) so the install of iprange aborted.
It did not leave any messy file in your router.

And for my test commands, they are harmless. I am simply trying to figure out the R9000 behavior with some commands to be able to make my script (the upgrade function) work on the R9000.
It did help, and I think I see what the problem is. I now have to find a solution (not easy without having an R9000 to test).

Good night!

No, you misunderstood me. I am not worried at all about your testing commands and will gladly try some more if you need :) I was talking about a lot of my own commands that I was throwing into it to try to get Entware to work from everywhere (just vented some frustration).

I'm not even a tiny little bit worried about your stuff and great help; you know what you are doing. I see that it was easy to misunderstand me when I read it again.
 
Thanks.

When you can, could you try this (and report output):
Code:
echo -n "say y: "; A=$(head -n1); echo $A

Bed time here...
