Aegis aegis: a firewall blocklist

[HELLO_wORLD]

So the problem is that for some reason, the built-in internal net-wall is not able to find firewall-start.sh even if the file exists!
Because of that problem, aegis engine cannot start (as any other rule in the file).

Is firewall-start.sh executable?
Did you do anything to /usr/sbin/net-wall?

You might want to open it and check around line 107.

The net-wall script is different if you are using stock, @Voxel or @Voxel with @kamoj add-on.
I suspect you are using @kamoj add-on. So you might want to check that with him and report this net-wall restart issue in the add-on thread (the one matching you version aka beta or not).

Hopefully, it won’t be complicated to solve.

Regards

 

[R. Gerrits]

First, the shebang should be #!/bin/sh (not bash), but that should not be the problem here.

actually, the issue is caused by the wrong shebang
the router doesn't have /bin/bash, so that is causing the not found errror

 

[HELLO_wORLD]

Problem found!
Thank you @R. Gerrits

In fact, it depends how the script is called.
/bin/sh a_script.sh would work (forcing to interpret using sh)
direct call to a_script.sh is not (looking for shebang property)

actually, the issue is caused by the wrong shebang
the router doesn't have /bin/bash, so that is causing the not found errror

 

[D3FenD3r]

changed script to #! /bin/sh


root@R9000:/$ net-wall restart
Starting Firewall...
Done!
/bin/sh: /etc/appflow/streamboost.d/40_qdiscman: not found
/bin/sh: /etc/appflow/streamboost.d/40_qdiscman: not found
root@R9000:/$

 

[D3FenD3r]

root@R9000:/$ aegis update -v
aegis 1.1.4 - Verbose mode
Initializing...
- 'firewall-start.sh' is in place and ok.
- 'aegis' is installed on external drive.
- 'post-mount.sh' is in place and ok.
Updating blocklist from sources...
- Downloading lists defined in /opt/bolemo/etc/aegis.sources
1) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset
- 100%[===================>] 41.85K --.-KB/s in 0.02s

2) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset
- 100%[===================>] 61.39K --.-KB/s in 0.003s

3) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset
- 100%[===================>] 261.78K --.-KB/s in 0.02s

4) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/iblocklist_ciarmy_malicious.netset
- 100%[===================>] 201.62K --.-KB/s in 0.01s

5) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/malwaredomainlist.ipset
- 100%[===================>] 14.49K --.-KB/s in 0.001s

- Optimizing and reducing netset (using iprange)...
- Done.
Building ipset blocklist (34200 entries blocking 619480728 ips)...
- Created blocklist, swapping it.
- Done.
- Internal firewall does not need to be restarted.
Status:
- 'aegis' version: 1.1.4
- 'iprange' is installed: iprange 1.0.4
- 'aegis' is set and active for WAN interface (brwan).
- Filtering 619480728 IP adresses.
- WAN gateway IP range does not need to be bypassed.
- Logging is on.
Detailed status:
- 'firewall-start.sh' exists with correct settings.
- 'post-mount.sh' exists with correct settings.
- Actual router time: 2020-10-20 16:48:14
- Blocklist generation time: 2020-10-20 16:48:14
- Router firewall was last started 2020-10-20 16:48:14:
ipset blocklist was already loaded.
iptables logging rules were set.
iptables WAN rules were set.
- iptables rules are set:
WAN interface rules are set
iptables -N aegis_dst
iptables -N aegis_src
iptables -A INPUT -i brwan -m set --match-set aegis_bl src -j aegis_src
iptables -A FORWARD -i brwan -m set --match-set aegis_bl src -j aegis_src
iptables -A FORWARD -o brwan -m set --match-set aegis_bl dst -j aegis_dst
iptables -A OUTPUT -o brwan -m set --match-set aegis_bl dst -j aegis_dst
iptables -A aegis_dst -j LOG --log-prefix "[aegis] "
iptables -A aegis_dst -j DROP
iptables -A aegis_src -j LOG --log-prefix "[aegis] "
iptables -A aegis_src -j DROP
- Logging is active.
- ipset blocklist is set:
Name: aegis_bl
Type: hash:net
Revision: 6
Header: family inet hashsize 16384 maxelem 34200
Size in memory: 860268
References: 4
Number of entries: 34200
- ipset whitelist is not set.
- ipset WAN gateway bypass is not set.
root@R9000:/$

 

[kamoj]

Good you got it working.
Thank you all skilled and extremely helpful people here in the forum!!!

If you are using the kamoj add-on:
If you don't need mix your own rules with Aegis rules,
you can put your own rules in another file, e.g. /opt/scripts/firewall-start-my_own_rules.sh.
(All /opt/scripts/firewall-start*.sh are executed by the kamoj add-on version of net-wall)

changed script to #! /bin/sh


root@R9000:/$ net-wall restart
Starting Firewall...
Done!
/bin/sh: /etc/appflow/streamboost.d/40_qdiscman: not found
/bin/sh: /etc/appflow/streamboost.d/40_qdiscman: not found
root@R9000:/$

 

[D3FenD3r]

thank you all for your help .... from the heart

 

[Jauger]

@HELLO_wORLD ....is there a way to easily add an entire range of IPs to the custom blacklist? Say like
179.107.48.1 - 179.107.55.254 which is a range of about 2000?

 

[HELLO_wORLD]

Yep, it accepts IP with CIDR extension.
For your example just add this line in the custom blacklist file:

179.107.48.1/21

 

[Jauger]

Yep, it accepts IP with CIDR extension.
For your example just add this line in the custom blacklist file:

179.107.48.1/21

Thank you sir.....I thought it was that simple but wanted to be sure.................on a side note if anyone wants to really see the benifits of aegis just add 8.8.8.8 & 8.8.4.4 (google dns)to your custom-blacklist....this is the sure way of blocking those hardcoded dns devices

 

[Sizzlechest]

Just asking... Is there a way to apply this list to dnscrypt-proxy? It has an IP blacklist feature, too.

 

[HELLO_wORLD]

It depends on the specs dnscrypt-proxy black lists.

But if it is already blocked by aegis, there is no need to put it anywhere else as all incoming traffic from the list and outgoing traffic to the list will be blocked.

Moreover, DNS blocking is generally useful when blocking domains and subdomains more than plain IPs. So lists in DNS blocking and firewall blocking are often different.

Just asking... Is there a way to apply this list to dnscrypt-proxy? It has an IP blacklist feature, too.

 

[D3FenD3r]

it seems that it does not log me
ping a blocked ip should report it in the log?

root@R9000:/tmp/mnt/sdc1/bolemo/etc$ aegis status -v
aegis 1.1.4 - Verbose mode
Status:
- 'aegis' version: 1.1.4
- 'iprange' is installed: iprange 1.0.4
- 'aegis' is set and active for WAN interface (brwan).
- Filtering 619488946 IP adresses.
- WAN gateway IP range does not need to be bypassed.
- Logging is on.
Detailed status:
- 'firewall-start.sh' exists with correct settings.
- 'post-mount.sh' exists with correct settings.
- Actual router time: 2020-10-22 00:47:33
- Blocklist generation time: 2020-10-22 00:47:33
- Router firewall was last started 2020-10-22 00:47:33:
     ipset blocklist was already loaded.
     iptables logging rules were set.
     iptables WAN rules were set.
- iptables rules are set:
     WAN interface rules are set
     iptables -N aegis_dst
     iptables -N aegis_src
     iptables -A INPUT -i brwan -m set --match-set aegis_bl src -j aegis_src
     iptables -A FORWARD -i brwan -m set --match-set aegis_bl src -j aegis_src
     iptables -A FORWARD -o brwan -m set --match-set aegis_bl dst -j aegis_dst
     iptables -A OUTPUT -o brwan -m set --match-set aegis_bl dst -j aegis_dst
     iptables -A aegis_dst -j LOG --log-prefix "[aegis] "
     iptables -A aegis_dst -j DROP
     iptables -A aegis_src -j LOG --log-prefix "[aegis] "
     iptables -A aegis_src -j DROP
- Logging is active.
- ipset blocklist is set:
     Name: aegis_bl
     Type: hash:net
     Revision: 6
     Header: family inet hashsize 16384 maxelem 49834
     Size in memory: 1056492
     References: 4
     Number of entries: 49834
- ipset whitelist is not set.
- ipset WAN gateway bypass is not set.
root@R9000:/tmp/mnt/sdc1/bolemo/etc$
root@R9000:/tmp/mnt/sdc1/bolemo/etc$ ping 1.19.0.0
PING 1.19.0.0 (1.19.0.0): 56 data bytes
ping: sendto: Operation not permitted
root@R9000:/tmp/mnt/sdc1/bolemo/etc$
root@R9000:/tmp/mnt/sdc1/bolemo/etc$ aegis log -v
aegis 1.1.4 - Verbose mode
Log:
If the log is empty, to be sure it is enabled, use the status parameter.
root@R9000:/tmp/mnt/sdc1/bolemo/etc$
root@R9000:/tmp/mnt/sdc1/bolemo/etc$

 

[D3FenD3r]

from http://172.16.0.1/bolemo/aegis.htm

Time: 2020-10-19 12:30:38
Command: /usr/bin/aegis -v status -html
Output:

aegis 1.1.4 - Verbose mode
Status:
- 'aegis' version: 1.1.4
- 'iprange' is installed: iprange 1.0.4
- Something is not right! Use 'aegis -v status' for more details
- Logging is off.
Detailed status:
- 'firewall-start.sh' exists with correct settings.
- 'post-mount.sh' exists with correct settings.
- Actual router time: 2020-10-19 12:30:38
- Blocklist generation time: 2020-10-19 12:30:38
- Router firewall was last started 2020-10-19 12:30:38:
     ipset blocklist was loaded from blocklist file.
     iptables WAN rules were set.
- iptables rules are not set.
- Logging is inactive.
- ipset blocklist is set:
     Name: aegis_bl
     Type: hash:net
     Revision: 6
     Header: family inet hashsize 16384 maxelem 48950
     Size in memory: 1042212
     References: 0
     Number of entries: 48950
- ipset whitelist is not set.
- ipset WAN gateway bypass is not set.

 

[R. Gerrits]

aegis log -v is calling dmesg and filtering the result.

I checked this also on my R7800 -> dmesg is not showing any kernel messages.
So perhaps a bug in the firmware???
But I notice you have a R9000. So would be strange that dmesg stopped working on 2 different firmwares.

Can someone else test this aswell ??

 

[HELLO_wORLD]

pings to blocked IPs are blocked and logged (hence the “Operation not permitted”)

@kamoj informed me that R9000 is not good with dmesg.
Try this:

/bin/grep -F aegis /var/log/log-message

However, @D3FenD3r your second post shows that logging is off...
You can always manually check that iptables is logging aegis using:

iptables -S | grep -F LOG

I am finalizing an update with a lot of optimizations, better logging (using /var/log instead of dmesg), and with a really nice html page. I will publish the update in a few days or weeks.

 

[kamoj]

I've been running with a change of:

dmesg | grep -F "$SC_NAME" | while IFS= read -r LINE; do

to:

grep "$SC_NAME" /var/log/log-message | while IFS= read -r LINE; do

 

[D3FenD3r]

root@R9000:/$ /bin/grep -F aegis /var/log/log-message
33181:[aegis] IN=brwan OUT= MAC=a0:40:a0:76:e1:1f:54:e0:32:ca:69:00:08:00 SRC=94.102.51.28 DST=185.178.92.149 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=18068 PROTO=TCP SPT=54930 DPT=3337 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
33270:[aegis] IN=brwan OUT= MAC=a0:40:a0:76:e1:1f:54:e0:32:ca:69:00:08:00 SRC=185.175.93.23 DST=185.178.92.149 LEN=40 TOS=0x08 PREC=0x20 TTL=243 ID=37935 PROTO=TCP SPT=48436 DPT=5932 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
33298:[aegis] IN=brwan OUT= MAC=a0:40:a0:76:e1:1f:54:e0:32:ca:69:00:08:00 SRC=45.145.185.47 DST=185.178.92.149 LEN=40 TOS=0x08 PREC=0x20 TTL=51 ID=37901 PROTO=TCP SPT=53950 DPT=52869 WINDOW=27261 RES=0x00 SYN URGP=0 MARK=0x10
33308:[aegis] IN=brwan OUT= MAC=a0:40:a0:76:e1:1f:54:e0:32:ca:69:00:08:00 SRC=165.227.161.29 DST=185.178.92.149 LEN=75 TOS=0x00 PREC=0x00 TTL=52 ID=24620 DF PROTO=UDP SPT=30301 DPT=8083 LEN=55 MARK=0x10
33312:[aegis] IN=brwan OUT= MAC=a0:40:a0:76:e1:1f:54:e0:32:ca:69:00:08:00 SRC=147.203.238.18 DST=185.178.92.149 LEN=68 TOS=0x00 PREC=0x00 TTL=239 ID=54321 PROTO=UDP SPT=53580 DPT=111 LEN=48 MARK=0x10
33323:[aegis] IN=brwan OUT= MAC=a0:40:a0:76:e1:1f:54:e0:32:ca:69:00:08:00 SRC=103.145.13.118 DST=185.178.92.149 LEN=445 TOS=0x00 PREC=0xC0 TTL=50 ID=54990 DF PROTO=UDP SPT=5080 DPT=5060 LEN=425 MARK=0x1
33350:[aegis] IN=brwan OUT= MAC=a0:40:a0:76:e1:1f:54:e0:32:ca:69:00:08:00 SRC=128.14.141.126 DST=185.178.92.149 LEN=40 TOS=0x08 PREC=0x20 TTL=236 ID=54321 PROTO=TCP SPT=47920 DPT=11 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x10
33373:[aegis] IN=brwan OUT= MAC=a0:40:a0:76:e1:1f:54:e0:32:ca:69:00:08:00 SRC=45.129.33.84 DST=185.178.92.149 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=53972 PROTO=TCP SPT=47808 DPT=35615 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
root@R9000:/$
root@R9000:/$ iptables -S | grep -F LOG
-A aegis_dst -j LOG --log-prefix "[aegis] "
-A aegis_src -j LOG --log-prefix "[aegis] "
Can't find library for target `TRIGGER'
root@R9000:/$

 

[D3FenD3r]

other sites like http://iplists.firehol.org/
where is it ?

 

[HELLO_wORLD]

other sites like http://iplists.firehol.org/
where is it ?

On the left:

All IP lists monitored

• By Category
• By Maintainer
• Alphabetically