Aegis (simple yet effective protection)

Hmm, I think I get congestion/packetloss-like behaviour. Even running speedtest by ookla, the needle at some moments freezes for a second or two both in download & upload and also while talking with a friend on Discord he was losing me at the exact time needles were freezing. Removed the rules and restarted firewall, I even restarted both the modem and the router and the issue persists. Is it possible to view logs of such behaviour? Or in general monitor latency/jitter/packet loss? If I connect my PC directly to the modem everything is ok.

Additionally what are the [LAN access from remote] entries in my Netgear's Logs? I have a lot. In fact for the first time I had a warning from my Bitdefender firewall today that a port scan was detected and blocked from remote ip: 220.164.192.25

All the logs are going to /var/log/log-message
It is rotated when it is over 1000 lines, so no huge history is accessible.

The R7800 is able to handle speedtest (from LAN, not router) without congestion. I use ookla official CLI binary, and I reach about 950 Mbit/s both ways (max of my bandwidth) without glitches.

Might be here the modem or ISP.

Do you have that when you use directly the modem and a PC (and not going at all through R7800)?
 

When I connected the PC directly to modem I didn't notice that behaviour.

I called ISP and they said they don't see any packet loss on their side.

EDIT: Let's continue the discussion on this matter on my topic, so we won't get off topic again. Thank you.
 
1.6.12

Added basic privacy friendly metrics code.
When upgrade is done, and only then, it sends ip (not stored, just to find country), router model (just R7800, R9000, RBR50...), and if it is installed internal or external (just "ext" or "int", no drive name sent).
It is using goat counter that is open source and cares about privacy, and all I have at the end is country (no ip), router model, aegis version being downloaded as well as installation being internal or external.

This is to have basic statistics about aegis (how many people are downloading it, where in the world, and router models).

Once an upgrade or install is done, it does not send anything until next upgrade. Nothing is ever sent about usage, lists, etc...

Also, this upgrade from 1.6.11 to 1.6.12 won’t send anything, as the upgrade process doing it is not in 1.6.11.
It will start the following upgrade (to 1.7.0 beta or to 1.7.0 when not beta anymore).
 
I have a problem, aegis runs ok until I start the vpn.
Tried different versions of voxel but still the same. Tried deleting and reinstalling, same result. Tried installing internal memory and usb.

AEGIS by bolemo
version 1.6.12
internal drive

Status @ 2021-02-24 15:57:44 (router time)

  • Something is not right!

Errors

  • iptables: VPN network range bypass rules are not right!
Detailed status
  • Active WAN interface is 'ppp0'.
  • Active VPN tunnel is 'tun21'.
  • Sources cache directives update time: 2021-02-24 15:57:30
  • Blocklist directives generation time: 2021-02-24 15:57:31
  • set: firewall-start.sh is set for aegis.
  • ipset: blocklist is set.
  • iptables: shield chains are set.
  • iptables: VPN tunnel IFO rules are set.
  • iptables: WAN interface IFO rules are set.
Last shield uprear report
  • shield was upreared from: aegis script @ 2021-02-24 15:57:35
  • WAN interface was 'ppp0'.
  • VPN tunnel was 'tun21'.
  • directives: ipset blocklist was set from file.
  • directives: no whitelist file was found.
  • iptables: rules were UNSUCCESSFULLY (re)set!
  • log daemon: was already off.
Debug
  • device info: R7800 R7800 V1.0.2.82.2SF
  • aegis info: aegis 1.6.12-int
  • status codes: ck:1557|pb:64|wn:0|wif:ppp0|wnt:195.213.35.223|tif:tun21|tnt:10.39.0.222|blc:619647669|wlc:0|log:1
  • info file: 103951|ppp0|tun21
  • timestamps: inf:1614182255|cch:1614182250|bld:1614182251|wld:
  • conf:
    • aegis.wan=net-iface
    • aegis.tun=net-iface
    • aegis.log=log
    • aegis.up=1
    • aegis_web.log=subsection
  • iptables engine rules:
    • -N aegis_dst
    • -N aegis_src
    • -A INPUT -i ppp0 -m set --match-set aegis_bl src -m comment --comment "incoming in aegis blocklist" -j aegis_src
    • -A INPUT -i tun21 -m set --match-set aegis_bl src -m comment --comment "incoming in aegis blocklist" -j aegis_src
    • -A FORWARD -i ppp0 -m set --match-set aegis_bl src -m comment --comment "incoming in aegis blocklist" -j aegis_src
    • -A FORWARD -o ppp0 -m set --match-set aegis_bl dst -m comment --comment "outgoing in aegis blocklist" -j aegis_dst
    • -A FORWARD -i tun21 -m set --match-set aegis_bl src -m comment --comment "incoming in aegis blocklist" -j aegis_src
    • -A FORWARD -o tun21 -m set --match-set aegis_bl dst -m comment --comment "outgoing in aegis blocklist" -j aegis_dst
    • -A OUTPUT -o ppp0 -m set --match-set aegis_bl dst -m comment --comment "outgoing in aegis blocklist" -j aegis_dst
    • -A OUTPUT -o tun21 -m set --match-set aegis_bl dst -m comment --comment "outgoing in aegis blocklist" -j aegis_dst
    • -A aegis_dst -d 10.39.0.222/32 -o tun21 -m comment --comment "aegis inet bypass" -j RETURN
    • -A aegis_dst -m comment --comment "aegis reject outgoing" -j REJECT --reject-with icmp-admin-prohibited
    • -A aegis_src -s 10.39.0.222/32 -i tun21 -m comment --comment "aegis inet bypass" -j RETURN
    • -A aegis_src -m comment --comment "aegis drop incoming" -j DROP
  • ipset engine sets:
    • blocklist:
      • Name: aegis_bl
      • Type: hash:net
      • Revision: 7
      • Header: family inet hashsize 16384 maxelem 51087 bucketsize 12 initval 0xb339ef08
      • Size in memory: 1184472
      • References: 8
      • Number of entries: 51087
 
All seems ok (iptables and ipset), meaning aegis is doing its job for you. Now, the status check reports wrongly an error, and it clearly should not.

I rewrote this almost entirely in 1.7.0.

Would you mind trying the beta version? Easy to revert to 1.6.12 if needed.
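
The judgement above ("all seems ok") can be reproduced mechanically from the rule listing in the status report. The following is an added example, not aegis code and not its status check (whose logic is not shown in this thread): it assumes the expected shape is the one visible in the posted listing, that is, four blocklist hooks per interface and a tunnel bypass `RETURN` placed before the final `DROP`/`REJECT` in each aegis chain. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not aegis's own status check (its logic is not shown in the thread).
# check_rules FILE WAN_IF TUN_IF TUN_NET
#   FILE holds rules in `iptables -S` form. Prints one line per problem and
#   returns the number of problems (0 = listing has the expected shape).
check_rules() {
  f=$1 wif=$2 tif=$3 tnet=$4 bad=0
  need() {   # need DESCRIPTION FIXED_STRING
    grep -qF -- "$2" "$f" || { echo "missing: $1"; bad=$((bad + 1)); }
  }
  order() {  # order CHAIN BYPASS_MATCH FINAL_TARGET
    awk -v c="-A $1 " -v b="$2" -v t="-j $3" '
      index($0, c) == 1 && index($0, b) && / -j RETURN$/ { if (!ret) ret = NR }
      index($0, c) == 1 && index($0, t)                  { if (!fin) fin = NR }
      END { exit !(ret && fin && ret < fin) }' "$f" ||
      { echo "chain $1: bypass for $tnet missing or not before $3"; bad=$((bad + 1)); }
  }
  # Every protected interface needs the four hooks into the aegis chains.
  for i in "$wif" "$tif"; do
    need "INPUT hook on $i"       "-A INPUT -i $i -m set --match-set aegis_bl src"
    need "FORWARD-in hook on $i"  "-A FORWARD -i $i -m set --match-set aegis_bl src"
    need "FORWARD-out hook on $i" "-A FORWARD -o $i -m set --match-set aegis_bl dst"
    need "OUTPUT hook on $i"      "-A OUTPUT -o $i -m set --match-set aegis_bl dst"
  done
  # The bypass must come first, otherwise the final rule swallows the tunnel traffic.
  order aegis_src "-s $tnet -i $tif" DROP
  order aegis_dst "-d $tnet -o $tif" REJECT
  return "$bad"
}

# Rule listing copied from the status report posted in the thread.
sample_rules() {
  cat <<'EOF'
-N aegis_dst
-N aegis_src
-A INPUT -i ppp0 -m set --match-set aegis_bl src -m comment --comment "incoming in aegis blocklist" -j aegis_src
-A INPUT -i tun21 -m set --match-set aegis_bl src -m comment --comment "incoming in aegis blocklist" -j aegis_src
-A FORWARD -i ppp0 -m set --match-set aegis_bl src -m comment --comment "incoming in aegis blocklist" -j aegis_src
-A FORWARD -o ppp0 -m set --match-set aegis_bl dst -m comment --comment "outgoing in aegis blocklist" -j aegis_dst
-A FORWARD -i tun21 -m set --match-set aegis_bl src -m comment --comment "incoming in aegis blocklist" -j aegis_src
-A FORWARD -o tun21 -m set --match-set aegis_bl dst -m comment --comment "outgoing in aegis blocklist" -j aegis_dst
-A OUTPUT -o ppp0 -m set --match-set aegis_bl dst -m comment --comment "outgoing in aegis blocklist" -j aegis_dst
-A OUTPUT -o tun21 -m set --match-set aegis_bl dst -m comment --comment "outgoing in aegis blocklist" -j aegis_dst
-A aegis_dst -d 10.39.0.222/32 -o tun21 -m comment --comment "aegis inet bypass" -j RETURN
-A aegis_dst -m comment --comment "aegis reject outgoing" -j REJECT --reject-with icmp-admin-prohibited
-A aegis_src -s 10.39.0.222/32 -i tun21 -m comment --comment "aegis inet bypass" -j RETURN
-A aegis_src -m comment --comment "aegis drop incoming" -j DROP
EOF
}
```

On a router the listing would come from `iptables -S` saved to a file; with the sample above, `check_rules FILE ppp0 tun21 10.39.0.222/32` reports no problems.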
 
Tried to update, nothing updates

root@R7800:/$
root@R7800:/$ aegis unset
root@R7800:/$ aegis upgrade -repo=beta

Upgrading:
- version installed: 1.6.12
- new version available: 1.7.0b4
? do you want to upgrade from 1.6.12 to 1.7.0b4 (y/n)? y

root@R7800:/$
root@R7800:/$
 
That is odd. Have you tried more than once?

And if you do just aegis upgrade and reapply 1.6.12, does it have the same problem?
 
Tried several times with same result


root@R7800:/$
root@R7800:/$ aegis upgrade

Upgrading:
- version installed: 1.6.12
- you have already the latest version: 1.6.12
? do you want to reapply it (y/n)? y

- Downloading:
/tmp/aegis.dl 100%[===================>] 67.07K --.-KB/s in 0.02s
- Script installed to /opt/bolemo/scripts/aegis
- downloading Web Companion:
/tmp/aegis.dl 100%[===================>] 23.34K --.-KB/s in 0.007s
- Web Companion htm file installed to /opt/bolemo/www/aegis.htm
/tmp/aegis.dl 100%[===================>] 18.61K --.-KB/s in 0.002s
- Web Companion cgi file installed to /opt/bolemo/www/cgi-bin/aegis_web.cgi
root@R7800:/$
root@R7800:/$
 
Ok, that is very strange.

What if you do: aegis upgrade -repo=master
It should get 1.6.12

If it works, would you try again? Maybe a GitHub glitch when you tried?
 
Still didn't update

root@R7800:/$
root@R7800:/$ aegis upgrade -repo=master

Upgrading:
- version installed: 1.6.12
- you have already the latest version: 1.6.12
? do you want to reapply it (y/n)? n

root@R7800:/$
root@R7800:/$ aegis unset
root@R7800:/$ aegis upgrade -repo=beta

Upgrading:
- version installed: 1.6.12
- new version available: 1.7.0b4
? do you want to upgrade from 1.6.12 to 1.7.0b4 (y/n)? y

root@R7800:/$
root@R7800:/$
 
And if you reapply (answering y) 1.6.12 using aegis upgrade -repo=master
Does it download or does it do the same as using -repo=beta?

I am trying to figure out if the problem is from using the argument -repo or not. If the download is successful when you use -repo=master, this is extremely strange, because the download process is exactly the same, just the url changes: one is from https://github.com/bolemo/aegis/raw/master/... and the other from https://github.com/bolemo/aegis/raw/beta/...

And it works for me (and apparently everyone else).

Also does it stall or just quit instantly?



I will give you a way to install it manually
 
root@R7800:/$
root@R7800:/$ aegis upgrade -repo=master

Upgrading:
- version installed: 1.6.12
- you have already the latest version: 1.6.12
? do you want to reapply it (y/n)? y

- Downloading:
/tmp/aegis.dl 100%[===================>] 67.07K --.-KB/s in 0.02s
- Script installed to /opt/bolemo/scripts/aegis
- downloading Web Companion:
/tmp/aegis.dl 100%[===================>] 23.34K --.-KB/s in 0.02s
- Web Companion htm file installed to /opt/bolemo/www/aegis.htm
/tmp/aegis.dl 100%[===================>] 18.61K --.-KB/s in 0.003s
- Web Companion cgi file installed to /opt/bolemo/www/cgi-bin/aegis_web.cgi
root@R7800:/$
root@R7800:/$
 
Ok, this is puzzling.


Could you try this (to check if there is a weird blocking between you and GitHub for the beta repo):
wget -vO- https://github.com/bolemo/aegis/raw/beta/aegis >/dev/null

You should have something like:
Code:
--2021-02-24 18:57:32--  https://github.com/bolemo/aegis/raw/beta/aegis
Resolving github.com... 140.82.121.3
Connecting to github.com|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/bolemo/aegis/beta/aegis [following]
--2021-02-24 18:57:38--  https://raw.githubusercontent.com/bolemo/aegis/beta/aegis
Resolving raw.githubusercontent.com... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 69754 (68K) [text/plain]
Saving to: 'STDOUT'

-                                 100%[============================================================>]  68.12K  --.-KB/s    in 0.02s  

2021-02-24 18:57:38 (4.32 MB/s) - written to stdout [69754/69754]
 
root@R7800:/$
root@R7800:/$ wget -vO- https://github.com/bolemo/aegis/raw/beta/aegis >/dev/null
--2021-02-24 18:10:56-- https://github.com/bolemo/aegis/raw/beta/aegis
Resolving github.com... 140.82.121.3
Connecting to github.com|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/bolemo/aegis/beta/aegis [following]
--2021-02-24 18:10:56-- https://raw.githubusercontent.com/bolemo/aegis/beta/aegis
Resolving raw.githubusercontent.com... 185.199.108.133, 185.199.111.133, 185.199.109.133, ...
Connecting to raw.githubusercontent.com|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 69754 (68K) [text/plain]
Saving to: 'STDOUT'

- 100%[===================>] 68.12K --.-KB/s in 0.02s

2021-02-24 18:10:56 (3.24 MB/s) - written to stdout [69754/69754]

root@R7800:/$
root@R7800:/$
 
If the wget test I sent before worked (I see that while I write here you answered) here is how you can install beta manually:
Code:
aegis unset
wget -qO- https://raw.githubusercontent.com/bolemo/aegis/beta/aegis >/opt/bolemo/scripts/aegis
wget -qO- https://raw.githubusercontent.com/bolemo/aegis/beta/aegis.htm >/opt/bolemo/www/aegis.htm
wget -qO- https://raw.githubusercontent.com/bolemo/aegis/beta/aegis_web.cgi >/opt/bolemo/www/cgi-bin/aegis_web.cgi
aegis up

Now, why the upgrade to beta from aegis is not working for you is beyond me at this point...
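
A caveat on the manual procedure above: `wget ... >file` truncates the installed file before the transfer starts, so a failed or partial download leaves an empty or broken script in place. The following staged variant is an added example, not part of aegis and not from the original post; the function names, the `MIN_BYTES` floor and the assumption that the script and the cgi file begin with `#!` are mine, while the URLs and paths are the ones posted above.

```shell
#!/bin/sh
# Added example, not part of aegis: replace a set of installed files all-or-nothing.
# Assumes destination paths contain no whitespace.
FETCH=${FETCH:-"wget -qO-"}    # must write the body to stdout, non-zero on failure
MIN_BYTES=${MIN_BYTES:-1024}   # assumed floor; the thread shows files of 18K to 68K

# stage URL DEST KIND: download to DEST.new and validate it; DEST is never touched.
stage() {
  url=$1; new="$2.new"; kind=$3
  if ! $FETCH "$url" >"$new"; then
    echo "download failed: $url" >&2; rm -f "$new"; return 1
  fi
  size=$(( $(wc -c <"$new") ))
  if [ "$size" -lt "$MIN_BYTES" ]; then
    echo "body too small ($size bytes): $url" >&2; rm -f "$new"; return 1
  fi
  if [ "$kind" = script ]; then
    # Assumption: scripts start with "#!"; an HTML error page fails this test.
    IFS= read -r first <"$new" || :
    case $first in
      '#!'*) chmod 755 "$new" ;;
      *) echo "no shebang: $url" >&2; rm -f "$new"; return 1 ;;
    esac
  fi
}

# install_set "URL DEST KIND"...: stage every file, swap them in only if all staged.
install_set() {
  staged=""
  for item in "$@"; do
    url=${item%% *}; rest=${item#* }; dest=${rest%% *}; kind=${rest#* }
    if stage "$url" "$dest" "$kind"; then
      staged="$staged $dest"
    else
      for d in $staged; do rm -f "$d.new"; done
      return 1
    fi
  done
  for d in $staged; do
    [ -e "$d" ] && cp -p "$d" "$d.bak"   # keep the previous version for rollback
    mv -f "$d.new" "$d"                  # rename within one directory is atomic
  done
}

# URLs and paths as posted in the thread; run between `aegis unset` and `aegis up`.
install_aegis_beta() {
  base=https://raw.githubusercontent.com/bolemo/aegis/beta
  install_set \
    "$base/aegis /opt/bolemo/scripts/aegis script" \
    "$base/aegis.htm /opt/bolemo/www/aegis.htm file" \
    "$base/aegis_web.cgi /opt/bolemo/www/cgi-bin/aegis_web.cgi script"
}
```

If any of the three downloads fails validation, nothing under /opt/bolemo is modified and the previous version keeps running; after a successful swap the `.bak` copies allow a manual rollback.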
 
Aegis has been running great for me...thank you HELLO_wORLD!

However, I too have had some recent struggles with upgrades - at least from the web ui. I had never used the web ui until 1.6.9 and found I like it! I used it to upgrade to 1.6.10 and could not get Aegis to start afterwards. I recall the debug log had an error message at the time. I ended up reinstalling Aegis from the router console and all went well. I have never had a problem downloading/installing via wget and didn't think more about it.

But today I upgraded from 1.6.10 to 1.6.12 via the web ui - and once again Aegis would not re-start (even though the upgrade/restart dialog showed success with no errors). The Aegis status on the web ui showed the shield was down, but I think Aegis-info showed everything running. Perhaps this is the intended behavior and a manual restart is required (even though I thought the update dialog includes restart?). Restarting from the router console did not seem to fix the problem. I was able to restart Aegis from the web ui and all is good now.

I apologize for not having better information - Aegis has been so dependable for me that I haven't been paying much attention and didn't think this may be a problem with Aegis (and perhaps it isn't). I will be more watchful the next time I have an opportunity to upgrade.

BL
 
This is what I get

root@R7800:/$
root@R7800:/$ aegis unset
wget -qO- https://raw.githubusercontent.com/bolemo/aegis/beta/aegis >/opt/bolemo/scripts/aegis
^@wget -qO- https://raw.githubusercontent.com/bolemo/aegis/beta/aegis.htm >/opt/bolemo/www/aegis.htm
^@wget -qO- https://raw.githubusercontent.com/bolemo/aegis/beta/aegis_web.cgi >/opt/bolemo/www/cgi-bin/aegis_web.cgi
^@aegis uproot@R7800:/$ wget -qO- https://raw.githubusercontent.com/bolemo/aegis/beta/aegis >/opt/bolemo/scripts/aegis
root@R7800:/$ wget -qO- https://raw.githubusercontent.com/bolemo/aegis/beta/aegis.htm >/opt/bolemo/www/aegis.htm
root@R7800:/$ wget -qO- https://raw.githubusercontent.com/bolemo/aegis/beta/aegis_web.cgi >/opt/bolemo/www/cgi-bin/aegis_web.cgi
root@R7800:/$ aegis up
Problems:
- set: post-mount.sh is not set for aegis!
- iptables: current aegis rules were modified since last uprear!
Status:
- shield is up for: WAN interface (ppp0) and VPN tunnel (tun21).
- blocking a total of 619647669 IP addresses (global: 619647669, WAN only: 0, VPN only: 0).
- bypassing 0 IP addresses (global: 0, WAN only: 0, VPN only: 0).
- logging is disabled.
root@R7800:/$
root@R7800:/$
 
aegis gui disappeared. Tried to install from but nothing


root@R7800:/$
root@R7800:/$ aegis status
root@R7800:/$
root@R7800:/$ aegis upgrade
root@R7800:/$
root@R7800:/$ aegis web -install
root@R7800:/$
root@R7800:/$
 
