Aegis Aegis (simple yet effective protection)

[HELLO_wORLD]

All these entries are blocked connections.

I also get a lot like these. I also get the attached logs on the Logs tab of Netgear under Administration. @HELLO_wORLD Are all these false positives?

I am asking because I get random short Internet interruptions (~5sec) on my devices (PC - Disconnections from Game Servers , MiBoxS - IPTV freezes)

Netgear ddos is known to not be very accurate and have a lot of false positive. It is also known to show a lot of horrible things probably to convince it is doing a good job...
I had to disable it on my router as it was blocking legit packets and creating problems on my LAN (don’t remember what now, that was a while ago... but I think it was blocking some legit DNS requests). It is also obscure on what it blocks and why (no way to see its rules, change them, etc...). There are a lot of discussions here on SNB or Netgear forum about it.
You can safely turn it off, and I would not be surprised if it is the cause of your LAN problems!

Aegis does a better job to block known bad IPs, and it is transparent and customizable.
It is also not responsible for any micro cuts, as it does either block or not packets (all or nothing) without changing its mind after a few seconds.

As for a real and serious DDOS protection, it is easy to add some rules in iptables.
I might add that feature in aegis at some point as I already have custom rules that are working fine.

 

[sppmaster]

Netgear ddos is known to not be very accurate and have a lot of false positive. It is also known to show a lot of horrible things probably to convince it is doing a good job...

As for a real and serious DDOS protection, it is easy to add some rules in iptables.
I might add that feature in aegis at some point as I already have custom rules that are working fine.

I vote positively for your last intentions.

and I really don't like this.

It is also obscure on what it blocks and why (no way to see its rules, change them, etc...).

Does anyone know what NAT filtering does (ther are two options - secured and open). I tend to not like undocumented features.

 

[Warlord1981]

Netgear ddos is known to not be very accurate and have a lot of false positive. It is also known to show a lot of horrible things probably to convince it is doing a good job...
I had to disable it on my router as it was blocking legit packets and creating problems on my LAN (don’t remember what now, that was a while ago... but I think it was blocking some legit DNS requests). It is also obscure on what it blocks and why (no way to see its rules, change them, etc...). There are a lot of discussions here on SNB or Netgear forum about it.
You can safely turn it off, and I would not be surprised if it is the cause of your LAN problems!

Aegis does a better job to block known bad IPs, and it is transparent and customizable.
It is also not responsible for any micro cuts, as it does either block or not packets (all or nothing) without changing its mind after a few seconds.

As for a real and serious DDOS protection, it is easy to add some rules in iptables.
I might add that feature in aegis at some point as I already have custom rules that are working fine.

Many thanks, just checked Disable Port Scan and DoS Protection and will see how it goes. Also checked Netgear's Logs and I do not have anymore DoS Attacks logs. Only [LAN access from remote].

Does anyone know what NAT filtering does (ther are two options - secured and open). I tend to not like undocumented features.

Have the same question. I know Open is better for online gaming. Other than that does it raise security concerns?

Also should we manually Port Forward with UPnP Off or just leave only UPnP On or both? (both in terms of better online gaming experience and security)

 

[HELLO_wORLD]

Many thanks, just checked Disable Port Scan and DoS Protection and will see how it goes. Also checked Netgear's Logs and I do not have anymore DoS Attacks logs. Only [LAN access from remote].

For information, traffic blocked by aegis still appears in the Netgear LAN access log, as Netgear logs it before aegis intercepts it, but if it is blocked by aegis, it will not reach your LAN.

Have the same question. I know Open is better for online gaming. Other than that does it raise security concerns?

A lot of debates about that on the net. Not documented.
If it does anything to iptables, it is easy to compare its state with and without secured.

Also should we manually Port Forward with UPnP Off or just leave only UPnP On or both? (both in terms of better online gaming experience and security)

If you can, manual port forwarding is better than UPnP.
UPnP is an open door (from LAN though) allowing whatever to change the router settings... Probably rarely a real risk, but it exists and if exploited can be bad.

 

[Warlord1981]

For information, traffic blocked by aegis still appears in the Netgear LAN access log, as Netgear logs it before aegis intercepts it, but if it is blocked by aegis, it will not reach your LAN.


A lot of debates about that on the net. Not documented.
If it does anything to iptables, it is easy to compare its state with and without secured.


If you can, manual port forwarding is better than UPnP.
UPnP is an open door (from LAN though) allowing whatever to change the router settings... Probably rarely a real risk, but it exists and if exploited can be bad.

Thank you for all the information!

Unfortunately i still have these small disconnections. It's driving me nuts. Is it possible to see some logs in R7800 regarding this?

 

[Jauger]

As for a real and serious DDOS protection, it is easy to add some rules in iptables.
I might add that feature in aegis at some point as I already have custom rules that are working fine.

I am really interested in your custom rules you have in iptables....

 

[HELLO_wORLD]

I am really interested in your custom rules you have in iptables....

Nothing really special.
Here is what I use:

iptables -t mangle -N bolemo_ddos
iptables -t mangle -A PREROUTING -i brwan -j bolemo_ddos
iptables -t mangle -A bolemo_ddos -m conntrack --ctstate INVALID -j DROP
iptables -t mangle -A bolemo_ddos -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
iptables -t mangle -A bolemo_ddos -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec -j RETURN
iptables -t mangle -A bolemo_ddos -p icmp -m icmp --icmp-type 8 -j DROP
iptables -t mangle -A bolemo_ddos -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
iptables -t mangle -A bolemo_ddos -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
iptables -t mangle -A bolemo_ddos -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 10000/sec --limit-burst 100 -j RETURN
iptables -t mangle -A bolemo_ddos -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP

 

[HELLO_wORLD]

Thank you for all the information!

Unfortunately i still have these small disconnections. It's driving me nuts. Is it possible to see some logs in R7800 regarding this?

Nothing I can think of.
Are you connected through WiFi or Ethernet? Could be WiFi micro cuts (common with Windows).

 

[Warlord1981]

Nothing I can think of.
Are you connected through WiFi or Ethernet? Could be WiFi micro cuts (common with Windows).

My PC (eth) as well as my android tv box (wifi) both lose intenet.

Just checked Logs from Netgear and amongst all other entries, I see the below:

[Internet connected] IP address: my-public-ip, Sunday, February 21, 2021 19:07:35
[Internet connected] IP address: my-public-ip, Sunday, February 21, 2021 18:14:14
[Internet connected] IP address: my-public-ip, Sunday, February 21, 2021 17:20:54
[Internet connected] IP address: my-public-ip, Sunday, February 21, 2021 16:27:34
[Internet connected] IP address: my-public-ip, Sunday, February 21, 2021 15:34:14
[Internet connected] IP address: my-public-ip, Sunday, February 21, 2021 14:40:54

Which means every 53 mins and 20 secs my Internet gets disconnected and reconnected? Any thoughts? I even get them with Aegis + Adguard disabled. Could this be ISP related? I have the ISP modem/router bridged with my R7800. Additional info: Everytime i restart the router Internet led stays red and i have to unplug and plug back in the WAN cable on my R7800.

 

[HELLO_wORLD]

My PC (eth) as well as my android tv box (wifi) both lose intenet.

Just checked Logs from Netgear and amongst all other entries, I see the below:

[Internet connected] IP address: my-public-ip, Sunday, February 21, 2021 19:07:35
[Internet connected] IP address: my-public-ip, Sunday, February 21, 2021 18:14:14
[Internet connected] IP address: my-public-ip, Sunday, February 21, 2021 17:20:54
[Internet connected] IP address: my-public-ip, Sunday, February 21, 2021 16:27:34
[Internet connected] IP address: my-public-ip, Sunday, February 21, 2021 15:34:14
[Internet connected] IP address: my-public-ip, Sunday, February 21, 2021 14:40:54

Which means every 53 mins and 20 secs my Internet gets disconnected and reconnected? Any thoughts?

How do you get your public IP? DHCP?
Static IP or dynamic? And do you get the same IP each time?

 

[Warlord1981]

How do you get your public IP? DHCP?
Static IP or dynamic? And do you get the same IP each time?

I have the ISP cable modem/router (Arris) bridged with my R7800.

My ISP provides me with dynamic IP. Not static. Though I think it has been quite some time that I have the same. (even though I have restarted Arris modem/router several times the last few days)

I have the following config on Arris, based on my ISP's bridged mode instructions:

ADDITIONAL INFO: Everytime i restart my R7800, Internet led stays red and i have to unplug and plug back in the WAN cable on my R7800 so it can turn white. Didn't have that problem when Arris was RoutedWithNAT. (I was double NATed back then) Now that I think of these problems may have started when I bridged Arris. (next day i installed Voxel fw & Kamoj-addon for the first time, so all this time I was thinking that something on the config of my R7800 is wrong, when now it seems that something on Arris-ISP side is)

 

[HELLO_wORLD]

I have the ISP cable modem/router (Arris) bridged with my R7800.

My ISP provides me with dynamic IP. Not static. Though I think it has been quite some time that I have the same. (even though I have restarted Arris modem/router several times the last few days)

I have the following config on Arris, based on my ISP's bridged mode instructions:

View attachment 31042

View attachment 31043
View attachment 31044


ADDITIONAL INFO: Everytime i restart my R7800, Internet led stays red and i have to unplug and plug back in the WAN cable on my R7800 so it can turn white. Didn't have that problem when Arris was RoutedWithNAT. (I was double NATed back then) Now that I think of these problems may have started when I bridged Arris. (next day i installed Voxel fw & Kamoj-addon for the first time, so all this time I was thinking that something on the config of my R7800 is wrong, when now it seems that something on Arris-ISP side is)

I am not familiar with the bridge mode.
I see the lease from your modem to the LAN is 1 hour (3600 seconds), so close to the 53 minutes you experience.

I thing what is going on is something like every 53 minutes, your router reconfigures its network interface (even with same settings), and it creates an interruption.

I suspect messing with one of net-lan, net-br, br-mode or net-wan scripts can help, but again, I am no expert in bridge mode, so I have no experience in which scripts are involved here and how, so you may open a specific thread about that issue (not aegis related), and I am sure you will get the right help. I will also be interested to read the answer.

 

[Warlord1981]

I am not familiar with the bridge mode.
I see the lease from your modem to the LAN is 1 hour (3600 seconds), so close to the 53 minutes you experience.

I thing what is going on is something like every 53 minutes, your router reconfigures its network interface (even with same settings), and it creates an interruption.

I suspect messing with one of net-lan, net-br, br-mode or net-wan scripts can help, but again, I am no expert in bridge mode, so I have no experience in which scripts are involved here and how, so you may open a specific thread about that issue (not aegis related), and I am sure you will get the right help. I will also be interested to read the answer.

The lease of 3600secs is for the LAN when the modem/router acts as a DHCP server, however when in bridge mode this is disabled.

I will make a new thread, thanks you for your help and apologies for the offtopic!

 

[HELLO_wORLD]

The lease of 3600secs is for the LAN when the modem/router acts as a DHCP server, however when in bridge mode this is disabled.

I will make a new thread, thanks you for your help and apologies for the offtopic!

No problem

 

[HELLO_wORLD]

1.6.11

No functional change.
Allow to upgrade to 1.7.0 beta for whoever wants to try.

 

[Warlord1981]

Nothing really special.
Here is what I use:

iptables -t mangle -N bolemo_ddos
iptables -t mangle -A PREROUTING -i brwan -j bolemo_ddos
iptables -t mangle -A bolemo_ddos -m conntrack --ctstate INVALID -j DROP
iptables -t mangle -A bolemo_ddos -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
iptables -t mangle -A bolemo_ddos -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec -j RETURN
iptables -t mangle -A bolemo_ddos -p icmp -m icmp --icmp-type 8 -j DROP
iptables -t mangle -A bolemo_ddos -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
iptables -t mangle -A bolemo_ddos -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
iptables -t mangle -A bolemo_ddos -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 10000/sec --limit-burst 100 -j RETURN
iptables -t mangle -A bolemo_ddos -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP

Many thanks for these rules! So we just copy all of them into /opt/scripts/firewall-start.sh script and restart firewall?

 

[HELLO_wORLD]

Many thanks for these rules! So we just copy all of them into /opt/scripts/firewall-start.sh script and restart firewall?

Exactly

 

[Warlord1981]

Exactly

Hmm i think i get congestion/packetloss-like behaviour. Even running speedtest by ookla, the needle at some moments freezes for a second or two both in download & upload and also while talking with a friend on Discord he was losing me at the exact time needles were freezing. Removed the rules and restarted firewall, I even restarted both the modem and the router and the issue persists. Is it possible to view logs of such behaviour? Or in general monitor latency/jitter/packet loss? If I connect my PC directly to the modem everything is ok.

Additionally what are the [LAN access from remote] entries in my Netgear's Logs? I have a lot. In fact for the first time i had a warning from my Bitdfender firewall today that a port scan was detected and blocked from remote ip: 220.164.192.25

 

[R. Gerrits]

today I had an issue, after upgrading to 1.6.11 via WebGUI, it no longer wanted to start...

Didn't yet find the cause, but I did once get this strange errors:

root@R7800:~$ aegis down
config:609: can't map '/usr/lib/libconfig.so'
config: can't load library 'libconfig.so'

root@R7800:~$ aegis up
/usr/bin/aegis: /usr/bin/aegis: 1112: Cannot fork
! Too many parameters!

eventually I got it running again. But no clue what went wrong.
See below for the things I did via SSH, after the intial upgrade / start attempts via the WebGUI failed.
Perhaps it helps:

root@R7800:~$ aegis unset
root@R7800:~$ aegis upgrade

Upgrading:
- version installed: 1.6.11
- you have already the latest version: 1.6.11     
? do you want to reapply it (y/n)? y
root@R7800:~$ aegis up     
root@R7800:~$ aegis status
Status:
- Shield is down.
- Logging is disabled.
root@R7800:~$ aegis up
/usr/bin/aegis: /usr/bin/aegis: 1112: Cannot fork
! Too many parameters!
aegis 1.6.11
Usage: aegis COMMAND [OPTION(S)]
COMMANDS (only one) and their specific options:
up                  - (re)starts aegis shield protection
   -net-wall          + by restarting the internal firewall
   -refresh           + with updated shield directives
   -log-enable        + with logging enabled
   -log-disable       + with logging disabled
   -wan-no-bypass     + without WAN network range bypass
   -vpn-no-bypass     + without VPN network range bypass
 down               - stops aegis shield protection
 refresh            - updates shield directives from sources and custom lists
   -custom-only       + will refresh directives only from custom lists (using offline cache for sources)
 log -enable        - enables logging
 log -disable       - disables logging
 log -show          - displays the log report
   -lines=N           + will display N last lines (N being the number of lines to show)
 log -live          - displays the log report live (CTRL-C to exit)
 log -get-history   - show the history size for the log file /var/log/log-aegis
 log -set-history=N - sets the history size to N records for the log file /var/log/log-aegis
 unset              - stops and unsets aegis shield
   -rm-config         + and removes aegis configuration file
   -rm-symlink        + and removes the symlink /usr/bin/aegis
   -rm-web            + and removes Web Companion
   -rm-log            + and removes log file
 help               - displays help (this)
 info               - displays info on this script
 status             - displays status
 upgrade            - downloads and installs latest version
 web -install       - downloads and installs Web Companion
 web -remove        - removes Web Companion
 test -ip=IP        - test if IP is blocked or not by aegis
GENERAL OPTIONS (none, one or more, can be used with any command):
 -v                 + verbose mode (level 1)
 -vv                + verbose mode (level 2)
 -vvv               + verbose mode (level 3)
 -q                 + quiet mode (no output)
root@R7800:~$ aegis down  
config:609: can't map '/usr/lib/libconfig.so'
config: can't load library 'libconfig.so'
root@R7800:~$ aegis status
Status:
- Something is not right!
- Logging is enabled.
Errors:
- iptables: shield chains are not right!
root@R7800:~$ aegis up
root@R7800:~$ aegis down
root@R7800:~$ aegis up -vvv
aegis 1.6.11 - Verbose mode [level 3]
Initializing...
- Configuration file is set.
- 'firewall-start.sh' is in place and ok.
- 'aegis' is installed on external drive.
- 'post-mount.sh' is in place and ok.
Uprearing aegis shield...
- Enabling logging.
- Done.
Status:
- Something is not right!
- Logging is enabled.
Errors: (CODE: 16)
- iptables: shield chains are not right!
Detailed status: (CODE: 15)
- Active WAN interface is 'brwan'.
- no VPN tunnel found.
- Actual router time: 2021-02-23 14:12:46
- Sources cache directives update time: 2021-02-23 14:09:49
- Blocklist directives generation time: 2021-02-23 14:09:49
- Whitelist directives generation time: 2021-02-23 14:09:49
- set: firewall-start.sh is set for aegis.
- set: post-mount.sh is set for aegis.
- ipset: blocklist is set.
- ipset: whitelist is set.
Last shield uprear report: (CODE: 1-13-197-2)
- shield was upreared from: firewall-start.sh @ 2021-02-23 14:12:46
- WAN interface was 'brwan'.
- No VPN tunnel was found.
- directives: ipset blocklist was already set and identical to file.
- directives: ipset whitelist was already set and identical to file.
- iptables: rules were already set.
- iptables: rules for WAN interface in place.
- iptables: whitelist bypass rules in place.
- iptables: logging rules in place.
- log daemon: was already on.
iptables:
- no aegis rules are set.
ipset 'whitelist':
- Name: aegis_wl
- Type: hash:net
- Revision: 7
- Header: family inet hashsize 1024 maxelem 1 bucketsize 12 initval 0x221d1c55
- Size in memory: 412
- References: 0
- Number of entries: 1
ipset 'blocklist':
- Name: aegis_bl
- Type: hash:net
- Revision: 7
- Header: family inet hashsize 16384 maxelem 49492 bucketsize 12 initval 0x8ea85440
- Size in memory: 1152872
- References: 0
- Number of entries: 49492
root@R7800:~$ aegis up -vvv
aegis 1.6.11 - Verbose mode [level 3]
Initializing...
- Configuration file is set.
- 'firewall-start.sh' is in place and ok.
- 'aegis' is installed on external drive.
- 'post-mount.sh' is in place and ok.
Uprearing aegis shield...
- Enabling logging.
- Done.
Status:
- Shield is up for WAN interface (brwan).
- Filtering 619667812 IP adresses.
- Bypassing 1 IP adresses.
- Logging is enabled.
Detailed status: (CODE: 1439)
- Active WAN interface is 'brwan'.
- no VPN tunnel found.
- Actual router time: 2021-02-23 14:13:45
- Sources cache directives update time: 2021-02-23 14:09:49
- Blocklist directives generation time: 2021-02-23 14:09:49
- Whitelist directives generation time: 2021-02-23 14:09:49
- set: firewall-start.sh is set for aegis.
- set: post-mount.sh is set for aegis.
- ipset: blocklist is set.
- ipset: whitelist is set.
- iptables: shield chains are set.
- iptables: whitelist rules are set.
- iptables: aegis logging rules are set.
- iptables: WAN interface IFO rules are set.
Last shield uprear report: (CODE: 3-13-198-2)
- shield was upreared from: aegis script @ 2021-02-23 14:13:44
- WAN interface was 'brwan'.
- No VPN tunnel was found.
- directives: ipset blocklist was already set and identical to file.
- directives: ipset whitelist was already set and identical to file.
- iptables: rules were (re)set.
- iptables: rules for WAN interface in place.
- iptables: whitelist bypass rules in place.
- iptables: logging rules in place.
- log daemon: was already on.
iptables:
- iptables -N aegis_dst
- iptables -N aegis_src
- iptables -A INPUT -i brwan -m set --match-set aegis_bl src -m comment --comment "incoming in aegis blocklist" -j aegis_src
- iptables -A FORWARD -i brwan -m set --match-set aegis_bl src -m comment --comment "incoming in aegis blocklist" -j aegis_src
- iptables -A FORWARD -o brwan -m set --match-set aegis_bl dst -m comment --comment "outgoing in aegis blocklist" -j aegis_dst
- iptables -A OUTPUT -o brwan -m set --match-set aegis_bl dst -m comment --comment "outgoing in aegis blocklist" -j aegis_dst
- iptables -A aegis_dst -m set --match-set aegis_wl dst -m comment --comment "in aegis whitelist" -j RETURN
- iptables -A aegis_dst -j LOG --log-prefix "[aegis] "
- iptables -A aegis_dst -m comment --comment "aegis reject outgoing" -j REJECT --reject-with icmp-admin-prohibited
- iptables -A aegis_src -m set --match-set aegis_wl src -m comment --comment "in aegis whitelist" -j RETURN
- iptables -A aegis_src -j LOG --log-prefix "[aegis] "
- iptables -A aegis_src -m comment --comment "aegis drop incoming" -j DROP
ipset 'whitelist':
- Name: aegis_wl
- Type: hash:net
- Revision: 7
- Header: family inet hashsize 1024 maxelem 1 bucketsize 12 initval 0x221d1c55
- Size in memory: 412
- References: 2
- Number of entries: 1
ipset 'blocklist':
- Name: aegis_bl
- Type: hash:net
- Revision: 7
- Header: family inet hashsize 16384 maxelem 49492 bucketsize 12 initval 0x8ea85440
- Size in memory: 1152872
- References: 4
- Number of entries: 49492
root@R7800:~$

 

[HELLO_wORLD]

today I had an issue, after upgrading to 1.6.11 via WebGUI, it no longer wanted to start...

Didn't yet find the cause, but I did once get this strange errors:

root@R7800:~$ aegis down
config:609: can't map '/usr/lib/libconfig.so'
config: can't load library 'libconfig.so'

root@R7800:~$ aegis up
/usr/bin/aegis: /usr/bin/aegis: 1112: Cannot fork
! Too many parameters!

eventually I got it running again. But no clue what went wrong.
See below for the things I did via SSH, after the intial upgrade / start attempts via the WebGUI failed.
Perhaps it helps:

root@R7800:~$ aegis unset
root@R7800:~$ aegis upgrade

Upgrading:
- version installed: 1.6.11
- you have already the latest version: 1.6.11    
? do you want to reapply it (y/n)? y
root@R7800:~$ aegis up    
root@R7800:~$ aegis status
Status:
- Shield is down.
- Logging is disabled.
root@R7800:~$ aegis up
/usr/bin/aegis: /usr/bin/aegis: 1112: Cannot fork
! Too many parameters!
aegis 1.6.11
Usage: aegis COMMAND [OPTION(S)]
COMMANDS (only one) and their specific options:
up                  - (re)starts aegis shield protection
   -net-wall          + by restarting the internal firewall
   -refresh           + with updated shield directives
   -log-enable        + with logging enabled
   -log-disable       + with logging disabled
   -wan-no-bypass     + without WAN network range bypass
   -vpn-no-bypass     + without VPN network range bypass
down               - stops aegis shield protection
refresh            - updates shield directives from sources and custom lists
   -custom-only       + will refresh directives only from custom lists (using offline cache for sources)
log -enable        - enables logging
log -disable       - disables logging
log -show          - displays the log report
   -lines=N           + will display N last lines (N being the number of lines to show)
log -live          - displays the log report live (CTRL-C to exit)
log -get-history   - show the history size for the log file /var/log/log-aegis
log -set-history=N - sets the history size to N records for the log file /var/log/log-aegis
unset              - stops and unsets aegis shield
   -rm-config         + and removes aegis configuration file
   -rm-symlink        + and removes the symlink /usr/bin/aegis
   -rm-web            + and removes Web Companion
   -rm-log            + and removes log file
help               - displays help (this)
info               - displays info on this script
status             - displays status
upgrade            - downloads and installs latest version
web -install       - downloads and installs Web Companion
web -remove        - removes Web Companion
test -ip=IP        - test if IP is blocked or not by aegis
GENERAL OPTIONS (none, one or more, can be used with any command):
-v                 + verbose mode (level 1)
-vv                + verbose mode (level 2)
-vvv               + verbose mode (level 3)
-q                 + quiet mode (no output)
root@R7800:~$ aegis down 
config:609: can't map '/usr/lib/libconfig.so'
config: can't load library 'libconfig.so'
root@R7800:~$ aegis status
Status:
- Something is not right!
- Logging is enabled.
Errors:
- iptables: shield chains are not right!
root@R7800:~$ aegis up
root@R7800:~$ aegis down
root@R7800:~$ aegis up -vvv
aegis 1.6.11 - Verbose mode [level 3]
Initializing...
- Configuration file is set.
- 'firewall-start.sh' is in place and ok.
- 'aegis' is installed on external drive.
- 'post-mount.sh' is in place and ok.
Uprearing aegis shield...
- Enabling logging.
- Done.
Status:
- Something is not right!
- Logging is enabled.
Errors: (CODE: 16)
- iptables: shield chains are not right!
Detailed status: (CODE: 15)
- Active WAN interface is 'brwan'.
- no VPN tunnel found.
- Actual router time: 2021-02-23 14:12:46
- Sources cache directives update time: 2021-02-23 14:09:49
- Blocklist directives generation time: 2021-02-23 14:09:49
- Whitelist directives generation time: 2021-02-23 14:09:49
- set: firewall-start.sh is set for aegis.
- set: post-mount.sh is set for aegis.
- ipset: blocklist is set.
- ipset: whitelist is set.
Last shield uprear report: (CODE: 1-13-197-2)
- shield was upreared from: firewall-start.sh @ 2021-02-23 14:12:46
- WAN interface was 'brwan'.
- No VPN tunnel was found.
- directives: ipset blocklist was already set and identical to file.
- directives: ipset whitelist was already set and identical to file.
- iptables: rules were already set.
- iptables: rules for WAN interface in place.
- iptables: whitelist bypass rules in place.
- iptables: logging rules in place.
- log daemon: was already on.
iptables:
- no aegis rules are set.
ipset 'whitelist':
- Name: aegis_wl
- Type: hash:net
- Revision: 7
- Header: family inet hashsize 1024 maxelem 1 bucketsize 12 initval 0x221d1c55
- Size in memory: 412
- References: 0
- Number of entries: 1
ipset 'blocklist':
- Name: aegis_bl
- Type: hash:net
- Revision: 7
- Header: family inet hashsize 16384 maxelem 49492 bucketsize 12 initval 0x8ea85440
- Size in memory: 1152872
- References: 0
- Number of entries: 49492
root@R7800:~$ aegis up -vvv
aegis 1.6.11 - Verbose mode [level 3]
Initializing...
- Configuration file is set.
- 'firewall-start.sh' is in place and ok.
- 'aegis' is installed on external drive.
- 'post-mount.sh' is in place and ok.
Uprearing aegis shield...
- Enabling logging.
- Done.
Status:
- Shield is up for WAN interface (brwan).
- Filtering 619667812 IP adresses.
- Bypassing 1 IP adresses.
- Logging is enabled.
Detailed status: (CODE: 1439)
- Active WAN interface is 'brwan'.
- no VPN tunnel found.
- Actual router time: 2021-02-23 14:13:45
- Sources cache directives update time: 2021-02-23 14:09:49
- Blocklist directives generation time: 2021-02-23 14:09:49
- Whitelist directives generation time: 2021-02-23 14:09:49
- set: firewall-start.sh is set for aegis.
- set: post-mount.sh is set for aegis.
- ipset: blocklist is set.
- ipset: whitelist is set.
- iptables: shield chains are set.
- iptables: whitelist rules are set.
- iptables: aegis logging rules are set.
- iptables: WAN interface IFO rules are set.
Last shield uprear report: (CODE: 3-13-198-2)
- shield was upreared from: aegis script @ 2021-02-23 14:13:44
- WAN interface was 'brwan'.
- No VPN tunnel was found.
- directives: ipset blocklist was already set and identical to file.
- directives: ipset whitelist was already set and identical to file.
- iptables: rules were (re)set.
- iptables: rules for WAN interface in place.
- iptables: whitelist bypass rules in place.
- iptables: logging rules in place.
- log daemon: was already on.
iptables:
- iptables -N aegis_dst
- iptables -N aegis_src
- iptables -A INPUT -i brwan -m set --match-set aegis_bl src -m comment --comment "incoming in aegis blocklist" -j aegis_src
- iptables -A FORWARD -i brwan -m set --match-set aegis_bl src -m comment --comment "incoming in aegis blocklist" -j aegis_src
- iptables -A FORWARD -o brwan -m set --match-set aegis_bl dst -m comment --comment "outgoing in aegis blocklist" -j aegis_dst
- iptables -A OUTPUT -o brwan -m set --match-set aegis_bl dst -m comment --comment "outgoing in aegis blocklist" -j aegis_dst
- iptables -A aegis_dst -m set --match-set aegis_wl dst -m comment --comment "in aegis whitelist" -j RETURN
- iptables -A aegis_dst -j LOG --log-prefix "[aegis] "
- iptables -A aegis_dst -m comment --comment "aegis reject outgoing" -j REJECT --reject-with icmp-admin-prohibited
- iptables -A aegis_src -m set --match-set aegis_wl src -m comment --comment "in aegis whitelist" -j RETURN
- iptables -A aegis_src -j LOG --log-prefix "[aegis] "
- iptables -A aegis_src -m comment --comment "aegis drop incoming" -j DROP
ipset 'whitelist':
- Name: aegis_wl
- Type: hash:net
- Revision: 7
- Header: family inet hashsize 1024 maxelem 1 bucketsize 12 initval 0x221d1c55
- Size in memory: 412
- References: 2
- Number of entries: 1
ipset 'blocklist':
- Name: aegis_bl
- Type: hash:net
- Revision: 7
- Header: family inet hashsize 16384 maxelem 49492 bucketsize 12 initval 0x8ea85440
- Size in memory: 1152872
- References: 4
- Number of entries: 49492
root@R7800:~$

Very strange issue...

I don’t think it is directly related to aegis. Seems like there were too many running processes, and aegis was denied by the kernel to fork a process (probably here wc or sed), so it could not properly assess its parameters ($*).

And the other error is from config (nvram).

It looks like you had a memory issue or many running process at this time. It likely calmed down and when you retried, it worked.