Menu
What's new
By:
Filters Better Search

[R7800, R9000 & probably others] Blocklist based Firewall addon

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I’m working on the next version that will have some cool stuff.
Better rules for iptables, allowing logging.
Check for any available newer version. Maybe an upgrade command.

Also, while trying logging, I found that this is really blocking a lot attempts to connect either to the router or my NAS from blacklisted IPs. So this script is really useful in protecting router and local network:
Code: 
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=46.105.132.32 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=40202 DPT=9200 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=172.16.255.254 DST=224.0.0.1 LEN=28 TOS=0x10 PREC=0x80 TTL=1 ID=15699 PROTO=2 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=45.134.179.50 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=10667 PROTO=TCP SPT=45425 DPT=38398 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=193.32.163.112 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=32504 PROTO=TCP SPT=58431 DPT=3381 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=46.105.132.32 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=43161 DPT=873 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=45.134.179.50 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=61975 PROTO=TCP SPT=45425 DPT=37674 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=142.93.211.52 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=237 ID=6539 PROTO=TCP SPT=46682 DPT=2364 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=190.255.4.26 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=2753 PROTO=TCP SPT=45797 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=111.56.44.147 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=242 ID=5509 PROTO=TCP SPT=47760 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=45.134.179.50 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=50031 PROTO=TCP SPT=45425 DPT=883 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=45.134.179.50 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=3931 PROTO=TCP SPT=45425 DPT=3598 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=87.251.74.241 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=32134 PROTO=TCP SPT=51973 DPT=756 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=172.16.255.254 DST=224.0.0.1 LEN=28 TOS=0x10 PREC=0x80 TTL=1 ID=15701 PROTO=2 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=104.206.128.70 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=241 ID=30700 PROTO=TCP SPT=50057 DPT=5432 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=45.134.179.50 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=6516 PROTO=TCP SPT=45425 DPT=58572 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=87.251.74.18 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x80 TTL=245 ID=11046 PROTO=TCP SPT=51205 DPT=5001 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x2
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=45.134.179.50 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=26830 PROTO=TCP SPT=45425 DPT=52461 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=185.176.27.2 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=246 ID=31650 PROTO=TCP SPT=8080 DPT=8683 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN= OUT=brwan SRC=192.168.1.2 DST=192.168.1.255 LEN=242 TOS=0x00 PREC=0x00 TTL=64 ID=44813 DF PROTO=UDP SPT=138 DPT=138 LEN=222
[firewall-blocklist] IN= OUT=brwan SRC=192.168.1.2 DST=192.168.1.255 LEN=235 TOS=0x00 PREC=0x00 TTL=64 ID=10105 DF PROTO=UDP SPT=138 DPT=138 LEN=215
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=194.26.29.212 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=242 ID=54638 PROTO=TCP SPT=58013 DPT=3215 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=156.96.119.148 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=36922 DF PROTO=TCP SPT=18 DPT=3201 WINDOW=512 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=185.156.73.60 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=248 ID=388 PROTO=TCP SPT=47677 DPT=33896 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=185.176.27.246 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=246 ID=8037 PROTO=TCP SPT=58587 DPT=54249 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=156.96.119.148 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=36922 DF PROTO=TCP SPT=5 DPT=8092 WINDOW=512 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=45.134.179.50 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=19243 PROTO=TCP SPT=45425 DPT=28605 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=198.98.62.183 DST=192.168.1.2 LEN=121 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=UDP SPT=49117 DPT=1900 LEN=101 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=172.16.255.254 DST=224.0.0.1 LEN=28 TOS=0x10 PREC=0x80 TTL=1 ID=15703 PROTO=2 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=194.61.27.240 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=239 ID=39339 PROTO=TCP SPT=47895 DPT=5445 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=45.134.179.50 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=8237 PROTO=TCP SPT=45425 DPT=590 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=60.190.96.235 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=238 ID=59389 PROTO=TCP SPT=43452 DPT=28515 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=185.176.27.2 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=246 ID=42828 PROTO=TCP SPT=8080 DPT=8879 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=172.16.255.254 DST=224.0.0.1 LEN=28 TOS=0x10 PREC=0x80 TTL=1 ID=15705 PROTO=2 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=194.26.29.212 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=242 ID=54066 PROTO=TCP SPT=58013 DPT=7385 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=92.63.196.3 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=243 ID=60625 PROTO=TCP SPT=56438 DPT=9789 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=45.134.179.50 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=38571 PROTO=TCP SPT=45425 DPT=5096 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=94.102.56.181 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=248 ID=31650 PROTO=TCP SPT=47562 DPT=9508 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=111.229.172.178 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=237 ID=25531 PROTO=TCP SPT=56070 DPT=7384 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=45.134.179.50 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=49338 PROTO=TCP SPT=45425 DPT=16796 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=198.108.67.83 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=34 ID=1252 PROTO=TCP SPT=21362 DPT=12301 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=170.130.187.10 DST=192.168.1.2 LEN=71 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=UDP SPT=64716 DPT=161 LEN=51 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=92.63.196.3 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=243 ID=1504 PROTO=TCP SPT=56438 DPT=9889 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=194.26.29.114 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=242 ID=34935 PROTO=TCP SPT=52196 DPT=5463 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
 
It is working for me now, but is a little slower to download than usual.
Likely a network related problem (overload somewhere...)

At least, with the editable sources file, it is easy to switch to other servers if needed.

NetBytes said:
Looks like whatever was going on is now fixed? Both links are returning data again.
Click to expand...
 
Thank you!

Coming from you, the master of add-ons, it is a strong compliment.
kamoj said:
Really nice addon!:cool:
Click to expand...

There is a version 2.5 in the pipes, that will use iprange (allowing to optimize the blocklist for better efficiency), that should be released in the coming days.
 
HELLO_wORLD said:
There is a version 2.5 in the pipes, that will use iprange (allowing to optimize the blocklist for better efficiency), that should be released in the coming days.
Click to expand...

Just curious on how you're going to provide the iprange binary...
If you plan on including a version that you compiled yourself on your router, that might not be a good thing.
Because then it will only work on routers that also have entware. (and potentially even need the same version of entware as you).

And if you make entware a requirement, then probably better to try to get iproute in the entware repo, so that it can be maintained just as any other entware package
 
That is exactly what I had in mind.
I don’t think iprange is using any Entware dependency, and I think it’s own libraries are compiled in the binary, but that is an interesting point.

I will copy iprange in /tmp and unmount the disk with Entware, then try it. If it works, we know for sure it is fine.

If it does not, no worries, because my script can work without iprange installed, and in that case, I will have to suggest @Voxel if he is willing to include iprange in his repo.

R. Gerrits said:
Just curious on how you're going to provide the iprange binary...
If you plan on including a version that you compiled yourself on your router, that might not be a good thing.
Because then it will only work on routers that also have entware. (and potentially even need the same version of entware as you).

And if you make entware a requirement, then probably better to try to get iproute in the entware repo, so that it can be maintained just as any other entware package
Click to expand...
 
Well, just tested... iprange does not work without Entware, so thank you @R. Gerrits for making me aware of this!

Unless there is a way to compile iprange and have it either self sufficient or dependent only on what is in the firmware, Entware is the way to go. I will ask @Voxel if he could add it to his repo (should not be too difficult as we already know it compiles fine, it is simple, and not updated often at all...)

I can easily adapt my script to that situation (it is already pretty much ready for it).

R. Gerrits said:
Just curious on how you're going to provide the iprange binary...
If you plan on including a version that you compiled yourself on your router, that might not be a good thing.
Because then it will only work on routers that also have entware. (and potentially even need the same version of entware as you).

And if you make entware a requirement, then probably better to try to get iproute in the entware repo, so that it can be maintained just as any other entware package
Click to expand...
 
@Voxel very kindly accepted to make an iprange firmware addon (ipk), that installs it directly in /usr/bin

I tested and it works perfectly.

I also adapted my code to deal with that, and next release will be able to use iprange if installed (either from ipk or self compiled in Entware).
 
just also installed your firewall block-list add-on.
It seems to be working fine.

But any reason why it would be blocking these packets?
[firewall-blocklist] IN= OUT=brwan SRC=94.213.xx.xxx DST=10.10.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53667 DF PROTO=UDP SPT=54774 DPT=53 LEN=40
[firewall-blocklist] IN= OUT=brwan SRC=94.213.xx.xxx DST=10.10.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=929 DF PROTO=UDP SPT=50222 DPT=53 LEN=40

94.213.xx.xxx is the public IP of my router.
10.10.10.10 is DNS server in my test-environment, behind a separate firewall. So this router doesn't know it. (my normal internal subnet is 192.168.1.0/24)

Edit: Nevermind, apparently I was missing a route for that 10.10.10.0/24 subnet, so it was trying to route this traffic to internet. And I can imagine that the firewall would block traffic for private ranges on the public interface
 
Last edited:
R. Gerrits said:
Edit: Nevermind, apparently I was missing a route for that 10.10.10.0/24 subnet, so it was trying to route this traffic to internet. And I can imagine that the firewall would block traffic for private ranges on the public interface
Click to expand...

Exactly, one of the sources I put by default (firehol_level1)
is blocking (among many others) private ranges as they should never be found on internet (and if they do, they are more than suspicious), they are called fullbogons.
http://iplists.firehol.org/?ipset=firehol_level1
 
V3.0.0
 
Readme says:
The /opt/bolemo/scripts/firewall-blocklist upgrade command will also show installed and latest version available and ask if you want to upgrade if the online version is different than the one installed.
Click to expand...

Just used it to upgrade from v2.0.1 to v3.0.0, but it didn't show anything and also didn't ask anything.

Also, is it true that only a fresh install using install.sh install iprange, but an upgrade from an older version to v3.0.0 doesn't?
 
Yes and no

It is true that an upgrade from v2 to v3 won’t offer to install iprange (while installing from install script does).

However, you can install iprange separately.
Download (wget, curl or to computer then to router...) this: https://voxel-firmware.com/Downloads/iprange_1.0.4-1_ipq806x.ipk
And install it using the command /bin/opkg install iprange_1.0.4-1_ipq806x.ipk

PS: /opt/bolemo/scripts/firewall-blocklist info or /opt/bolemo/scripts/firewall-blocklist status should confirm to you you are now using v3.

PSS: I realized I did not answer exactly to your question. With version v2, the upgrade was not asking before upgrading, and would only show something in verbose mode. With v3, the upgrade is always verbose, and asks before upgrading.

R. Gerrits said:
Readme says:


Just used it to upgrade from v2.0.1 to v3.0.0, but it didn't show anything and also didn't ask anything.

Also, is it true that only a fresh install using install.sh install iprange, but an upgrade from an older version to v3.0.0 doesn't?
Click to expand...
 
Last edited:
V3.0.1
 
You must log in or register to reply here.

Similar threads

HELLO_wORLD
Aegis aegis: a firewall blocklist
7 8 9
Replies
177
Views
20K
HELLO_wORLD
HELLO_wORLD
HELLO_wORLD
Aegis Aegis (simple yet effective protection)
15 16 17
Replies
327
Views
36K
Jake77
J
Viktor Jaep
VPNMON VPNMON-R2 v2.65 -Jan 27, 2024- DISCONTINUED - Upgrade to VPNMON-R3 Available! (#3)
6 7 8
Replies
144
Views
22K
Viktor Jaep
Viktor Jaep
HELLO_wORLD
[R7800 utility] nvram-utils
Replies
7
Views
4K
HELLO_wORLD
HELLO_wORLD
arabesc
Tutorial HOWTO use Voxel/Entware/miniupnpd on R7800/R9000 router
Replies
0
Views
3K
arabesc
arabesc
Similar threads
Thread starter Title Forum Replies Date
M Kamoj Kamoj Addon 5.5 Beta for Netgear R7800/R8900/R9000 with Voxel FW - Continuation NETGEAR AC Routers and Adapters (Wi-Fi 5) 3
R Release New official R7800 firmware NETGEAR AC Routers and Adapters (Wi-Fi 5) 5
Voxel Voxel Custom firmware build for R7800 v. 1.0.2.111SF NETGEAR AC Routers and Adapters (Wi-Fi 5) 11
Voxel Voxel Custom firmware build for R7800 v. 1.0.2.110SF NETGEAR AC Routers and Adapters (Wi-Fi 5) 15
Voxel Voxel Custom firmware build for R7800 v. 1.0.2.109SF NETGEAR AC Routers and Adapters (Wi-Fi 5) 8
Voxel Voxel Custom firmware build for R7800 v. 1.0.2.108SF NETGEAR AC Routers and Adapters (Wi-Fi 5) 12
R R7800; adding USB WiFi adapter NETGEAR AC Routers and Adapters (Wi-Fi 5) 7
Voxel Voxel Custom firmware build for R7800 v. 1.0.2.107SF NETGEAR AC Routers and Adapters (Wi-Fi 5) 20
Voxel Voxel Custom firmware build for R7800 v. 1.0.2.106SF NETGEAR AC Routers and Adapters (Wi-Fi 5) 26
P R9000 WiFi suddenly stopped working NETGEAR AC Routers and Adapters (Wi-Fi 5) 3

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 999 (members: 20, guests: 979)
Top