HELLO_wORLD
v3.1.0
root@R7800:/etc$ /opt/bolemo/scripts/firewall-blocklist update
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: No chain/target/match by that name.
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: No chain/target/match by that name.
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
ip6tables: Bad rule (does a matching rule exist in that chain?).
ip6tables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
ip6tables: Bad rule (does a matching rule exist in that chain?).
ip6tables: No chain/target/match by that name.
ip6tables: Bad rule (does a matching rule exist in that chain?).
ip6tables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
Thnx!
BTW just wondering, I do get a lot of warnings when iptables gets modified (see below). Is this something that is normal? Or do I have something wrong in my iptables?
I did an iptables -L, and do notice that I have some duplicate entries in chains INPUT, FORWARD and OUTPUT. Could this be a reason?
And, not related to the topic, but I also see a strange rule "ACCEPT tcp -- anywhere anywhere tcp dpt:42443" in my INPUT and OUTPUT chains.
I see in the Netgear forums that this is related to DLNA / Kwilt, and that it can be removed by disabling DLNA. But I don't think I have DLNA enabled (at least I cannot find it in the GUI).
Do more people have that rule?
Are you having this problem with the last version (3.1) or a former one?
> As for DLNA, to turn it off, it is in ReadyShare->Media Server->OFF
In Basic -> ReadySHARE, I only have the section USB Storage (Basic Settings).
If problems persist, try this:
/opt/bolemo/scripts/firewall-blocklist clean
ipset destroy
net-wall restart
/opt/bolemo/scripts/firewall-blocklist update -v
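The messages quoted earlier in the thread are what iptables prints when a command refers to a chain, target or match that does not exist ("No chain/target/match by that name") or when `-D` is asked to remove a rule that is not in the chain ("Bad rule (does a matching rule exist in that chain?)"), so they are harmless when a clean-up runs before anything was installed, but they also hide real problems such as the duplicate entries mentioned above. The following POSIX shell functions are an added example written for this thread, not part of the firewall-blocklist script: they work on the text of an `iptables -S CHAIN` dump, so they run offline on the constructed sample below and, on the router, on the live output. The sample dump and the duplicated rule in it are constructed for the example.

```shell
#!/bin/sh
# Constructed `iptables -S INPUT` dump (not captured from a real router). It
# contains one blocklist rule twice, the situation described in the thread.
SAMPLE_DUMP='-P INPUT DROP
-A INPUT -i brwan -m set --match-set FwBl_WL src -j ACCEPT
-A INPUT -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
-A INPUT -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -j common
-A INPUT -j reject'

# Print every -A rule that occurs more than once in the dump (one line each).
find_duplicate_rules() {
  printf '%s\n' "$1" | grep '^-A ' | sort | uniq -d
}

# Number of distinct rules that are duplicated.
count_duplicate_rules() {
  find_duplicate_rules "$1" | wc -l | tr -d ' '
}

# Echo 1 if the rule spec (everything after "-A CHAIN ") is present in the
# dump, else 0. This is the offline equivalent of `iptables -C CHAIN <spec>`.
rule_present() {
  chain=$1; spec=$2; dump=$3
  printf '%s\n' "$dump" | grep -Fqx -- "-A $chain $spec" && echo 1 || echo 0
}

# How many rules in the dump jump to the blocklist drop chain FwBl_DROP.
count_fwbl_rules() {
  printf '%s\n' "$1" | grep -c -- '-j FwBl_DROP$'
}

# On the router the same functions take the live tables, for example:
#   find_duplicate_rules "$(iptables -S INPUT)"
# and a rule is removed only after checking it exists, which is what avoids
# the "Bad rule" message:
#   iptables -C INPUT <spec> 2>/dev/null && iptables -D INPUT <spec>
```

Running `iptables -S` for INPUT, FORWARD and OUTPUT through `find_duplicate_rules` tells you quickly whether the duplicates are the blocklist rules (which the clean/update sequence above re-creates) or rules from the stock firewall that the script does not touch.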
root@R7800:/$ iptables -S loc2net
-N loc2net
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -p tcp -m state --state NEW -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j DROP
-A loc2net -p tcp -m state --state INVALID -j DROP
Can't find library for target `TRIGGER'
-A loc2net -j TRIGGER
root@R7800:/$ iptables -S net2loc
-N net2loc
-A net2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2loc -p tcp -m state --state NEW -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j DROP
Can't find library for target `CONENAT'
-A net2loc -p udp -j CONENAT
firewall-blocklist v3.1.0 - Verbose mode
Status:
- firewall-blocklist version: v3.1.0
- iprange is not installed.
- Something is not right! Use firewall-blocklist -v status for more details
- Logging is off.
Detailed status:
- /opt/scripts/firewall-start.sh exists with correct settings.
- iptables rules are set with bypass rules (whitelist):
iptables -N FwBl_DROP
iptables -A INPUT -i brwan -m set --match-set FwBl_WL src -j ACCEPT
iptables -A INPUT -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
iptables -A FORWARD -i brwan -m set --match-set FwBl_WL src -j ACCEPT
iptables -A FORWARD -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
iptables -A FORWARD -o brwan -m set --match-set FwBl_WL dst -j ACCEPT
iptables -A FORWARD -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
iptables -A OUTPUT -o brwan -m set --match-set FwBl_WL dst -j ACCEPT
iptables -A OUTPUT -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
iptables -A FwBl_DROP -j DROP
- Logging is inactive.
- ipset filter (blocklist) is set:
WAN gateway (0.0.0.0) is in blocklist
Name: FwBl_BL
Type: hash:net
Revision: 6
Header: family inet hashsize 16384 maxelem 65536
Size in memory: 921496
References: 4
- ipset bypass (whitelist) is set:
WAN gateway (0.0.0.0) is NOT in whitelist!
Name: FwBl_WL
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 1
Size in memory: 320
References: 4
root@R7800:/opt/bolemo/scripts$ cat /tmp/FwBl_status
Wed Apr 29 22:30:53 GMT 2020
ips: BL(keep)+WL(swap)
ipt: BL+WL
root@R7800:/tmp/mnt/sdb2/bolemo/scripts$ iptables -S INPUT
-P INPUT DROP
-A INPUT -i brwan -m set --match-set FwBl_WL src -j ACCEPT
-A INPUT -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i host0 -j ACCEPT
-A INPUT -i LeafNets -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p ipv6 -j ACCEPT
-A INPUT -i brwan -p igmp -j ACCEPT
-A INPUT -i brwan -j brwan_in
-A INPUT -i br0 -j br0_in
-A INPUT -j common
-A INPUT -j reject
root@R7800:/tmp/mnt/sdb2/bolemo/scripts$ iptables -S OUTPUT
-P OUTPUT DROP
-A OUTPUT -o brwan -m set --match-set FwBl_WL dst -j ACCEPT
-A OUTPUT -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o host0 -j ACCEPT
-A OUTPUT -o LeafNets -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1701 -j ACCEPT
-A OUTPUT -p ipv6 -j ACCEPT
-A OUTPUT -o brwan -p udp -m udp --dport 67:68 -j ACCEPT
-A OUTPUT -o brwan -p igmp -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
-A OUTPUT -o brwan -j fw2net
-A OUTPUT -o br0 -j fw2loc
-A OUTPUT -j common
-A OUTPUT -j reject
root@R7800:/tmp/mnt/sdb2/bolemo/scripts$ iptables -S FwBl_DROP
-N FwBl_DROP
-A FwBl_DROP -j DROP
root@R7800:/tmp/mnt/sdb2/bolemo/scripts$ ipset list -n
FwBl_BL
FwBl_WL
root@R7800:/tmp/mnt/sdb2/bolemo/scripts$ ipset list FwBl_Bl_WL
ipset v6.24: The set with the given name does not exist
root@R7800:/tmp/mnt/sdb2/bolemo/scripts$ ipset list FwBl_BL 0.0.0.0
ipset v6.24: Unknown argument 0.0.0.0
Try `ipset help' for more information.
root@R7800:/tmp/mnt/sdb2/bolemo/scripts$ nvram get wan_gateway
0.0.0.0
root@R7800:/tmp/mnt/sdb2/bolemo/scripts$ nvram get wan_netmask
0.0.0.0
> @NetBytes please use the 'Code' box in the Insert icon instead of the raw code.
Didn't know what you meant, but I found it. Edited the post to use it.
This is new ground for me; if you have the time I would like to ask a few questions.
Do I understand it correctly if this type of blocklist is like putting an open source "antivirus" on your network that blocks known malware locations?
I am sure you already wrote it somewhere but I didn't comprehend it. But as I understand it, you download blocklists? I guess it is some great people that, like you, do a lot of work and put in a lot of effort just to give other people security, and that these lists need to be updated all the time. Do you have to maintain these lists or will it update by itself from the trusted source you chose?
If you have an adblock on your router, does this differ? Is there a point to having both this and adblock with the existing lists of bad sites that some adblock lists claim they offer?
Last but not least, should a fool like me try it or is it too advanced? In English: is it easy to use?
Thank you a lot. I have tried to do some research but was left with these questions, and ask with curiosity and great respect for your work!
PS: I wait for your next release and will try it anyway
root@HERMES:~$ iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N FwBl_DROP
-N all2all
-N br0_fwd
-N br0_in
-N brwan_fwd
-N brwan_in
-N common
-N fw2loc
-N fw2net
-N icmpdef
-N igmp_fwd
-N loc2fw
-N loc2loc
-N loc2net
-N net2all
-N net2fw
-N net2loc
-N reject
-A INPUT -i brwan -m set --match-set FwBl_WL src -j ACCEPT
-A INPUT -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i host0 -j ACCEPT
-A INPUT -i LeafNets -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p ipv6 -j ACCEPT
-A INPUT -i brwan -p igmp -j ACCEPT
-A INPUT -i brwan -j brwan_in
-A INPUT -i br0 -j br0_in
-A INPUT -j common
-A INPUT -j reject
-A FORWARD -i brwan -m set --match-set FwBl_WL src -j ACCEPT
-A FORWARD -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
-A FORWARD -o brwan -m set --match-set FwBl_WL dst -j ACCEPT
-A FORWARD -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
-A FORWARD -i brwan -j brwan_fwd
-A FORWARD -i br0 -j br0_fwd
-A FORWARD -j common
-A FORWARD -j reject
-A OUTPUT -o brwan -m set --match-set FwBl_WL dst -j ACCEPT
-A OUTPUT -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o host0 -j ACCEPT
-A OUTPUT -o LeafNets -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1701 -j ACCEPT
-A OUTPUT -p ipv6 -j ACCEPT
-A OUTPUT -o brwan -p igmp -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
-A OUTPUT -o brwan -j fw2net
-A OUTPUT -o br0 -j fw2loc
-A OUTPUT -j common
-A OUTPUT -j reject
-A FwBl_DROP -j DROP
-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2all -p tcp -m state --state NEW -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j DROP
-A all2all -j common
-A all2all -j reject
-A br0_fwd -o brwan -j loc2net
-A br0_fwd -o br0 -j loc2loc
-A br0_in -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A br0_in -j loc2fw
-A brwan_fwd -o br0 -j net2loc
-A brwan_in -p icmp -m icmp --icmp-type 8 -j DROP
-A brwan_in -j net2fw
-A common -p icmp -j icmpdef
-A common -p tcp -m state --state INVALID -j DROP
-A common -p udp -m udp --dport 137:139 -j REJECT --reject-with icmp-port-unreachable
-A common -p udp -m udp --dport 445 -j REJECT --reject-with icmp-port-unreachable
-A common -p tcp -m tcp --dport 135 -j reject
-A common -p udp -m udp --dport 1900 -j DROP
-A common -d 255.255.255.255/32 -j DROP
-A common -d 224.0.0.0/4 -j DROP
-A common -p udp -m state --state NEW -m udp --sport 53 -j DROP
-A common -d 192.168.1.255/32 -j DROP
-A common -d 192.168.0.255/32 -j DROP
-A fw2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2loc -p tcp -m state --state NEW -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j DROP
-A fw2loc -j ACCEPT
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -p tcp -m state --state NEW -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j DROP
-A fw2net -p udp -m state --state NEW -m multiport --dports 520,5050,53,123,6060,67,68 -j ACCEPT
-A fw2net -p tcp -m state --state NEW -m multiport --dports 119,25,80,2345,3495,7070,20,21,5050,6060 -j ACCEPT
-A fw2net -j ACCEPT
-A icmpdef -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A igmp_fwd -d 224.0.0.0/4 -i brwan -p udp -j ACCEPT
-A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -p tcp -m state --state NEW -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j DROP
-A loc2fw -p udp -m state --state NEW -m multiport --dports 161,162 -j DROP
-A loc2fw -j ACCEPT
-A loc2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2loc -j ACCEPT
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -p tcp -m state --state NEW -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j DROP
-A loc2net -p tcp -m state --state INVALID -j DROP
Can't find library for target `TRIGGER'
-A loc2net -j TRIGGER
Sure
In a way yes.
What it does exactly is filtering (blocking) IP addresses transiting between the internet (WAN) and the local network (LAN).
Yes, the script downloads lists that the user can define in a specific file. I put some well known and maintained lists by default, they are indeed open source and documented. Any user can change, remove or add their own sources.
The lists can be updated automatically with cron. The easiest way to do that is using @kamoj's addon. I might integrate that into the script one day.
Anyway, once it is set up, it is pretty much maintenance free.
It works differently and is complementary.
Ad blocking works with http(s) protocol and dns resolution (domain names).
A firewall blocklist is blocking raw IP addresses.
The goal is slightly different, as a firewall blocklist will focus on protecting from bogus IPs, known malware servers or hacked servers, known hacking addresses... well, places you want to protect yourself from. It is possible to use a firewall blocklist for some ad blocking, but this is not the best way to do it.
An ad-blocker will focus on blocking ads.
Simple answer: they are complementary and you can use both.
I tried to make this script as user friendly as possible.
Unfortunately, it still requires a minimum of knowledge to access the router (telnet or ssh), and a USB drive named optware.
I might change the install script to allow installation without a USB drive.
Also, installation and setup is done via telnet or ssh only. One day maybe, a web interface...
You’re welcome, thank you for your interest!
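To make concrete what "downloads lists, removes duplicates, builds an ipset and swaps it" means in the answers above, here is an added POSIX shell example written for this thread; it is not the firewall-blocklist script's own code. It takes text in the same line format as the firehol `*.netset` feeds named in the update output (comment lines starting with `#`, one IPv4 address or CIDR block per line), normalises and de-duplicates the entries, counts how many addresses they cover (the "N entries blocking M ips" figure), and emits `ipset restore` input that fills a temporary set and swaps it into place. The sample list is constructed; the set parameters (`hash:net family inet hashsize 16384 maxelem 65536`) and the set name `FwBl_BL` come from the status output on the page, while the temporary set name `FwBl_BL_tmp` is an assumption. Containment reduction (a /24 inside a /8) is what the script delegates to iprange and is not done here.

```shell
#!/bin/sh
# Constructed sample list in firehol netset format (not a real feed).
SAMPLE_NETSET='# constructed example list, not a real feed
10.0.0.0/8
192.0.2.0/24
192.0.2.0/24
198.51.100.7
203.0.113.0/25
'

# Drop comments and blank lines, keep only IPv4 address/CIDR entries, give bare
# addresses a /32 and remove exact duplicates (the "Removing duplicates" step).
normalize_netset() {
  printf '%s\n' "$1" \
    | sed -e 's/#.*//' -e 's/[[:space:]]//g' \
    | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
    | sed -e '/\//!s#$#/32#' \
    | sort -u
}

# Number of distinct entries after normalisation.
count_entries() {
  normalize_netset "$1" | wc -l | tr -d ' '
}

# Number of IPv4 addresses covered: each /p block covers 2^(32-p) addresses.
# Overlapping blocks are counted twice, as they are without iprange.
count_blocked_ips() {
  total=0
  for entry in $(normalize_netset "$1"); do
    prefix=${entry#*/}
    [ "$prefix" -le 32 ] || continue   # skip malformed prefixes
    total=$(( total + (1 << (32 - prefix)) ))
  done
  echo "$total"
}

# Emit `ipset restore` input: build a temporary set, then swap it with the live
# set so the firewall never sees an empty blocklist mid-update. The live set
# (default FwBl_BL) is assumed to exist already; FwBl_BL_tmp is an assumed name.
emit_ipset_restore() {
  set_name=${2:-FwBl_BL}
  echo "create ${set_name}_tmp hash:net family inet hashsize 16384 maxelem 65536"
  normalize_netset "$1" | sed -e "s/^/add ${set_name}_tmp /"
  echo "swap ${set_name}_tmp $set_name"
  echo "destroy ${set_name}_tmp"
}

# Usage on a router would be: emit_ipset_restore "$(cat list.netset)" | ipset restore
```

The swap-and-destroy pattern is the reason the update output says "Created blocklist, swapping it": an `ipset flush` followed by thousands of `add` commands would leave the WAN unfiltered while the set refills, whereas `swap` replaces the contents atomically and the iptables rules referencing `FwBl_BL` never change.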
Sadly the setup did not work for me and I could not install iprange.
Iprange problem:
iprange does not seem to be installed.
Do you want to install iprange into internal flash (/usr/bin)? [y/n] -y
Installing iprange...
Unknown package 'iprange'.
Collected errors:
* pkg_hash_fetch_best_installation_candidate: Packages for iprange found, but incompatible with the architectures configured
* opkg_install_cmd: Cannot install package iprange.
Done!
Install info:
The script is properly installed.
- firewall-blocklist version: v3.2.0
- This is the last version.
- iprange is not installed.
"Something is not working"
firewall-blocklist v3.2.0 - Verbose mode
Initializing...
/opt/scripts/firewall-start.sh is in place and ok
Updating blocklist from sources...
- Downloading lists defined in /opt/bolemo/etc/firewall-blocklist.sources
1) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset - 100% [===================>] 38.91K --.-KB/s in 0.003s
2) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset - 100% [===================>] 274.35K --.-KB/s in 0.04s
3) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset - 100% [===================>] 258.58K --.-KB/s in 0.02s
4) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/iblocklist_ciarmy_malicious.netset 100% [===================>] 203.26K --.-KB/s in 0.01s
5) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/malwaredomainlist.ipset - 100% [===================>] 14.49K --.-KB/s in 0.02s
- iprange not installed, passing optimization and reduction process.
- Removing duplicates...
- Done.
Building ipset blocklist (45300 entries blocking 619991870 ips)...
- Created blocklist, swapping it.
- Done.
Restarting firewall...
iptables v1.4.21: mark: bad mark value for option "--mark", or out of range.
Try `iptables -h' or 'iptables --help' for more information.
grep: xregcomp: Unmatched [ or [^
grep: xregcomp: Unmatched [ or [^
grep: xregcomp: Unmatched [ or [^
grep: xregcomp: Unmatched [ or [^
grep: xregcomp: Unmatched [ or [^
- Built-in firewall restarted.
Status:
- firewall-blocklist version: v3.2.0
- iprange is not installed.
- Something is not right! Use firewall-blocklist -v status for more details
- Logging is off.
Detailed status:
- /opt/scripts/firewall-start.sh exists with correct settings.
- iptables rules are not set properly:
iptables -N FwBl_DROP
iptables -A INPUT -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
iptables -A FORWARD -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
iptables -A FORWARD -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
iptables -A OUTPUT -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
iptables -A FwBl_DROP -j DROP
- Logging is inactive.
- ipset filter (blocklist) is set: blocklist is not used by iptables
Name: FwBl_BL
Type: hash:net
Revision: 6
Header: family inet hashsize 16384 maxelem 65536
Size in memory: 998068
References: 4
Number of entries: 45300
- ipset bypass (whitelist) is not set.