Closed gsanchietti closed 2 months ago
Testing image version: 8-23.05.3-ns.0.0.5-rc2-37-g9791e89
Almost everything is perfect. Now the banip configuration is correctly created based on the interfaces configuration; I created and removed WAN interfaces many times and the config file is always correct:
root@NethSec-Z1:~# uci show banip
banip.global=banip
banip.global.ban_enabled='1'
banip.global.ban_debug='0'
banip.global.ban_autodetect='0'
banip.global.ban_logterm='Exit before auth from' 'luci: failed login' 'error: maximum authentication attempts exceeded' 'sshd.*Connection closed by.*\[preauth\]' 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress=' 'received a suspicious remote IP '\''.*'\'''
banip.global.ban_fetchcmd='curl'
banip.global.ban_protov4='1'
banip.global.ban_ifv4='WAN1' 'WAN2' 'WAN3'
banip.global.ban_ifv6='WAN1' 'WAN2' 'WAN3'
banip.global.ban_trigger='WAN1' 'WAN2' 'WAN3'
banip.global.ban_dev='eth1' 'eth2' 'eth3'
Unfortunately nft rules are not updated after WAN creation/deletion, this means that this section:
chain wan-input {
.
.
iifname != { "eth1", "eth3" } counter packets 0 bytes 0 accept
remains the same after WAN creation/deletion even if banip database has changed.
A command like /etc/init.d/banip restart is necessary to fix the nft part; a simple banip reload seems not to work.
Testing image version: 8-23.05.3-ns.0.0.5-rc2-49-g4387921
Testing image version: 8-23.05.3-ns.0.0.5-rc2-51-gab0415e
Everything works as expected.
There is an issue with the autodetection feature in BanIP, especially in the presence of multi-WAN setups. The autodetection of WAN interfaces does not always work correctly.
Steps to reproduce
Expected behavior
The autodetection feature should accurately identify all WAN interfaces and devices used for monitoring, ensuring that blocklists are applied correctly on all WANs.
Actual behavior
Autodetection may fail to identify all WAN interfaces and devices accurately, leading to incomplete blocklist application on certain WANs.
Check the wan-input banip chain: the line containing the iifname directive should check all existing WANs.
Components
NethSecurity version: 8-23.05.3-ns.0.0.5-rc2-9-gb67b1d3
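The mismatch described in the first test comment (ban_dev lists eth1, eth2, eth3 while the wan-input chain only matches eth1 and eth3) and in the issue body above can be detected with a small drift check. The script below is an added example, not code from the issue or from the NethSecurity/banIP projects: it parses a constructed copy of the uci ban_dev line and of the stale nft rule quoted above and reports the devices that banip is configured to watch but that the chain does not cover. On a live system the two sample strings would be replaced by the output of uci get banip.global.ban_dev and of nft list chain (the table and family names, assumed here to be inet banip, are not stated on the page).

```shell
#!/bin/sh
# Added example (not part of the issue or the banIP/NethSecurity code):
# compare the devices banip is configured to monitor (ban_dev) with the
# devices actually present in the iifname set of the wan-input chain.

# Constructed sample: the ban_dev line as printed by `uci show banip` in the issue
UCI_BAN_DEV="banip.global.ban_dev='eth1' 'eth2' 'eth3'"
# Constructed sample: the stale rule from the wan-input chain in the issue
NFT_RULE='iifname != { "eth1", "eth3" } counter packets 0 bytes 0 accept'

# Device names from a uci ban_dev line, one per line, sorted.
uci_devs() {
    printf '%s\n' "$1" | sed 's/^[^=]*=//' | tr -d "'" | tr ' ' '\n' | grep -v '^$' | sort
}

# Device names from the iifname set of an nft rule, one per line, sorted.
nft_devs() {
    printf '%s\n' "$1" \
        | sed -n 's/.*iifname != {\([^}]*\)}.*/\1/p' \
        | tr -d '" ' | tr ',' '\n' | grep -v '^$' | sort
}

# Devices listed in ban_dev but missing from the nft rule, one per line.
missing_devs() {
    nft_list=$(nft_devs "$2")
    for d in $(uci_devs "$1"); do
        printf '%s\n' "$nft_list" | grep -qx "$d" || printf '%s\n' "$d"
    done
}

# Returns 0 when the chain covers every ban_dev device, 1 otherwise.
check_banip_sync() {
    missing=$(missing_devs "$1" "$2")
    if [ -z "$missing" ]; then
        echo "wan-input chain matches banip.global.ban_dev"
        return 0
    fi
    echo "devices in ban_dev but absent from the wan-input chain: $(printf '%s' "$missing" | tr '\n' ' ')"
    echo "a restart (/etc/init.d/banip restart) was needed in the issue to regenerate the rules"
    return 1
}

# Stand-alone run on the constructed samples; on a router replace them with
# (assumed table/family name):
#   UCI_BAN_DEV=$(uci show banip.global.ban_dev)
#   NFT_RULE=$(nft list chain inet banip wan-input | grep 'iifname !=')
check_banip_sync "$UCI_BAN_DEV" "$NFT_RULE"
```

Running it on the samples reports eth2 as missing, which is exactly the drift the test comment observed after adding a WAN; with a rule that lists all three devices the check returns 0, which makes it usable as a post-change sanity check or a periodic cron test.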