Bob Brewer – Sun, 6. January 2019 19:12
Hi,
I have ported a version of the old IPCop addon 'Banish' to IPFire and use it to maintain my local blacklist. Banish was one of my favorite IPCop addons but it ceased to be maintained about 10 years ago and for later versions of IPCop I installed a locally written text version of Banish to maintain the Blacklist.
This new IPFire version restores all the original GUI functionality and is currently running on a PC Engines ‐ apu2 with IPFire 2.21 (i586) - Core Update 125.
If you would like to try this addon, I have uploaded it to https://github.com/Grantura/Banish-IPFire grab the self installing file banish-ipfire.tar-1.0.1.gz and extract it to /tmp.
The install also contains an uninstall script should you want to back out at any time.
Regards
Rob Brewer
Hi Rob,
thanks for your work. I don't know the banish addon for IPCop so I've read the readme.md on your github link.
But I don't see the advantage against the way to make firewall rules over the firewall.cgi
Please share your view of things with me.
- Daniel
Bob Brewer – Mon, 7. January 2019 11:07
Daniel Weismüller wrote:
Hi Rob,
thanks for your work. I don't know the banish addon for IPCop so I've read the readme.md on your github link.
But I don't see the advantage against the way to make firewall rules over the firewall.cgi
Please share your view of things with me.
Hi Daniel
Thank you for your interest.
I have uploaded a couple of screenshots to github showing the Banish configuration page and the Banish Log page which I hope will help to show the difference with firewall.cgi.
I have a blocklist of about 150 IP Addresses, CIDR, or fully qualified domain names which have shown themselves to be long term abusers and Banish is a very good way of managing this list.
I use Banish as part of an overall blocklist to protect my mail server from abuse. I also have an in house IPFire front end addon to Fail2ban running on the mail server which uses a dynamic blocklist for short and medium term abuse with Banish used for blocking long term abuse.
I have been using various flavors of Banish with IPCop for a number of years and find it very easy to manage my blocked resources which I think would be quite difficult if I used just firewall rules.
Rob
Hi Rob,
did you see Guardian? In my opinion it does nearly the same.
- Daniel
Daniel Weismüller wrote:
Hi Daniel,
Hi Rob,
did you see Guardian? In my opinion it does nearly the same.
I had looked at Guardian in the past but as I thought it was tied closely with snort I had not paid it much attention. I've had another look and see it has an 'Ignored Hosts' facility so I tried adding a blocking entry. I'm sure it blocks but it doesn't generate iptables rules so its operation is rather unclear to me.
Thank you for the pointer but I am much happier with the way I am familiar with, YMMV!
Kind Regards
Rob
Hi,
On 06.01.2019 19:12, Bob Brewer wrote:
Hi,
I have ported a version of the old IPCop addon 'Banish' to IPFire and use it to maintain my local blacklist. Banish was one of my favorite IPCop addons but it ceased to be maintained about 10 years ago and for later versions of IPCop I installed a locally written text version of Banish to maintain the Blacklist.
This new IPFire version restores all the original GUI functionality and is currently running on a PC Engines ‐ apu2 with IPFire 2.21 (i586) - Core Update 125.
If you would like to try this addon, I have uploaded it to https://github.com/Grantura/Banish-IPFire grab the self installing file banish-ipfire.tar-1.0.1.gz and extract it to /tmp.
The install also contains an uninstall script should you want to back out at any time. ...
Being curious - as always - I tried to install Banish on my testmachine.
But the install script has a problem:
***SNIP***
[root@ipfiretest Banish-IPFire]# ./install_Banish.sh
Starting Banish-IPFire 1.0.1 installation
Checking if files extracted to /tmp....OK!
Checking files.........................OK!
...OK!
Backing up files.....................Done!
Extracting files.....................Done!
Installing system files..............Done!
Appending to files...................Done!
Starting Banish......................./install_Banish.sh: line 258: /etc/rc.d/init.d/banish: No such file or directory
Done!
Cleaning up..........................Done!
***SNAP***
It seems that line 170 uses the wrong destination:
...
/bin/cp -p Banish/etc/rc.d/init.d/rc.banish /etc/rc.d/init.d/
...
This should have been '/etc/rc.d/init.d/banish'!?
The symlinks in line 173-175 are therefore affected, too. Banish won't start.
I corrected this manually, seems to work.
Testing...
Best, Matthias
Matthias Fischer wrote:
Being curious - as always - I tried to install Banish on my testmachine.
But the install script has a problem:
***SNIP***
[root@ipfiretest Banish-IPFire]# ./install_Banish.sh
Starting Banish-IPFire 1.0.1 installation
Checking if files extracted to /tmp....OK!
Checking files.........................OK!
...OK!
Backing up files.....................Done!
Extracting files.....................Done!
Installing system files..............Done!
Appending to files...................Done!
Starting Banish......................./install_Banish.sh: line 258: /etc/rc.d/init.d/banish: No such file or directory
Done!
Cleaning up..........................Done!
***SNAP***
It seems that line 170 uses the wrong destination:
...
/bin/cp -p Banish/etc/rc.d/init.d/rc.banish /etc/rc.d/init.d/
...
This should have been '/etc/rc.d/init.d/banish'!?
The symlinks in line 173-175 are therefore affected, too. Banish won't start.
I corrected this manually, seems to work.
Testing...
Ahhh... I made a late change to the init system and thought I had tested it out ok on my test system here before I uploaded it.
Thank you for the feedback, I'll create a corrected 0.2 version and upload it to github.
Rob
Bob Brewer wrote:
Matthias Fischer wrote:
Being curious - as always - I tried to install Banish on my testmachine.
But the install script has a problem:
***SNIP***
[root@ipfiretest Banish-IPFire]# ./install_Banish.sh
Starting Banish-IPFire 1.0.1 installation
Checking if files extracted to /tmp....OK!
Checking files.........................OK!
...OK!
Backing up files.....................Done!
Extracting files.....................Done!
Installing system files..............Done!
Appending to files...................Done!
Starting Banish......................./install_Banish.sh: line 258: /etc/rc.d/init.d/banish: No such file or directory
Done!
Cleaning up..........................Done!
***SNAP***
It seems that line 170 uses the wrong destination:
...
/bin/cp -p Banish/etc/rc.d/init.d/rc.banish /etc/rc.d/init.d/
...
This should have been '/etc/rc.d/init.d/banish'!?
The symlinks in line 173-175 are therefore affected, too. Banish won't start.
I corrected this manually, seems to work.
Testing...
Ahhh... I made a late change to the init system and thought I had tested it out ok on my test system here before I uploaded it.
Thank you for the feedback, I'll create a corrected 0.2 version and upload it to github.
Looking closer line 170 should have been:
/bin/cp -p Banish/etc/rc.d/init.d/rc.banish /etc/rc.d/init.d/rc.banish
then the symlinks would be OK
Rob
Hi,
On 07.01.2019 13:38, Bob Brewer wrote:
Bob Brewer wrote:
Matthias Fischer wrote:
... But the install script has a problem:
...
Ahhh... I made a late change to the init system and thought I had tested it out ok on my test system here before I uploaded it.
Thank you for the feedback, I'll create a corrected 0.2 version and upload it to github.
Looking closer line 170 should have been:
/bin/cp -p Banish/etc/rc.d/init.d/rc.banish /etc/rc.d/init.d/rc.banish
then the symlinks would be OK ...
Some findings:
1. For keeping the "naming conventions" in '/etc/init.d', I'd suggest to name this script just 'banish', not 'rc.banish'. This way it can be found more easily. Every other script in this dir is named according to the program it's starting/stopping...
2. With '1.0.2', installation throws no errors anymore, but I can't add any IP addresses. List stays empty. And every time 'BanishGeo.cgi' is opened, '/var/log/httpd/error_log' says:
***SNIP***
...
Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W time] [-R number] [-m flag] hostname [server]
-a is equivalent to -v -t ANY
-c specifies query class for non-IN data
-C compares SOA records on authoritative nameservers
-d is equivalent to -v
-i IP6.INT reverse lookups
-l lists all hosts in a domain, using AXFR
-m set memory debugging flag (trace|record|usage)
-N changes the number of dots allowed before root lookup is done
-r disables recursive processing
-R specifies number of retries for UDP packets
-s a SERVFAIL response should stop query
-t specifies the query type
-T enables TCP/IP mode
-v enables verbose output
-V print version number and exit
-w specifies to wait forever for a reply
-W specifies how long to wait for a reply
-4 use IPv4 query transport only
-6 use IPv6 query transport only
...
***SNAP**
It seems there are some syntax errors in 'BanishGeo.cgi' (line 773!?).
3. $Lang::tr{'apply'} - used in 'BanishGeo.cgi' line 232 - is missing in the language-files.
4. Uninstaller didn't remove '/var/ipfire/menu.d/EX-banish.menu' and 'EX-Banishlog.menu'. They're not shown anymore, but files are still there.
5. None of the given URLs is working here: http://wiki.sidsolutions.net/ => "Can't be found". http://banish.sidsolutions.net is redirected to ww2.banish.sidsolutions.net => no answer...
HTH, Matthias
Hi Matthias,
Matthias Fischer wrote:
Thank you for your response
...
Some findings:
- For keeping the "naming conventions" in '/etc/init.d', I'd suggest to name this script just 'banish', not 'rc.banish'. This way it can be found more easily. Every other script in this dir is named according to the program it's starting/stopping...
rc.banish is the original IPCop name for the init script, but I can follow convention and change it to banish.
- With '1.0.2', installation throws no errors anymore, but I can't add any IP addresses. List stays empty. And every time 'BanishGeo.cgi' is opened, '/var/log/httpd/error_log' says:
***SNIP***
...
Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W time] [-R number] [-m flag] hostname [server]
-a is equivalent to -v -t ANY
-c specifies query class for non-IN data
-C compares SOA records on authoritative nameservers
-d is equivalent to -v
-i IP6.INT reverse lookups
-l lists all hosts in a domain, using AXFR
-m set memory debugging flag (trace|record|usage)
-N changes the number of dots allowed before root lookup is done
-r disables recursive processing
-R specifies number of retries for UDP packets
-s a SERVFAIL response should stop query
-t specifies the query type
-T enables TCP/IP mode
-v enables verbose output
-V print version number and exit
-w specifies to wait forever for a reply
-W specifies how long to wait for a reply
-4 use IPv4 query transport only
-6 use IPv6 query transport only
...
***SNAP**
It seems there are some syntax errors in 'BanishGeo.cgi' (line 773!?).
After a bit of investigation, this is caused by a default blank entry creeping into the banish_config file, presumably a CR/LF that shouldn't be there. If you delete the blank line in the BanishGeo.cgi display (with the dustbin icon) all should be OK. I used a test banish_config file for my original testing and didn't see this error.
- $Lang::tr{'apply'} - used in 'BanishGeo.cgi' line 232 - is missing in the language-files.
This is a problem with the original banish distribution files. Maybe there was a translation in IPCop which IPFire doesn't have, I'll add one to these lang files if I can find the appropriate translations.
- Uninstaller didn't remove '/var/ipfire/menu.d/EX-banish.menu' and 'EX-Banishlog.menu'. They're not shown anymore, but files are still there.
Looks like I missed those in the uninstall script. I'll add them.
- None of the given URLs is working here: http://wiki.sidsolutions.net/ => "Can't be found". http://banish.sidsolutions.net is redirected to ww2.banish.sidsolutions.net => no answer...
I am aware that sidsolutions is no longer there and removed quite a lot of code with links to his site and must have missed these. Thank you for finding them.
In the original Banish there were 2 cgi control pages a Banish_Settings.cgi and the BanishGeo.cgi. For IPFire I combined the 2 pages which puts the Viewing Options box at the top of the BanishGeo.cgi page. Also in the original there were 2 optional Banish.cgi pages and the BanishGeo.cgi page was only installed if Geo::IP::PurePerl was installed. As IPFire seems to always install this I didn't bother with the non-Geo page.
HTH,
Yes it has, thank you very much for your time to look at this. Look out for 0.3 which should have the errors corrected
Matthias
As an aside I'm running Core Update 126 on my test box and noticed what I think is a typo in log.dat for the captive translation entry. I think line 84 should be:
'captive' => $Lang::tr{'Captive'}, with a capital 'C' and not:
'captive' => $Lang::tr{'captive'},
Kind Regards
Rob
On 07.01.2019 20:28, Bob Brewer wrote:
Hi Matthias,
Matthias Fischer wrote:
Thank you for your response
No problem - you're welcome... ;-)
Some findings:
- For keeping the "naming conventions" in '/etc/init.d', I'd suggest to name this script just 'banish', not 'rc.banish'. This way it can be found more easily. Every other script in this dir is named according to the program it's starting/stopping...
rc.banish is the original IPCop name for the init script, but I can follow convention and change it to banish.
For further testing, I changed the name to '/etc/init.d/banish' - and renamed the corresponding symlinks.
But still I can't add any entries. Page reloads, list stays empty. GUI stays empty and 'iptables' chains, too. Rule(s) seem(s) to be deleted right before/after adding!?
Here I tried to add '50.22.0.0/15':
...
22:08:56 banish : Remove Banish rules
22:08:56 banish : Removing Banished entries
22:08:56 banish : Load Banish rules
22:08:56 banish : Adding Banished entries to DROP
22:08:56 banish : Regel hinzugefügt: 50.22.0.0/15
22:08:56 banish : Remove Banish rules
22:08:56 banish : Removing Banished entries
22:08:56 banish : Load Banish rules
22:08:56 banish : Adding Banished entries to DROP
22:08:56 banish : Regel gelöscht:
...
For entries to add, must the testmachine be online!?
- With '1.0.2', installation throws no errors anymore, but I can't add any IP addresses. List stays empty. And every time 'BanishGeo.cgi' is opened, '/var/log/httpd/error_log' says:
***SNIP*** ... Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W time] [-R number] [-m flag] hostname [server] ... ***SNAP**
It seems there are some syntax errors in 'BanishGeo.cgi' (line 773!?).
After a bit of investigation, this is caused by a default blank entry creeping into the banish_config file, presumably a CR/LF that shouldn't be there. If you delete the blank line in the BanishGeo.cgi display (with the dustbin icon) all should be OK. I used a test banish_config file for my original testing and didn't see this error.
Ok, after deleting the empty line, this error is gone, but: see above.
- $Lang::tr{'apply'} - used in 'BanishGeo.cgi' line 232 - is missing in the language-files.
This is a problem with the original banish distribution files. Maybe there was a translation in IPCop which IPFire doesn't have, I'll add one to these lang files if I can find the appropriate translations.
- Uninstaller didn't remove '/var/ipfire/menu.d/EX-banish.menu' and 'EX-Banishlog.menu'. They're not shown anymore, but files are still there.
Looks like I missed those in the uninstall script. I'll add them.
;-)
- None of the given URLs is working here: http://wiki.sidsolutions.net/ => "Can't be found". http://banish.sidsolutions.net is redirected to ww2.banish.sidsolutions.net => no answer...
I am aware that sidsolutions is no longer there and removed quite a lot of code with links to his site and must have missed these. Thank you for finding them.
Most of them are in the language files...
Besides, all "umlauts" are looking weird in the log, as seen above:
...
21:49:50 banish : Adding Banished entries to DROP
21:49:50 banish : Regel hinzugefügt: 50.22.0.0/15
                               ^^^
...
21:50:41 banish : Regel gelöscht:
                          ^^^
...
In the original Banish there were 2 cgi control pages a Banish_Settings.cgi and the BanishGeo.cgi. For IPFire I combined the 2 pages which puts the Viewing Options box at the top of the BanishGeo.cgi page. Also in the original there were 2 optional Banish.cgi pages and the BanishGeo.cgi page was only installed if Geo::IP::PurePerl was installed. As IPFire seems to always install this I didn't bother with the non-Geo page.
HTH,
Yes it has, thank you very much for your time to look at this. Look out for 0.3 which should have the errors corrected ... As an aside I'm running Core Update 126 on my test box and noticed what I think is a typo in log.dat for the captive translation entry. I think line 84 should be:
'captive' => $Lang::tr{'Captive'}, with a capital 'C' and not:
'captive' => $Lang::tr{'captive'}, ...
It seems so. I'm running heavily tuned language files here, so I overlooked this. I'll take a look.
Best, Matthias
Matthias Fischer wrote:
But still I can't add any entries. Page reloads, list stays empty. GUI stays empty and 'iptables' chains, too. Rule(s) seem(s) to be deleted right before/after adding!?
Here I tried to add '50.22.0.0/15':
...
22:08:56 banish : Remove Banish rules
22:08:56 banish : Removing Banished entries
22:08:56 banish : Load Banish rules
22:08:56 banish : Adding Banished entries to DROP
22:08:56 banish : Regel hinzugefügt: 50.22.0.0/15
22:08:56 banish : Remove Banish rules
22:08:56 banish : Removing Banished entries
22:08:56 banish : Load Banish rules
22:08:56 banish : Adding Banished entries to DROP
22:08:56 banish : Regel gelöscht:
...
For entries to add, must the testmachine be online!?
It would seem so, my test box is connected with a static IP to the orange interface of my main IPFire box. The DNS is set to my ISP's DNS.
I tried reloading the rules with the red interface disconnected and iptables complains "iptables v1.6.2: host/network `xxx.yy.zz' not found" when trying to write rules for a FQDN. Presumably iptables needs an operating DNS to generate the rules. Other IP addresses and CIDRs seem to load OK though. Re-connecting the red interface restored functionality.
- $Lang::tr{'apply'} - used in 'BanishGeo.cgi' line 232 - is missing in the language-files.
This is a problem with the original banish distribution files. Maybe there was a translation in IPCop which IPFire doesn't have, I'll add one to these lang files if I can find the appropriate translations.
I checked /var/ipfire/langs/en.pl and there is a translation for 'apply' as: 'apply' => 'Apply now' and in de.pl as: 'apply' => 'Jetzt anwenden'. The button on the Filter rule on my box is shown as 'Apply now' so it looks like the translation is working OK here.
Besides, all "umlauts" are looking weird in the log, as seen above:
...
21:49:50 banish : Adding Banished entries to DROP
21:49:50 banish : Regel hinzugefügt: 50.22.0.0/15
                               ^^^
...
21:50:41 banish : Regel gelöscht:
                          ^^^
I think this must be an apache problem. The umlauts in the lang files display OK in a text console on my box but I don't have any umlauts in my message logs to compare. Do the words display correctly if you grep the banish entries in /var/log/messages?
'captive' => $Lang::tr{'Captive'}, with a capital 'C' and not:
It seems so. I'm running heavily tuned language files here, so I overlooked this. I'll take a look.
I see you generated a patch - glad I could help :)
I'll upload a 0.3 version with your suggestions
Regards
Rob
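Two failures diagnosed in this thread, a blank entry left in banish_config by a stray CR/LF and FQDN entries that cannot be loaded without DNS, can both be caught before any rule is written. The script below is an added example, not code from Banish or from any poster; it assumes one entry per line, and all function names and the sample data are constructed for illustration.

```shell
# Added example, not Banish code. Assumed input: one entry per line.

# Drop spaces, tabs and CR/LF so a stray line ending cannot hide an empty entry.
clean_entry() { printf '%s' "$1" | tr -d ' \t\r\n'; }

# True for a dotted quad: four octets, 0-255, no leading zeros.
is_ipv4() {
    rest=$1.; n=0
    while [ -n "$rest" ]; do
        o=${rest%%.*}; rest=${rest#*.}
        case $o in ''|*[!0-9]*|????*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# True for a hostname: >= 2 labels of [A-Za-z0-9-], 1-63 chars, no edge '-'.
is_fqdn() {
    case $1 in *[!A-Za-z0-9.-]*) return 1 ;; esac
    rest=$1.; n=0
    while [ -n "$rest" ]; do
        l=${rest%%.*}; rest=${rest#*.}
        case $l in ''|-*|*-) return 1 ;; esac
        [ "${#l}" -le 63 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -ge 2 ]
}

# classify_entry ENTRY: print blank | ipv4 | cidr | fqdn | invalid
classify_entry() {
    e=$(clean_entry "$1")
    [ -n "$e" ] || { echo blank; return 0; }
    case $e in */*)
        addr=${e%/*}; bits=${e#*/}
        # Prefix length must be 1-32; /0 would match every address.
        case $bits in ''|*[!0-9]*|???*|0*) echo invalid; return 0 ;; esac
        if [ "$bits" -le 32 ] && is_ipv4 "$addr"; then echo cidr; else echo invalid; fi
        return 0 ;;
    esac
    if is_ipv4 "$e"; then echo ipv4; return 0; fi
    # Only digits and dots but not a valid quad (e.g. 1.2.3): refuse.
    case $e in *[!0-9.]*) ;; *) echo invalid; return 0 ;; esac
    if is_fqdn "$e"; then echo fqdn; else echo invalid; fi
}

# plan_blocklist FILE: print "<kind> <entry>" for each usable line. Blank lines
# are skipped, rejected lines go to stderr; "fqdn" lines need DNS at load time.
plan_blocklist() {
    while IFS= read -r line || [ -n "$line" ]; do
        kind=$(classify_entry "$line")
        case $kind in
            blank)   continue ;;
            invalid) printf 'rejected: %s\n' "$(clean_entry "$line")" >&2 ;;
            *)       printf '%s %s\n' "$kind" "$(clean_entry "$line")" ;;
        esac
    done < "$1"
}

# Constructed sample (not a real banish_config): CR/LF, blank lines, bad values.
sample_blocklist() { printf '50.22.0.0/15\r\n\r\n192.0.2.7\nmail.example.net\n\n10.0.0.256\n192.0.2.0/33\n'; }

tmp=$(mktemp) && sample_blocklist > "$tmp" && plan_blocklist "$tmp"; rm -f "$tmp"
```

Entries tagged fqdn are the ones that depend on the resolver, since iptables resolves a hostname when the rule is added; address and CIDR entries load without DNS.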