From 3351b6f5f77dc5811dc08406a4187a7e2228f591 Mon Sep 17 00:00:00 2001 From: bolemo Date: Thu, 30 Apr 2020 10:50:03 +0200 Subject: [PATCH 01/23] Update firewall-blocklist --- firewall-blocklist | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/firewall-blocklist b/firewall-blocklist index 9b66906..2db07de 100644 --- a/firewall-blocklist +++ b/firewall-blocklist @@ -32,7 +32,7 @@ if [ "$1" ] && [ "$1" = "_fws" ]; then fi # checking if WAN gateway is in blocklist - if ipset -q test "$IPSET_NAME" "$WAN_GATEWAY" + if [ "$WAN_GATEWAY" != '0.0.0.0' ] && ipset -q test "$IPSET_NAME" "$WAN_GATEWAY" then WGW_IN_BL='y' else WGW_IN_BL='' fi From bfcda7bd24fc64612734c6160853e24dccfad20a Mon Sep 17 00:00:00 2001 From: bolemo Date: Thu, 30 Apr 2020 10:50:46 +0200 Subject: [PATCH 02/23] Update firewall-blocklist --- firewall-blocklist | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/firewall-blocklist b/firewall-blocklist index 2db07de..c88f11f 100644 --- a/firewall-blocklist +++ b/firewall-blocklist @@ -99,7 +99,7 @@ if [ "$1" ] && [ "$1" = "_fws" ]; then exit 0 fi -SC_VERS="v3.1.0" +SC_VERS="v3.1.1" SC_PATH="$(cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P)" IPR_BIN="$(command -v iprange)" # IPT_MD5 & IPT_MD5_NO_WL depends on IPTBL_NAME, IPSET_NAME and IPSET_WL_NAME From ceade120c057a704d7c99c8defcb0eaa130642cd Mon Sep 17 00:00:00 2001 From: bolemo Date: Thu, 30 Apr 2020 10:58:49 +0200 Subject: [PATCH 03/23] Update firewall-blocklist --- firewall-blocklist | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/firewall-blocklist b/firewall-blocklist index c88f11f..7dec76c 100644 --- a/firewall-blocklist +++ b/firewall-blocklist @@ -11,7 +11,7 @@ IP_LIST="$ROOT_DIR/etc/$SC_NAME.netset" INFO_FILE="/tmp/${SC_ABR}_status" WAN_GATEWAY="$(nvram get wan_gateway)" WAN_NETMASK="$(nvram get wan_netmask)" - +WAN_GATEWAY='0.0.0.0' #we are called from firewall_start.sh if [ "$1" ] && [ "$1" = "_fws" ]; then date > "$INFO_FILE" 
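Review bot: The added `WAN_GATEWAY='0.0.0.0'` line unconditionally overwrites the value read by `nvram get wan_gateway` two lines above, so with this commit applied the gateway-in-blocklist test in the `_fws` path never runs and the gateway is never whitelisted. This looks like a local test override that was committed by accident; PATCH 04 on this page removes it again, but a hard-coded toggle like this should not reach the script at all. If a forced value is useful for testing, take it from an environment override instead, e.g. `WAN_GATEWAY="${WAN_GATEWAY_OVERRIDE:-$(nvram get wan_gateway)}"`, so the default path still reads nvram.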
@@ -340,11 +340,15 @@ status() { # check ipset whitelist STAT_IPS_WL="$(ipset -q list $IPSET_WL_NAME -t)" - # check WAN gateway in ipset blocklist - ipset -q test "$IPSET_NAME" "$WAN_GATEWAY" && STAT_GW_IN_BL='y' || STAT_GW_IN_BL='' - - # check WAN gatewan in ipset whitelist - ipset -q test "$IPSET_WL_NAME" "$WAN_GATEWAY" && STAT_GW_IN_WL='y' || STAT_GW_IN_WL='' + if [ "$WAN_GATEWAY" = '0.0.0.0' ]; then + STAT_GW_IN_BL=''; STAT_GW_IN_WL='' + else + # check WAN gateway in ipset blocklist + ipset -q test "$IPSET_NAME" "$WAN_GATEWAY" && STAT_GW_IN_BL='y' || STAT_GW_IN_BL='' + + # check WAN gatewan in ipset whitelist + ipset -q test "$IPSET_WL_NAME" "$WAN_GATEWAY" && STAT_GW_IN_WL='y' || STAT_GW_IN_WL='' + fi # master check if [ "$STAT_IPT_MATCH_WL" -a "$STAT_IPS" -a "$STAT_IPS_WL" -a "$STAT_GW_IN_BL" -a "$STAT_GW_IN_WL" -a "$STAT_FWS" ]; then From 9ac0fdb68ce6c2f79bb4ccc9ffc59d360e51fa20 Mon Sep 17 00:00:00 2001 From: bolemo Date: Thu, 30 Apr 2020 11:00:19 +0200 Subject: [PATCH 04/23] Update firewall-blocklist --- firewall-blocklist | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/firewall-blocklist b/firewall-blocklist index 7dec76c..639c628 100644 --- a/firewall-blocklist +++ b/firewall-blocklist @@ -11,7 +11,7 @@ IP_LIST="$ROOT_DIR/etc/$SC_NAME.netset" INFO_FILE="/tmp/${SC_ABR}_status" WAN_GATEWAY="$(nvram get wan_gateway)" WAN_NETMASK="$(nvram get wan_netmask)" -WAN_GATEWAY='0.0.0.0' + #we are called from firewall_start.sh if [ "$1" ] && [ "$1" = "_fws" ]; then date > "$INFO_FILE" From 00afb26c71a6461b9efb0d1cc8ee945e8ed27e5c Mon Sep 17 00:00:00 2001 From: bolemo Date: Thu, 30 Apr 2020 12:41:52 +0200 Subject: [PATCH 05/23] Update firewall-blocklist --- firewall-blocklist | 82 +++++++++++++++++++++++++++++++--------------- 1 file changed, 55 insertions(+), 27 deletions(-) diff --git a/firewall-blocklist b/firewall-blocklist index 639c628..d6ac517 100644 --- a/firewall-blocklist +++ b/firewall-blocklist 
@@ -8,6 +8,7 @@ IPSET_NAME="${SC_ABR}_BL" IPSET_WL_NAME="${SC_ABR}_WL" ROOT_DIR="/opt/bolemo" IP_LIST="$ROOT_DIR/etc/$SC_NAME.netset" +WL_FILE="$ROOT_DIR/etc/${SC_NAME}_wl.netset" INFO_FILE="/tmp/${SC_ABR}_status" WAN_GATEWAY="$(nvram get wan_gateway)" WAN_NETMASK="$(nvram get wan_netmask)" @@ -19,7 +20,7 @@ if [ "$1" ] && [ "$1" = "_fws" ]; then echo -n 'ips: ' >> "$INFO_FILE" # creating ipset blocklist if needed if ! ipset -q -n list "$IPSET_NAME">/dev/null; then - if [ -r $IP_LIST ]; then + if [ -r "$IP_LIST" ]; then # netset file exists, so creating blocklist ipset from it echo -e "create $IPSET_NAME hash:net family inet\n$(sed "s/^/add $IPSET_NAME /" "$IP_LIST")" | ipset restore echo -n 'BL(load)' >> "$INFO_FILE" @@ -37,7 +38,25 @@ if [ "$1" ] && [ "$1" = "_fws" ]; then else WGW_IN_BL='' fi - # creating whitelist if WAN gateway is in blocklist + # creating ipset whitelist if needed + if ! ipset -q -n list "$IPSET_WL_NAME">/dev/null; then + if [ -r "$WL_FILE" ]; then + # netset file exists, so creating whitelist ipset from it + echo -e "create $IPSET_WL_NAME hash:net family inet\n$(sed "s/^/add $IPSET_WL_NAME /" "$WL_FILE")" | ipset restore + echo -n '+WL(load)' >> "$INFO_FILE" + elif [ "$WGW_IN_BL" ]; then + # no netset file, creating empty whitelist ipset because needed for WAN gateway + ipset -q create "$IPSET_WL_NAME" hash:net family inet + echo -n '+WL(new)' >> "$INFO_FILE" + else + # no need for whitelist, just destroy if exists + ipset -q destroy "$IPSET_WL_NAME" + echo '' >> "$INFO_FILE" + fi + else echo -n '+WL(keep)' >> "$INFO_FILE" + fi + + # if needed, adding WAN gateway to whitelist if [ "$WGW_IN_BL" ]; then # Calculate WAN_RANGE (IP & CIDR) _CIDR=0 
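Review bot: The exit status of `ipset restore` in the new `[ -r "$WL_FILE" ]` branch is ignored and `+WL(load)` is appended to the status file regardless, so a malformed line in the whitelist netset (restore stops at the first error) leaves a partially loaded set while the status file claims a successful load, and any later `--match-set "$IPSET_WL_NAME"` rule may not behave as expected. Record the outcome on the same line: `... | ipset restore || echo -n '(FAILED)' >> "$INFO_FILE"`. The blocklist branch a few lines above has the same unchecked restore, with the more serious consequence of a silently incomplete blocklist. The `_fws` block this sits in continues outside the hunk.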
@@ -46,24 +65,8 @@ if [ "$1" ] && [ "$1" = "_fws" ]; then let _CIDR+=${#_BINBITS} done WAN_RANGE="$WAN_GATEWAY/$_CIDR" - if ipset -q -n list "$IPSET_WL_NAME">/dev/null; then - # whitelist ipset is already here, make new one and swap - ipset -q destroy "$IPSET_TMP" - ipset -q create "$IPSET_TMP" hash:net family inet maxelem 1 - ipset -q add "$IPSET_TMP" "$WAN_RANGE" - ipset -q swap "$IPSET_WL_NAME" "$IPSET_TMP" - ipset -q destroy "$IPSET_TMP" - echo '+WL(swap)' >> "$INFO_FILE" - else - # whitelist ipset is not here, just create - ipset -q create "$IPSET_WL_NAME" hash:net family inet maxelem 1 - ipset -q add "$IPSET_WL_NAME" "$WAN_RANGE" - echo '+WL(new)' >> "$INFO_FILE" - fi - else - # no need for whitelist, just destroy if exists - ipset -q destroy "$IPSET_WL_NAME" - echo '' >> "$INFO_FILE" + ipset -q add "$IPSET_WL_NAME" "$WAN_RANGE" + echo '(+gw)' >> "$INFO_FILE" fi echo -n 'ipt: ' >> "$INFO_FILE" @@ -99,7 +102,7 @@ if [ "$1" ] && [ "$1" = "_fws" ]; then exit 0 fi -SC_VERS="v3.1.1" +SC_VERS="v3.2.0" SC_PATH="$(cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P)" IPR_BIN="$(command -v iprange)" # IPT_MD5 & IPT_MD5_NO_WL depends on IPTBL_NAME, IPSET_NAME and IPSET_WL_NAME @@ -108,7 +111,8 @@ IPT_MD5_NO_WL="c0b6a9d32801426ed8daf3d936c1eefb -" IPSET_TMP="${IPSET_NAME}_tmp" SC_NICEPATH="$ROOT_DIR/scripts/$SC_NAME" SRC_LIST="$ROOT_DIR/etc/$SC_NAME.sources" -CUST_IP_LIST="$ROOT_DIR/etc/$SC_NAME.custom.netset" +CUST_BL_FILE="$ROOT_DIR/etc/$SC_NAME.custom_bl.netset" +CUST_WL_FILE="$ROOT_DIR/etc/$SC_NAME.custom_wl.netset" TMP_FILE="/tmp/$SC_NAME.tmp" FWS_DIR="/opt/scripts" FWS_FILE="$FWS_DIR/firewall-start.sh" 
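Review bot: `ipset -q add "$IPSET_WL_NAME" "$WAN_RANGE"` whitelists the whole WAN subnet derived from `wan_netmask`, not just the gateway, and because the whitelist rules are ACCEPTs inserted ahead of the blocklist jump, every address in that subnet bypasses the blocklist — on an ISP segment with a short prefix that is a large number of hosts that the lists flagged for a reason. Typically only the gateway itself needs to be reachable for routing to work (a DHCP server elsewhere in the segment would be the exception), so `ipset -q add "$IPSET_WL_NAME" "$WAN_GATEWAY"` (a /32 entry) would close most of the hole; if bypassing the subnet is intentional, a comment stating why belongs here. The add's result is also unchecked, so if the whitelist set could not be created the gateway silently stays blocked. The surrounding `_fws` block continues outside the hunk.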
@@ -296,9 +300,9 @@ update_iplist() { [ $_NBOK = 0 ] && { >&2 echo -e "\033[31m! Could not get any list!\033[0m"; rm "$TMP_FILE"; exit 1; } [ $_NBOK = $_TOT ] || >&2 echo -e "\033[31m! Downloaded only $_NBOK / $_TOT list(s)!\033[0m" } - if [ -r $CUST_IP_LIST ]; then - [ "$VERBOSE" ] && echo "- Adding netset from custom list ($CUST_IP_LIST)" - grep '^[0-9]' "$CUST_IP_LIST" | sed -e 's/;.*//' >>"$TMP_FILE" + if [ -r $CUST_BL_FILE ]; then + [ "$VERBOSE" ] && echo "- Adding netset from custom list ($CUST_BL_FILE)" + grep '^[0-9]' "$CUST_BL_FILE" | sed -e 's/;.*//' >>"$TMP_FILE" fi if [ -x "$IPR_BIN" ]; then [ "$VERBOSE" ] && echo "- Optimizing and reducing netset (using iprange)..." @@ -309,6 +313,24 @@ update_iplist() { fi rm "$TMP_FILE" [ "$VERBOSE" ] && echo "- Done." + + # processing whitelist if any + if [ -r $CUST_WL_FILE ]; then + [ "$VERBOSE" ] && echo -e "\033[1;36mGenerating whitelist from custom list...\033[0m" + grep '^[0-9]' "$CUST_WL_FILE" | sed -e 's/;.*//' >"$TMP_FILE" + + if [ -x "$IPR_BIN" ]; then + [ "$VERBOSE" ] && echo "- Optimizing and reducing netset (using iprange)..." + $IPR_BIN "$TMP_FILE" --ipset-reduce 20 > "$WL_FILE" + else + [ "$VERBOSE" ] && echo -e "- iprange not installed, passing optimization and reduction process.\n- Removing duplicates..." + sort "$TMP_FILE" | uniq > "$WL_FILE" + fi + rm "$TMP_FILE" + [ "$VERBOSE" ] && echo "- Done." + else + rm "$WL_FILE" 2>/dev/null + fi } status() { 
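Review bot: Renaming the custom list to `$CUST_BL_FILE` means an existing `firewall-blocklist.custom.netset` is silently no longer merged into the blocklist after an upgrade — the user's own entries stop being blocked with no message. A one-line warning when the old file is still present would make that visible: `[ -e "$ROOT_DIR/etc/$SC_NAME.custom.netset" ] && >&2 echo "! $SC_NAME.custom.netset is no longer read; rename it to ${CUST_BL_FILE##*/}"`. The test `[ -r $CUST_BL_FILE ]` should also quote its operand like the other file tests in this commit. update_iplist continues outside the hunk.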
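Review bot: The whitelist generator copies every line starting with a digit into `$TMP_FILE` after stripping only `;` comments, so a trailing `#` comment or trailing whitespace on a custom entry reaches the `add $IPSET_WL_NAME ...` lines built from `$WL_FILE` unchanged and, as far as I can tell, makes `ipset restore` abort on that line. Since this file feeds ACCEPT rules that sit ahead of the blocklist, it deserves stricter normalisation than the blocklist path copied here: `grep '^[0-9]' "$CUST_WL_FILE" | sed -e 's/[;#].*//' -e 's/[[:space:]]*$//' >"$TMP_FILE"`. The fixed `/tmp/$SC_NAME.tmp` name is also a predictable path in a shared directory; on a single-user router that is mostly theoretical, but `mktemp` would remove the concern. update_iplist continues outside the hunk.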
@@ -351,8 +373,14 @@ status() { fi # master check - if [ "$STAT_IPT_MATCH_WL" -a "$STAT_IPS" -a "$STAT_IPS_WL" -a "$STAT_GW_IN_BL" -a "$STAT_GW_IN_WL" -a "$STAT_FWS" ]; then - echo -e "- Firewall blocklist is set and active.\n- Filtering $(count_ip_in_ipset $IPSET_NAME) IP adresses.\n- Bypassing $(count_ip_in_ipset $IPSET_WL_NAME) IP adresses (WAN gateway and its subnet)." + if [ "$STAT_IPT_MATCH_WL" -a "$STAT_IPS" -a "$STAT_IPS_WL" -a "$STAT_FWS" ]; then + if [ "$STAT_GW_IN_BL" -a "$STAT_GW_IN_WL" ]; then + echo -e "- Firewall blocklist is set and active.\n- Filtering $(count_ip_in_ipset $IPSET_NAME) IP adresses.\n- Bypassing $(count_ip_in_ipset $IPSET_WL_NAME) IP adresses (including WAN gateway and its subnet)." + elif [ -z "$STAT_GW_IN_BL$STAT_GW_IN_WL" ]; then + echo -e "- Firewall blocklist is set and active.\n- Filtering $(count_ip_in_ipset $IPSET_NAME) IP adresses.\n- Bypassing $(count_ip_in_ipset $IPSET_WL_NAME) IP adresses." + else + echo -e "- \033[1;31mSomething is not right with the WAN gateway bypass!\033[0m Use $SC_NAME -v status for more details" + fi elif [ "$STAT_IPT_MATCH_NOWL" -a "$STAT_IPS" -a "$STAT_FWS" -a ! "$STAT_GW_IN_BL" ]; then echo -e "- Firewall blocklist is set and active.\n- Filtering $(count_ip_in_ipset $IPSET_NAME) IP adresses." elif [ -z "$STAT_IPT$STAT_IPS$STAT_IPS_WL$STAT_FWS" ]; then From 05b5903b8d4a0d54bd57e947a7b0d503775389b2 Mon Sep 17 00:00:00 2001 From: bolemo Date: Thu, 30 Apr 2020 12:43:49 +0200 Subject: [PATCH 06/23] Update firewall-blocklist --- firewall-blocklist | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/firewall-blocklist b/firewall-blocklist index d6ac517..f133926 100644 --- a/firewall-blocklist +++ b/firewall-blocklist 
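Review bot: The new else branch reports "Something is not right with the WAN gateway bypass" whenever exactly one of `STAT_GW_IN_BL`/`STAT_GW_IN_WL` is set, but a gateway that is in the whitelist without being in the blocklist (for example covered by the user's custom whitelist) is a valid state and is flagged as an error here. The only problematic combination is in-blocklist-and-not-in-whitelist, so `if [ "$STAT_GW_IN_BL" ] && [ ! "$STAT_GW_IN_WL" ]; then` should select the error message, the "including WAN gateway" message when `STAT_GW_IN_BL` is set, and the plain message otherwise. `-a` inside `[ ]` is also deprecated/ambiguous; separate tests joined with `&&` are the safer form. status() continues outside the hunk.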
@@ -8,7 +8,7 @@ IPSET_NAME="${SC_ABR}_BL" IPSET_WL_NAME="${SC_ABR}_WL" ROOT_DIR="/opt/bolemo" IP_LIST="$ROOT_DIR/etc/$SC_NAME.netset" -WL_FILE="$ROOT_DIR/etc/${SC_NAME}_wl.netset" +WL_FILE="$ROOT_DIR/etc/${SC_NAME}-wl.netset" INFO_FILE="/tmp/${SC_ABR}_status" WAN_GATEWAY="$(nvram get wan_gateway)" WAN_NETMASK="$(nvram get wan_netmask)" @@ -111,8 +111,8 @@ IPT_MD5_NO_WL="c0b6a9d32801426ed8daf3d936c1eefb -" IPSET_TMP="${IPSET_NAME}_tmp" SC_NICEPATH="$ROOT_DIR/scripts/$SC_NAME" SRC_LIST="$ROOT_DIR/etc/$SC_NAME.sources" -CUST_BL_FILE="$ROOT_DIR/etc/$SC_NAME.custom_bl.netset" -CUST_WL_FILE="$ROOT_DIR/etc/$SC_NAME.custom_wl.netset" +CUST_BL_FILE="$ROOT_DIR/etc/$SC_NAME.custom-bl.netset" +CUST_WL_FILE="$ROOT_DIR/etc/$SC_NAME.custom-wl.netset" TMP_FILE="/tmp/$SC_NAME.tmp" FWS_DIR="/opt/scripts" FWS_FILE="$FWS_DIR/firewall-start.sh" From 9be2fcd4cb5ce86b5699f612f40668169af3070a Mon Sep 17 00:00:00 2001 From: bolemo Date: Thu, 30 Apr 2020 13:08:22 +0200 Subject: [PATCH 07/23] Update firewall-blocklist --- firewall-blocklist | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/firewall-blocklist b/firewall-blocklist index f133926..7733a54 100644 --- a/firewall-blocklist +++ b/firewall-blocklist @@ -34,8 +34,14 @@ if [ "$1" ] && [ "$1" = "_fws" ]; then # checking if WAN gateway is in blocklist if [ "$WAN_GATEWAY" != '0.0.0.0' ] && ipset -q test "$IPSET_NAME" "$WAN_GATEWAY" - then WGW_IN_BL='y' - else WGW_IN_BL='' + then + WGW_IN_BL='y' + if ipset -q test "$IPSET_WL_NAME" "$WAN_GATEWAY"; + then WGW_IN_WL='y'; + else WGW_IN_WL=''; + fi + else + WGW_IN_BL='' fi # creating ipset whitelist if needed @@ -57,7 +63,7 @@ if [ "$1" ] && [ "$1" = "_fws" ]; then fi # if needed, adding WAN gateway to whitelist - if [ "$WGW_IN_BL" ]; then + if [ "$WGW_IN_BL" ] && [ ! "$WGW_IN_WL" ]; then # Calculate WAN_RANGE (IP & CIDR) _CIDR=0 for _OCTET in $(echo "$WAN_NETMASK"| sed 's/\./ /g'); do From 9e7ee18bec05f4e876a6180cc758fa6a58f388df Mon Sep 17 00:00:00 2001 
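Review bot: `WGW_IN_WL` is only assigned inside the gateway-in-blocklist branch and is tested against the whitelist set before that set is (re)created from `$WL_FILE` in the "creating ipset whitelist if needed" block that follows, so on a cold firewall start the test always fails and the subnet entry is added even when the user's whitelist already covers the gateway (the duplicate add then fails quietly under `-q`, as I read it). Initialise it alongside `WGW_IN_BL=''` in the else branch so the later `[ ! "$WGW_IN_WL" ]` check does not rely on an unset variable, and move the whitelist test after the set-creation block so it reflects what is actually loaded. The `_fws` block continues outside the hunk.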
From: bolemo Date: Thu, 30 Apr 2020 13:15:26 +0200 Subject: [PATCH 08/23] Update firewall-blocklist --- firewall-blocklist | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/firewall-blocklist b/firewall-blocklist index 7733a54..328a26b 100644 --- a/firewall-blocklist +++ b/firewall-blocklist @@ -57,7 +57,6 @@ if [ "$1" ] && [ "$1" = "_fws" ]; then else # no need for whitelist, just destroy if exists ipset -q destroy "$IPSET_WL_NAME" - echo '' >> "$INFO_FILE" fi else echo -n '+WL(keep)' >> "$INFO_FILE" fi @@ -72,9 +71,11 @@ if [ "$1" ] && [ "$1" = "_fws" ]; then done WAN_RANGE="$WAN_GATEWAY/$_CIDR" ipset -q add "$IPSET_WL_NAME" "$WAN_RANGE" - echo '(+gw)' >> "$INFO_FILE" + echo -n '(+gw)' >> "$INFO_FILE" fi + echo '' >> "$INFO_FILE" + echo -n 'ipt: ' >> "$INFO_FILE" #checking if IPTBL_NAME is already set (should not); if it is, exit iptables -L "$IPTBL_NAME" >/dev/null 2>/dev/null && { echo "keep!" >> "$INFO_FILE"; exit 1; } From 926b9e49c45032732ec665c8e3aa8dfed9299088 Mon Sep 17 00:00:00 2001 From: bolemo Date: Thu, 30 Apr 2020 13:18:56 +0200 Subject: [PATCH 09/23] Update firewall-blocklist --- firewall-blocklist | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/firewall-blocklist b/firewall-blocklist index 328a26b..0dd8dd1 100644 --- a/firewall-blocklist +++ b/firewall-blocklist @@ -36,9 +36,9 @@ if [ "$1" ] && [ "$1" = "_fws" ]; then if [ "$WAN_GATEWAY" != '0.0.0.0' ] && ipset -q test "$IPSET_NAME" "$WAN_GATEWAY" then WGW_IN_BL='y' - if ipset -q test "$IPSET_WL_NAME" "$WAN_GATEWAY"; - then WGW_IN_WL='y'; - else WGW_IN_WL=''; + if ipset -q test "$IPSET_WL_NAME" "$WAN_GATEWAY" + then WGW_IN_WL='y' + else WGW_IN_WL='' fi else WGW_IN_BL='' From 4bbf133a60410233dcafd523eedbfa252907b6e7 Mon Sep 17 00:00:00 2001 From: bolemo Date: Thu, 30 Apr 2020 13:29:39 +0200 Subject: [PATCH 10/23] Update firewall-blocklist --- firewall-blocklist | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) 
diff --git a/firewall-blocklist b/firewall-blocklist index 0dd8dd1..de62b6b 100644 --- a/firewall-blocklist +++ b/firewall-blocklist @@ -284,6 +284,23 @@ set_ipset() { ipset swap $IPSET_NAME $IPSET_TMP ipset destroy $IPSET_TMP [ "$VERBOSE" ] && echo "- Done." + + # whitelist + if [ -r $WL_FILE ]; then + if [ "$VERBOSE" ]; then + MAX="$(wc -l < $WL_FILE)" + NUM_IP="$(count_ip_in_file $WL_FILE)" + echo -e "\033[1;36mBuilding ipset whitelist ($MAX entries bypassing $NUM_IP ips)...\033[0m" + fi + + echo -e "create $IPSET_TMP hash:net family inet\n$(sed "s/^/add $IPSET_TMP /" $WL_FILE)" | ipset restore + [ "$VERBOSE" ] && echo "- Created whitelist, swapping it." + ipset swap $IPSET_WL_NAME $IPSET_TMP + ipset destroy $IPSET_TMP + [ "$VERBOSE" ] && echo "- Done." + else + ipset -q destroy $IPSET_WL_NAME + fi } update_iplist() { From 6d1ad8a37c57c5baaa9baaef8085c2bb3cd5b852 Mon Sep 17 00:00:00 2001 From: bolemo Date: Thu, 30 Apr 2020 13:37:07 +0200 Subject: [PATCH 11/23] Update firewall-blocklist --- firewall-blocklist | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/firewall-blocklist b/firewall-blocklist index de62b6b..0ae88b0 100644 --- a/firewall-blocklist +++ b/firewall-blocklist @@ -299,7 +299,7 @@ set_ipset() { ipset destroy $IPSET_TMP [ "$VERBOSE" ] && echo "- Done." else - ipset -q destroy $IPSET_WL_NAME + ipset -q destroy "$IPSET_WL_NAME" fi } From 929ba24e21a1593b2c4935c5c34800c5a99e9aed Mon Sep 17 00:00:00 2001 From: bolemo Date: Thu, 30 Apr 2020 13:41:20 +0200 Subject: [PATCH 12/23] Update firewall-blocklist --- firewall-blocklist | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/firewall-blocklist b/firewall-blocklist index 0ae88b0..8c8faea 100644 --- a/firewall-blocklist +++ b/firewall-blocklist 
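Review bot: The whitelist build pipes `create $IPSET_TMP ...` into `ipset restore` without first removing a leftover `$IPSET_TMP` — the same temporary name the blocklist build just above uses — so if an earlier run died between its create and destroy, the `create` errors out, the restore aborts, the following `swap`/`destroy` fail, and the previous whitelist stays in place while `- Done.` is printed. The `_fws` code removed in PATCH 05 did `ipset -q destroy "$IPSET_TMP"` before creating; the same guard belongs here, right before the `echo -e ... | ipset restore`. `$WL_FILE` and `$IPSET_TMP` should also be quoted as elsewhere in the script. set_ipset starts before the hunk.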
@@ -261,17 +261,17 @@ clean() { fi /usr/sbin/net-wall restart > /dev/null [ "$VERBOSE" ] && echo "- Built-in firewall restarted." - ipset -q destroy $IPSET_NAME - ipset -q destroy $IPSET_WL_NAME - ipset -q destroy $IPSET_TMP + ipset -q destroy "$IPSET_NAME" + ipset -q destroy "$IPSET_WL_NAME" + ipset -q destroy "$IPSET_TMP" [ "$VERBOSE" ] && echo "- Cleaned ipsets." - [ -e $TMP_FILE ] && rm $TMP_FILE + [ -e "$TMP_FILE" ] && rm "$TMP_FILE" nvram unset log_firewall_blocklist [ "$VERBOSE" ] && echo -e "- Removed temporary files.\n- Cleaning done." } set_ipset() { - [ -r $IP_LIST ] || { >&2 echo -e "\033[31m! $IP_LIST not readable!\033[0m"; exit 1; } + [ -r "$IP_LIST" ] || { >&2 echo -e "\033[31m! $IP_LIST not readable!\033[0m"; exit 1; } if [ "$VERBOSE" ]; then MAX="$(wc -l < $IP_LIST)" @@ -299,7 +299,7 @@ set_ipset() { ipset destroy $IPSET_TMP [ "$VERBOSE" ] && echo "- Done." else - ipset -q destroy "$IPSET_WL_NAME" + ipset -q destroy "$IPSET_WL_NAME" 2>/dev/null fi } From b87b64e1328b2407f8107eb42d482e242386411c Mon Sep 17 00:00:00 2001 From: bolemo Date: Thu, 30 Apr 2020 13:45:32 +0200 Subject: [PATCH 13/23] Update firewall-blocklist --- firewall-blocklist | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/firewall-blocklist b/firewall-blocklist index 8c8faea..4f1bbd2 100644 --- a/firewall-blocklist +++ b/firewall-blocklist @@ -109,7 +109,7 @@ if [ "$1" ] && [ "$1" = "_fws" ]; then exit 0 fi -SC_VERS="v3.2.0" +SC_VERS="v3.2.1" SC_PATH="$(cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P)" IPR_BIN="$(command -v iprange)" # IPT_MD5 & IPT_MD5_NO_WL depends on IPTBL_NAME, IPSET_NAME and IPSET_WL_NAME @@ -259,6 +259,7 @@ clean() { [ "$VERBOSE" ] && echo "- $FWS_FILE has no other rules; removed it." fi fi + rm "$INFO_FILE" 2>/dev/null /usr/sbin/net-wall restart > /dev/null [ "$VERBOSE" ] && echo "- Built-in firewall restarted." ipset -q destroy "$IPSET_NAME" 
@@ -299,7 +300,7 @@ set_ipset() { ipset destroy $IPSET_TMP [ "$VERBOSE" ] && echo "- Done." else - ipset -q destroy "$IPSET_WL_NAME" 2>/dev/null + ipset -q destroy "$IPSET_WL_NAME" >/dev/null fi } From 1918ddd7a949afcbfa5f5c713ec64fe305bb6e61 Mon Sep 17 00:00:00 2001 From: bolemo Date: Thu, 30 Apr 2020 13:57:06 +0200 Subject: [PATCH 14/23] Update firewall-blocklist --- firewall-blocklist | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/firewall-blocklist b/firewall-blocklist index 4f1bbd2..c8f6f6b 100644 --- a/firewall-blocklist +++ b/firewall-blocklist @@ -280,10 +280,15 @@ set_ipset() { echo -e "\033[1;36mBuilding ipset blocklist ($MAX entries blocking $NUM_IP ips)...\033[0m" fi - echo -e "create $IPSET_TMP hash:net family inet\n$(sed "s/^/add $IPSET_TMP /" $IP_LIST)" | ipset restore - [ "$VERBOSE" ] && echo "- Created blocklist, swapping it." - ipset swap $IPSET_NAME $IPSET_TMP - ipset destroy $IPSET_TMP + if ipset -q list -n "$IPSET_NAME">/dev/null; then + echo -e "create $IPSET_TMP hash:net family inet\n$(sed "s/^/add $IPSET_TMP /" $IP_LIST)" | ipset restore + [ "$VERBOSE" ] && echo "- Created blocklist, swapping it." + ipset swap "$IPSET_NAME" "$IPSET_TMP" + ipset destroy $IPSET_TMP + else + echo -e "create $IPSET_NAME hash:net family inet\n$(sed "s/^/add $IPSET_NAME /" $IP_LIST)" | ipset restore + [ "$VERBOSE" ] && echo "- Created blocklist." + fi [ "$VERBOSE" ] && echo "- Done." # whitelist 
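Review bot: Neither `ipset restore` call in the new if/else checks its exit status: in the swap branch a failed restore leaves the stale `$IPSET_NAME` active while `- Created blocklist, swapping it.` and `- Done.` are printed, and in the else branch restore executes line by line, so `$IPSET_NAME` has already been created before a bad line aborts it and a partially loaded set persists that the next firewall start then keeps (`BL(keep)`). Make the failure visible and fatal on both calls, e.g. `... | ipset restore || { >&2 echo -e "\033[31m! Building $IPSET_NAME failed!\033[0m"; exit 1; }`, and quote `$IP_LIST`/`$IPSET_TMP` as the rest of this commit does. set_ipset continues past the hunk.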
@@ -294,13 +299,18 @@ set_ipset() { echo -e "\033[1;36mBuilding ipset whitelist ($MAX entries bypassing $NUM_IP ips)...\033[0m" fi - echo -e "create $IPSET_TMP hash:net family inet\n$(sed "s/^/add $IPSET_TMP /" $WL_FILE)" | ipset restore - [ "$VERBOSE" ] && echo "- Created whitelist, swapping it." - ipset swap $IPSET_WL_NAME $IPSET_TMP - ipset destroy $IPSET_TMP + if ipset -q list -n "$IPSET_WL_NAME">/dev/null; then + echo -e "create $IPSET_TMP hash:net family inet\n$(sed "s/^/add $IPSET_TMP /" $WL_FILE)" | ipset restore + [ "$VERBOSE" ] && echo "- Created whitelist, swapping it." + ipset swap $IPSET_WL_NAME $IPSET_TMP + ipset destroy $IPSET_TMP + else + echo -e "create $IPSET_WL_NAME hash:net family inet\n$(sed "s/^/add $IPSET_WL_NAME /" $WL_FILE)" | ipset restore + [ "$VERBOSE" ] && echo "- Created whitelist." + fi [ "$VERBOSE" ] && echo "- Done." else - ipset -q destroy "$IPSET_WL_NAME" >/dev/null + ipset -q destroy "$IPSET_WL_NAME" fi } From 0007a994de0ed729440312f8a45a78c6e0681608 Mon Sep 17 00:00:00 2001 From: bolemo Date: Thu, 30 Apr 2020 13:59:49 +0200 Subject: [PATCH 15/23] Update firewall-blocklist --- firewall-blocklist | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/firewall-blocklist b/firewall-blocklist index c8f6f6b..8648bc0 100644 --- a/firewall-blocklist +++ b/firewall-blocklist @@ -15,7 +15,7 @@ WAN_NETMASK="$(nvram get wan_netmask)" #we are called from firewall_start.sh if [ "$1" ] && [ "$1" = "_fws" ]; then - date > "$INFO_FILE" + /bin/date > "$INFO_FILE" echo -n 'ips: ' >> "$INFO_FILE" # creating ipset blocklist if needed @@ -109,7 +109,7 @@ if [ "$1" ] && [ "$1" = "_fws" ]; then exit 0 fi -SC_VERS="v3.2.1" +SC_VERS="v3.2.0" SC_PATH="$(cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P)" IPR_BIN="$(command -v iprange)" # IPT_MD5 & IPT_MD5_NO_WL depends on IPTBL_NAME, IPSET_NAME and IPSET_WL_NAME From 4b5be2c302f9a58c9e34b9875eeab98e2faa13e0 Mon Sep 17 00:00:00 2001 
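Review bot: The else branch's `ipset -q destroy "$IPSET_WL_NAME"` runs while the ACCEPT rules referencing the set may still be installed (for `load_set` the firewall restart follows set_ipset, per the usage text), and ipset refuses to destroy a set a rule references, so with `-q` the failure is silent; at the next firewall start the `_fws` path then finds the set, reports `WL(keep)` and reinstalls the whitelist rules — removing the custom whitelist file therefore does not remove the stale bypass entries, as I read it. Flush before destroying so the entries are gone even when the set object survives: `ipset -q flush "$IPSET_WL_NAME"; ipset -q destroy "$IPSET_WL_NAME"`. Dropping the set itself has to happen after the restart, which is the order clean() uses. set_ipset starts before the hunk.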
From: bolemo Date: Thu, 30 Apr 2020 14:14:32 +0200 Subject: [PATCH 16/23] Update firewall-blocklist --- firewall-blocklist | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/firewall-blocklist b/firewall-blocklist index 8648bc0..75a7c87 100644 --- a/firewall-blocklist +++ b/firewall-blocklist @@ -44,6 +44,7 @@ if [ "$1" ] && [ "$1" = "_fws" ]; then WGW_IN_BL='' fi + NO_WL='' # creating ipset whitelist if needed if ! ipset -q -n list "$IPSET_WL_NAME">/dev/null; then if [ -r "$WL_FILE" ]; then @@ -57,6 +58,7 @@ if [ "$1" ] && [ "$1" = "_fws" ]; then else # no need for whitelist, just destroy if exists ipset -q destroy "$IPSET_WL_NAME" + NO_WL='y' fi else echo -n '+WL(keep)' >> "$INFO_FILE" fi @@ -86,7 +88,14 @@ if [ "$1" ] && [ "$1" = "_fws" ]; then iptables -A "$IPTBL_NAME" -j DROP # creating the required iptables - if [ "$WGW_IN_BL" ]; then + if [ "$NO_WL" ]; then + # creating iptables without whitelist + iptables -I INPUT 1 -i brwan -m set --match-set "$IPSET_NAME" src -j $IPTBL_NAME + iptables -I OUTPUT 1 -o brwan -m set --match-set "$IPSET_NAME" dst -j $IPTBL_NAME + iptables -I FORWARD 1 -i brwan -m set --match-set "$IPSET_NAME" src -j $IPTBL_NAME + iptables -I FORWARD 2 -o brwan -m set --match-set "$IPSET_NAME" dst -j $IPTBL_NAME + echo 'BL' >> "$INFO_FILE" + else # creating iptables with whitelist iptables -I INPUT 1 -i brwan -m set --match-set "$IPSET_WL_NAME" src -j ACCEPT iptables -I INPUT 2 -i brwan -m set --match-set "$IPSET_NAME" src -j $IPTBL_NAME 
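Review bot: `NO_WL` is set only on the branch that intentionally destroyed the whitelist set, so the rule selection does not reflect whether the set actually exists: if the `ipset restore` from `$WL_FILE` failed (its status is unchecked), `NO_WL` stays empty, every `--match-set "$IPSET_WL_NAME"` insert fails, the blocklist inserts land one position off, and the status file still records `BL+WL`. Deriving the flag from live state immediately before the rules — `ipset -q -n list "$IPSET_WL_NAME" >/dev/null || NO_WL='y'` — keeps the rule set consistent with what is loaded, and a failed `iptables` call should mark the status file rather than be ignored. The `_fws` block starts before and ends after the hunk.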
@@ -97,13 +106,6 @@ if [ "$1" ] && [ "$1" = "_fws" ]; then iptables -I FORWARD 3 -o brwan -m set --match-set "$IPSET_WL_NAME" dst -j ACCEPT iptables -I FORWARD 4 -o brwan -m set --match-set "$IPSET_NAME" dst -j $IPTBL_NAME echo 'BL+WL' >> "$INFO_FILE" - else - # creating iptables without whitelist - iptables -I INPUT 1 -i brwan -m set --match-set "$IPSET_NAME" src -j $IPTBL_NAME - iptables -I OUTPUT 1 -o brwan -m set --match-set "$IPSET_NAME" dst -j $IPTBL_NAME - iptables -I FORWARD 1 -i brwan -m set --match-set "$IPSET_NAME" src -j $IPTBL_NAME - iptables -I FORWARD 2 -o brwan -m set --match-set "$IPSET_NAME" dst -j $IPTBL_NAME - echo 'BL' >> "$INFO_FILE" fi exit 0 From 4e567083cc9a000a98e00bd485951a311423c39d Mon Sep 17 00:00:00 2001 From: bolemo Date: Thu, 30 Apr 2020 14:20:36 +0200 Subject: [PATCH 17/23] Update firewall-blocklist --- firewall-blocklist | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/firewall-blocklist b/firewall-blocklist index 75a7c87..225bf3c 100644 --- a/firewall-blocklist +++ b/firewall-blocklist @@ -468,7 +468,7 @@ status() { [ "$STAT_GW_IN_BL" ] && _CLR='\033[36m' || _CLR='\033[31m' if [ "$STAT_GW_IN_WL" ] then echo -e " ${_CLR}WAN gateway ($WAN_GATEWAY) is in whitelist\033[0m" - else echo -e " \033[31mWAN gateway ($WAN_GATEWAY) is NOT in whitelist!\033[0m" + elif [ "$STAT_GW_IN_BL" ] echo -e " \033[31mWAN gateway ($WAN_GATEWAY) is NOT in whitelist!\033[0m" fi echo -e "\033[35m$STAT_IPS_WL\033[0m" | sed -e 's/^/ /g' else From 26e84547532b5b9ecc48f441842e686a854fa967 Mon Sep 17 00:00:00 2001 From: bolemo Date: Thu, 30 Apr 2020 14:23:03 +0200 Subject: [PATCH 18/23] Update firewall-blocklist --- firewall-blocklist | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/firewall-blocklist b/firewall-blocklist index 225bf3c..4253905 100644 --- a/firewall-blocklist +++ b/firewall-blocklist 
@@ -468,7 +468,7 @@ status() { [ "$STAT_GW_IN_BL" ] && _CLR='\033[36m' || _CLR='\033[31m' if [ "$STAT_GW_IN_WL" ] then echo -e " ${_CLR}WAN gateway ($WAN_GATEWAY) is in whitelist\033[0m" - elif [ "$STAT_GW_IN_BL" ] echo -e " \033[31mWAN gateway ($WAN_GATEWAY) is NOT in whitelist!\033[0m" + elif [ "$STAT_GW_IN_BL" ]; then echo -e " \033[31mWAN gateway ($WAN_GATEWAY) is NOT in whitelist!\033[0m" fi echo -e "\033[35m$STAT_IPS_WL\033[0m" | sed -e 's/^/ /g' else From 7eb12d75716c4b6a5524deeb4e123caff6ad7f45 Mon Sep 17 00:00:00 2001 From: bolemo Date: Thu, 30 Apr 2020 14:36:56 +0200 Subject: [PATCH 19/23] Update firewall-blocklist --- firewall-blocklist | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/firewall-blocklist b/firewall-blocklist index 4253905..a22f77f 100644 --- a/firewall-blocklist +++ b/firewall-blocklist @@ -294,7 +294,7 @@ set_ipset() { [ "$VERBOSE" ] && echo "- Done." # whitelist - if [ -r $WL_FILE ]; then + if [ -s $WL_FILE ]; then if [ "$VERBOSE" ]; then MAX="$(wc -l < $WL_FILE)" NUM_IP="$(count_ip_in_file $WL_FILE)" 
@@ -356,12 +356,15 @@ update_iplist() { [ "$VERBOSE" ] && echo -e "\033[1;36mGenerating whitelist from custom list...\033[0m" grep '^[0-9]' "$CUST_WL_FILE" | sed -e 's/;.*//' >"$TMP_FILE" - if [ -x "$IPR_BIN" ]; then - [ "$VERBOSE" ] && echo "- Optimizing and reducing netset (using iprange)..." - $IPR_BIN "$TMP_FILE" --ipset-reduce 20 > "$WL_FILE" - else - [ "$VERBOSE" ] && echo -e "- iprange not installed, passing optimization and reduction process.\n- Removing duplicates..." - sort "$TMP_FILE" | uniq > "$WL_FILE" + if [ -s "$TMP_FILE" ]; then + if [ -x "$IPR_BIN" ]; then + [ "$VERBOSE" ] && echo "- Optimizing and reducing netset (using iprange)..." + $IPR_BIN "$TMP_FILE" --ipset-reduce 20 > "$WL_FILE" + else + [ "$VERBOSE" ] && echo -e "- iprange not installed, passing optimization and reduction process.\n- Removing duplicates..." + sort "$TMP_FILE" | uniq > "$WL_FILE" + fi + else echo '- No IP set found.' fi rm "$TMP_FILE" [ "$VERBOSE" ] && echo "- Done." From 2760d7ac9fba6ae48f0a64ff38e2972127657b46 Mon Sep 17 00:00:00 2001 From: bolemo Date: Thu, 30 Apr 2020 14:51:21 +0200 Subject: [PATCH 20/23] Update firewall-blocklist --- firewall-blocklist | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/firewall-blocklist b/firewall-blocklist index a22f77f..384fe09 100644 --- a/firewall-blocklist +++ b/firewall-blocklist @@ -7,7 +7,7 @@ IPTBL_NAME="${SC_ABR}_DROP" IPSET_NAME="${SC_ABR}_BL" IPSET_WL_NAME="${SC_ABR}_WL" ROOT_DIR="/opt/bolemo" -IP_LIST="$ROOT_DIR/etc/$SC_NAME.netset" +IP_LIST="$ROOT_DIR/etc/${SC_NAME}-bl.netset" WL_FILE="$ROOT_DIR/etc/${SC_NAME}-wl.netset" INFO_FILE="/tmp/${SC_ABR}_status" WAN_GATEWAY="$(nvram get wan_gateway)" From afd583c2131a0ab54c01e6790cf458d92afea87c Mon Sep 17 00:00:00 2001 From: bolemo Date: Thu, 30 Apr 2020 15:03:24 +0200 Subject: [PATCH 21/23] Update firewall-blocklist --- firewall-blocklist | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) 
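Review bot: When the custom whitelist exists but yields no entries, the new `[ -s "$TMP_FILE" ]` else branch only prints `- No IP set found.` and leaves the previously generated `$WL_FILE` untouched, so commenting out every entry does not clear the whitelist — set_ipset still loads the old bypass list on the next `load_set`. Mirror the missing-file branch: `else echo '- No IP set found.'; rm "$WL_FILE" 2>/dev/null`. That message is also printed unconditionally while every neighbouring message is gated on `[ "$VERBOSE" ]`. update_iplist continues outside the hunk.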
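Review bot: Changing `IP_LIST` to `${SC_NAME}-bl.netset` means an installation upgraded in place still has its blocklist in `firewall-blocklist.netset`, which is now never read; at the next firewall start the `_fws` path finds no readable netset, creates an empty blocklist set (`BL(new)`) and the router runs unfiltered until the user runs `update`. The README change in PATCH 23 only advises running `clean` then `update`; the script could migrate the file itself, e.g. `[ -r "$ROOT_DIR/etc/$SC_NAME.netset" ] && [ ! -e "$IP_LIST" ] && mv "$ROOT_DIR/etc/$SC_NAME.netset" "$IP_LIST"` next to this definition, or at least have `status` warn when the old file is present. The variable block continues outside the hunk.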
diff --git a/firewall-blocklist b/firewall-blocklist index 384fe09..45e54ac 100644 --- a/firewall-blocklist +++ b/firewall-blocklist @@ -23,11 +23,11 @@ if [ "$1" ] && [ "$1" = "_fws" ]; then if [ -r "$IP_LIST" ]; then # netset file exists, so creating blocklist ipset from it echo -e "create $IPSET_NAME hash:net family inet\n$(sed "s/^/add $IPSET_NAME /" "$IP_LIST")" | ipset restore - echo -n 'BL(load)' >> "$INFO_FILE" + echo -n 'BL(+load)' >> "$INFO_FILE" else # no netset file, creating empty blocklist ipset ipset -q create "$IPSET_NAME" hash:net family inet - echo -n 'BL(new)' >> "$INFO_FILE" + echo -n 'BL(+new)' >> "$INFO_FILE" fi else echo -n 'BL(keep)' >> "$INFO_FILE" fi @@ -36,6 +36,7 @@ if [ "$1" ] && [ "$1" = "_fws" ]; then if [ "$WAN_GATEWAY" != '0.0.0.0' ] && ipset -q test "$IPSET_NAME" "$WAN_GATEWAY" then WGW_IN_BL='y' + echo -n '(gw)' >> "$INFO_FILE" if ipset -q test "$IPSET_WL_NAME" "$WAN_GATEWAY" then WGW_IN_WL='y' else WGW_IN_WL='' @@ -64,7 +65,9 @@ if [ "$1" ] && [ "$1" = "_fws" ]; then fi # if needed, adding WAN gateway to whitelist - if [ "$WGW_IN_BL" ] && [ ! "$WGW_IN_WL" ]; then + [ "$WGW_IN_BL" ] && if [ "$WGW_IN_WL" ]; then + echo -n '(gw)' >> "$INFO_FILE" + else # Calculate WAN_RANGE (IP & CIDR) _CIDR=0 for _OCTET in $(echo "$WAN_NETMASK"| sed 's/\./ /g'); do From 4fa0b7528f642a517f55079362bec9e580ec5398 Mon Sep 17 00:00:00 2001 From: bolemo Date: Thu, 30 Apr 2020 15:08:18 +0200 Subject: [PATCH 22/23] Update firewall-blocklist --- firewall-blocklist | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/firewall-blocklist b/firewall-blocklist index 45e54ac..4e69041 100644 --- a/firewall-blocklist +++ b/firewall-blocklist 
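Review bot: `[ "$WGW_IN_BL" ] && if [ "$WGW_IN_WL" ]; then ... else ... fi` is valid shell but unusual: the `&&` gates a whole compound command, and the closing `fi` (outside the hunk) now reads as if it belonged to a plain `if`. The same logic in the form used elsewhere in this script is `if [ "$WGW_IN_BL" ] && [ "$WGW_IN_WL" ]; then echo -n '(gw)' >> "$INFO_FILE"; elif [ "$WGW_IN_BL" ]; then` followed by the existing range calculation. With the `(gw)` marker also emitted in the `WGW_IN_BL='y'` branch earlier in this commit, the status line shows it twice when the gateway is already whitelisted; if that is intended, a short comment saying the first marks the blocklist hit and the second the whitelist would help.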
@@ -51,17 +51,17 @@ if [ "$1" ] && [ "$1" = "_fws" ]; then if [ -r "$WL_FILE" ]; then # netset file exists, so creating whitelist ipset from it echo -e "create $IPSET_WL_NAME hash:net family inet\n$(sed "s/^/add $IPSET_WL_NAME /" "$WL_FILE")" | ipset restore - echo -n '+WL(load)' >> "$INFO_FILE" + echo -n '/WL(+load)' >> "$INFO_FILE" elif [ "$WGW_IN_BL" ]; then # no netset file, creating empty whitelist ipset because needed for WAN gateway ipset -q create "$IPSET_WL_NAME" hash:net family inet - echo -n '+WL(new)' >> "$INFO_FILE" + echo -n '/WL(+new)' >> "$INFO_FILE" else # no need for whitelist, just destroy if exists ipset -q destroy "$IPSET_WL_NAME" NO_WL='y' fi - else echo -n '+WL(keep)' >> "$INFO_FILE" + else echo -n '/WL(keep)' >> "$INFO_FILE" fi # if needed, adding WAN gateway to whitelist @@ -108,7 +108,7 @@ if [ "$1" ] && [ "$1" = "_fws" ]; then iptables -I FORWARD 2 -i brwan -m set --match-set "$IPSET_NAME" src -j $IPTBL_NAME iptables -I FORWARD 3 -o brwan -m set --match-set "$IPSET_WL_NAME" dst -j ACCEPT iptables -I FORWARD 4 -o brwan -m set --match-set "$IPSET_NAME" dst -j $IPTBL_NAME - echo 'BL+WL' >> "$INFO_FILE" + echo 'BL/WL' >> "$INFO_FILE" fi exit 0 From 30ae3b4b4e1cf9ab70df68715c24342dc29cc615 Mon Sep 17 00:00:00 2001 From: bolemo Date: Thu, 30 Apr 2020 15:40:33 +0200 Subject: [PATCH 23/23] Update README.md --- README.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 02f2d57..e3ba32a 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ Firewall blocklist script for Netgear R7800 Router with Voxel firmware. Should work with several other Netgear routers as well. ## Version -3.1.0 +3.2.0 ## Prerequisite * You need to have Voxel's Firmware: https://www.voxel-firmware.com 
@@ -14,7 +14,7 @@ Should work with several other Netgear routers as well. ## Install * Connect to router's terminal with ssh or telnet * Go to the attached drive (USB): `cd /mnt/optware/` (or change optware by the mountpoint of your drive) -* Copy and paste the following command: `wget -qO- https://github.com/bolemo/firewall-blocklist/archive/v3.1.0.tar.gz | tar xzf - --one-top-level=fbl --strip-components 1` +* Copy and paste the following command: `wget -qO- https://github.com/bolemo/firewall-blocklist/archive/v3.2.0.tar.gz | tar xzf - --one-top-level=fbl --strip-components 1` * Make install script executable: `chmod +x fbl/install.sh` * Run install script: `fbl/install.sh` * Answer `y` if you want to install iprange 
@@ -35,13 +35,15 @@ Since version 2, you do not need to go through the whole installation process to The comnand `/opt/bolemo/scripts/firewall-blocklist info` will show the installed version and the latest version available online. The `/opt/bolemo/scripts/firewall-blocklist upgrade` command will also show installed and latest version available and ask if you want to upgrade if the online version is different than the one installed. +After an upgrade, it is strongly advised to perform `/opt/bolemo/scripts/firewall-blocklist clean` then `/opt/bolemo/scripts/firewall-blocklist update` + ## Usage Usage: `/opt/bolemo/scripts/firewall-blocklist COMMAND [OPTION(S)]` ### Valid commands (only one): * `restart` - setup ipset and iptables then restarts internal firewall -* `update_set` - generates `firewall-blocklist.netset` from servers in `firewall-blocklist.sources` -* `load_set` - loads `firewall-blocklist.netset` into ipset then restarts internal firewall +* `update_set` - generates `firewall-blocklist-bl.netset` from servers in `firewall-blocklist.sources` +* `load_set` - loads `firewall-blocklist-bl.netset` into ipset then restarts internal firewall * `update` - update_set then load_set [probably what you want to use] * `clean` - clean ipset and iptables rules from setup created by this script * `help` - displays help 
@@ -59,7 +61,9 @@ The file `/opt/bolemo/etc/firewall-blocklist.sources` contains the list of serve You can find a lot of lists on internet. One great source are the lists from FireHOL: http://iplists.firehol.org/ -Since version 3.1, you can have your own custom list of IPs or netsets (IPs with cidr netmask): just create a file named `firewall-blocklist.custom.netset` in `/opt/bolemo/etc/` with your own list. Next tile you will perform a `firewall-blocklist update`, it will integrate your custom list to the master blocklist. +Since version 3.1, you can have your own custom blacklist of IPs or netsets (IPs with cidr netmask): just create a file named `firewall-blocklist.custom-bl.netset` in `/opt/bolemo/etc/` with your own list. Next tile you will perform a `firewall-blocklist update`, it will integrate your custom list to the master blocklist. + +Since version 3.2, you can have your own custom whitelist of IPs or netsets (IPs with cidr netmask): just create a file named `firewall-blocklist.custom-wl.netset` in `/opt/bolemo/etc/` with your own list. Next tile you will perform a `firewall-blocklist update`, it will integrate your custom list to the master whitelist. ## Logging ### Enabling