Banish as an add-on?

Continuing the discussion from Blocking Reverse Proxys from cloudflare:


Does this have a WUI?
If so this would be great as a plugin for ipfire.

I agree. However, even in this format trying it out seems to be pretty easy.

Looking at the source tarball and reading the readme it does have a menu added to the IPFire menu system. It also has a cgi page for that menu entry. Presumably that page is where you make your selections etc.

The source file does not have a standard IPFire install.sh script so the tarball is extracted in IPFire and all the archived files are placed in their locations.
If you want to uninstall it you will have to go to each directory and delete the involved files as there is no uninstall.sh script.

The banish menu page creates an additional entry for the IPFire IP Blocklist menu, which after defining the Banish list you have to go and enable on the IP Blocklist page and then you have to go and update the Firewall Rules.

It looks close to an IPFire addon but it needs the paks files (install.sh, update.sh and uninstall.sh).
The banish github site had the last updates in Jan 2019 although the file links from @cfusco are dated end of 2022 so probably not related to what is on the github site and that makes it difficult to know what else might need to be modified by the developer to make it meet the IPFire submission requirements.

So be careful with this, you will need to manually delete all installed files if you decide to uninstall it.

When I find the time, I will test it in a cloned IPFire.

2 Likes

It would be nice to know what kind of effort is required for Banish to become an official plugin. Easily banning an ASN is an advanced feature that I feel IPFire should have.

1 Like

@helix already knows what is involved as he provided the patch submission for the IP Blocklist.

If someone else wants to support @helix then the information about what is required for submitting addons can be found here
https://wiki.ipfire.org/devel/ipfire-2-x/addon-howto

He would need to commit to providing any updates into the IPFire patch submission process and also to pick up any bug reports related to the addon. Effectively be the owner for the addon.
In the past some addons have been implemented and then the originator has stopped supporting them after a couple of updates and it has been left to one of the devs to pick up and do the work when they are not exactly sitting around with nothing to do.

I think any submission needs to convince the devs that the addon will be supported in the longer term. They will not be willing to pick it up themselves.

In terms of not getting a response from the dev mailing list one needs to remember there are around 6 or 7 core devs and there are around 200 to 300 mails per month and the devs have day jobs they need to do to pay the bills, plus work on IPFire3.x commits, plus work on maintaining the IPFire infrastructure…

If a mail does not get a response you have to give it a bit of time but then you need to chase up (politely) on it. Things can get missed at busy times.

3 Likes

I have realised that I did not read through the original mail link. There was a back and forth communication with @ms finishing with

Cool. Thank you for answering those questions for me.
Is the source available in a Git repository somewhere?

It was said that the source would be uploaded to a git repo but the info on the url for the git repo was never provided.

Also if the Grantura github repo is the one that is being used by @helix then it has not been updated since 2019 so maybe something else stopped this being pursued further in the dev mailing list by him.

1 Like

I would be quite happy to provide a git version and commit to support if I thought it would be helpful to the IPFire community but there seemed to be little interest in the tar ball of my current version of Banish.
https://people.ipfire.org/~helix/banish/Banish-002.tar.gz

Please let me know if this is incorrect and I’ll look again at adding Banish to IPFire’s git.

4 Likes

The original Grantura github pages, which contain my original version of Banish (a modified version of an old IPCop addon), have now been superseded. I have re-written most of the original version as an addon to IPFire’s IPblocklist function and it is much faster as it uses ipset instead of the original’s individual iptables entries. Check out the README at

https://people.ipfire.org/~helix/banish/README

3 Likes

As a member of the community, I appreciate your effort as it is. Having said that, if you can develop it into a full IPFire package, it would be also greatly appreciated.

2 Likes

@mumpitz
great idea :+1:
will be an interesting journey taking measures against this great example of a network effect

@helix
yes, we are just a few but we are there :person_shrugging:

Hey Rob!

I read through the README doc and some of the other links posted above and I am missing the obvious. What does Banish do in addition to ipblocklist? I feel like there is a detail I am completely overlooking. This is me:
:crazy_face:


EDIT:
I found the screenshots on github.com Grantura:

and this helps!

Can you add pics that show how new items are added/edited?

I will do everything possible and use my power to take action against this Internet monster, which wants to centralize the freedom of all users, the freedom of knowledge sharing and the freedom of communication to counter this threat.
They have quietly and hidden from normal users taken over large parts of the Internet and have proven with their behavior that this centralization bundles too much power in one person or even small group of people to be good for the general public or the freedom of the Internet.
Not to mention the privacy violations that take place here, because for a US company, every non-US citizen is a potential terrorist.
I take off the aluminum hat now.

Banish adds a new menu item to the ipblocklist page from which you can enable/disable your personal blocklist generated by the Banish configuration page in the IPFire menu.

In the Banish configuration page you can block on Autonomous System Number (ASN), IP Address, CIDR or FQDN. Just add your new rule such as xxx.xxx.xxx.xxx, xxx.xxx.xxx.0/24, xxx.xxx.xxx.0-xxx.xxx.xxx.255 or ASxxxxx to the ‘Banish Resource’ input box and a remark if required (I find it useful to add a short note such as “Port Scanner - 3/4/22”) and check ‘enabled’ and click on ‘add’. This will then be added to the ‘Current Rules’ list below.

Resources added to the ‘Current Rules’ list can be enabled, edited or removed by the 3 tick boxes on the end of the line.

The entry will become active on the next IP-blocklist update which is run every 15 minutes but make sure you have enabled BANISH in the IPblocklist menu and clicked the ‘Save’ button and ‘Apply Changes’ in the ‘Firewall Rules’ menu first. Once BANISH is enabled in the IPBlocklist menu new entries can be added or removed in the Banish menu.

Banish generates an ipset from the ‘Current Rules’ entered into the Banish menu, which is picked up as an additional blocklist by the IPBlocklist feature.

The ipsets associated with AS numbers change from time to time and will be updated when the location database is updated, which happens about once per week.

I have been using this version of Banish now for over 12 months without any problems.

Rob

5 Likes
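The rule formats described in the post above (IP address, CIDR, address range, ASN, FQDN) and the step of turning enabled rules into an ipset, shown as an added example that is not Banish's own code. It assumes IPv4 only and a hypothetical set name `BANISH_EXAMPLE`; ASN and FQDN rules are only classified and returned as deferred, since expanding them needs the location database or DNS.

```python
import ipaddress
import re

SET_NAME = "BANISH_EXAMPLE"  # hypothetical set name, not taken from Banish
ASN_RE = re.compile(r"^AS\d{1,10}$", re.I)
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def classify(resource):
    """Return (kind, networks) for one rule; networks holds IPv4 CIDRs."""
    text = resource.strip()
    if ASN_RE.match(text):
        return "asn", []  # prefixes must come from a location database lookup
    if "-" in text and "/" not in text:
        lo, _, hi = text.partition("-")
        try:
            first, last = ipaddress.IPv4Address(lo.strip()), ipaddress.IPv4Address(hi.strip())
            if first <= last:
                return "range", list(ipaddress.summarize_address_range(first, last))
        except ValueError:
            pass  # not an address range; may still be a hyphenated hostname
    try:
        # Strict parsing rejects CIDRs with host bits set, e.g. 192.0.2.1/24
        return ("cidr" if "/" in text else "ip"), [ipaddress.IPv4Network(text)]
    except ValueError:
        pass
    return ("fqdn", []) if FQDN_RE.match(text) else ("invalid", [])

def build_restore(rules):
    """rules: (resource, enabled) pairs -> (ipset restore text, deferred, rejected)."""
    nets, deferred, rejected = [], [], []
    for resource, enabled in rules:
        if not enabled:
            continue
        kind, found = classify(resource)
        if kind == "invalid":
            rejected.append(resource)
        elif kind in ("asn", "fqdn"):
            deferred.append((kind, resource.strip()))
        nets.extend(found)
    # Merge overlapping and adjacent networks so the set stays minimal
    lines = [f"create {SET_NAME} hash:net family inet"]
    lines += [f"add {SET_NAME} {net}" for net in ipaddress.collapse_addresses(nets)]
    return "\n".join(lines) + "\n", deferred, rejected

SAMPLE_RULES = [  # constructed sample using documentation ranges and ASN
    ("198.51.100.7", True), ("192.0.2.0/24", True),
    ("192.0.2.128-192.0.2.255", True), ("203.0.113.0-203.0.113.255", True),
    ("AS64496", True), ("scanner.example.net", True),
    ("192.0.2.1/24", True), ("203.0.113.9", False),
]
```

The first value returned by `build_restore(SAMPLE_RULES)` is text in the format `ipset restore` reads; the malformed `192.0.2.1/24` rule is reported in the rejected list instead of being silently widened to the whole /24.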

Granted, this is an advanced feature, but in my opinion it is a must-have for a firewall distro like IPFire. It is also a well designed UI which makes it user friendly and allows blocking ASN identifiers, which otherwise is quite a laborious process. Congratulations for this excellent work. Much appreciated.

4 Likes

Great work @helix :+1:

2 Likes