
P2Partisan [v5.14/v6.07] mass IP blocking - peerblock/peerguardian for tomato

Discussion in 'Tomato Firmware' started by rs232, Oct 11, 2013.

  1. rs232

    rs232 Network Guru Member

    P2Partisan works with unwanted IPs, whereas these lists are unwanted FQDNs.

    Or, said in other words: blocking IPs is a job for ipset/iptables, whereas blocking domains is a dnsmasq job.

    Have a look at the great adblock script, perhaps it's worth asking the same question in that thread?

    :)
    rs232
     
  2. miodzicho

    miodzicho Network Newbie Member

    Code:
    ### PREPARATION ###
    loading modules
    ###########################################
    ATTENTION: ipset not found! Please check if
    your tomato release has support for ipset
    ###########################################
    loading ports 21,25,80,123,443,993,1194:1197,1194,1195,1723 exemption
    ### WHITELIST ###
    loading the whitelist
    Preparing the whitelist for the iptables
    ### BLACKLISTs ###
    loading blacklist #1 --> ***level1***
    P2PARTISAN: ... P2Partisan started.
    P2PARTISAN:
    It appears like you don't have a log-async parameter
    in your dnsmasq config. This is strongly suggested
    due to the amount of logs involved. please consider
    adding the following command under Advanced/DHCP/DNS
    /Dnsmasq Custom configuration
    
    log-async=10
    
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    All above is first run on fresh rebooted Asus Merlin
    -------------------------------------------------------------------------


    Code:
    yyyy@hedgehog:/tmp/mnt/sda1/p2partisan# ./p2partisan.sh update
    P2PARTISAN: P2Partisan AUTO UPDATE is OFF
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    P2PARTISAN: Stopping P2Partisan
    P2PARTISAN: P2Partisan AUTO UPDATE is ON
    ### PREPARATION ###
    loading modules
    Loading the ipset module
    loading ports 21,25,80,123,443,993,1194:1197,1194,1195,1723 exemption
    ### WHITELIST ###
    loading the whitelist
    Preparing the whitelist for the iptables
    ### BLACKLISTs ###
    loading blacklist #1 --> ***level1***
    P2PARTISAN: ... P2Partisan started.
    P2PARTISAN:
    It appears like you don't have a log-async parameter
    in your dnsmasq config. This is strongly suggested
    due to the amount of logs involved. please consider
    adding the following command under Advanced/DHCP/DNS
    /Dnsmasq Custom configuration
    
    log-async=10
    
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    It doesn't seem to be working...
    Any help please?


    And some troubleshooting below:

    Code:
    yyyyy@hedgehog:/tmp/mnt/sda1/p2partisan# ./p2partisan.sh status
    tail: can't open '/var/log/messages': No such file or directory
    tail: no files
    ### P2Partisan status ####################################
            P2Partisan running: Yes
            P2Partisan autorun: No
            P2Partisan scheduled: Yes
    ### Last log recorded ####################################
    Remember your max logs per hour is set to: 6
    
    ##########################################################
    yyyy@hedgehog:/tmp/mnt/sda1/p2partisan# iptables -L INPUT -v | grep P2PARTISAN
    yyyyy@hedgehog:/tmp/mnt/sda1/p2partisan# iptables -L P2PARTISAN -v
    iptables: No chain/target/match by that name.
    yyyyy@hedgehog:/tmp/mnt/sda1/p2partisan#
     
  3. rs232

    rs232 Network Guru Member

    Hi, interesting...

    Can you please let us know:

    - what tomato version you are running exactly (mod + release number)?
    - Can you confirm you have ipset (just type ipset --help)
    - The output of the "lsmod" command
    - The "can't open '/var/log/messages': No such file or directory" surprises me. Do you have logging enabled on your system (Administration/Logging)? And/or do you have a custom log file set other than /var/log/messages?
    That file must exist.

    P.S.
    - The "iptables -L P2PARTISAN -v" is wrong; there's no such table on v2.x (P2PARTISAN-IN, P2PARTISAN-OUT and P2PARTISAN-DROP are the ones)

    let me know...
    rs232
     
  4. miodzicho

    miodzicho Network Newbie Member

    Sure, it is not Tomato; it is Asus Merlin.
    Code:
     ipset --help
    ipset v4.5
    
    Usage: ipset -N new-set settype [options]
    
    Code:
    lsmod
    Module                  Size  Used by    Tainted: P
    ip_set                 12034  0
    tun                    12723  4
    ebt_ip                  1440  8
    ebtable_filter          1203  1
    ebtables               16318  1 ebtable_filter
    nf_nat_sip              5586  0
    nf_conntrack_sip       16679  1 nf_nat_sip
    nf_nat_h323             5137  0
    nf_conntrack_h323      34844  1 nf_nat_h323
    nf_nat_rtsp             3400  0
    nf_conntrack_rtsp       4268  1 nf_nat_rtsp
    nf_nat_ftp              1314  0
    nf_conntrack_ftp        5131  1 nf_nat_ftp
    ip6table_filter          893  0
    ip6table_mangle         1093  0
    nls_cp437               4643  1
    sr_mod                 11507  0
    cdrom                  33318  1 sr_mod
    cdc_ncm                 7026  0
    rndis_host              5193  0
    cdc_ether               3224  1 rndis_host
    asix                   11629  0
    usbnet                 12057  4 cdc_ncm,rndis_host,cdc_ether,asix
    mii                     3484  2 asix,usbnet
    usblp                   9354  0
    ohci_hcd               19288  0
    ehci_hcd               34220  0
    xhci_hcd               53350  0
    ufsd                  595355  0
    jnl                    27931  1 ufsd
    ext2                   55581  0
    ext4                  234233  0
    jbd2                   52386  1 ext4
    crc16                   1081  1 ext4
    ext3                  113117  0
    jbd                    45524  1 ext3
    mbcache                 5156  3 ext2,ext4,ext3
    usb_storage            34163  1
    sg                     21138  0
    sd_mod                 23159  2
    scsi_wait_scan           502  0
    scsi_mod              114857  4 sr_mod,usb_storage,sg,sd_mod
    usbcore               108178 11 cdc_ncm,rndis_host,cdc_ether,asix,usbnet,usblp,ohci_hcd,ehci_hcd,xhci_hcd,usb_storage
    jffs2                  94871  1
    zlib_deflate           19990  1 jffs2
    nf_nat_pptp             1796  0
    nf_conntrack_pptp       3739  1 nf_nat_pptp
    nf_nat_proto_gre        1047  1 nf_nat_pptp
    nf_conntrack_proto_gre     3499  1 nf_conntrack_pptp
    wl                   3955084  0
    igs                    12935  1 wl
    emf                    16229  2 wl,igs
    et                     63892  0
    ctf                    17519  0
    
    Code:
     ls /var/log/
    commit_ret
    
    Code:
     iptables -L P2PARTISAN_IN -v
    iptables: No chain/target/match by that name.
    
    That's all, I think.
     
  5. rs232

    rs232 Network Guru Member

    This script is for Tomato; if you're not on Tomato, this is not supported.

    Having said that: try to change the line:

    Code:
    ipset_test=`lsmod | grep "ipt_set" | wc -l`
    into

    Code:
    ipset_test=`lsmod | grep "ip_set" | wc -l`
    As you don't have a logfile, try to set the logfile option to "0" at the beginning of the file.

    If you really want this to work out of the box, switch to Shibby's mod.
     
  6. miodzicho

    miodzicho Network Newbie Member

    I'm not sure if Shibby has fully implemented his Tomato on ARM routers...
     
  7. rs232

    rs232 Network Guru Member

  8. The Master

    The Master LI Guru Member

    Script 100% Working on ARM Netgear R7000.
     
  9. darkknight93

    darkknight93 Networkin' Nut Member

    Just fyi: Sophos UTM

    cbl.jpg
     
  10. rs232

    rs232 Network Guru Member

    Version 2.21 released. This solves problems with some Tomato versions handling ip_set modules, improves status reporting and unloads modules when p2p is stopped.
    It seems stable, but let me know otherwise.

    rs232
     
  11. rs232

    rs232 Network Guru Member

    Can I please get some feedback on how the script is performing with many LAN clients?
    I've developed and tested this on a LAN with 4 hosts, but I'm not sure how it performs beyond that.
    I'm specifically interested in CPU/RAM usage issues or unexpected results like slow network, crashes or anything else (if any, of course).

    P.S. I noticed that autorun-on for some reason doesn't run P2Partisan at startup. It's meant to, but doesn't...
    Anybody else noticed this issue? I'm looking into this as I speak.

    Thanks!
     
    The Master likes this.
  12. rs232

    rs232 Network Guru Member

    Version 2.30 released. This solves a bug with autorun/autoupdate and improves a few little things.

    Also, since there are some fundamental changes, I suggest that you:

    1) reboot your router
    2) run the upgrade/installation
    3) set autorun/autoupdate if needed
    4) run the script as usual


    Please report problems if any

    P.S. This version seems pretty stable to me

    Thanks!
     
    Last edited: May 20, 2014
    The Master and darkknight93 like this.
  13. The Master

    The Master LI Guru Member

    All ok here...thanks... working fine @R7000

    PS: It would be nice to write the blocked IP sites to a log file.

    This in a File:

    May 22 21:31:22 R7000 kern.alert kernel: P2Partisan Dropped: IN=vlan2 OUT=br0 SRC=xxxxx DST=xxxx LEN=54 TOS=0x00 PREC=0x00 TTL=55 ID=34787 DF PROTO=UDP SPT=40029 DPT=12610 LEN=34
     
  14. rs232

    rs232 Network Guru Member

    Today (Monday) I found the script stuck on Loading...
    I guess this is auto-update related, but perhaps it's something else.
    Can anybody please try to run p2partisan.sh status and let me know if it operates fine or not?
    Also, if you can, please double check that ls -la *.gz shows the same time as the scheduler (4:30am unless you changed it in the script).

    Thanks!
     
  15. The Master

    The Master LI Guru Member

    Oh, I think I have the same problem...
    Code:
    ################# P2Partisan status #####################
    #    P2Partisan running:   Loading...
    #    P2Partisan autorun:   Yes
    #    P2Partisan scheduled: No
    #########################################################
    #    P2Partisan activity since 01:01:27 - 01/01/70
    #    Dropped connections:
    ################# Last log recorded #####################
    #    Remember your max logs per hour is set to: 1
    ######################################################### 
    after STOP and start. -> Restart doesn't work.
    Code:
    ################# P2Partisan status #####################
    # P2Partisan running: Yes
    # P2Partisan autorun: Yes
    # P2Partisan scheduled: No
    #########################################################
    # P2Partisan activity since 13:05:38 - 26/05/14
    # Dropped connections: 3
    ################# Last log recorded #####################
    # Remember your max logs per hour is set to: 1
    #########################################################
     
  16. rs232

    rs232 Network Guru Member

    Thanks for reporting this. I will investigate ASAP.
    In the meantime I suggest you remove the .gz files (blacklists) and restart the device; leaving autorun on should start it automatically.

    Until I release the new version please keep the autoupdate set to off.

    brb
    rs232
     
  17. rs232

    rs232 Network Guru Member

    I think I sorted it out.

    For reference, there was a problem with the logic: moving the Internet test within the start routine, as paranoia-update blocks new connections until a full update is run; this would also block the ping Internet test and put the script in an endless loop. Anyway, it works now.
    I tested it both manually and with the crontable, so you can happily re-enable autorun-on and autoupdate-on with this latest version (2.31).

    I would update the script first, then reboot to get rid of the PARANOIA-DROP entries in the iptables. You can then double check with the usual ./p2partisan.sh status

    I also removed the restart parameter from the autorun as it works better within the firewall script section.

    Thanks for reporting the bug!
    rs232
     
    Last edited: May 26, 2014
    The Master likes this.
  18. rs232

    rs232 Network Guru Member

    Another minor release published.
    This time it fixes a little problem when autorun calls the script on a remote location, e.g. CIFS accessed via VPN.
    From version 2.32 the script sleeps until the file exists.

    NOTE: I also updated the upgrade procedure to set both autorun/autoupdate to off.
    As the code used by autorun/autoupdate has been changing quite a lot throughout the versions, I thought it a good idea to un-set and set it again.

    rs232 :)
     
  19. The Master

    The Master LI Guru Member

    Thank you for your quick updates...

    Are there any block sides that you recommend?! ... Because I have to disable a lot of them to work with Steam and other webpages :(
     
  20. rs232

    rs232 Network Guru Member

    Sorry what do you mean by block sides?

    About the blocking: remember there's the port whitelist that has higher priority, so webpages (80,443) are never blocked by default.

    whiteports="21,25,53,80,123,443,993,1194:1196"

    If you want to make sure Steam works add these ports to the whitelisted port section at the beginning of the p2partisan file.
    https://support.steampowered.com/kb_article.php?ref=8571-GLVN-8711
    Standard iptables syntax: "," to separate individual ports and ":" to add ranges.

    So change:
    whiteports="21,25,53,80,123,443,993,1194:1196"

    into

    whiteports="21,25,53,80,123,443,993,1194:1196,1500,3005,3101,3478:4380,27000:27050,28960"

    BTW, these preferences are overwritten when you upgrade the script (as the file itself is overwritten). I'll probably look into an option to preserve the whiteports in the next release.

    HTH
    :)
     
    Last edited: May 28, 2014
  21. The Master

    The Master LI Guru Member

    Hi,

    I mean recommended blocklists :D

    And I know the whiteports are there. Steam (client and download) is working. But a few Steam games like Dota 2 (server from VALVE) could not connect to the game server (lobby is OK but no connection to the server at game start)... I then only see the block in the router log.

    The problem here is that the servers change a lot, or there are a lot of them... see my "Whitelist" and there is still blocking.

    My only list at the moment is "pgl.yoyo.org"; with this there is no Steam problem.

    Code:
    # Insert here below the range of IP you want to allow
    # Do keep a comment on what the range means
    
    # BBC
    212.58.0.0-212.62.255.255
    
    # Konami
    211.132.7.225
    
    #DOTA
    111.221.77.0-111.221.77.255
    #EU
    146.66.152.0-146.66.152.255
    146.66.154.0-146.66.154.255
    146.66.155.0-146.66.155.255
    146.66.156.0-146.66.156.255
    185.25.180.0-185.25.180.255
    185.25.182.0-185.25.182.255
    185.25.183.0-185.25.183.255
    #DOTA
    #US
    192.69.96.0-192.69.96.255
    205.185.194.0-205.185.194.255
    205.196.6.0-205.196.6.255
    208.64.200.0-208.64.200.255
    208.64.201.0-208.64.201.255
    208.64.202.0-208.64.202.255
    #Dota/Steam
    157.56.52.0-157.56.52.255
    146.66.159.0-146.66.159.255
    77.67.56.0-77.67.56.255
    94.245.121.0-94.245.121.255
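
As an added example tied to the whitelist format in the post above (not P2Partisan's own code): a POSIX sh parser that expands each whitelist line into CIDR prefixes and prints the ipset commands that would load them, so the number of set entries a first-last range costs is visible before it goes onto a router with little RAM. The set name p2p_white and the sample list are constructed for the example; it also accepts a.b.c.d/nn lines, which the post does not use.

```shell
#!/bin/sh
# Added example, not P2Partisan's own code: expands a whitelist in the format
# posted above (comment lines, single IPs, first-last ranges) into CIDR
# prefixes and prints the ipset commands that would load them.
# The set name p2p_white is an assumption made for this illustration.

# dotted quad -> 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Minimal list of CIDR blocks covering first..last inclusive, one per line.
# Greedy: from the current start, take the largest block that is both aligned
# on its own size and does not run past the end of the range.
range2cidr() {
    start=$(ip2int "$1"); end=$(ip2int "$2")
    while [ "$start" -le "$end" ]; do
        bits=0
        while [ "$bits" -lt 32 ]; do
            size=$(( 1 << (bits + 1) ))
            if [ $(( start & (size - 1) )) -ne 0 ] || [ $(( start + size - 1 )) -gt "$end" ]; then
                break
            fi
            bits=$(( bits + 1 ))
        done
        echo "$(int2ip "$start")/$(( 32 - bits ))"
        start=$(( start + (1 << bits) ))
    done
}

# One whitelist line -> zero or more CIDR prefixes. Accepts three forms:
# "a.b.c.d", "a.b.c.d-e.f.g.h" and "a.b.c.d/nn"; blank lines and
# "# comments" (also trailing ones) are skipped.
expand_line() {
    set -- ${1%%#*}
    [ $# -eq 0 ] && return 0
    case $1 in
        *-*) range2cidr "${1%-*}" "${1#*-}" ;;
        */*) echo "$1" ;;
        *)   echo "$1/32" ;;
    esac
}

# Whole whitelist on stdin -> CIDR prefixes on stdout.
whitelist_to_cidrs() {
    while IFS= read -r line || [ -n "$line" ]; do
        expand_line "$line"
    done
}

# Same, but as ipset (6.x syntax) commands ready to be piped into sh on the router.
whitelist_to_ipset() {
    echo "ipset create p2p_white hash:net -exist"
    whitelist_to_cidrs | sed 's/^/ipset add p2p_white /'
}

# Constructed sample in the thread's whitelist format (a subset of the post above).
SAMPLE_WHITELIST='# Insert here below the range of IP you want to allow
# BBC
212.58.0.0-212.62.255.255

# Konami
211.132.7.225

#DOTA EU
146.66.152.0-146.66.152.255
146.66.154.0-146.66.154.255'

printf '%s\n' "$SAMPLE_WHITELIST" | whitelist_to_ipset
```

The BBC line alone becomes three prefixes (212.58.0.0/15, 212.60.0.0/15, 212.62.0.0/16), which is the kind of expansion a range costs in set memory.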
     
  22. The Master

    The Master LI Guru Member

    After update to 2.32... there is no activity since some time....
    and then after "restart" the script:
    STUPID ME.... didn't read the how-to // Forget it :D... so all OK @ the script

    "Run the following code within the existing p2partisan directory and then reboot"
     
  23. rs232

    rs232 Network Guru Member

    All good.
    Yes, unfortunately sometimes a reboot is really necessary when you change the config.
    On the bright side, though, once it's stable it doesn't need attention.
     
  24. The Master

    The Master LI Guru Member

    Is it possible to add a logfile function to the script?! I know I asked a while ago but I got no answer :D...

    It would be nice because then it is possible to STORE ALL block sides from the script.

    Thx
     
  25. rs232

    rs232 Network Guru Member

    Yes, that's actually a good idea. The point is: if you log everything in the syslog, it will kill the system in case of tons of connections.
    Having an external log file instead is not intrusive but difficult to consult, as you'll have to use the shell. Also, log rotation must be implemented.
    Let me have a think about it...

    Thanks for the tip
     
    The Master likes this.
  26. The Master

    The Master LI Guru Member

    Feel free to use my unit as a Test Unit :D
     
  27. The Master

    The Master LI Guru Member

    Oh... my script stopped working... don't know why...


    Start it again... have a look at it....
     
    Last edited: May 28, 2014
  28. rs232

    rs232 Network Guru Member

    Oh strange...

    Anything in the logs that might help?
    What were the last p2partisan recorded actions?

    Let me know if this happens again please!

    Thanks
    rs232
     
  29. The Master

    The Master LI Guru Member

    That's the strange thing.... NOTHING in the log... I'll see if it happens again :)
     
  30. rs232

    rs232 Network Guru Member

    After you mentioned this I had a look into re-creating the problem. I've just noticed that if the p2partisan directory becomes unavailable (e.g. unplug the USB or restart the CIFS host), the script goes into Loading. And you get a lot of calls to the storage from p2partisan in the logs, which I found strange. I'm not sure why it's behaving like that right now, but I'll have a think about it...

    I'm also not sure if it's the same cause as your problem, but I will try to address it in the next release.

    It would be nice to get additional details if you can get any...
    When was your last p2partisan drop log? No need to know the time, but did it coincide with anything else on your system?

    Thanks!
     
  31. The Master

    The Master LI Guru Member

    Status from right now... strange, no drop, no nothing :D... OK, seems OK for now!!!


     
  32. rs232

    rs232 Network Guru Member

    Dropped connections 0 doesn't sound right unless you've just restarted it.
    Where are you running the script from? cifs? usb?

    Thanks
     
  33. The Master

    The Master LI Guru Member

    USB (2.0) @R7000

    Maybe it's because I am running only one script at the moment.

    pgl.yoyo.org.gz

    AND I have the adblock script from the forum running :D AND at the moment not much traffic.
     
  34. The Master

    The Master LI Guru Member

    Any news about the progress with the "external" logfile?!

    Thx
     
  35. rs232

    rs232 Network Guru Member

    I'm looking into it as I speak. Right here, right now, I wouldn't know how to implement this, so I'm reading up a bit... leave it with me.
     
    Last edited: Jun 2, 2014
    The Master likes this.
  36. The Master

    The Master LI Guru Member

    Hangs again @ Loading :( No log info.... maybe log info before
    Jun 3 17:11:53, because this is my first log entry :(


    Router: R7000 @ Shibby 119 with 4GB USB 2.0 @ 2.0 port
    Code:
    ################### P2Partisan ##########################
    #    Release version: v2.32 (27/05/2014)
    ################# P2Partisan status #####################
    #    P2Partisan running:   Loading...
    #    P2Partisan autorun:   Yes
    #    P2Partisan scheduled: Yes
    #########################################################
    #    P2Partisan activity since: 04:30:03 - 02/06/14
    #    Dropped connections:
    ################# Last log recorded #####################
    #    Remember your max logs per hour is set to: 6
    ######################################################### 
     
  37. rs232

    rs232 Network Guru Member

    This is related to the autoupdate. Have you run the complete update procedure as per post 1?

    What do you have in the crontable?

    type:

    cru l | grep P2Partisan

    you should see:

    30 4 * * 1 /cifs1/p2partisan/p2partisan.sh paranoia-update #P2Partisan-update#

    If you upgraded a few times, perhaps it's a good idea to run a fresh install...
     
  38. rs232

    rs232 Network Guru Member

    I still didn't find a "smart" way to achieve this. For the time being I suggest you increase the maxloghour to something high like 200 or so. Once you identify what is being blocked, add it to the whiteports and decrease the maxloghour again.

    Also remember, when you change the options at the beginning of the file, a quick p2partisan.sh restart is enough to make it effective.
     
  39. rs232

    rs232 Network Guru Member

    The stuck on "Loading..." problem is now resolved in version 2.40. Thanks for reporting this.

    P.S. I have tested 2.40 for over a week and it seems stable to me. Please let me know if there is any problem.
     
    The Master likes this.
  40. The Master

    The Master LI Guru Member

    Thanks for your hard work... all fine here :)
     
  41. Spektrat

    Spektrat Reformed Router Member

    RS232,

    As per request I will post here.

    The trouble so far is actually the CIFS1 mount.

    What I want in the end is really this:
    1. Using and being able to update (automatically preferred) public blacklists
    2. Using a list/text doc from my USB memory attached to the router, managed and updated by replacing a list of IP ranges, IP networks or individual IPs.
    3. A list/text doc with IPs that are accepted and override the blacklisted ones.

    Is this possible?

    The CIFS mount problem:
    CIFS1.jpg

    Thank you RS232 for your tolerance and your ability to be helpful.

    /Spektrat
     
  42. rs232

    rs232 Network Guru Member

    1) Check the CIFS permissions and retry; if you do use a username and password, you might need to change the security type
    2) Conversely, if your CIFS is publicly accessible, chances are that you just need to add a bogus username and password (yes bogus, any would do) in the Tomato GUI and retry
     
  43. Spektrat

    Spektrat Reformed Router Member

    rs232 and y'all,

    Up n' runnin'! (I think).

    Still some issues and questions.

    DURING INSTALLATION:
    "Loading the ipset modules loading ports 21,25,53,80,443,1194:1196 exemption"

    In the file (in the CIFS share) called "iptables-add" these ports are set to accept traffic like this: "ports 21,25,53,80,443,1194:1196 -j ACCEPT"

    The reason for my questions is simply to understand the usage and effects, as I was able to connect (from the outside) by using a port not listed. If I was not supposed to be able to, something is wrong.

    QUESTIONS:
    Are other ports supposed to be blocked?
    How are these ports used?

    "It appears like you don't have a log-async parameter in your dnsmasq config. This is strongly suggested due to the amount of logs involved. please consider adding the following command under Advanced/DHCP/DNS/Dnsmasq Custom configuration"

    QUESTION:
    What parameters should I set?

    BLACKLIST LEVELS:
    By looking in the text file it says:
    "## Generic lists, additional available here: https://www.iblocklist.com/lists.php
    # NOTE: enable with caution, with too many lists you might run out of RAM on your router!
    #level1"

    In my Cifs share I have a Zip file called "Level1.zip"

    QUESTIONS:
    Is every weblink to lists in the text file enabled? If not, how do I enable them?
    Do I need more Zip files to get more unwanted traffic?

    LOGS:
    I would really like to keep logging to the maximum, but not choke the router.

    QUESTION:
    Possible to flush (and delete from router) all logs to my CIFS1 share (if YES, please tell me how:)?

    IPSETS:
    I would like to incorporate a text file with my own wanted blocks.

    QUESTION: Any scripts ready for this here for a newbie like myself?


    Thank you for looking!

    /Spektrat
     


    Last edited: Aug 16, 2014
  44. Spektrat

    Spektrat Reformed Router Member

    If someone can give me a clue where to look for the information, it would be great.
    If it is impossible to solve, please say so.

    It is a pain to read ALL the posts and understand it all at the same time. The fact that there are so many threads around this topic raises a flag of some sort to me. It should be easier to implement security, and why not have a feature built into the FW to enable upload of a simple list created by a standard. We are trying to block out IP addresses in range or as a single IP, not cows, aeroplanes and gravel.

    We can all point out a FW upgrade in the interface and enhance the system, but pointing out a text file for security is not possible?

    I have sent an email to Shibby with suggestions some time ago before I joined here, but no answer.

    Is there a newbie group that I can join?

    Cheers and thanks for reading.

    P.S. The script done by rs232 is great. More of that...
     
  45. rs232

    rs232 Network Guru Member


    Let's go in order:

    Your CIFS seems OK as far as I can see.

    1) The reason why you could connect to a port not whitelisted from the outside is, most likely, that your source IP is not blacklisted by the default lists. If you're unclear on this point, read up on peerblock and P2P filtering. P2Partisan is pretty much peerblock on a Tomato router, nothing more, nothing less.

    2) No, other ports are not implicitly being blocked. The order is:
    a) allow the white ports first
    b) block traffic from or to any IP in the blacklist
    c) allow everything else

    3) Try to add at the top of your custom DNS config, e.g.:
    log-async=3

    4) I don't understand the question on weblinks sorry, can you re-word?

    5) Sure, but it depends on what your router can handle. Look at the beginning of the p2partisan.sh file; you'll find a parameter called maxloghour. Be aware of what you're doing!

    6) You can't save logs on CIFS but.... you can install syslog on your computer (e.g. on Windows you could try kiwisyslog) and ask Tomato to log to a syslog facility (the IP address of your PC/NAS, whatever it is). Look into Administration/Logging. Disable Log Internally and enable Log To Remote System.

    7) Leave this with me; you actually highlighted a current P2Partisan limitation, as you can't add your own IPs. I'll see if I can create a new version to accommodate this function.
    I could perhaps add a filtering list like:
    a) block custom black IPs first
    b) allow the white ports
    c) block traffic from or to any IP in the blacklist
    d) allow everything else

    Thanks for the questions, it's always good to hear a different opinion. From your post I picked up that perhaps a brief explanation in plain English should be added to the first post, and also that a custom blacklist is a very nice feature to have.

    rs232
     
    Last edited: Aug 18, 2014
  46. rs232

    rs232 Network Guru Member

    I have just released version 2.51:
    - changed default action from 'DROP' to 'REJECT --reject-with icmp-proto-unreachable'
    - added support for custom black IPs via blacklist-custom file
    - optimizations

    As usual please report any problem/feedback

    Thanks!
    rs232
     
  47. koitsu

    koitsu Network Guru Member

    An ICMP response code (not type!) of this sort may confuse IP stacks -- because the protocol is in fact reachable (just not for this particular destination). You should be using one of the following:

    --reject-with icmp-net-prohibited (ICMP type 3, ICMP code 9)
    --reject-with icmp-admin-prohibited (ICMP type 3, ICMP code 13)

    You could alternately use --reject-with icmp-host-prohibited (ICMP type 3, ICMP code 10) for the first, but I'd recommend the former since an individual host, network-wise, is just a /32.
     
  48. rs232

    rs232 Network Guru Member

    Hi Koitsu, thanks for the input. The reason why I picked up the icmp-proto-unreachable goes back to the reason for having such a script running on the router. I actually wanted to cut any communication short. I guess the two options you suggested might (I'm guessing) trigger the communication to happen on a different port, where instead saying "sorry I don't talk your language" would tell TCP/IP to prevent any additional attempt even on different ports. I have decided to change from passive DROP to active REJECT as an unsuccessful P2P client (different software does react in different ways though) will try to hammer your IP in all sorts of ways and specifically retry periodically even when a first attempt was unsuccessful.
    I am not 100% sure the protocol-unreachable does any better/worse than what you suggested, but if you think that what I used might confuse TCP/IP, I think it's a good result for an unwanted IP, of course

    :)
    rs232
     
  49. koitsu

    koitsu Network Guru Member

    Respectfully (no judgement!): this statement indicates you don't actually understand what --reject-with does at all + how TCP/IP networking works.

    ICMP is the "control" layer (first paragraph) for underlying IP-based transport protocols (read: TCP and UDP). It's not just used by things like ping or ICMP-based traceroute -- it's an important part of IP transport in general (hint: PMTU discovery is accomplished with ICMP). But I'm sure (hope?) you've seen people giving traceroute or ping results online, where suddenly the result shows something like "Destination unreachable". Ever wonder how that message gets obtained/determined? The answer is ICMP. Here's a crappy post on the netfilter list explaining what REJECT actually does, but I'll explain it more verbosely.

    As you know, you have two modes you can use with iptables/netfilter to throw away packets: DROP and REJECT.

    DROP causes netfilter to literally discard the packet and do nothing else -- the client has no idea that the router just threw out the packet, and the client IP stack will (probably) continue to retry until an internal timeout is reached (depends on the program/application). Think of it like when trying to visit a website whose network is experiencing 100% packet loss -- your browser just sits there trying to talk to something and its packets are going off into a black hole.

    REJECT causes netfilter to discard the packet and send back an ICMP response to the source, effectively telling it "the packet that you just sent, relating to sourceip/port and destip/port? It's been rejected (ICMP type 3, destination unreachable). Reason: (ICMP code)". The ICMP code can vary. The argument passed to --reject-with is what's defining the ICMP code. Underlying IP stacks behave differently depending upon the ICMP type and ICMP code returned, so it's usually best to return the one that is most applicable to the situation -- in this case, that would be one of the two I mentioned in my previous post. The one you chose, icmp-proto-unreachable, is ICMP type 3 code 2, which indicates to the client that the actual protocol they attempted to use (ex. TCP, UDP, etc.) is an unacceptable protocol, which simply isn't true.

    With REJECT and TCP (and only TCP!), there is also TCP RST that can be returned to the client, using --reject-with tcp-reset. This is not an ICMP message -- this is purely TCP. In this situation there is no "rejection", instead the client in the middle of the TCP session gets a TCP RST and the client then knows the socket should be closed. However how the application chooses to behave upon a TCP RST is up to it; it may decide to retry, but then again it may not.

    In effect, what REJECT does is let the client quickly know why its packet was rejected by the router. It allows a client's IP stack to know immediately what is going on, rather than sit in loops having to retry things that will just get ignored anyway.

    I should be very clear in my description (because people from the Internet often find things of mine and then reference them as some kind of doctrine):

    When it comes to internal traffic (ex. LANs), using REJECT is highly preferred compared to DROP because it allows the client to know quickly what just happened. But it all depends on what the administrator wants -- many network administrators choose to use DROP because they don't want the client (even on the LAN) to know anything (I disagree with this attitude).

    When it comes to external traffic (ex. requests directed at your WAN IP from the Internet), specifically inbound, using DROP is absolutely mandatory. You do not want to use REJECT because it would allow for your router to effectively become a DoS reflector of sorts -- all someone has to do is send a packet with a spoofed source address/port and your router would start sending back ICMP type 3 messages to the recipient system (the spoofed source address) that has no knowledge of it, essentially being DoS'd by you with ICMP type 3 messages which it can't even correlate with anything it knows of.

    I don't think you need to immediately roll out a new version of your program with the ICMP code fixed, but it's something that you should definitely do for 2.52 and beyond.
     
  50. rs232

    rs232 Network Guru Member

    P2Partisan 3.00 released:

    p2partisan v3.00
    - split P2PARTISAN-DROP chain into two: P2PARTISAN-DROP-IN/P2PARTISAN-DROP-OUT
    - split DROP is used for the WAN and REJECT for the LAN
    - reject is now specifying --reject-with icmp-admin-prohibited
    - changed the status command to reflect the change
    - White ports have no limit of 15 entries any more
    - added extra rule to process outbound LAN traffic as soon as it hits br0
    - speed improvement
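    The split koitsu argues for above and 3.00 implements (silent DROP for WAN-side matches, REJECT with icmp-admin-prohibited for LAN-originated ones, each behind rate-limited logging), as an added shell example that is not P2Partisan's script: the interface names, the ipset name and the log limit are assumptions, and by default it prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not P2Partisan's own code: build the two drop chains the way
# the thread describes them. DRY_RUN=1 (the default) prints each iptables
# command instead of executing it, so the rule set can be reviewed first.

WANIF="${WANIF:-vlan2}"          # WAN interface (assumed)
LANIF="${LANIF:-br0}"            # LAN bridge (assumed)
BLOCKSET="${BLOCKSET:-level1}"   # ipset holding the blacklist (assumed)
MAXLOGHOUR="${MAXLOGHOUR:-100}"  # log lines per hour, like maxloghour in the thread
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Target per direction: "in" is Internet-facing, "out" is LAN-originated.
# REJECT is never used inbound: an ICMP type 3 reply to a spoofed source
# would make the router a reflector, so WAN-side matches are dropped silently.
# icmp-admin-prohibited is ICMP type 3 code 13, so the LAN client stops
# retrying at once instead of timing out against a black hole.
drop_target() {
    case "$1" in
        in)  echo "DROP" ;;
        out) echo "REJECT --reject-with icmp-admin-prohibited" ;;
        *)   echo "unknown direction: $1" >&2; return 1 ;;
    esac
}

build_drop_chains() {
    # Inbound from the Internet: rate-limited LOG, then DROP.
    ipt -N P2PARTISAN-DROP-IN
    ipt -A P2PARTISAN-DROP-IN -m limit --limit "$MAXLOGHOUR/hour" --limit-burst 5 \
        -j LOG --log-prefix "P2Partisan Dropped: " --log-level 1
    ipt -A P2PARTISAN-DROP-IN -j $(drop_target in)

    # Outbound from the LAN: rate-limited LOG, then REJECT.
    ipt -N P2PARTISAN-DROP-OUT
    ipt -A P2PARTISAN-DROP-OUT -m limit --limit "$MAXLOGHOUR/hour" --limit-burst 5 \
        -j LOG --log-prefix "P2Partisan Rejected: " --log-level 1
    ipt -A P2PARTISAN-DROP-OUT -j $(drop_target out)

    # Hook the blacklist ipset into the chains (ipset v4 "--set" syntax, as
    # seen on Tomato in this thread): new connections from listed sources on
    # the WAN, and new connections from the LAN towards listed destinations.
    ipt -I INPUT 1 -i "$WANIF" -m state --state NEW -m set --set "$BLOCKSET" src -j P2PARTISAN-DROP-IN
    ipt -I FORWARD 1 -i "$WANIF" -m state --state NEW -m set --set "$BLOCKSET" src -j P2PARTISAN-DROP-IN
    ipt -I FORWARD 1 -i "$LANIF" -m state --state NEW -m set --set "$BLOCKSET" dst -j P2PARTISAN-DROP-OUT
}

build_drop_chains
```

Run with DRY_RUN=0 as root to apply the rules instead of printing them.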
     
  51. AndreDVJ

    AndreDVJ Addicted to LI Member

    All right, let's see how it goes. Many thanks for the update!
    Code:
    root@WNR3500L:/tmp/mnt/storage/p2partisan# ./p2partisan.sh status
    ################### P2Partisan ##########################
    #  Release version: v3.00 (27/08/2014)
    ################# P2Partisan status #####################
    #  P2Partisan running:  Yes
    #  P2Partisan autorun:  Yes
    #  P2Partisan scheduled: Yes
    #########################################################
    #  P2Partisan activity since: 18:01:50 - 27/08/14
    #  Dropped connections inbound: 0
    #  Rejected connections outbound: 0
    ################# Last log recorded #####################
    #  Remember your max logs per hour is set to: 100
    #########################################################
     
  52. The Master

    The Master LI Guru Member

    Got a Error Message :(
    Code:
    root@R7000:/tmp/mnt/4gb/p2partisan# p2partisan.sh status
    p2partisan.sh: line 113: syntax error: unexpected "}" (expecting "done")

    Last Line is 113:

    Code:
        iptables -A PARANOIA-DROP -m limit --limit $maxloghour/hour --limit-burst 5 -j LOG --log-prefix "P2Partisan Rejected (paranoia): " --log-level 1 2> /dev/null
        iptables -A PARANOIA-DROP -j DROP
        iptables -I wanin 1 -i $wanif -m state --state NEW -j PARANOIA-DROP 2> /dev/null
        iptables -I wanout 1 -o $wanif -m state --state NEW -j PARANOIA-DROP 2> /dev/null
        iptables -I INPUT 1 -i $wanif -m state --state NEW -j PARANOIA-DROP 2> /dev/null
        iptables -I OUTPUT 1 -o $wanif -m state --state NEW -j PARANOIA-DROP 2> /dev/null
    }
    AND:

    I reinstalled the WHOLE script; it removes all old files, but in the *.sh file is the WRONG folder name. I installed it in /mnt/4gb/.... and in the script it's ALWAYS Cifs1 :(
     
    Last edited: Aug 28, 2014
  53. koitsu

    koitsu Network Guru Member

    This is a legitimate bug. Relevant code, with line numbers:

    Code:
    ...
    85 pblock() {
    86         plog "P2PArtisan: Applying paranoia block"
    87         iptables -N PARANOIA-DROP 2> /dev/null
    ...
    94         while [ $rounds -gt 0 ]
    95         do
    ...
    104         rounds=`echo $(( $rounds - 1 ))`
    105         donea
    106
    ...
    112         iptables -I OUTPUT 1 -o $wanif -m state --state NEW -j PARANOIA-DROP 2> /dev/null
    113 }
    ...
    
    Look very closely at line 105. That line should read done, not donea. Fix that and the error should go away. (The interpreter doesn't know the while loop has ended (missing done statement), hence "unexpected }", which is what closes the pblock() function altogether.)

    Also, the formatting/indentation throughout this script is awful. Certain things are tabbed in while others are not. It's very, very hard to follow. The modus operandi seems to be "avoid indentation on long lines" -- the solution to which is to use \ for line continuation. This would make some of the iptables rules easier to read.

    I really wish Linux's firewalling stacks would stop screwing around with having to call a command-line program repeatedly and instead just make a configuration file (I've been through ipfwadm, ipchains, and now iptables -- ugh!). OpenBSD/FreeBSD pf (pf.conf) is just beautiful and very easy to read (here's another example, see bottom of page).
     
    Last edited: Aug 28, 2014
    The Master likes this.
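    A typo like the one above can be caught before the script is ever run by asking the shell to parse it without executing it (sh -n). This is an added shell example, not part of the thread or of P2Partisan; the reproduced snippet and the file names are constructed.

```shell
#!/bin/sh
# Added example: syntax-check a shell script before deploying it, using the
# "donea" bug from this thread as a constructed reproduction.

# 0 if the shell accepts the script's syntax, non-zero otherwise.
syntax_ok() {
    sh -n "$1" 2>/dev/null
}

# Constructed reproduction: a while loop inside a function whose closing
# keyword is misspelled, like pblock() at line 105 in the report.
write_broken() {
    cat > "$1" <<'EOF'
pblock() {
    rounds=3
    while [ "$rounds" -gt 0 ]
    do
        rounds=$(( rounds - 1 ))
    donea
    echo "paranoia block applied"
}
EOF
}

# Same script with the keyword corrected.
write_fixed() {
    sed 's/^    donea$/    done/' "$1" > "$2"
}

# Parse both copies and report; returns 0 only when the broken copy is
# rejected and the fixed copy is accepted.
check_both() {
    dir="${TMPDIR:-/tmp}/p2p_syntax_$$"
    mkdir -p "$dir"
    write_broken "$dir/broken.sh"
    write_fixed "$dir/broken.sh" "$dir/fixed.sh"
    if syntax_ok "$dir/broken.sh"; then b=accepted; else b=rejected; fi
    if syntax_ok "$dir/fixed.sh"; then f=accepted; else f=rejected; fi
    rm -rf "$dir"
    echo "broken=$b fixed=$f"
    [ "$b" = rejected ] && [ "$f" = accepted ]
}

check_both
```

The same one-liner, sh -n p2partisan.sh, works on the real script on the router before it is started.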
  54. The Master

    The Master LI Guru Member



    WORKING :D

    So there are 2 Bugs in this Version :(
     
  55. rs232

    rs232 Network Guru Member

    Sorry about that, I think the CTRL+A I typed to select the whole script to paste into pastebin might have had an unwanted effect (or the CTRL wasn't pressed properly)

    Anyway, before I publish the minor bugfix, please try version 3.01 from here:
    http://pastebin.com/raw.php?i=bPHBa1tW

    p.s. this version also solves a minor issue with the paranoia-update
     
    Last edited: Aug 28, 2014
    The Master and koitsu like this.
  56. The Master

    The Master LI Guru Member

    Thx for Version 3.01!!

    I found something strange...

    Code:
    root@R7000:/tmp/mnt/4gb/p2partisan# p2partisan.sh update
    P2PARTISAN: P2Partisan AUTO UPDATE is OFF
    P2PARTISAN: Unloading ipset modules
    P2PARTISAN: Stopping P2Partisan
    P2PARTISAN: P2Partisan AUTO RUN is OFF
    P2PARTISAN: P2Partisan AUTO RUN is ON
    P2PARTISAN: P2Partisan AUTO UPDATE is ON
    ### PREPARATION ###
    Loading the ipset modules
    ### CUSTOM BLACKLIST ###
    blacklist-custom file -> 1 entries found
    loading blacklist #0 --> ***Custom IP blacklist***
    ### WHITELIST ###
    loading whitelisted ports 21,25,53,80,123,443,1194:1196 exemption
    preparing the IP whitelist for the iptables
    loading the IP whitelist
    ### BLACKLISTs ###
    loading blacklist #1 --> ***level1***
    loading blacklist #2 --> ***spywere***
    loading blacklist #3 --> ***hijacked***
    loading blacklist #4 --> ***yoyo***
    loading blacklist #5 --> ***ads***
    P2PARTISAN: ... P2Partisan started.
    P2PARTISAN: log-async found under dnsmasq -> OK
    Why is there:"
    P2PARTISAN: P2Partisan AUTO RUN is OFF
    P2PARTISAN: P2Partisan AUTO RUN is ON"

    ????
     
  57. rs232

    rs232 Network Guru Member

    Hi, thanks for that.
    It's really nothing to be worried about. It's wanted and it's just a fresh clean way to re-run p2partisan after a list update is applied. Also remember the update parameter is the way forward when things go wrong, as it wipes all the p2partisan running settings and does a fresh start.

    rs232
     
  58. The Master

    The Master LI Guru Member

    And a HANG again :(

    Code:
    root@R7000:/tmp/home/root# /tmp/mnt/4gb/p2partisan/p2partisan.sh status
    ################### P2Partisan ##########################
    #       Release version: v3.01 (28/08/2014)
    ################# P2Partisan status #####################
    #       P2Partisan running:   Loading...
    #       P2Partisan autorun:   Yes
    #       P2Partisan scheduled: Yes
    #########################################################
    #       P2Partisan activity since: 21:30:10 - 30/08/14
    #       Dropped connections inbound:
    #       Rejected connections outbound:
    ################# Last log recorded #####################
    #       Remember your max logs per hour is set to: 3



    After a Update all ok for now :D


     
  59. rs232

    rs232 Network Guru Member

    The stuck on Loading... is normal for up to let's say 30 seconds on a R7000 and it is visible only if you have 2 sessions open and you run status on one while the second is starting/updating. However if it is stuck there it doesn't sound good!
    If you went through many upgrades rebooting once is never a bad idea ;-)

    rs232
     
  60. The Master

    The Master LI Guru Member

    No this was Really a "HANG" because the script is running around 3-4 hours!!! And not for 30 sec.

    Then I did an update and status and you see all ok!
     
  61. rs232

    rs232 Network Guru Member

    Thanks for reporting that, it could be a one off as a consequence of the upgrade. But let me know if this happens again, and if you do find this problem again, before running update again please send me the output of the following commands:

    Code:
    iptables -nvL
    ls -la /var/run
    ls -la /yourp2partisandir/
    rs232
     
  62. The Master

    The Master LI Guru Member

    okok...

    Seems to work for now...

    Code:
    root@R7000:/tmp/home/root# /tmp/mnt/4gb/p2partisan/p2partisan.sh status
    ################### P2Partisan ##########################
    #       Release version: v3.01 (28/08/2014)
    ################# P2Partisan status #####################
    #       P2Partisan running:   Yes
    #       P2Partisan autorun:   Yes
    #       P2Partisan scheduled: Yes
    #########################################################
    #       P2Partisan activity since: 01:21:43 - 31/08/14
    #       Dropped connections inbound: 277
    #       Rejected connections outbound: 327
    ################# Last log recorded #####################
    #       Remember your max logs per hour is set to: 3
    Aug 31 16:29:56 R7000 kern.alert kernel: P2Partisan Rejected: IN=br0 OUT=vlan2 SRC=192.168.1.200 DST=159.153.235.32 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=13217 DF PROTO=TCP SPT=49440 DPT=9988 WINDOW=8192 RES=0x00 SYN URGP=0
    #########################################################
     
  63. rak99

    rak99 Network Newbie Member

    Just wanted to say huge thanks, I'm finally able to block iplists on my router with ease! If I encounter any bugs I'll post them in this thread.
     
  64. WaLLy3K

    WaLLy3K Serious Server Member

    I'm regularly finding that after a change that requires WAN to be restarted, P2Partisan will be stuck in the "Loading" state. To work around this, I'm using this code in my WAN Up script:

    Code:
    # Check P2Partisan: is its chain present in the firewall, and is its pid file present?
    # -n skips reverse DNS lookups while listing; stderr is silenced on iptables, not grep
    P2P_IPTABLES=`iptables -nL 2> /dev/null | grep -c P2PARTISAN-IN`
    P2P_PID=`[ -f "/var/run/p2partisan.pid" ] && echo 1 || echo 0`
    
    # POSIX test and redirection syntax so the block runs under busybox ash as well as bash
    if [ "$P2P_IPTABLES" -eq 0 ] && [ "$P2P_PID" -eq 0 ]; then
        # no rules and no pid file: start from scratch
        P2P_STATUS="Inactive"
        /opt/apps/p2partisan/p2partisan.sh restart > /dev/null 2>&1 &
    elif [ "$P2P_IPTABLES" -eq 0 ] && [ "$P2P_PID" -eq 1 ]; then
        # pid file left behind but no rules: the "stuck on Loading" case
        P2P_STATUS="Unresponsive"
        /opt/apps/p2partisan/p2partisan.sh restart > /dev/null 2>&1 &
    elif [ "$P2P_IPTABLES" -gt 0 ] && [ "$P2P_PID" -eq 0 ]; then
        # rules present but no pid file: rebuild everything cleanly
        P2P_STATUS="Requires Update"
        /opt/apps/p2partisan/p2partisan.sh update > /dev/null 2>&1 &
    else
        P2P_STATUS="Running!"
    fi
    
    echo "   P2Partisan Status: $P2P_STATUS"
    
     
    Last edited: Sep 27, 2014
  65. rs232

    rs232 Network Guru Member


    Thanks for the feedback. I have noticed the Stuck on Loading happening too often to be fair. My feeling is that there are many processes affecting/restarting the firewall script. The next version which I'm currently testing and haven't published yet will have a so called "mentor" which is a cron task to spot the stuck on loading and reactively restart the process.
    I would prefer to find the root of the problem but until I get there having a control function doesn't hurt. Leave it with me I'll post the update soon.

    P.S. the new version will support online upgrade of the script too. Watch this space

    rs232
     
  66. rs232

    rs232 Network Guru Member

    P2Partisan 4.00 released:
    - new upgrade function (will work only above 4.00)
    - new tutor function
    - autoupdate now uses random hh:mm by default within [1am to 5am]
    - improved status page
    - the script reports how many seconds it needs to be up and running
    - few minor bugfixes
    - speed improvement

    There are many changes in this version, do yourself a favour: run a fresh installation this time only.
    Have a look at the tutor function and keep an eye on the status page to see how many times the tutor had to act, the lower the number the better of course

    Let me know how it goes
    rs232

    P.S. I have renamed the thread title removing the version number as apparently the title becomes part of the thread URL. As I linked this to Wikipedia, changing the version in the title would unlink external references
     
    Last edited: Sep 27, 2014
  67. WaLLy3K

    WaLLy3K Serious Server Member

    Seems to be looking good. We'll see how it goes!

    Code:
    ################### P2Partisan ##########################
    #       Release version: v4.00 (27/09/2014)
    ################# P2Partisan status #####################
    #       P2Partisan running:   Yes
    #       P2Partisan autorun:   Yes
    #       P2Partisan scheduled: Yes / 0 since boot
    #       P2Partisan tutor:     Yes / 0 since boot
    #########################################################
    #       Blacklists enabled:   9
    #       Startup time needed:  198 seconds
    #########################################################
    #       P2Partisan activity since: 15:51:07 - 28/09/14
    #       Dropped connections inbound: 0
    #       Rejected connections outbound: 15
    #       Whitelisted ports: 53,80,123,443,1194:1197,1723
    ################# Last log recorded #####################
    #       Remember your max logs per hour is set to: 1
    Sep 28 15:55:09 Ichor-Router kern.alert kernel: P2Partisan Rejected: IN=br0 OUT= MAC=01:00:5e:00:00:01:e0:3f:49:25:41:a0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
    #########################################################
    Also, curious: I've seen you mention before that port 80/443 should not be blocked. Why is that? (I suspect certain blocklists actually block legitimate websites?)
     
  68. rs232

    rs232 Network Guru Member

    If you remove 80,443 you'll notice that a few Internet sites are not working properly any more. This is because provider-based lists block whole blocks of IPs, so false positives could otherwise be an issue.
    And... of course you're not running your P2P activities on port 80 or 443 are you?

    The whiteport parameter is crucial, do add in there ports from e.g. skype,teamviewer and any other application that actually is legitimate.

    rs232
     
  69. WaLLy3K

    WaLLy3K Serious Server Member

    No, however the IP blocklists that I add include numerous malware/etc lists which could be potentially harmful to visit via HTTP :p

    I've also noticed this crop up a couple of times in the last version, as well as the latest (Read: "Activity Since" as well as a couple of stray 0's on the margin where # should be)
    Code:
    ################### P2Partisan ##########################
    #    Release version: v4.00 (27/09/2014)
    ################# P2Partisan status #####################
    #    P2Partisan running:   Yes
    #    P2Partisan autorun:   Yes
    #    P2Partisan scheduled: Yes / 0 since boot
    #    P2Partisan tutor:     Yes / 0 since boot
    #########################################################
    #    Blacklists enabled:   9
    #    Startup time needed:  193 seconds
    #########################################################
    #    P2Partisan activity since: tables -A P2PARTISAN-IN -m set --set bogon src -j P2PARTISAN-DROP-IN 2> /dev/null
    #    Dropped connections inbound: 0
    0 
    #    Rejected connections outbound: 1
    0
    #    Whitelisted ports: 53,80,123,443,1194:1197,1723
    ################# Last log recorded #####################
    #    Remember your max logs per hour is set to: 1
    Sep 28 14:54:05 Ichor-Router kern.alert kernel: P2Partisan Rejected: IN=br0 OUT= MAC=01:00:5e:00:00:01:e0:3f:49:25:41:a0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2 
    #########################################################
    Doing a P2P restart fixes it, but fwiw!
     
  70. rs232

    rs232 Network Guru Member


    Interesting, never seen that before. Out of curiosity have you followed the upgrade procedure or run a full install this time?
    Please let me know if that happens again as it might be a little bug...

    Thanks!
     
  71. The Master

    The Master LI Guru Member

    THX for Version 4.0 Works no Problem so far.
     
  72. WaLLy3K

    WaLLy3K Serious Server Member

    First time with the previous version, I ran a fresh install (Since I needed to reinstall Optware) and with this version, I removed all the files except the config and GZ files, everything else ran new.

    *Edit: Has anyone else noticed that when P2Partisan is enabled, it causes the WiFi of any connected devices with a static DHCP address to drop UNLESS they have entered in the router details manually on the client's side? I've been trying to troubleshoot this issue for days and while I presumed it had to do with the adblocker I had installed since it modified dnsmasq, it seems the issue disappeared as soon as P2P was disabled.

    I need to look into it further though - it's possible that I may have too many lists enabled, even though it's only taking up 50Mb out of my available 250Mb RAM...
     
    Last edited: Sep 29, 2014
  73. rs232

    rs232 Network Guru Member


    I can't think of any reason that would link your problem to P2Partisan, but I can tell you that enabling/disabling P2Partisan would probably restart the firewall script; this would have various effects based on your installation.

    Anything in the log that might help you?

    rs232
     
  74. WaLLy3K

    WaLLy3K Serious Server Member

    Nothing relevant in the system log, but it doesn't appear to be a firewall issue from what I can tell - it just affects serverside DHCP allocation when it is enabled (and turns out it isn't just isolated to WiFi - it's affected my hardwired PC connection). I'll find a better time to test when people aren't actively using the net at home.

    *Edit: Update:
    Code:
    === P2P Unloaded ===
    Oct  1 12:01:24 Ichor daemon.info dnsmasq-dhcp[6994]: DHCPREQUEST(br0) 192.168.1.11 58:b0:35:XX:XX:XX
    Oct  1 12:01:24 Ichor daemon.info dnsmasq-dhcp[6994]: DHCPACK(br0) 192.168.1.11 58:b0:35:XX:XX:XX Tacitus
    Oct  1 12:02:06 Ichor daemon.info dnsmasq-dhcp[6994]: DHCPREQUEST(br0) 192.168.1.11 58:b0:35:XX:XX:XX
    Oct  1 12:02:06 Ichor daemon.info dnsmasq-dhcp[6994]: DHCPACK(br0) 192.168.1.11 58:b0:35:XX:XX:XX Tacitus
    Oct  1 12:02:49 Ichor daemon.info dnsmasq-dhcp[6994]: DHCPREQUEST(br0) 192.168.1.11 58:b0:35:XX:XX:XX
    Oct  1 12:02:49 Ichor daemon.info dnsmasq-dhcp[6994]: DHCPACK(br0) 192.168.1.11 58:b0:35:XX:XX:XX Tacitus
    === P2P Loaded ===
    Oct  1 12:03:59 Ichor kern.warn kernel: ip_set version 4 loaded
    Oct  1 12:07:15 Ichor user.notice P2PARTISAN: ... P2Partisan started.
    Oct  1 12:07:15 Ichor user.notice P2PARTISAN: log-async found under dnsmasq -> OK
    === P2P Unloaded ===
    Oct  1 12:08:30 Ichor user.notice P2PARTISAN: Unloading ipset modules
    Oct  1 12:08:31 Ichor daemon.info dnsmasq-dhcp[6994]: DHCPDISCOVER(br0) 58:b0:35:XX:XX:XX
    Oct  1 12:08:31 Ichor daemon.info dnsmasq-dhcp[6994]: DHCPOFFER(br0) 192.168.1.11 58:b0:35:XX:XX:XX
    Oct  1 12:08:32 Ichor daemon.info dnsmasq-dhcp[6994]: DHCPREQUEST(br0) 192.168.1.11 58:b0:35:XX:XX:XX
    Oct  1 12:08:32 Ichor daemon.info dnsmasq-dhcp[6994]: DHCPACK(br0) 192.168.1.11 58:b0:35:XX:XX:XX Tacitus
    Oct  1 12:08:36 Ichor user.notice P2PARTISAN: Stopping P2Partisan
    Looks like the Bogon list was the one causing issues! Seems to be all good now.
     
    Last edited: Oct 1, 2014
  75. rs232

    rs232 Network Guru Member

    Good news
     
  76. rs232

    rs232 Network Guru Member

    new version released:

    p2partisan v4.10
    - new pause function (allow for quick restart) only iptables operation no ipset
    - improvement to the status page
    - now reporting on script uptime and not absolute date
    - a bunch of other minor changes

    If you're at least on v4.00 try to call the upgrade function:

    Code:
    ./p2partisan.sh upgrade
    As this is the first time this function is officially used, please let me know the outcome :)

    Thanks!
    rs232
     
  77. AndreDVJ

    AndreDVJ Addicted to LI Member

    The upgrade went fine:

    Code:
    root@WNR3500L:/tmp/home/root# cd /mnt/storage/p2partisan/
    root@WNR3500L:/tmp/mnt/storage/p2partisan# ./p2partisan.sh upgrade
    There's a new P2Partisan update available. Do you want to upgrade?
      current = p2partisan v4.00 (27/09/2014)
      to
      latest = p2partisan v4.10 (01/10/2014)
    y/n
    y
    Upgrading, please wait:
    1/6) Downloading the script
    2/6) Migrating the configuration
    3/6) Copying p2partisan.sh into p2partisan.sh.old
    4/6) Installing new script into p2partisan.sh
    5/6) Setting up permissions
    6/6) all done, I'm now running the script for you.
    NOTE: autorun, autoupdate and tutor settings are left as they were found
    P2PARTISAN-IN  all  --  anywhere  anywhere  state NEW
    P2PARTISAN-OUT  all  --  anywhere  anywhere  state NEW
    P2PARTISAN-IN  all  --  anywhere  anywhere  state NEW
    P2PARTISAN-OUT  all  --  anywhere  anywhere  state NEW
    P2PARTISAN-OUT  all  --  anywhere  anywhere  state NEW
    P2PARTISAN: Unloading ipset modules
    P2PARTISAN: Stopping P2Partisan
    ### PREPARATION ###
    Loading the ipset modules
    ### CUSTOM BLACKLIST ###
    blacklist-custom file -> 1 entries found
    loading blacklist #0 --> ***Custom IP blacklist***
    ### WHITELIST ###
    loading whitelisted ports 21,25,53,80,123,443,993,1194:1196 exemption
    loading whitelisted ports 1500,3005,3101,3478:4380,27000:27050,28960 exemption
    preparing the IP whitelist for the iptables
    loading the IP whitelist
    ### BLACKLISTs ###
    loading blacklist #1 --> ***level1***
    P2PARTISAN: ... P2Partisan started.
    P2PARTISAN: log-async found under dnsmasq -> OK
    However the "status" function has a problem calculating uptime, "arithmetic syntax error":
    Code:
    root@WNR3500L:/tmp/mnt/storage/p2partisan# ./p2partisan.sh status
    ./p2partisan.sh: line 743: malformed ?: operator
    date: extra operand '01/10/14'
    Try 'date --help' for more information.
    ./p2partisan.sh: line 743: arithmetic syntax error
    ./p2partisan.sh: line 743: arithmetic syntax error
    ./p2partisan.sh: line 743: arithmetic syntax error
    ################### P2Partisan ##########################
    #  Release version: v4.10 (01/10/2014)
    ################# P2Partisan status #####################
    # Running:  Yes
    # Autorun:  Yes
    # Scheduled:  Yes / 0 since boot
    # Tutor:  Yes / 1 since boot
    #########################################################
    # Uptime:  00:00:00
    # Dropped in:  0
    # Rejected out: 0
    #########################################################
    # Blacklists:  1
    # Startup time: 36 seconds
    # White ports:  21,25,53,80,123,443,993,1194:1196
    # White ports:  1500,3005,3101,3478:4380,27000:27050,28960
    ################# Last log recorded #####################
    # Remember your max logs per hour is set to: 1
    #########################################################
    root@WNR3500L:/tmp/mnt/storage/p2partisan#
    
    And uptime gets stuck at 00:00:00
     
    Last edited: Oct 1, 2014
  78. rs232

    rs232 Network Guru Member

    4.10 changed the date handling from standard format to seconds only. This info is stored at the top (first line) of the iptables-add. Can you please check what you have in there?

    It should look like this:
    # 1412198448

    if you see a human readable date instead try running ./p2partisan.sh update

    and re-check the first line of iptables-add to see what it looks like

    rs232
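    The header check described above, as an added shell example that is not P2Partisan's code: it reads the epoch-seconds stamp from the first line of iptables-add, refuses a human-readable header instead of tripping an arithmetic error, and formats the uptime the way the 4.11 status page shows it (days - HH:MM:SS). The file names and sample stamps are constructed.

```shell
#!/bin/sh
# Added example, not P2Partisan's own code: read the "# <epoch seconds>" stamp
# that v4.10 writes on the first line of iptables-add and turn it into an
# uptime string, rejecting the pre-4.10 human-readable header cleanly.

# Print the stamp if the first line of the file is "# <digits>", else nothing.
read_start_stamp() {
    head -n 1 "$1" | sed -n 's/^# *\([0-9][0-9]*\) *$/\1/p'
}

# Format elapsed seconds as "D - HH:MM:SS", omitting "D - " when D is 0.
format_uptime() {
    secs=$1
    days=$(( secs / 86400 ))
    rest=$(( secs % 86400 ))
    hms=$(printf '%02d:%02d:%02d' $(( rest / 3600 )) $(( rest % 3600 / 60 )) $(( rest % 60 )))
    if [ "$days" -gt 0 ]; then
        echo "$days - $hms"
    else
        echo "$hms"
    fi
}

# Uptime for an iptables-add file given "now" in epoch seconds. A header that
# is not numeric gets an explanatory line and a non-zero return instead of
# the "arithmetic syntax error" seen in the thread.
p2p_uptime() {
    stamp=$(read_start_stamp "$1")
    if [ -z "$stamp" ]; then
        echo "unknown (header is not epoch seconds; run ./p2partisan.sh update)"
        return 1
    fi
    format_uptime $(( $2 - stamp ))
}

# Stand-alone demonstration with one constructed file in each header format.
demo() {
    dir="${TMPDIR:-/tmp}/p2p_uptime_$$"
    mkdir -p "$dir"
    printf '# 1412198448\niptables -N P2PARTISAN-IN\n' > "$dir/iptables-add.new"
    printf '# 01/10/14 10:20:48\niptables -N P2PARTISAN-IN\n' > "$dir/iptables-add.old"
    p2p_uptime "$dir/iptables-add.new" 1412296731      # prints "1 - 03:18:03"
    p2p_uptime "$dir/iptables-add.old" 1412296731 || true
    rm -rf "$dir"
}

demo
```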
     
  79. AndreDVJ

    AndreDVJ Addicted to LI Member

    You were correct, the header was a human-readable date. Now it's working fine after running the update function.

    Code:
    root@WNR3500L:/tmp/mnt/storage/p2partisan# ./p2partisan.sh status
    ################### P2Partisan ##########################
    #  Release version: v4.10 (01/10/2014)
    ################# P2Partisan status #####################
    # Running:  Yes
    # Autorun:  Yes
    # Scheduled:  Yes / 0 since boot
    # Tutor:  Yes / 1 since boot
    #########################################################
    # Uptime:  00:00:50
    # Dropped in:  0
    # Rejected out: 0
    #########################################################
    # Blacklists:  1
    # Startup time: 36 seconds
    # White ports:  21,25,53,80,123,443,993,1194:1196
    # White ports:  1500,3005,3101,3478:4380,27000:27050,28960
    ################# Last log recorded #####################
    # Remember your max logs per hour is set to: 1
    #########################################################
    root@WNR3500L:/tmp/mnt/storage/p2partisan#
    Thanks! Good job and keep up the good work!
     
  80. rs232

    rs232 Network Guru Member

    Thank you for spotting the problem. I couldn't come up with a smart solution to this but I've at least added a note in the upgrade procedure.
    Thanks again
    rs232
     
  81. Goggy

    Goggy Network Guru Member

    This is still not working with firmwares from Victek, or?
    Thx!
     
  82. rs232

    rs232 Network Guru Member

    It was developed on Shibby, which included ipset in his build. I don't think Victek did that or is planning to do so on his release... but you can ask!

    rs232
     
  83. rs232

    rs232 Network Guru Member

    4.11 is out, just a minor release with:
    -modification to the status page (display uptime in days/hours/minute/seconds + log file reporting for in and out separately)
    -removal of a couple of redundant lines of code
    -better description used in the help page

    rs232
     
    The Master and WaLLy3K like this.
  84. The Master

    The Master LI Guru Member

    Ah Sorry... in ENGLISH :D

    Thank you for your new Version. looks nice. Thank you... Thank you...

    I would like to see a Logfile *teasing*

    :D :D


    Code:
    ################### P2Partisan ##########################
    #       Release version: v4.11 (05/10/2014)
    ################# P2Partisan status #####################
    # Running:      Yes
    # Autorun:      Yes
    # Scheduled:    Yes / 0 since boot
    # Tutor:        Yes / 0 since boot
    #########################################################
    # Uptime:       1 - 03:18:03
    # Dropped in:   464
    # Rejected out: 11095
    #########################################################
    # Blacklists:   7
    # Startup time: 61 seconds
    # White ports:  21,25,23,53,80,123,443,1194:1196
    ################# Last log recorded #####################
    # Remember your max logs per hour is set to: 1
    
    
    #########################################################
     
    Last edited by a moderator: Oct 7, 2014
  85. rs232

    rs232 Network Guru Member

    That's odd, if you run a:

    tail -200 /var/log/message

    do you see P2Partisan logs in the output?
     
  86. dkirk

    dkirk Network Guru Member

    Anybody else experiencing issues with DHCP not working (issuing IPs) when P2Partisan is active? Once I "stop" P2Partisan I can renew/issue IPs but not when running. Version 4.11, essentially stock configurations. The logs show nothing about port 67/68 being blocked or anything amiss.
     
    Last edited: Oct 8, 2014
  87. WaLLy3K

    WaLLy3K Serious Server Member

    It seems like you're experiencing the same issue I mentioned here, so try disabling the BOGON list and re-update P2P.
     
  88. dkirk

    dkirk Network Guru Member

    Awesome catch, thanks. I actually read that post but missed the DHCP angle to it. I have long been a fan of the bogon list, too bad it interferes. LOVE this P2Partisan!
     
  89. WaLLy3K

    WaLLy3K Serious Server Member

    If I have a bit more patience and the proper time, I might go through that list and see what's causing it to happen. Unfortunately, there's too many people on my network at home to which this would cause a disturbance :(
     
  90. rs232

    rs232 Network Guru Member

    I'll see if I can hard code the exclusion of rfc1918 addresses from the blacklist parsing.
    If so it'll be available in the next release

    Thanks for reporting this

    rs232
     
  91. rs232

    rs232 Network Guru Member

    Run a:
    Code:
    ./p2partisan upgrade
    I've updated to v4.12 which includes a procedure to skip rfc1918 IP addresses from: whitelist, blacklists and blacklist-custom

    After that try to re-enable bogon, ./p2partisan update and let me know how it goes please

    Thanks!
    rs232
     
  92. dkirk

    dkirk Network Guru Member

    Enabled BOGON list, Upgraded to 4.12, rebooted router (met with family angst ala' Wally3k) and DHCP remained broken. Removed BOGON and DHCP functionality returns. Sorry for the bad news.
     
  93. WaLLy3K

    WaLLy3K Serious Server Member

    Haaaaaah
     
  94. dkirk

    dkirk Network Guru Member

    Since upgrading to 4.12 and resuming my original 5 block lists, this crash has started to appear upon starting P2Partisan, anyone else? Memory is hovering around 53% free right now so it's not out of RAM.

    Oct 8 22:59:02 router user.warn kernel: ip_set version 4 loaded
    Oct 8 22:59:40 router user.warn kernel: ipset: page allocation failure. order:0, mode:0x20
    Oct 8 22:59:40 router user.warn kernel: Call Trace:[<c01546c0>][<c0134734>][<c0134638>][<c01546c0>][<c0155bf4>][<c0155bdc>][<80003204>][<80001640>]
    Oct 8 22:59:40 router user.warn kernel: Mem-info:
    Oct 8 22:59:40 router user.warn kernel: Normal per-cpu:
    Oct 8 22:59:40 router user.warn kernel: CPU 0: Hot: hi: 18, btch: 3 usd: 2 Cold: hi: 6, btch: 1 usd: 5
    Oct 8 22:59:40 router user.warn kernel: Active:4749 inactive:3769 dirty:0 writeback:0 unstable:0
    Oct 8 22:59:40 router user.warn kernel: free:768 slab:4176 mapped:575 pagetables:76 bounce:0
    Oct 8 22:59:40 router user.warn kernel: Normal free:3072kB min:8192kB low:10240kB high:12288kB active:18996kB inactive:15076kB present:65536kB pages_scanned:0 all_unreclaimable? no
    Oct 8 22:59:40 router user.warn kernel: lowmem_reserve[]: 0 0
    Oct 8 22:59:40 router user.warn kernel: Normal: 0*4kB 0*8kB 0*16kB 0*32kB 0*64kB 0*128kB 0*256kB 0*512kB 1*1024kB 1*2048kB 0*4096kB = 3072kB
    Oct 8 22:59:40 router user.warn kernel: Swap cache: add 0, delete 0, find 0/0, race 0+0
    Oct 8 22:59:40 router user.warn kernel: Free swap = 0kB
    Oct 8 22:59:40 router user.warn kernel: Total swap = 0kB
    Oct 8 22:59:40 router user.warn kernel: Free swap: 0kB
    Oct 8 22:59:40 router user.warn kernel: 16384 pages of RAM
    Oct 8 22:59:40 router user.warn kernel: 0 pages of HIGHMEM
    Oct 8 22:59:40 router user.warn kernel: 1026 reserved pages
    Oct 8 22:59:40 router user.warn kernel: 2762 pages shared
    Oct 8 22:59:40 router user.warn kernel: 0 pages swap cached
    O
     
  95. rs232

    rs232 Network Guru Member

    Ok, can I ask you to test one thing for me please?
    When bogon is enabled testing from a host that does already have an IP (taking DHCP out of the equation), are you able to communicate with other hosts within the same vlan?

    I would be surprised if bogon creates problem with DHCP only as lists are affecting full IP communication.
    So in a nutshell can you test bogon enabled LAN to LAN communication using a protocol/port that is not whitelisted?

    thanks!

    P.S. I did see before the other error you posted, but P2Partisan appears to be up and running anyway... I'll put it in my to-do list
     
  96. WaLLy3K

    WaLLy3K Serious Server Member

    I haven't tested with the latest update, but everything did indeed work if the device already had an IP assigned (e.g. manually set instead of relying on DHCP to provide the details)
     
  97. rs232

    rs232 Network Guru Member

    The next piece of info we need is: Does adding ports 67 & 68 to the whitelist resolve the issue?
    I'm not suggesting we should have them whitelisted by default, but a test would clarify things as this still makes no sense to me yet
     
  98. rs232

    rs232 Network Guru Member

    p2partisan v4.15 released:
    - improved tutor efficiency
    - resolved iptables-del command missing minor bug
    - resolved autorun procedure bug
    - upgrade function will not try to start p2partisan twice from now on

    rs232
     
  99. rs232

    rs232 Network Guru Member

    P2Partisan v4.16 resolves a bug in the tutor routine

    rs232
     
  100. noparking247

    noparking247 Serious Server Member

    Good afternoon,
    Looks like I'm running into an issue when installing -- looking for /bin/nice. AFAIK, I don't have the "nice" binary installed, nor do I see it in optware.

    root@Gateway:/tmp/mnt/shared/p2partisan# ./p2partisan.sh
    ### PREPARATION ###
    Loading the ipset modules
    ### CUSTOM BLACKLIST ###
    blacklist-custom file -> 1 entries found
    loading blacklist #0 --> ***Custom IP blacklist***
    ./p2partisan.sh: line 747: /bin/nice: not found
    ./p2partisan.sh: line 747: /bin/nice: not found
    ### WHITELIST ###
    ./p2partisan.sh: line 747: /bin/nice: not found
    ./p2partisan.sh: line 747: /bin/nice: not found
    loading whitelisted ports 53,80,123,443,1194:1197,1723 exemption
    preparing the IP whitelist for the iptables
    loading the IP whitelist
    ### BLACKLISTs ###
    loading blacklist #1 --> ***level1***
    loading blacklist #2 --> ***china***
    loading blacklist #3 --> ***russia***
    P2PARTISAN: ... P2Partisan started.
    P2PARTISAN:
    It appears like you don't have a log-async parameter
    in your dnsmasq config. This is strongly suggested
    due to the amount of logs involved. please consider
    adding the following command under Advanced/DHCP/DNS
    /Dnsmasq Custom configuration

    log-async=10

    Thoughts? Tomato v1.28.0000 MIPSR2-117 K26 USB BT-VPN on E3000.

    Thanks!!
     
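The `/bin/nice: not found` errors above come from a hard-coded path that busybox builds without a `nice` applet cannot satisfy. As an added example (not P2Partisan's own code), here is a guarded wrapper that resolves `nice` via PATH or an Optware fallback and otherwise runs the command at normal priority; the `/opt/bin/nice` candidate path and the `run_niced` name are assumptions.

```shell
# Added example, not from the P2Partisan script: guard the "nice" call so a
# missing binary degrades to a normal-priority run instead of an error.
# Assumptions (hypothetical): /opt/bin is where an Optware "nice" would live.

# Print the path of a usable "nice" binary, or nothing (status 1) if none.
find_nice() {
    # Prefer whatever PATH resolves, which covers busybox applets too.
    if command -v nice >/dev/null 2>&1; then
        command -v nice
        return 0
    fi
    # Fall back to common absolute locations, Optware first.
    for candidate in /opt/bin/nice /usr/bin/nice /bin/nice; do
        if [ -x "$candidate" ]; then
            echo "$candidate"
            return 0
        fi
    done
    return 1
}

# Run the given command at reduced priority when "nice" exists, otherwise
# run it directly. The exit status is always that of the wrapped command,
# so a failing ipset/iptables load is still visible to the caller.
run_niced() {
    nice_bin=$(find_nice || true)
    if [ -n "$nice_bin" ]; then
        "$nice_bin" -n 10 "$@"
    else
        echo "nice not available, running at normal priority: $*" >&2
        "$@"
    fi
}

# Usage: in place of  /bin/nice ipset ...  write  run_niced ipset ...
```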
