IP ranges, cs-firewall-bouncer and nftables

When using cs-firewall-bouncer with nftables, it does not appear to be possible to ban ranges of IP addresses. For example, after adding a range using `sudo cscli decisions add --range 1.2.3.0/24`, inspecting the content of the crowdsec table using `sudo nft list table ip crowdsec` shows that only IP 1.2.3.0 is banned.

The reason seems to be that the blocklist set definition is missing the “interval” flag (see Sets - nftables wiki). I’m not a Go coder, but I think changes would be needed in file `nftables.go` around lines 60 and 128.

Hello @lleddewk ,

Thanks for reporting the issue! We are working on fixing it :slight_smile:

Hi, I still have exactly the same problem and I am running:

`cs-firewall-bouncer -V version: - BuildDate: GoVersion: 1.21.13 Platform: linux`

on OpenWrt. Is there a solution to this already?

Thank you very much for your help and time.

Package:
crowdsec-firewall-bouncer
0.0.29-1

Openwrt: Powered by LuCI openwrt-23.05 branch (git-24.364.71483-75d2b84) / OpenWrt 23.05.3 (r23809-234f1a2efa)

You can find the pull request for range support: Support ranges in nftables by sbs2001 · Pull Request #85 · crowdsecurity/cs-firewall-bouncer · GitHub

Currently, though, we are unable to proceed with the implementation because nftables treats overlapping ranges as a hard error and we couldn't find a solution to this, so currently ranges are not a supported remediation type in nftables mode.

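The two obstacles named in this thread are the missing `interval` flag on the set and nftables rejecting overlapping ranges when elements are loaded. The following Python is an added example, not code from cs-firewall-bouncer or from any poster here: it checks a list of ranges for overlaps, collapses overlapping and adjacent ranges into a disjoint CIDR list, and renders an nftables set declaration carrying `flags interval` so each CIDR element covers its whole range. The table name `crowdsec` follows the thread; the set name `crowdsec-blacklists` and the sample ranges are constructed placeholders.

```python
import ipaddress

# Constructed sample input: overlapping, nested and adjacent ranges plus one host,
# the kind of mix that makes nftables reject an interval-set load.
SAMPLE_RANGES = [
    "1.2.3.0/24",
    "1.2.3.128/25",    # nested inside the /24 above
    "10.0.0.0/8",
    "10.1.0.0/16",     # nested inside 10.0.0.0/8
    "192.0.2.0/25",
    "192.0.2.128/25",  # adjacent to the previous /25, merges to a /24
    "198.51.100.7",    # single host, becomes a /32
]


def parse_v4(entries):
    """Parse addresses and CIDRs into IPv4 network objects; IPv6 is skipped here."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return [n for n in nets if n.version == 4]


def overlapping_pairs(entries):
    """Return the pairs of entries that overlap each other (adjacent ranges do not count)."""
    nets = parse_v4(entries)
    pairs = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                pairs.append((str(a), str(b)))
    return pairs


def collapse_ranges(entries):
    """Merge overlapping and adjacent ranges into the minimal disjoint CIDR list."""
    return [str(n) for n in ipaddress.collapse_addresses(parse_v4(entries))]


def render_nft_set(set_name, entries, table="crowdsec", family="ip"):
    """Render an nftables set declaration whose elements are CIDRs.

    'flags interval' is what lets a CIDR element stand for the whole range
    instead of only its first address. The elements are collapsed first so
    that no two of them overlap when the set is loaded.
    """
    elements = ",\n".join(f"        {e}" for e in collapse_ranges(entries))
    return (
        f"table {family} {table} {{\n"
        f"    set {set_name} {{\n"
        f"        type ipv4_addr\n"
        f"        flags interval\n"
        f"        elements = {{\n{elements}\n        }}\n"
        f"    }}\n"
        f"}}\n"
    )


if __name__ == "__main__":
    for a, b in overlapping_pairs(SAMPLE_RANGES):
        print(f"overlap: {a} and {b}")
    # Set name is an assumed placeholder; the table name follows the thread.
    print(render_nft_set("crowdsec-blacklists", SAMPLE_RANGES))
```

Collapsing in userspace before handing elements to nft sidesteps the overlap error without changing the ruleset semantics: the merged list matches exactly the same addresses as the original overlapping one.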
Just bumped into the exact same issue over here. Using the bouncer that runs on OpenWrt, which uses nftables.

Hopefully there can be a fix sometime in the future. In the meantime, instead of doing something like this on the engine:

`cscli decisions add --range 216.218.206.0/24 --duration 2160h`

What do you suggest I should do instead? 255 lines of `cscli decisions add --ip`? Will CrowdSec see this as spamming their servers (given I see on their web dashboard everything I have banned)?

Personally, the best solution would be to use a CIDR generator like mapcidr.

Then you can do something like this:

`mapcidr --cidr 216.218.206.0/24 | cscli decisions import -i- --format values --duration 2160h`

This will import all decisions per IP and only shows as one alert in the console.

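The mapcidr pipeline above expands a range into one address per line for `cscli decisions import --format values`. As an added example that is neither mapcidr nor any poster's code, the Python below does the same expansion with two things a practitioner would want on top: overlapping inputs are collapsed so no address is imported twice, and a size limit refuses to expand a range larger than a /16 (the limit value is an assumption) so that a typo such as `/8` for `/24` is caught before it turns into tens of millions of per-IP decisions.

```python
import ipaddress
import sys

# Constructed guard: refuse to expand more than a /16 worth of addresses,
# since the number of per-IP decisions grows with the range size.
MAX_ADDRESSES = 65_536


def expand_cidrs(cidrs, limit=MAX_ADDRESSES):
    """Expand CIDRs into a sorted, deduplicated list of addresses, one per entry.

    Overlapping inputs are collapsed first so an address is emitted once even
    when it appears in several ranges. Raises ValueError when the total
    exceeds the limit, so the mistake is caught before `cscli decisions import`.
    """
    nets = [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs if c.strip()]
    nets = list(ipaddress.collapse_addresses([n for n in nets if n.version == 4]))
    total = sum(n.num_addresses for n in nets)
    if total > limit:
        raise ValueError(f"{total} addresses exceeds the limit of {limit}")
    # Iterating a network yields every address, network and broadcast included.
    return [str(addr) for n in nets for addr in n]


if __name__ == "__main__":
    # Usage, mirroring the thread's pipeline:
    #   python3 expand.py 216.218.206.0/24 | cscli decisions import -i- --format values --duration 2160h
    try:
        sys.stdout.write("\n".join(expand_cidrs(sys.argv[1:])) + "\n")
    except ValueError as err:
        sys.stderr.write(f"refusing to expand: {err}\n")
        sys.exit(1)
```

Because `--format values` takes one value per line, the script's stdout can replace the mapcidr stage of the pipeline unchanged; the exit code lets a shell wrapper stop before the import step when the guard trips.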