Is IP Shield block reported correctly?

Hi,

I see a large amount of blocks in the dashboard, but cannot see this in the realtime monitor.
I’m not sure, but it looks like it appeared after the latest update this week.

I can’t reproduce. Here the same count is shown in real time monitor.

To get a report about which blocklists were affected:

/etc/init.d/banip report

Maybe you can find more info in the logs about devices/blocklists, in the UI you could search for “banIP” or on CLI:

grep banIP /var/log/messages

Hi,

grep banIP /var/log/messages

This looks normal

/etc/init.d/banip report
:::
::: banIP Set Statistics
:::
Timestamp: 2026-02-15 10:02:53
------------------------------
blocked syn-flood packets : 2564
blocked udp-flood packets : 2
blocked icmp-flood packets : 120
blocked invalid ct packets : 2442
blocked invalid tcp packets: 0

auto-added IPs to allowlist: 0
auto-added IPs to blocklist: 0

Set                  | Elements     | WAN-Input (packets)   | WAN-Forward (packets) | LAN-Forward (packets) | Port/Protocol Limit
---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------
allowlistv4MAC       | 0            | -                     | -                     | ON: 0                 | -
allowlistv6MAC       | 0            | -                     | -                     | ON: 0                 | -
allowlistv4          | 1            | ON: 0                 | ON: 0                 | ON: 0                 | -
allowlistv6          | 0            | ON: 0                 | ON: 0                 | ON: 0                 | -
bruteforceblockv4    | 434          | ON: 1                 | ON: 0                 | ON: 0                 | -
deblv4               | 16175        | ON: 47                | ON: 0                 | ON: 0                 | -
dshieldv4            | 19           | ON: 135               | ON: 1                 | ON: 0                 | -
deblv6               | 35           | ON: 0                 | ON: 0                 | ON: 0                 | -
greensnowv4          | 1566         | ON: 5                 | ON: 0                 | ON: 0                 | -
firehol1v4           | 3799         | ON: 37                | ON: 0                 | ON: 3                 | -
threatviewv4         | 3102         | ON: 1                 | ON: 0                 | ON: 0                 | -
ipsumv4              | 6505         | ON: 160               | ON: 0                 | ON: 0                 | -
urlvirv4             | 169          | ON: 0                 | ON: 0                 | ON: 0                 | -
uceprotect1v4        | 42772        | ON: 24                | ON: 4                 | ON: 0                 | -
webclientv4          | 210          | ON: 0                 | ON: 0                 | ON: 0                 | -
threatv4             | 75           | ON: 1                 | ON: 0                 | ON: 0                 | -
etcompromisedv4      | 44           | ON: 0                 | ON: 0                 | ON: 0                 | -
dropv6               | 86           | ON: 0                 | ON: 0                 | ON: 0                 | -
bogonv4              | 10           | ON: 0                 | ON: 0                 | ON: 0                 | -
bogonv6              | 36583        | ON: 0                 | ON: 0                 | ON: 0                 | -
torv4                | 889          | ON: 0                 | ON: 0                 | ON: 0                 | -
binarydefensev4      | 1271         | ON: 2                 | ON: 0                 | ON: 0                 | -
torv6                | 508          | ON: 0                 | ON: 0                 | ON: 0                 | -
blocklistv4MAC       | 0            | -                     | -                     | ON: 0                 | -
blocklistv6MAC       | 0            | -                     | -                     | ON: 0                 | -
blocklistv4          | 0            | ON: 0                 | ON: 0                 | ON: 0                 | -
blocklistv6          | 0            | ON: 0                 | ON: 0                 | ON: 0                 | -
---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------
27                   | 114253       | 23 (413)              | 23 (5)                | 27 (3)

What I see in the log is a lot of messages for IP 172.234.162.56

Feb 14 22:10:43 NethSecurity kernel: [598666.365244] banIP/pre-syn/drop: IN=eth1 OUT= MAC=5c:ed:8c:a4:63:69:00:01:5c:72:24:46:08:00 SRC=172.234.162.56 DST=24.132.194.112 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=23918 DF PROTO=TCP SPT=37516 DPT=4002 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 14 22:10:43 NethSecurity kernel: [598666.365923] banIP/pre-syn/drop: IN=eth1 OUT= MAC=5c:ed:8c:a4:63:69:00:01:5c:72:24:46:08:00 SRC=172.234.162.56 DST=24.132.194.112 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=32683 DF PROTO=TCP SPT=48032 DPT=2382 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 14 22:10:43 NethSecurity kernel: [598666.400440] banIP/pre-syn/drop: IN=eth1 OUT= MAC=5c:ed:8c:a4:63:69:00:01:5c:72:24:46:08:00 SRC=172.234.162.56 DST=24.132.194.112 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=20404 DF PROTO=TCP SPT=41750 DPT=6512 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 14 22:10:43 NethSecurity kernel: [598666.401421] banIP/pre-syn/drop: IN=eth1 OUT= MAC=5c:ed:8c:a4:63:69:00:01:5c:72:24:46:08:00 SRC=172.234.162.56 DST=24.132.194.112 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=53890 DF PROTO=TCP SPT=57516 DPT=56019 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 14 22:10:43 NethSecurity kernel: [598666.402215] banIP/pre-syn/drop: IN=eth1 OUT= MAC=5c:ed:8c:a4:63:69:00:01:5c:72:24:46:08:00 SRC=172.234.162.56 DST=24.132.194.112 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=58923 DF PROTO=TCP SPT=60716 DPT=3388 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 14 22:10:43 NethSecurity kernel: [598666.494573] banIP/pre-syn/drop: IN=eth1 OUT= MAC=5c:ed:8c:a4:63:69:00:01:5c:72:24:46:08:00 SRC=172.234.162.56 DST=24.132.194.112 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=34423 DF PROTO=TCP SPT=48878 DPT=38001 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 14 22:10:43 NethSecurity kernel: [598666.529280] banIP/pre-syn/drop: IN=eth1 OUT= MAC=5c:ed:8c:a4:63:69:00:01:5c:72:24:46:08:00 SRC=172.234.162.56 DST=24.132.194.112 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=26571 DF PROTO=TCP SPT=44760 DPT=9217 WINDOW=64240 RES=0x00 SYN URGP=0

Did you maybe enable logging of all kinds of packets in the settings?

The following is the command to get the blocked IPs in the dashboard.
All bans, drops and rejects from the last hour are counted.

grep -e "$(date -d '-1 hour' +'%b %e %H:%M')" -e "$(date  +'%b %e %H:')" /var/log/messages | grep -E 'banIP.+add IP|banIP.+drop|banIP.+reject' | wc -l

Yes.

But the number should then still be the same ?
What is in the realtime monitor should be the same as the dashboard

grep -e "$(date -d '-1 hour' +'%b %e %H:%M')" -e "$(date +'%b %e %H:')" /var/log/messages | grep -E 'banIP.+add IP|banIP.+drop|banIP.+reject' | wc -l
date: invalid date ‘-1 hour’
85039

From the code I think the real time monitor just counts added banned IPs whereas the dashboard also counts logged drops and rejects.

2 Likes

Still strange. I never had these high numbers in the dashboard.
I changed the setting of logging in IP shield.

In the realtime monitor I’m now having less logs, but the dashboard remains high.

I’m pretty sure this happened after an update last week.

Good morning everyone, I too have noticed a significant increase in blocked IPs on threat shield ip, yesterday I restarted the firewall to try to understand, now it has been active for about 20 hours, and I see that hour by hour the count continues to rise, usually I saw an hourly average between 1000/1500 blocked IPs now we are above 11500 blocked IPs, I have the impression that in the dashboard they are not counted correctly.

1 Like

Good morning, for an update, these are the values from this morning. As I mentioned in the previous post, the firewall has now been on for 1 day and 15 hours. The value on the dashboard continues to increase.

1 Like

Issue reported on Git

1 Like

We haven’t touched BanIP during latest updates, I’ll take a look if these values can be merged together nicely (probably not)

This might not be fixed in the immediate times, but since I’m working on monitoring and such, this can be one of the first things I can put hands on to unify.

2 Likes

Heads up on this, seems that the package that handled date was incorrectly removed, the issue is just visual, the blocking works fine. I’ve updated the issue that @MadPatrick gently provided.

3 Likes
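The dashboard pipeline quoted earlier in the thread, replayed over a small constructed log as an added example (not NethSecurity or banIP code). It shows how the count changes when `date -d '-1 hour'` fails as in the output above: the first `-e` pattern is then empty, an empty pattern matches every line, and the time filter stops restricting anything. The log lines, the documentation-range addresses and the function names are assumptions; that the real time monitor counts only "add IP" events is one poster's reading of the code.

```shell
#!/bin/sh
# Constructed sample log, not taken from the thread.
sample_log() {
cat <<'EOF'
Feb 15 07:12:01 fw kernel: banIP/pre-syn/drop: IN=eth1 SRC=192.0.2.10 DPT=4002
Feb 15 08:30:44 fw kernel: banIP/pre-syn/drop: IN=eth1 SRC=192.0.2.10 DPT=2382
Feb 15 09:02:10 fw kernel: banIP/pre-syn/drop: IN=eth1 SRC=198.51.100.7 DPT=22
Feb 15 09:41:10 fw banIP: add IP 198.51.100.7 to blocklist (constructed)
Feb 15 10:01:15 fw kernel: banIP/pre-syn/drop: IN=eth1 SRC=192.0.2.10 DPT=6512
Feb 15 10:02:00 fw kernel: banIP/example/reject: IN=eth1 SRC=203.0.113.5 DPT=443
Feb 15 10:02:30 fw dnsmasq: unrelated line
EOF
}

# Same two-stage filter as the dashboard command in the thread.
# $1 = output of date -d '-1 hour' +'%b %e %H:%M' (empty when that call fails)
# $2 = output of date +'%b %e %H:'
dashboard_count() {
    sample_log | grep -e "$1" -e "$2" \
        | grep -E 'banIP.+add IP|banIP.+drop|banIP.+reject' | wc -l | tr -d ' '
}

# Only "add IP" events inside the same time filter (assumed monitor behaviour).
added_count() {
    sample_log | grep -e "$1" -e "$2" \
        | grep -E 'banIP.+add IP' | wc -l | tr -d ' '
}

# Which sources produce the logged drops/rejects, busiest first.
top_sources() {
    sample_log | grep -E 'banIP.+(drop|reject)' \
        | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $2 "=" $1}'
}

echo "date works      : $(dashboard_count 'Feb 15 09:02' 'Feb 15 10:')"
echo "date -d fails   : $(dashboard_count '' 'Feb 15 10:')"
echo "add IP only     : $(added_count '' 'Feb 15 10:')"
echo "busiest source  : $(top_sources | head -n 1)"
```

With the empty pattern the count covers the whole log file rather than a time window, so it keeps growing until the log rotates.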

Thanks for confirming the bug and solving it
I’ve updated with the following updates

Bug and security fixes to update

netifyd 2025.10.01-5.1.25-r3 to 2025.10.01-5.1.25-r4
ns-api 3.5.0-r1 to 3.5.1-r2
ns-dpi 0.3.0-r1 to 0.3.1-r1
ns-phonehome 0.0.7-r1 to 0.0.8-r1
ns-plug 1.0.1-r1 to 1.0.2-r1
ns-ui 2.13.1-r1 to 2.14.0-r1
python3-nethsec 1.4.8-r1 to 1.5.1-r1
rsyslog 8.2110.0-r1 to 8.2506.0-r2

Is this update with the fix included ?