Hi
Are there any ideas how to block Tor exit nodes?
Regards Göran
------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. Consolidate legacy IT systems to a single system of record for IT
2. Standardize and globalize service processes across IT
3. Implement zero-touch automation to replace manual, redundant tasks
http://pubads.g.doubleclick.net/gampad/clk?id=51271111&iu=/4140/ostg.clktrk
On 9/12/2013 10:05 AM, Göran Höglund wrote:
> Hi
> Are there any ideas how to block Tor exit nodes?

Well, first constraint is that you need to get a list of the TOR exit nodes. Such as finding a real-time black-hole list (a.k.a. RBL) tool. Or getting a list of the exit node IP addresses.

https://www.torproject.org/projects/tordnsel.html.en
https://www.torproject.org/docs/faq-abuse.html.en#Bans

After that, I'd imagine you'd muck with blrules:

http://shorewall.net/manpages/shorewall-blrules.html

Some notes based on past questions about blacklisting that I see from looking at the archives:

"My advice is to not use Shorewall to filter by DNS name." -- Tom Eastep

If you dig back to Dec 2011, you will find a message by bill@fahrenkrug.net in a thread called "Blacklist Countries". It demonstrates a way to build a blacklist file with a script, which might serve as a starting point for your own efforts.

And I'm not sure whether it's a good idea to put dozens or hundreds or thousands of lines into /etc/shorewall/blrules. Another quote by Tom Eastep (thread from May 2010 called "blacklist Max Size") says:

"I personally consider anything over 50 to be insane. Remember that every connection entering your firewall on a 'blacklist' interface has to traverse *every* blacklisting rule before it is accepted. Use ipsets."
You could get the IPs from here: http://torstatus.blutmagie.de/

And then block them by IP

On Sep 12, 2013 7:30 AM, "Göran Höglund" <goran.hoglund@telemar.se> wrote:
> Hi
> Are there any ideas how to block Tor exit nodes?
Once you've defined an ipset (say it's called tor) you can edit /etc/shorewall/blacklist:

## /etc/shorewall/blacklist
#ADDRESS/SUBNET PROTOCOL PORT
+tor

see: http://www.shorewall.net/ipsets.html

look just a few lines down.

On Fri, Sep 13, 2013 at 1:09 AM, Göran Höglund <goran.hoglund@telemar.se> wrote:
> Hi
> This is as far as I've understood as well, I've seen a lot of links where
> ipset and netfilter are used.
> I do not understand though how to transmogrify an ipset filter into a black
> list.
>
> The TOR exit nodes are available as written in another answer from sender
> jbowen7@gmail.com
> The list of several hundred IPs is available as a csv file.
>
> Getting and creating an ipset from that list is quite commonly described, for
> example:
>
> ipset -N torblacklist iphash
> wget -q https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv -O - | sed '/^#/d' | while read IP
> do
>     ipset -q -A torblacklist $IP
> done
> iptables -A INPUT -m set --match-set torblacklist src -j DROP
>
> But how do I tell shorewall to use this list as a blacklist?
> That's my major issue.
>
> /Göran
Btw, I never thought about blocking tor.. but I can think of a couple web servers I might do it on now. Thanks

On Fri, Sep 13, 2013 at 1:25 AM, johnny bowen <jbowen7@gmail.com> wrote:
> Once you've defined an ipset (say it's called tor) you can edit /etc/shorewall/blacklist:
> [...]
I just tested this method on Shorewall Version 4.4.26.1 running on ubuntu 12.04

1) wget --no-check-certificate https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv
2) ipset n tor iphash
3) while read i; do ipset add tor $i; done < Tor_ip_list_EXIT.csv
4) cp /usr/share/doc/shorewall/default-config/blacklist /etc/shorewall
5) echo "+tor" >> /etc/shorewall/blacklist
6) add blacklist option to zone; for me:
   net ipv4 blacklist
7) shorewall restart

I added an additional lan ip to the tor ipset to verify it could no longer make connections

ipset add tor 10.10.10.155

This worked for me.
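The tested procedure above, together with Thomas Harold's earlier advice to use an ipset rather than hundreds of blrules lines, as an added example. This is editor-supplied code, not part of the thread and not Shorewall project code. It assumes ipset 6.x syntax (hash:ip, restore, swap), that the downloaded list is one IPv4 address per line with '#' comment lines (which is what the thread's sed '/^#/d' implies), and that the set is named tor to match the +tor entry in /etc/shorewall/blacklist. The torstatus.blutmagie.de URL is the one the thread used; it may no longer be served, so check it before relying on it (the Tor Project publishes a comparable one-address-per-line list at https://check.torproject.org/torbulkexitlist; that pointer is the editor's, not the thread's). Compared with the one-address-per-ipset-add loop, this version validates every line before it reaches the kernel, de-duplicates, and refreshes atomically: the new addresses go into a temporary set that is swapped in, so the live set is never empty or half-loaded while Shorewall is running, and an empty or failed download aborts instead of quietly unblocking every exit. The SAMPLE_LIST is constructed test data (documentation addresses), not real exit nodes.

```shell
#!/bin/bash
# Build and atomically refresh an ipset of Tor exit-node addresses for use
# with Shorewall's blacklist file ("+tor").  Assumptions (not from the
# thread): list is one IPv4 address per line, '#' starts a comment line,
# set name is "tor".  Verify EXIT_LIST_URL before use.
set -u

SET_NAME=tor
EXIT_LIST_URL='https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv'

# Constructed sample of what the exit list looks like (not real data).
SAMPLE_LIST='# Tor exit list, generated 2013-09-13
192.0.2.10
192.0.2.11
198.51.100.7
not-an-address
203.0.113.300
192.0.2.10
'

# Keep only syntactically valid IPv4 addresses: four octets, each 0-255.
# Drops comments, blanks, garbage and duplicates, so a malformed line in
# the download cannot abort the restore and junk never reaches the set.
filter_ipv4() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF downloads
        /^#/ || /^[[:space:]]*$/ { next }       # comments and blank lines
        {
            n = split($1, o, ".")
            if (n != 4) next
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
            if (!seen[$1]++) print $1           # de-duplicate
        }'
}

# Emit an "ipset restore" script that fills a temporary set and swaps it
# in, so the live set is replaced in one step.  $1 = set name; addresses
# on stdin.
ipset_restore_script() {
    local name=$1 tmp="${1}_new"
    echo "create $name hash:ip"
    echo "create $tmp hash:ip"
    echo "flush $tmp"                # in case a previous run aborted
    sed "s/^/add $tmp /"
    echo "swap $tmp $name"           # atomic: old content is now in $tmp
    echo "destroy $tmp"
}

# Download, filter, and load the list into the kernel.  Returns non-zero,
# leaving the current set untouched, if nothing usable came back.
apply_tor_set() {
    local raw addrs count
    raw=$(wget -qO- "$EXIT_LIST_URL") || { echo "download failed" >&2; return 1; }
    addrs=$(printf '%s\n' "$raw" | filter_ipv4)
    count=$(printf '%s\n' "$addrs" | grep -c . || true)
    if [ "$count" -eq 0 ]; then
        echo "no addresses in exit list; keeping current set" >&2
        return 1
    fi
    # -exist: creating a set that already exists is not an error
    printf '%s\n' "$addrs" | ipset_restore_script "$SET_NAME" | ipset restore -exist
    echo "loaded $count Tor exit addresses into ipset $SET_NAME"
}

# Offline check: how many addresses of the constructed sample survive
# filtering (expected: 3).
sample_count() {
    printf '%s' "$SAMPLE_LIST" | filter_ipv4 | wc -l | tr -d ' '
}

if [ "${1:-}" = apply ]; then
    apply_tor_set
fi
```

Run it as root with the `apply` argument from cron; the exit list changes constantly, so a stale set both misses new exits and keeps blocking addresses that have left the network. The set has to exist before `shorewall start`, because iptables refuses to load the blacklist rule that references a missing set: either run this script before Shorewall starts at boot, or, if your shorewall.conf has SAVE_IPSETS, set it to Yes so the set contents are saved on stop and restored on start. Note that this only blocks by source address; it does nothing about traffic that does not come from a listed exit.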
Hello, I made a small script. I would like to know if there is another way, directly in Shorewall, to do the same thing:

I have 4 providers:
eth0
tun0
wlan0
eth4

tun0 passes through wlan0

My script does this:
priority on tun0
then when the bandwidth of tun0 is full ----> priority on eth0
then when the bandwidth of tun0+eth0 is full ----> priority on eth4

Thanks
#!/bin/bash
# Shift outgoing HTTP between providers depending on load: prefer tun0,
# then eth0, then eth4.  It works by rewriting the fwmark on the
# "$FW 0.0.0.0/0 tcp 80" line in /etc/shorewall/tcrules and restarting
# Shorewall.  Marks match /etc/shorewall/providers: 2 = tun0, 3 = eth0,
# 4 = eth4.

threshold_rate=80          # KB/s; at or above this a link counts as "full"
tcrules=/etc/shorewall/tcrules
i=1

# Current receive rate of an interface in KB/s, averaged over 4 seconds.
# Reads the kernel byte counter from sysfs, so the result does not depend
# on the locale of ifconfig's output.
rx_rate() {
    local iface=$1 before after
    before=$(cat "/sys/class/net/$iface/statistics/rx_bytes")
    sleep 4
    after=$(cat "/sys/class/net/$iface/statistics/rx_bytes")
    echo $(( (after - before) / 4000 ))
}

# True if the HTTP rule in tcrules currently carries mark $1.
has_mark() {
    grep -q "^$1 \$FW 0\.0\.0\.0\/0 tcp 80" "$tcrules"
}

# Rewrite the HTTP rule's mark from $1 to $2 (no-op if no such line).
set_mark() {
    sed -i "/^$1 \$FW 0\.0\.0\.0\/0 tcp 80/ s/^$1/$2/" "$tcrules"
}

# Give HTTP priority to the provider with mark $1 (named $2), unless it
# already has it, then restart Shorewall to apply the new tcrules.
set_priority() {
    local want=$1 name=$2 m
    if has_mark "$want"; then
        echo "priority on $name: already done"
        return
    fi
    echo "setting priority on $name"
    for m in 2 3 4; do
        [ "$m" != "$want" ] && set_mark "$m" "$want"
    done
    shorewall restart
}

while true; do
    # Current receive rate on each link
    actual_rate0=$(rx_rate eth0)
    actual_ratetun=$(rx_rate tun0)
    actual_rate4=$(rx_rate eth4)

    echo "-------------------------"
    echo "eth0 (${actual_rate0}KB/s)"
    echo "tun0 (${actual_ratetun}KB/s)"
    echo "eth4 (${actual_rate4}KB/s)"

    full0=$(( actual_rate0 >= threshold_rate ))
    fulltun=$(( actual_ratetun >= threshold_rate ))
    full4=$(( actual_rate4 >= threshold_rate ))

    if (( full0 || fulltun || full4 )); then
        echo "traffic is moving!"
        if (( full0 && fulltun && full4 )); then
            echo "all links saturated!"
        elif (( full0 && fulltun )); then
            echo "eth0 + tun0 saturated"
            set_priority 4 eth4
        elif (( full4 && fulltun )); then
            echo "eth4 + tun0 saturated"
            set_priority 3 eth0
        elif (( full4 && full0 )); then
            echo "eth4 + eth0 saturated"
            set_priority 2 tun0
        elif (( fulltun )); then
            echo "tun0 saturated"
            # eth0 or eth4 are both acceptable; only move if still on tun0
            if has_mark 3 || has_mark 4; then
                echo "priority on eth0 or eth4: already done"
            else
                set_priority 3 eth0
            fi
        elif (( full0 )); then
            echo "eth0 saturated"
            set_priority 2 tun0
        elif (( full4 )); then
            echo "eth4 saturated"
            set_priority 2 tun0
        fi
    else
        echo "no activity"
        set_priority 2 tun0
    fi
    (( i++ ))
done
------------------------------------------------------------------------------
LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99!
1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint
2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes
Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13.
http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk
On 9/16/2013 2:40 AM, nicolas du wrote:
> Hello, I made a small script. I would like to know if there is another way, directly in Shorewall, to do the same thing:
>
> I have 4 providers:
> eth0
> tun0
> wlan0
> eth4
>
> tun0 passes through wlan0
>
> My script does this:
> priority on tun0
> then when the bandwidth of tun0 is full ----> priority on eth0
> then when the bandwidth of tun0+eth0 is full ----> priority on eth4

There is currently no way to do that directly with Shorewall.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________