Hi

Are there any ideas how to block Tor exit nodes?

Regards
Göran

------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. Consolidate legacy IT systems to a single system of record for IT
2. Standardize and globalize service processes across IT
3. Implement zero-touch automation to replace manual, redundant tasks
http://pubads.g.doubleclick.net/gampad/clk?id=51271111&iu=/4140/ostg.clktrk
On 9/12/2013 10:05 AM, Göran Höglund wrote:
> Hi
> Are there any ideas how to block Tor exit nodes?
>

Well, first constraint is that you need to get a list of the TOR exit nodes. Such as finding a real-time black-hole list (a.k.a. RBL) tool. Or getting a list of the exit node IP addresses.

https://www.torproject.org/projects/tordnsel.html.en
https://www.torproject.org/docs/faq-abuse.html.en#Bans

After that, I'd imagine you'd muck with blrules:

http://shorewall.net/manpages/shorewall-blrules.html

Some notes based on past questions about blacklisting that I see from looking at the archives:

"My advice is to not use Shorewall to filter by DNS name." -- Tom Eastep

If you dig back to Dec 2011, you will find a message by bill@fahrenkrug.net in a thread called "Blacklist Countries". It demonstrates a way to build a blacklist file with a script, which might serve as a starting point for your own efforts.

And I'm not sure whether it's a good idea to put dozens or hundreds or thousands of lines into /etc/shorewall/blrules. Another quote by Tom Eastep (thread from May 2010 called "blacklist Max Size") says:

"I personally consider anything over 50 to be insane. Remember that every connection entering your firewall on a 'blacklist' interface has to traverse *every* blacklisting rule before it is accepted. Use ipsets."
You could get the IPs from here: http://torstatus.blutmagie.de/

And then block them by IP

On Sep 12, 2013 7:30 AM, "Göran Höglund" <goran.hoglund@telemar.se> wrote:
> Hi
> Are there any ideas how to block Tor exit nodes?
>
> Regards Göran
Once you've defined an ipset (say it's called tor) you can edit /etc/shorewall/blacklist:

## /etc/shorewall/blacklist
#ADDRESS/SUBNET PROTOCOL PORT
+tor

see: http://www.shorewall.net/ipsets.html

look just a few lines down.

On Fri, Sep 13, 2013 at 1:09 AM, Göran Höglund <goran.hoglund@telemar.se> wrote:
> Hi
> This is as far as I've understood as well, I've seen a lot of links where ipset and netfilter are used.
> I do not understand though how to transmogrify an ipset filter as a blacklist.
>
> The TOR exit nodes are available as written in another answer from sender jbowen7@gmail.com
> The list of several hundred IPs is available as a csv file.
>
> Getting and creating an ipset from that list is quite commonly told, for example:
>
> ipset -N torblacklist iphash
> wget -q https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv -O - | sed '/^#/d' | while read IP
> do
>     ipset -q -A torblacklist $IP
> done
> iptables -A INPUT -m set --match-set torblacklist src -j DROP
>
> But how do I tell shorewall to use this list as a blacklist?
> That's my major issue.
>
> /Göran
>
> Thomas Harold skrev 2013-09-12 19:31:
> [...]
Btw, I never thought about blocking tor.. but I can think of a couple web servers I might do it on now. Thanks

On Fri, Sep 13, 2013 at 1:25 AM, johnny bowen <jbowen7@gmail.com> wrote:
> Once you've defined an ipset (say it's called tor) you can edit /etc/shorewall/blacklist:
> [...]
I just tested this method on Shorewall Version 4.4.26.1 running on ubuntu 12.04

1) wget --no-check-certificate https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv
2) ipset n tor iphash
3) while read i; do ipset add tor $i; done < Tor_ip_list_EXIT.csv
4) cp /usr/share/doc/shorewall/default-config/blacklist /etc/shorewall
5) echo "+tor" >> /etc/shorewall/blacklist
6) add blacklist option to zone; for me: net ipv4 blacklist
7) shorewall restart

I added an additional lan ip to the tor ipset to verify it could no longer make connections

ipset add tor 10.10.10.155

This worked for me. I

On Fri, Sep 13, 2013 at 1:33 AM, johnny bowen <jbowen7@gmail.com> wrote:
> Btw, I never thought about blocking tor.. but I can think of a couple web servers I might do it on now. Thanks
> [...]
Hello, I made a small script. I would like to know if there is another way, directly in Shorewall, to do the same thing:

I have 4 providers:
eth0
tun0
wlan0
eth4

tun0 passes through wlan0

My script does this:
priority on tun0
then when the bandwidth of tun0 is full ----> priority on eth0
then when the bandwidth of tun0+eth0 is full ----> priority on eth4

thanks

#!/bin/bash
# Steer outbound HTTP (the "$FW 0.0.0.0/0 tcp 80" line in tcrules) to tun0 first,
# then eth0, then eth4, by rewriting the provider mark (2 = tun0, 3 = eth0, 4 = eth4)
# whenever a link is saturated, then reloading Shorewall.
threshold_rate=80    # kB/s at which a link is considered full
i=1

# Received kB/s on an interface, sampled over 4 seconds.
# The awk pattern matches French-locale ifconfig output ("Octets reçus").
current_rate() {
    local before after
    before=$(/sbin/ifconfig "$1" | awk -F'[ :]' '/Octets reçus/ {print $13}')
    sleep 4
    after=$(/sbin/ifconfig "$1" | awk -F'[ :]' '/Octets reçus/ {print $13}')
    echo $(( (after - before) / 4000 ))
}

# Is the HTTP tcrules line currently marked with $1?
has_mark() {
    grep -q "$1 \$FW 0\.0\.0\.0\/0 tcp 80" /etc/shorewall/tcrules
}

# Change the mark on the HTTP tcrules line from $1 to $2.
set_mark() {
    sed -i "/^$1 \$FW 0\.0\.0\.0\/0 tcp 80/ s/$1/$2/" /etc/shorewall/tcrules
}

while true; do
    actual_rate0=$(current_rate eth0)     # current rate on eth0
    actual_ratetun=$(current_rate tun0)   # current rate on tun0
    actual_rate4=$(current_rate eth4)     # current rate on eth4

    echo "-------------------------"
    echo "eth0 (${actual_rate0}ko/s)"
    echo "tun0 (${actual_ratetun}ko/s)"
    echo "eth4 (${actual_rate4}ko/s)"

    busy0=$(( actual_rate0 >= threshold_rate ))
    busytun=$(( actual_ratetun >= threshold_rate ))
    busy4=$(( actual_rate4 >= threshold_rate ))

    if (( busy0 || busytun || busy4 )); then
        echo "ça bouge !!"
        if (( busy0 && busytun && busy4 )); then
            echo "toutes a fond!!"
            continue
        fi
        if (( busy0 && busytun )); then
            echo "eth0 + tun0 a fond"
            if has_mark 4; then
                echo "priorité sur eth4 : deja fait"
            else
                echo "make priorité sur eth4"
                set_mark 3 4
                set_mark 2 4
                shorewall restart
            fi
            continue
        fi
        if (( busy4 && busytun )); then
            echo "eth4 + tun0 a fond"
            if has_mark 3; then
                echo "priorité sur eth0 : deja fait"
            else
                echo "make priorité sur eth0"
                set_mark 2 3
                set_mark 4 2
                shorewall restart
            fi
            continue
        fi
        if (( busy4 && busy0 )); then
            echo "eth4 + eth0 a fond"
            if has_mark 2; then
                echo "priorité sur tun0 : deja fait"
            else
                echo "make priorité sur tun0"
                set_mark 3 2
                set_mark 4 2
                shorewall restart
            fi
            continue
        fi
        if (( busytun )); then
            echo "tun0 a fond"
            if has_mark 4 || has_mark 3; then
                echo "priorité sur eth0 ou eth4 : deja fait"
            else
                echo "make priorité sur eth0"
                set_mark 2 3
                shorewall restart
            fi
            continue
        fi
        if (( busy0 )); then
            echo "eth0 a fond"
            if has_mark 2; then
                echo "priorité sur tun0 : deja fait"
            else
                echo "make priorité sur tun0"
                set_mark 3 2
                set_mark 4 2
                shorewall restart
            fi
            continue
        fi
        if (( busy4 )); then
            echo "eth4 a fond"
            if has_mark 2; then
                echo "priorité sur tun0 : deja fait"
            else
                echo "make priorité sur tun0"
                set_mark 4 2
                set_mark 3 2
                shorewall restart
            fi
            continue
        fi
    else
        echo "pas d'activité"
        if has_mark 2; then
            echo "priorité sur tun0 : deja fait"
        else
            echo "make priorité sur tun0"
            set_mark 4 2
            set_mark 3 2
            shorewall restart
        fi
    fi
    (( i++ ))
done

------------------------------------------------------------------------------
LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99!
1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13.
http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk
On 9/16/2013 2:40 AM, nicolas du wrote:
> Hello, I made a small script.
> I would like to know if there is another way, directly in Shorewall, to do the same thing:
>
> I have 4 providers:
> eth0
> tun0
> wlan0
> eth4
>
> tun0 passes through wlan0
>
> My script does this:
> priority on tun0
> then when the bandwidth of tun0 is full ----> priority on eth0
> then when the bandwidth of tun0+eth0 is full ----> priority on eth4
>

There is currently no way to do that directly with Shorewall.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________