Hi
This is as far as I've understood as well; I've seen a lot of links
where ipset and netfilter are used.
I do not understand, though, how to transmogrify an ipset filter into a
blacklist.
The TOR exit nodes are available as written in another answer from
sender [email protected]
The list of several hundred IPs is available as a CSV file.
Getting the list and creating an ipset from it is commonly described,
for example:
# create the set, fill it from the exit-node list (skipping '#' comment lines)
ipset -N torblacklist iphash
wget -q https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv -O - | sed '/^#/d' | while read IP
do
    ipset -q -A torblacklist "$IP"
done
# drop anything whose source address is in the set (set name must match the one created above)
iptables -A INPUT -m set --match-set torblacklist src -j DROP
But how do I tell shorewall to use this list as a blacklist?
That's my major issue.
/Göran
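An added example, not code from this thread, showing the missing step: the ipset is built from the CSV with each address validated before loading (which the posted one-liner does not do), and a single blrules entry points Shorewall at the set. It assumes the set name torblacklist, an Internet-facing zone called net, and the '+setname' syntax Shorewall uses for ipsets in address columns.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: the set is called
# torblacklist and the Internet-facing Shorewall zone is 'net'.
SET_NAME=torblacklist
TOR_EXIT_CSV="https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv"

# Accept only a dotted quad whose four octets are all in 0..255.
valid_ipv4() {
    oldifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Turn the downloaded list (one address per line, '#' comments) into
# 'ipset restore' input. Bad lines are counted and reported, never loaded,
# so a comment or a garbled line in the feed cannot end up in the set.
csv_to_ipset_restore() {
    bad=0
    echo "create $SET_NAME hash:ip -exist"      # hash:ip is the current name of iphash
    while read -r ip _rest; do                  # _rest swallows trailing comments
        case "$ip" in ''|\#*) continue ;; esac  # blank line or comment line
        if valid_ipv4 "$ip"; then
            echo "add $SET_NAME $ip -exist"
        else
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -gt 0 ] && echo "rejected $bad malformed line(s)" >&2
    return 0
}

# Shorewall side: reference the set as '+setname' in the SOURCE column of
# /etc/shorewall/blrules, so one rule matches every address in the set
# (the '+setname' and 'all' syntax is assumed from Shorewall's ipset support).
shorewall_blrules_entry() {
    printf '%s\n' "#ACTION  SOURCE             DEST  PROTO" \
                  "DROP     net:+$SET_NAME    all"
}

# Run as root from cron: fetch, validate, load (re-runnable thanks to -exist),
# then 'shorewall refresh' so the blrules entry is (re)applied.
refresh_tor_blacklist() {
    wget -q -O - "$TOR_EXIT_CSV" | tr -d '\r' | csv_to_ipset_restore | ipset restore \
        && shorewall refresh
}
```

Only refresh_tor_blacklist touches the firewall; the other functions can be run unprivileged to inspect what would be loaded.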
Thomas Harold wrote 2013-09-12 19:31:
On 9/12/2013 10:05 AM, Göran Höglund wrote:
Hi
Are there any ideas how to block Tor exit nodes?
Well, first constraint is that you need to get a list of the TOR exit
nodes. Such as finding a real-time black-hole list (a.k.a. RBL) tool.
Or getting a list of the exit node IP addresses.
https://www.torproject.org/projects/tordnsel.html.en
https://www.torproject.org/docs/faq-abuse.html.en#Bans
After that, I'd imagine you'd muck with blrules:
http://shorewall.net/manpages/shorewall-blrules.html
Some notes based on past questions about blacklisting that I see from
looking at the archives:
"My advice is to not use Shorewall to filter by DNS name." -- Tom Eastep
If you dig back to Dec 2011, you will find a message by
[email protected] in a thread called "Blacklist Countries". It
demonstrates a way to build a blacklist file with a script, which
might serve as a starting point for your own efforts.
And I'm not sure whether it's a good idea to put dozens or hundreds or
thousands of lines into /etc/shorewall/blrules. Another quote by Tom
Eastep (thread from May 2010 called "blacklist Max Size") says:
"I personally consider anything over 50 to be insane. Remember that
every connection entering your firewall on a 'blacklist' interface has
to traverse *every* blacklisting rule before it is accepted. Use ipsets."
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users