Once you've defined a ipset (say it's called tor) you can edit
/etc/shorewall/blacklist:
## /etc/shorewa/blacklist
#ADDRESS/SUBNET PROTOCOL PORT
+tor
see: http://www.shorewall.net/ipsets.html
look just a few lines down.
On Fri, Sep 13, 2013 at 1:09 AM, Göran Höglund <[email protected]>wrote:
> **
> Hi
> This is as far as I've understood as well, I've seen a lot of links where
> ipset and netfilter is used.
> I do not understand though how to transmogrify a ipset filter as a black
> list.
>
> The TOR exit nodes are available as written in another answer from sender
> [email protected]
> The list of several hundred of ip's are available as a csv file.
>
> Getting and creating an ipset from that list is quite common told for
> example:
> ipset -N torblacklist iphash
> wget -q https://
> torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv -O -|sed
> '/^#/d' |while read IP
> do
> ipset -q -A torblacklist $IP
> done
> iptables -A INPUT -m set --match-set torblaclist src -j DROP
>
> But how do I tell shorewall to use this list as a blacklist?
> Thats my major issue.
>
> /Göran
>
> Thomas Harold skrev 2013-09-12 19:31:
>
> On 9/12/2013 10:05 AM, Göran Höglund wrote:
>
> Hi
> Are there any ideas how to block Tor exit nodes?
>
>
> Well, first constraint is that you need to get a list of the TOR exit
> nodes. Such as finding a real-time black-hole list (a.k.a. RBL) tool. Or
> getting a list of the exit node IP addresses.
>
> https://www.torproject.org/projects/tordnsel.html.en
> https://www.torproject.org/docs/faq-abuse.html.en#Bans
>
> After that, I'd imagine you'd muck with blrules:
>
> http://shorewall.net/manpages/shorewall-blrules.html
>
> Some notes based on past questions about blacklisting that I see from
> looking at the archives:
>
> "My advice is to not use Shorewall to filter by DNS name." -- Tom Eastep
>
> If you dig back to Dec 2011, you will find a message by
> [email protected] in a thread called "Blacklist Countries". It
> demonstrates a way to build a blacklist file with a script, which might
> serve as a starting point for your own efforts.
>
> And I'm not sure whether it's a good idea to put dozens or hundreds or
> thousands of lines into /etc/shorewall/blrules. Another quote by Tom
> Eastep (thread from May 2010 called "blacklist Max Size") says:
>
> "I personally consider anything over 50 to be insane. Remember that every
> connection entering your firewall on a 'blacklist' interface has to
> traverse *every* blacklisting rule before it is accepted. Use ipsets."
>
>
>
>
> ------------------------------------------------------------------------------
> How ServiceNow helps IT people transform IT departments:
> 1. Consolidate legacy IT systems to a single system of record for IT
> 2. Standardize and globalize service processes across IT
> 3. Implement zero-touch automation to replace manual, redundant tasks
> http://pubads.g.doubleclick.net/gampad/clk?id=51271111&iu=/4140/ostg.clktrk
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. Consolidate legacy IT systems to a single system of record for IT
2. Standardize and globalize service processes across IT
3. Implement zero-touch automation to replace manual, redundant tasks
http://pubads.g.doubleclick.net/gampad/clk?id=51271111&iu=/4140/ostg.clktrk
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
