I just tested this method on Shorewall version 4.4.26.1 running on Ubuntu
12.04

1) wget --no-check-certificate https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv
2) ipset n tor iphash
3) while read i; do ipset add tor $i; done < Tor_ip_list_EXIT.csv
4) cp /usr/share/doc/shorewall/default-config/blacklist /etc/shorewall
5) echo "+tor" >> /etc/shorewall/blacklist
6) add the blacklist option to the zone; for me:
                net    ipv4    blacklist
7) shorewall restart



I added an additional LAN IP to the tor ipset to verify it could no longer
make connections:
ipset add tor 10.10.10.155


This worked for me.


I
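The same steps, as an added example that is not part of any message in this thread: a small POSIX sh helper that turns the downloaded exit-node CSV into an `ipset restore` script, dropping comment lines, blank lines and anything that is not a plain IPv4 address so a stray header line cannot abort the load. It assumes ipset 6.x syntax (`hash:ip`, the current name for `iphash`) and the set name `tor` used above; the CSV content is a constructed sample, not real exit-node data.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds an `ipset restore` script
# for the Shorewall "+tor" blacklist entry from the Tor exit-node CSV.
# Assumptions: ipset 6.x (hash:ip), set name "tor" as in the thread.

# Constructed sample of the downloaded CSV (not real exit-node addresses).
SAMPLE_CSV='# Tor exit list, constructed sample
198.51.100.7
203.0.113.42
not-an-ip
198.51.100.7
192.0.2.9
'

# Print an `ipset restore` script on stdout.
# $1 = set name; stdin = CSV lines (comments start with #, CRLF tolerated).
tor_ipset_restore() {
    set_name="$1"
    printf 'create %s hash:ip\n' "$set_name"
    # strip trailing whitespace/CR, drop comments and blanks, keep only
    # dotted-quad IPv4 addresses, and add each address once.
    sed -e 's/[[:space:]]*$//' -e '/^#/d' -e '/^$/d' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
    | sort -u \
    | while IFS= read -r ip; do
          printf 'add %s %s\n' "$set_name" "$ip"
      done
}

# Number of entries the sample would load; a sanity check worth running
# before `shorewall restart`, since an empty set silently blocks nothing.
tor_entry_count() {
    printf '%s' "$SAMPLE_CSV" | tor_ipset_restore tor | grep -c '^add '
}
```

Feed the output to `ipset -exist restore` so re-running it after a refreshed download does not fail on an already existing set.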


On Fri, Sep 13, 2013 at 1:33 AM, johnny bowen <[email protected]> wrote:

> Btw, I never thought about blocking Tor, but I can think of a couple of web
> servers I might do it on now. Thanks.
>
>
> On Fri, Sep 13, 2013 at 1:25 AM, johnny bowen <[email protected]> wrote:
>
>> Once you've defined an ipset (say it's called tor) you can edit
>> /etc/shorewall/blacklist:
>>
>> ## /etc/shorewall/blacklist
>>
>> #ADDRESS/SUBNET         PROTOCOL        PORT
>>
>> +tor
>>
>>
>>
>> see: http://www.shorewall.net/ipsets.html
>>
>> look just a few lines down.
>>
>>
>> On Fri, Sep 13, 2013 at 1:09 AM, Göran Höglund <[email protected]> wrote:
>>
>>> Hi
>>> This is as far as I've understood as well; I've seen a lot of links
>>> where ipset and netfilter are used.
>>> I do not understand, though, how to transmogrify an ipset filter into a
>>> blacklist.
>>>
>>> The TOR exit nodes are available as written in another answer from
>>> sender [email protected].
>>> The list of several hundred IPs is available as a CSV file.
>>>
>>> Getting and creating an ipset from that list is quite commonly described,
>>> for example:
>>> ipset -N torblacklist iphash
>>> wget -q https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv -O - | sed '/^#/d' | while read IP
>>> do
>>>   ipset -q -A torblacklist $IP
>>> done
>>> iptables -A INPUT -m set --match-set torblacklist src -j DROP
>>>
>>> But how do I tell Shorewall to use this list as a blacklist?
>>> That's my major issue.
>>>
>>> /Göran
>>>
>>> Thomas Harold wrote 2013-09-12 19:31:
>>>
>>> On 9/12/2013 10:05 AM, Göran Höglund wrote:
>>>
>>> Hi
>>> Are there any ideas how to block Tor exit nodes?
>>>
>>>
>>> Well, the first constraint is that you need to get a list of the TOR exit
>>> nodes, such as by finding a real-time black-hole list (a.k.a. RBL) tool, or
>>> by getting a list of the exit node IP addresses.
>>>
>>> https://www.torproject.org/projects/tordnsel.html.en
>>> https://www.torproject.org/docs/faq-abuse.html.en#Bans
>>>
>>> After that, I'd imagine you'd muck with blrules:
>>>
>>> http://shorewall.net/manpages/shorewall-blrules.html
>>>
>>> Some notes based on past questions about blacklisting that I see from
>>> looking at the archives:
>>>
>>> "My advice is to not use Shorewall to filter by DNS name." -- Tom Eastep
>>>
>>> If you dig back to Dec 2011, you will find a message by
>>> [email protected] in a thread called "Blacklist Countries".  It
>>> demonstrates a way to build a blacklist file with a script, which might
>>> serve as a starting point for your own efforts.
>>>
>>> And I'm not sure whether it's a good idea to put dozens or hundreds or
>>> thousands of lines into /etc/shorewall/blrules.  Another quote by Tom
>>> Eastep (thread from May 2010 called "blacklist Max Size") says:
>>>
>>> "I personally consider anything over 50 to be insane. Remember that
>>> every connection entering your firewall on a 'blacklist' interface has to
>>> traverse *every* blacklisting rule before it is accepted. Use ipsets."
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Shorewall-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>>
>>>
>>
>