Hi
Works for me as well, many thanks for all help!

/Göran

johnny bowen wrote 2013-09-13 11:25:
I just tested this method on Shorewall Version 4.4.26.1 running on Ubuntu 12.04

1) wget --no-check-certificate https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv
2) ipset n tor iphash
3) while read i; do ipset add tor $i ;done < Tor_ip_list_EXIT.csv
4) cp /usr/share/doc/shorewall/default-config/blacklist /etc/shorewall
5) echo "+tor" >> /etc/shorewall/blacklist
6) add blacklist option to zone ; for me:
                net    ipv4    blacklist
7) shorewall restart



I added an additional LAN IP to the tor ipset to verify it could no longer make connections
ipset add tor 10.10.10.155


This worked for me.




On Fri, Sep 13, 2013 at 1:33 AM, johnny bowen <[email protected]> wrote:

    Btw, I never thought about blocking tor.. but I can think of a
    couple web servers I might do it on now. Thanks


    On Fri, Sep 13, 2013 at 1:25 AM, johnny bowen <[email protected]> wrote:

        Once you've defined an ipset (say it's called tor) you can edit
        /etc/shorewall/blacklist:

        ## /etc/shorewall/blacklist

        #ADDRESS/SUBNET         PROTOCOL        PORT

        +tor



        see: http://www.shorewall.net/ipsets.html

        look just a few lines down.


        On Fri, Sep 13, 2013 at 1:09 AM, Göran Höglund <[email protected]> wrote:

            Hi
            This is as far as I've understood as well; I've seen a lot
            of links where ipset and netfilter are used.
            I do not understand, though, how to transmogrify an ipset
            filter into a blacklist.

            The TOR exit nodes are available as written in another
            answer from sender [email protected]
            The list of several hundred IPs is available as a CSV
            file.

            Getting and creating an ipset from that list is commonly
            described, for example:

            ipset -N torblacklist iphash
            wget -q https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv -O - \
                | sed '/^#/d' | while read IP
            do
                ipset -q -A torblacklist $IP
            done
            iptables -A INPUT -m set --match-set torblacklist src -j DROP

            But how do I tell shorewall to use this list as a blacklist?
            That's my major issue.

            /Göran

            Thomas Harold wrote 2013-09-12 19:31:
            On 9/12/2013 10:05 AM, Göran Höglund wrote:
            Hi
            Are there any ideas how to block Tor exit nodes?


            Well, first constraint is that you need to get a list of
            the TOR exit nodes.  Such as finding a real-time
            black-hole list (a.k.a. RBL) tool. Or getting a list of
            the exit node IP addresses.

            https://www.torproject.org/projects/tordnsel.html.en
            https://www.torproject.org/docs/faq-abuse.html.en#Bans

            After that, I'd imagine you'd muck with blrules:

            http://shorewall.net/manpages/shorewall-blrules.html

            Some notes based on past questions about blacklisting
            that I see from looking at the archives:

            "My advice is to not use Shorewall to filter by DNS
            name." -- Tom Eastep

            If you dig back to Dec 2011, you will find a message by
            [email protected] in a
            thread called "Blacklist Countries".  It demonstrates a
            way to build a blacklist file with a script, which might
            serve as a starting point for your own efforts.

            And I'm not sure whether it's a good idea to put dozens
            or hundreds or thousands of lines into
            /etc/shorewall/blrules.  Another quote by Tom Eastep
            (thread from May 2010 called "blacklist Max Size") says:

            "I personally consider anything over 50 to be insane.
            Remember that every connection entering your firewall on
            a 'blacklist' interface has to traverse *every*
            blacklisting rule before it is accepted. Use ipsets."



            _______________________________________________
            Shorewall-users mailing list
            [email protected]
            https://lists.sourceforge.net/lists/listinfo/shorewall-users





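The seven steps in johnny bowen's message, gathered into one script as an added example (this is not code from the thread or from the Shorewall project). It assumes the set is called tor, that the blacklist file is /etc/shorewall/blacklist, that the CSV holds one address per line, and that `shorewall restart` is the right reload command for the version in use; those names are assumptions, not taken from the page. Instead of the per-address `ipset add` loop it feeds a generated script to `ipset restore`, validates every line so a malformed or tampered download cannot smuggle extra ipset commands into the stream, and fills a scratch set that is then swapped in, so the live set is never empty while a refresh runs. `hash:ip` is the current name of the `iphash` type used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: load the Tor exit list into an
# ipset via `ipset restore` with a set swap, then hook it into Shorewall.
# Assumed names: set "tor", /etc/shorewall/blacklist, CSV one address per line.
set -eu

# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print an `ipset restore` script that fills SET ($1) from CSV ($2).
# '#' comments, blank lines and surrounding whitespace are ignored; anything
# that is not an IPv4 address is skipped with a warning. Entries go into a
# scratch set which is swapped into place at the end, then destroyed.
build_restore() {
    set_name=$1; csv=$2; scratch="${set_name}_tmp"; n=0
    printf 'create %s hash:ip\n' "$set_name"
    printf 'create %s hash:ip\n' "$scratch"
    printf 'flush %s\n' "$scratch"
    while IFS= read -r line || [ -n "$line" ]; do
        ip=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$ip" ] || continue
        if is_ipv4 "$ip"; then
            printf 'add %s %s\n' "$scratch" "$ip"
            n=$((n + 1))
        else
            printf 'build_restore: skipping invalid entry %s\n' "$ip" >&2
        fi
    done < "$csv"
    printf 'swap %s %s\n' "$scratch" "$set_name"
    printf 'destroy %s\n' "$scratch"
    printf 'build_restore: %d addresses loaded into %s\n' "$n" "$set_name" >&2
}

# On the firewall itself (as root): load the set into the kernel, make sure
# the blacklist file references it, and recompile the rules. The restart is
# only needed the first time; later refreshes just rebuild and swap the set.
apply_tor_set() {
    build_restore tor "$1" | ipset -exist restore
    grep -qx '+tor' /etc/shorewall/blacklist || echo '+tor' >> /etc/shorewall/blacklist
    shorewall restart
}

# Constructed sample list (not the real download): a comment, a blank line,
# three valid exits, an out-of-range octet and an injection attempt.
SAMPLE_CSV=$(mktemp)
trap 'rm -f "$SAMPLE_CSV"' EXIT
cat > "$SAMPLE_CSV" <<'EOF'
# Tor exit nodes, constructed sample
198.51.100.7
203.0.113.42

192.0.2.300
1.2.3.4 ; destroy tor
203.0.113.250
EOF

if [ "${APPLY_TOR_SET:-0}" = 1 ]; then
    apply_tor_set "$SAMPLE_CSV"      # makes real changes; opt in explicitly
else
    build_restore tor "$SAMPLE_CSV"  # dry run: print the restore script
fi
```

Run it as-is to see the generated restore script and the two rejected lines on stderr; run it as root with `APPLY_TOR_SET=1` (and the real CSV in place of the sample) to load the set and wire it into the blacklist. Because the set is referenced by the compiled ruleset, it has to exist in the kernel before Shorewall starts at boot; either create it from a boot-time job that runs before Shorewall, or let Shorewall save and restore it (see the SAVE_IPSETS setting in shorewall.conf). After that, refreshing the list is just re-running the build and restore, no Shorewall restart needed.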