On 9/12/2013 10:05 AM, Göran Höglund wrote:
> Hi
> Are there any ideas how to block Tor exit nodes?
>

Well, the first constraint is that you need to get a list of the Tor exit 
nodes, such as by finding a real-time black-hole list (a.k.a. RBL) tool, 
or by getting a list of the exit node IP addresses.

https://www.torproject.org/projects/tordnsel.html.en
https://www.torproject.org/docs/faq-abuse.html.en#Bans

After that, I'd imagine you'd muck with blrules:

http://shorewall.net/manpages/shorewall-blrules.html

Some notes based on past questions about blacklisting that I see from 
looking at the archives:

"My advice is to not use Shorewall to filter by DNS name." -- Tom Eastep

If you dig back to Dec 2011, you will find a message by 
b...@fahrenkrug.net in a thread called "Blacklist Countries".  It 
demonstrates a way to build a blacklist file with a script, which might 
serve as a starting point for your own efforts.

And I'm not sure whether it's a good idea to put dozens or hundreds or 
thousands of lines into /etc/shorewall/blrules.  Another quote by Tom 
Eastep (thread from May 2010 called "blacklist Max Size") says:

"I personally consider anything over 50 to be insane. Remember that 
every connection entering your firewall on a 'blacklist' interface has 
to traverse *every* blacklisting rule before it is accepted. Use ipsets."


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
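
Added example, not part of the original message and not code from the Shorewall project: one way to follow the "Use ipsets" advice quoted above is to turn the exit-node address list into an `ipset restore` script and match the whole set with a single blrules line. The set name `torexit`, the zone name `net` and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build an `ipset restore` script from a Tor exit-node list so
# that a single Shorewall rule matches the whole set.
# Assumptions: SET_NAME and the zone name "net" are illustrative; the sample
# addresses are constructed (RFC 5737 documentation ranges), not real exits.
SET_NAME="torexit"

# stdin: one address per line. stdout: ipset restore commands.
# Only well-formed, de-duplicated IPv4 addresses are emitted, so a malformed
# or tampered download cannot smuggle other ipset commands into the stream.
build_restore() {
    tmp="${SET_NAME}-new"
    echo "create $SET_NAME hash:ip family inet"
    echo "create $tmp hash:ip family inet"
    echo "flush $tmp"
    tr -d '\r' | awk -v set="$tmp" '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($0, o, ".")
            ok = 1
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
            if (ok && !seen[$0]++) print "add " set " " $0
        }'
    # Fill a scratch set, then swap: the live set is never empty mid-refresh.
    echo "swap $tmp $SET_NAME"
    echo "destroy $tmp"
}

# Constructed sample input, including lines that must be rejected.
sample_list() {
    cat <<'EOF'
# constructed sample list
192.0.2.10
198.51.100.7
192.0.2.10
203.0.113.999
flush torexit
203.0.113.25
EOF
}

# Print the restore script for the sample. On a real firewall, load it with
#   ipset -exist restore < file
# and reference the set from one line in /etc/shorewall/blrules:
#   DROP    net:+torexit    all
sample_list | build_restore
```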
