Btw, I never thought about blocking tor.. but I can think of a couple web
servers I might do it on now. Thanks


On Fri, Sep 13, 2013 at 1:25 AM, johnny bowen <jbow...@gmail.com> wrote:

> Once you've defined an ipset (say it's called tor) you can edit
> /etc/shorewall/blacklist:
>
> ## /etc/shorewall/blacklist
>
> #ADDRESS/SUBNET         PROTOCOL        PORT
>
> +tor
>
>
>
> see: http://www.shorewall.net/ipsets.html
>
> look just a few lines down.
>
>
> On Fri, Sep 13, 2013 at 1:09 AM, Göran Höglund
> <goran.hogl...@telemar.se> wrote:
>
>> Hi
>> This is as far as I've understood as well; I've seen a lot of links where
>> ipset and netfilter are used.
>> I do not understand though how to transmogrify an ipset filter into a black
>> list.
>>
>> The TOR exit nodes are available as written in another answer from sender
>> jbow...@gmail.com
>> The list of several hundred of ip's are available as a csv file.
>>
>> Getting and creating an ipset from that list is quite commonly described,
>> for example:
>> ipset -N torblacklist iphash
>> wget -q https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv -O - | sed '/^#/d' | while read IP
>> do
>>   ipset -q -A torblacklist "$IP"
>> done
>> iptables -A INPUT -m set --match-set torblacklist src -j DROP
>>
>> But how do I tell shorewall to use this list as a blacklist?
>> That's my major issue.
>>
>> /Göran
>>
>> Thomas Harold skrev 2013-09-12 19:31:
>>
>> On 9/12/2013 10:05 AM, Göran Höglund wrote:
>>
>> Hi
>> Are there any ideas how to block Tor exit nodes?
>>
>>
>> Well, first constraint is that you need to get a list of the TOR exit
>> nodes.  Such as finding a real-time black-hole list (a.k.a. RBL) tool. Or
>> getting a list of the exit node IP addresses.
>>
>> https://www.torproject.org/projects/tordnsel.html.en
>> https://www.torproject.org/docs/faq-abuse.html.en#Bans
>>
>> After that, I'd imagine you'd muck with blrules:
>>
>> http://shorewall.net/manpages/shorewall-blrules.html
>>
>> Some notes based on past questions about blacklisting that I see from
>> looking at the archives:
>>
>> "My advice is to not use Shorewall to filter by DNS name." -- Tom Eastep
>>
>> If you dig back to Dec 2011, you will find a message by
>> b...@fahrenkrug.net in a thread called "Blacklist Countries".  It
>> demonstrates a way to build a blacklist file with a script, which might
>> serve as a starting point for your own efforts.
>>
>> And I'm not sure whether it's a good idea to put dozens or hundreds or
>> thousands of lines into /etc/shorewall/blrules.  Another quote by Tom
>> Eastep (thread from May 2010 called "blacklist Max Size") says:
>>
>> "I personally consider anything over 50 to be insane. Remember that every
>> connection entering your firewall on a 'blacklist' interface has to
>> traverse *every* blacklisting rule before it is accepted. Use ipsets."
>>
>>
>>
>>
>> _______________________________________________
>> Shorewall-users mailing list
>> Shorewall-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>
>>
>
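The recipe discussed above (download the exit-node CSV, load it into an ipset, reference the set from /etc/shorewall/blacklist with a leading `+`) carried through end to end, as an added example that is not code from the thread or from the Shorewall project. It assumes one IPv4 address per CSV line with `#` comment lines, an ipset named `tor` (the name used in the `+tor` entry quoted above), and that the live set is created once before Shorewall starts. Building into a temporary set and swapping it in is this example's choice, not something the thread describes; it exists so the live set is never half-populated while a refresh runs, and so that a malformed line in the download cannot abort the load partway through.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): turn an
# exit-node CSV into "ipset restore" input plus the matching
# /etc/shorewall/blacklist entry. Assumes one IPv4 per line, '#' comments,
# and an ipset named "tor" (override with SET_NAME=...).

SET_NAME="${SET_NAME:-tor}"

# Constructed sample standing in for the downloaded Tor_ip_list_EXIT.csv;
# a comment, a malformed line and a duplicate are included on purpose.
SAMPLE_CSV='# Tor exit list (constructed sample, not real data)
192.0.2.10
198.51.100.25
not-an-ip
203.0.113.7
# trailing comment
192.0.2.10'

# valid_ipv4 ADDR: succeed only for four dotted decimal octets in 0..255
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# clean_list: read the CSV on stdin, strip CR/comments/blank lines, dedupe
# (a duplicate "add" makes ipset restore fail), and keep only syntactically
# valid IPv4 addresses; rejected lines are reported on stderr, not loaded.
clean_list() {
    tr -d '\r' | sed -e '/^#/d' -e '/^[[:space:]]*$/d' | sort -u |
    while read -r ip; do
        if valid_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        else
            printf 'clean_list: skipping malformed entry %s\n' "$ip" >&2
        fi
    done
}

# ipset_restore_script: emit "ipset restore" input that fills a fresh
# temporary set (SET_NAME_new); the caller then swaps it over the live set.
ipset_restore_script() {
    tmp="${SET_NAME}_new"
    printf 'create %s hash:ip\n' "$tmp"
    clean_list | while read -r ip; do
        printf 'add %s %s\n' "$tmp" "$ip"
    done
}

# shorewall_blacklist_entry: the lines for /etc/shorewall/blacklist; the
# leading '+' tells Shorewall the name refers to an ipset, as in +tor above.
shorewall_blacklist_entry() {
    printf '#ADDRESS/SUBNET\tPROTOCOL\tPORT\n+%s\n' "$SET_NAME"
}

# Demonstration on the constructed sample; in real use feed the downloaded
# CSV to ipset_restore_script instead of SAMPLE_CSV.
printf '%s\n' "$SAMPLE_CSV" | ipset_restore_script
shorewall_blacklist_entry
```

Usage on the firewall (root): create the live set once with `ipset create tor hash:ip`, then on every refresh run `wget -q -O - "$CSV_URL" | ipset_restore_script | ipset restore && ipset swap tor_new tor && ipset destroy tor_new`. The swap is atomic from netfilter's point of view, so Shorewall keeps matching against a complete set throughout, and because the set is referenced by name from the blacklist file, Shorewall itself needs no restart when the membership changes.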