
Re: Cisco firewall filtering Tor?



You also might have some luck routing tor through an external SOCKS
server that listens on port 80/443.
Comrade Ringo Kamens

On 6/14/07, Mike Perry <mikeperry@xxxxxxxxxx> wrote:
Hey Jay!

Thus spake Jay Goodman Tamboli (jay@xxxxxxxxxx):

> I'm stuck behind a FascistFirewall part of the day, and I've been
> trying to get Tor to work as a client. I've added a line to my torrc:
>
> ReachableAddresses *:443
>
> Oddly, I can see that Skype is using TCP connections on port 443. I
> can't tell if they're working, but Skype is keeping them up (and Skype
> as a whole seems to be working).
>
> Tor, on the other hand, is not working. netstat shows established
> connections on port 443, but Tor doesn't seem to be accepting them as
> usable. I have debug logging on, but I'm not sure what to look for,
> since it seems to be trying to create circuits in parallel. Is there a
> message printed when an OR connection fails, giving a reason?

If you are running Tor 0.1.2.x or later, you can add "ControlPort
9051" to your .torrc, and telnet localhost 9051. You can then do

AUTHENTICATE
SETEVENTS EXTENDED CIRC ORCONN

to get some info that is sometimes not reported in logs, in a
well-formed format. You can also try jacking up your log to debug
level. It then should dump a bunch of info about TLS connections
there, but that is harder to sift through.

Might also be a good idea to kill tor, fire up wireshark
(www.wireshark.org), start a network capture, start tor, and let it
try to make some circuits for a bit. Then save the capture, and post
it and the control port info and possibly logs somewhere so we can
look at the results.

> Is it possible the firewall is looking at the :443 connections and
> somehow telling that it's Tor rather than HTTPS?

I believe at some point, tor changed its TLS certificate format to be
less-torlike.. But maybe this is only in SVN and not widely deployed
at the tor nodes. Roger or Nick will need to answer this question most
likely.

If they are doing content-based filtering like this, it is likely they
are also blocking directory connections too..


--
Mike Perry
Mad Computer Scientist
fscked.org evil labs
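
The control-port diagnosis suggested in the message above, as an added example that is not part of the original thread: a small parser that sifts `650 ORCONN` events for failure reasons. The event lines are constructed samples laid out as in the Tor control protocol (target, status, optional `REASON=` and `NCIRCS=`), the addresses are documentation-range placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample of control-port output after
# "SETEVENTS EXTENDED CIRC ORCONN"; not taken from a real session.
SAMPLE_EVENTS = """\
250 OK
650 ORCONN 192.0.2.10:443 LAUNCHED
650 ORCONN 192.0.2.10:443 FAILED REASON=TIMEOUT NCIRCS=1
650 ORCONN 192.0.2.20:443 LAUNCHED
650 ORCONN 192.0.2.20:443 CONNECTED
650 ORCONN 192.0.2.30:443 LAUNCHED
650 ORCONN 192.0.2.30:443 FAILED REASON=CONNECTRESET NCIRCS=2
650 CIRC 4 FAILED REASON=TIMEOUT
650 ORCONN 192.0.2.20:443 CLOSED REASON=IOERROR
"""

# "650 ORCONN <target> <STATUS>" followed by zero or more KEY=VALUE fields.
ORCONN_RE = re.compile(
    r"^650 ORCONN (?P<target>\S+) (?P<status>[A-Z]+)(?P<rest>(?: \S+=\S+)*)\s*$"
)

def parse_orconn(line):
    """Return a dict for an ORCONN event line, or None for any other line."""
    m = ORCONN_RE.match(line)
    if not m:
        return None
    event = {"target": m["target"], "status": m["status"]}
    for pair in m["rest"].split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event

def summarize(text):
    """Return (last status per target, count of REASON values on FAILED/CLOSED)."""
    last_status = {}
    reasons = Counter()
    for line in text.splitlines():
        ev = parse_orconn(line)
        if ev is None:
            continue  # replies such as "250 OK" and CIRC events are skipped
        last_status[ev["target"]] = ev["status"]
        if ev["status"] in ("FAILED", "CLOSED") and "REASON" in ev:
            reasons[ev["REASON"]] += 1
    return last_status, reasons

if __name__ == "__main__":
    status, reasons = summarize(SAMPLE_EVENTS)
    for target, state in status.items():
        print(f"{target:20} {state}")
    print("failure reasons:", dict(reasons))
```

Grouping by `REASON` separates connections that time out from those that are reset or drop with an I/O error after connecting, which is the per-connection detail the original poster was asking for.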