Re: How to ban many IPs?

On Wed, Oct 29, 2008 at 4:18 PM, slush <slush@xxxxxxxxxx> wrote:
> Thanks for post.
> I know it is solution, but I prefer exit node, because I think it is more
> universal (it can be used as middleman and also as exit).
> There is no question about law (I think there is no problem in my country,
> especially when it is a university server). It is only about people at the
> university who are against porn and other non-legal activities. When we
> run a non-exit router, it is only hiding our eyes from the problem.
> I have one idea, but it is not so clear and systematic. In the ExitPolicy
> mechanism, the router has to export all unwanted IPs. But here there can be a
> mechanism like ExitPolicy, with one difference. The list of banned IPs will not
> be exported to the directory servers, but on an attempt to access any resource,
> the exit node will match it against a blacklist (which can be very, very long).
> The exit node then returns an error code to the Tor client, which will change
> its path (and use a different exit node).
> I know, I know, it is nasty and I'm ashamed of this solution. But it can
> solve my problem :) with support inside Tor.
> Marek

> 2008/10/29 Matt LaPlante <cyberdog3k@xxxxxxxxx>
>> Personally, I run my tor node as transport only (non-exit).  I can't
>> risk opening myself up to illegal activities by running an exit node,
>> but I figure the least I can do is provide decent transport as the
>> middle-man, and let the people running exit nodes concern themselves
>> with the legality of the activity.

I had an interesting conversation on this list a few months back
facing the same problem (wanting to use a blacklist for certain
sites). Trying to do it in the torrc file is simply a bad idea. Using
blacklists in general doesn't work out well. If I were you, I might
consider using a white list instead. It is going to severely limit the
sites people can reach but that still might be ok. Even a relatively
short white list could relieve a lot of congestion on the tor network
if the sites are high bandwidth.

The easiest way to implement it is probably to use Squid in
*non-caching* mode. Its ACLs are powerful enough that other people
have built web blocking software around it. Not the best of solutions,
but you could return an error page for any sites that don't match the
white list explaining that your node can't accept such requests.

(To the dozen responses I am going to get back on why this is such a
bad idea: I know. I don't know of a better one if a white/black list
has to be used and HTTP traffic is allowed.)

That's my two cents.
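The Squid setup sketched above (non-caching, whitelist ACL, explanatory error page), written out as an added example that is not from the original post. The listen port, the whitelist file path and the error template name are assumptions; Squid must already be receiving the exit node's HTTP traffic for the ACLs to apply.

```conf
# squid.conf fragment (added example, not from the post): whitelist-only,
# non-caching HTTP proxy. Port, paths and template name are assumptions.

http_port 3128

# Non-caching mode: never store anything, so the proxy is purely a filter.
cache deny all
cache_mem 0 MB

# Destinations the node is willing to reach. One domain per line in the file;
# a leading dot matches the domain and all its subdomains (assumed path).
acl whitelist dstdomain "/etc/squid/whitelist.txt"
acl whitelist dstdomain .example.edu

# Only plain HTTP is inspected here; refuse anything else outright so the
# whitelist cannot be bypassed through the proxy with CONNECT.
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access deny CONNECT
http_access deny !Safe_ports

# Allow whitelisted sites, deny everything else.
http_access allow whitelist
http_access deny all

# For denied requests, serve a custom page explaining that this node does not
# accept such requests. ERR_NOT_WHITELISTED is an assumed template file that
# must exist in Squid's error template directory alongside the stock ERR_* files.
deny_info ERR_NOT_WHITELISTED all
```

Whatever the whitelist contains, only HTTP that actually passes through Squid is filtered; other exit traffic is governed solely by the Tor ExitPolicy.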