
Re: How to ban many IPs?



Jonathan Addington wrote:
(snip)
> The easiest way to implement it is probably to use Squid in
> *non-caching* mode. Its ACLs are powerful enough that other people
> have built web blocking software around it. Not the best of solutions,
> but you could return an error page for any sites that don't match the
> white list explaining that your node can't accept such requests.
> 
> (To the dozen responses I am going to get back on why this is such a
> bad idea: I know. I don't know of a better one if a white/black list
> has to be used and HTTP traffic is allowed.)
> 
(snip)

IMHO, the problem isn't that filtering would be in place - this should
be the option of each node operator, and there are other exits - but
that there's no way for the Tor client software to avoid such a node
entirely when accessing a blacklisted site.

Basically, if you used the ACLs in Squid in this way, clients that want
blacklisted site "X" might still pick your exit (in a semi-random
fashion), since you're neither listing Site X as a Reject line, nor
blocking port 80 exits entirely.

So, Squid would send back an error of some kind, and that client would
be stopped cold until they either restarted Tor, or sent a NEWNYM/SIGHUP.

That would not only be annoying as all get out in manual use, but would
cause no end of problems with any automated use (e.g., spidering
programs, download managers, wget, etc.).

--
F. Fox
Owner of Tor node "kitsune"
http://fenrisfox.livejournal.com
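Added example, not part of the message above and not Tor's own code: a simplified model of exit selection by published policy, showing why an exit that filters in a proxy stays a candidate for the blocked site while one that lists a reject line does not. The exit names, the addresses (documentation ranges) and the `proxy_blocked` field are constructed for illustration, and treating an unmatched request as rejected is an assumption of this model.

```python
import ipaddress

def parse_rule(line):
    """Parse 'accept|reject ADDR[/MASK]:PORT[-PORT]' into (allow, net, lo, hi)."""
    action, pattern = line.split()
    addr, _, port = pattern.rpartition(":")
    net = ipaddress.ip_network("0.0.0.0/0" if addr == "*" else addr, strict=False)
    if port == "*":
        lo, hi = 1, 65535
    else:
        first, _, last = port.partition("-")
        lo, hi = int(first), int(last or first)
    return action == "accept", net, lo, hi

def policy_allows(policy, ip, port):
    """First matching rule wins; no match is treated as reject (model assumption)."""
    target = ipaddress.ip_address(ip)
    for allow, net, lo, hi in map(parse_rule, policy):
        if target in net and lo <= port <= hi:
            return allow
    return False

def candidate_exits(exits, ip, port):
    """Exits a client would consider, judged only by the published policy."""
    return sorted(n for n, e in exits.items() if policy_allows(e["policy"], ip, port))

def doomed_exits(exits, ip, port):
    """Candidates whose out-of-band proxy filter refuses the request anyway."""
    return [n for n in candidate_exits(exits, ip, port)
            if ip in exits[n]["proxy_blocked"]]

SITE_X = "203.0.113.10"      # constructed address for the blacklisted site
OTHER_SITE = "198.51.100.7"  # constructed address for an unfiltered site

EXITS = {  # constructed sample exits
    # Filters in the exit policy: clients can see the reject line.
    "policy_filter": {"policy": ["reject 203.0.113.10:80", "accept *:80", "reject *:*"],
                      "proxy_blocked": set()},
    # Filters in a proxy ACL: the published policy still says port 80 is open.
    "proxy_filter": {"policy": ["accept *:80", "reject *:*"],
                     "proxy_blocked": {SITE_X}},
    "open_exit": {"policy": ["accept *:80", "reject *:*"], "proxy_blocked": set()},
}

if __name__ == "__main__":
    print("candidates for site X:", candidate_exits(EXITS, SITE_X, 80))
    print("will fail at the proxy:", doomed_exits(EXITS, SITE_X, 80))
```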