
We lock Tor on the corporate firewall

Since many users have discovered the advantages of the “portable Tor Browser”, which needs no admin rights, it was decided to block the use of Tor by every available means.
Let me say up front that we are talking about FreeBSD + pf.


The bootstrap scheme of the Tor service is embarrassingly simple.
There are several root (directory) servers on which Tor nodes register. Clients download from those same servers the list of those same nodes, and from that list learn which nodes they can or cannot route through, along with other service information.

The usual URL for the client list request to the root server looks like this:
http://128.31.0.34:9031/tor/status/all

The contents of the file issued by the server are approximately as follows:
network-status-version 2
dir-source 128.31.0.34 128.31.0.34 9031
fingerprint FFCB46DB1339DA84674C70D7CB586434C4370441
contact 1024D/28988BF5 arma mit edu
published 2009-09-07 18:24:08
dir-options Names BadExits Versions
client-versions 0.2.0.34,0.2.0.35,0.2.1.19,0.2.2.1-alpha
server-versions 0.2.0.34,0.2.0.35,0.2.1.19,0.2.2.1-alpha
dir-signing-key
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAMHa0ZC/jo2Q2DrwKYF/6ZbmZ27PFYG91u4gUzzmZ/VXLpZ8wNzEV3oW
nt+I61048fBiC1frT1/DZ351n2bLSk9zJbB6jyGZJn0380FPRX3+cXyXS0Gq8Ril
xkhMQf5XuNFUb8UmYPSOH4WErjvYjKvU+gfjbK/82Jo9SuHpYz+BAgMBAAE=
-----END RSA PUBLIC KEY-----
r Unnamed AFFku1nT3UiV4dsIC0ze+1KD738 YSYH74y8ohTu5Uhvk3Yl0WU8DqI 2009-09-07 11:44:12 94.50.173.6 443 9030
s Exit V2Dir Valid
opt v Tor 0.2.0.35
r tbreg AHKeOQzTsS4dKu6jY5dGrCtY3aE h+oWM86K3Z6yb2z4ZpPd++i7yZo 2009-09-07 02:10:50 202.109.188.97 9001 0
s Exit Valid
opt v Tor 0.2.1.2-alpha (r15383)
r abcdefg ALW6RdYFJ9/JA7MuCkcEUbE+L1I xkVjcAgH+zVB/dcg7NYBDXGWA1g 2009-09-07 17:19:54 84.179.91.68 443 0
s Exit Named Valid
opt v Tor 0.2.0.35

The first part of the document contains service information about the directory server and the time the list was generated. Below that are the lines identifying the nodes, together with their characteristics.

We are interested in the lines starting with the letter “r”, and in particular the node’s IP address in them. Everything else is of little importance.

Take wget + grep + awk + sort + uniq and get the list of IP addresses we need:
wget 128.31.0.34:9031/tor/status/all -q -O - | grep -E '^r' | awk '{print $7}' | sort | uniq > /etc/pf/tor.list

It remains to add a few lines to pf.conf:

int_if="em0"
ext_if="em1"

table <tor> persist file "/etc/pf/tor.list"

block in log quick on { $int_if $ext_if } from any to <tor> label TOR_IN
block out log quick on { $int_if $ext_if } from <tor> to any label TOR_OUT

Then load the modified config into pf.

Now, using tcpdump on the pflog interface, you can identify whoever tried to use Tor and tut-tut at them. The script for updating the list of Tor nodes can be run as often as you like (depending on how much traffic your company pays for). The usual size of the node file is about 1.5 megabytes, so how often you update it is up to you and you alone. I pull the file every 10 minutes (unlimited traffic).
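Here is what such an update script can look like, as an added example rather than the author’s own script: it parses the “r” lines as above, validates the addresses, and replaces the pf table in place. It assumes the table name <tor> and the list path /etc/pf/tor.list from the pf.conf fragment above; the sample status document inside it is constructed from the lines shown earlier.

```sh
#!/bin/sh
# Added example (not the original post's script). Assumes the pf table is
# named <tor> and the list lives at /etc/pf/tor.list, as in pf.conf above.
DIR_URL="http://128.31.0.34:9031/tor/status/all"
LIST="/etc/pf/tor.list"
TABLE="tor"

# Read a v2 network-status document on stdin and print the IP address from
# every router line ("r ...", 7th field): sorted, deduplicated, and limited to
# well-formed dotted quads so a truncated download or a malformed line can
# never put junk into the firewall table.
extract_tor_ips() {
    awk '$1 == "r" && NF >= 7 && $7 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $7 }' \
        | sort -u
}

# Fetch, parse, and swap the table atomically: the new list goes to a temp file
# first, and an empty or failed download leaves the previous table untouched.
update_tor_table() {
    tmp=$(mktemp "${LIST}.XXXXXX") || return 1
    if wget -q -O - "$DIR_URL" | extract_tor_ips > "$tmp" && [ -s "$tmp" ]; then
        mv "$tmp" "$LIST" && pfctl -t "$TABLE" -T replace -f "$LIST"
    else
        rm -f "$tmp"
        echo "tor list update failed, keeping previous table" >&2
        return 1
    fi
}

# Constructed sample: three router lines from the status excerpt above, one
# duplicate, and one truncated line that must be ignored.
SAMPLE_STATUS='network-status-version 2
published 2009-09-07 18:24:08
r Unnamed AFFku1nT3UiV4dsIC0ze+1KD738 YSYH74y8ohTu5Uhvk3Yl0WU8DqI 2009-09-07 11:44:12 94.50.173.6 443 9030
s Exit V2Dir Valid
r tbreg AHKeOQzTsS4dKu6jY5dGrCtY3aE h+oWM86K3Z6yb2z4ZpPd++i7yZo 2009-09-07 02:10:50 202.109.188.97 9001 0
r abcdefg ALW6RdYFJ9/JA7MuCkcEUbE+L1I xkVjcAgH+zVB/dcg7NYBDXGWA1g 2009-09-07 17:19:54 84.179.91.68 443 0
r dup AFFku1nT3UiV4dsIC0ze+1KD738 YSYH74y8ohTu5Uhvk3Yl0WU8DqI 2009-09-07 11:44:12 94.50.173.6 443 9030
r broken AAAA BBBB 2009-09-07'

# Parse the constructed sample offline (checks the parser without any network).
demo_ips() {
    printf '%s\n' "$SAMPLE_STATUS" | extract_tor_ips
}

# Run the real update only when invoked as "tor-update.sh update" (e.g. from cron).
if [ "${1:-}" = "update" ]; then
    update_tor_table
fi
```

Because the table is declared with persist and file in pf.conf, the replace keeps the table across pf reloads and the file keeps it across reboots.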

For lovers of Perl solutions there is a module,
search.cpan.org/~ajdixon/Net-Tor-Servers-0.02/lib/Net/Tor/Servers.pm
which, together with the pftable Perl client, lets you change the pf table on the fly without calling the synchronization script and re-reading the Tor node table.

Those interested can hook the Tor node table up to other firewalls.

(C) Aborche 2009

Source: https://habr.com/ru/post/68971/