
Stop blocking Tor Relay Server IPs! This is bullshit!

Open DotNetFritz opened this issue 7 years ago • 4 comments

Why do you do this? You can differ between Relay and Exit. Block only Exit and it's good to go! You block too much!

DotNetFritz avatar Feb 13 '18 10:02 DotNetFritz

Hi, what do you mean "block"? We don't block anything...

This repo and its site is about aggregating, analyzing and comparing IP feeds maintained by third parties.

You probably have in mind a specific list. Which one?

ktsaou avatar Feb 13 '18 10:02 ktsaou

Hi @ktsaou,

I think the issue here is that the et_tor.ipset is a list of all tor nodes, both relay and exit. Exit nodes are the only ones that tor traffic comes out of. Relay nodes are internal to tor only. So any website traffic coming from a tor relay node IP is normal traffic that is not associated with the tor network. Those are only exit nodes.

As your list is used by system admins to try to block tor, they end up using what is an incorrect list. The list is not just tor; it is many additional IP addresses of people who are not associated with outgoing tor traffic.

All three tor files that you have:

I have included the TOR network in these lists (bm_tor, dm_tor, et_tor). The TOR network is not necessarily bad and you should not block it if you want to allow your users be anonymous. I have included it because for certain cases, allowing an anonymity network might be a risky thing (such as eCommerce).

All these three include relay nodes as well as exit nodes.

To correct this for dm_tor you need to use https://www.dan.me.uk/torlist/?exit as the source instead of just https://www.dan.me.uk/torlist/ (see https://www.dan.me.uk/tornodes for information about it).

To correct this for bm_tor you need to use https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv as the source.

The rules on et_tor specifically include the message "ET TOR Known Tor Relay/Router (Not Exit)" to identify non-exit relays, so it would not need to be changed.

Could you perhaps change the source on dm_tor and bm_tor to correctly only identify tor traffic?

Thanks!

wilwade avatar Feb 02 '19 16:02 wilwade
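The point made above about et_tor, that the rule message text lets you tell exit nodes from relays, can be checked mechanically. The following is an added example (not code from this repository or from the firehol update scripts) that splits rule lines in the Emerging Threats format into an exit-only set and a relay-only set using the "(Not Exit)" marker quoted in the comment; the sample rule lines and their addresses are constructed for the example, and the exact field layout of the real feed is assumed.

```python
import ipaddress
import re

# Constructed sample lines in the Emerging Threats rule layout (assumed:
# "alert ip [addr,addr,...] any -> $HOME_NET any (msg:"..."; ...)").
# Addresses are documentation ranges, not real Tor nodes.
SAMPLE_RULES = """\
alert ip [192.0.2.10,192.0.2.11,198.51.100.5] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 1"; classtype:misc-attack; sid:1000001; rev:1;)
alert ip [198.51.100.20,203.0.113.7] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 1"; classtype:misc-attack; sid:1000002; rev:1;)
# comment lines and blanks must be ignored
alert ip [203.0.113.99] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 2"; classtype:misc-attack; sid:1000003; rev:1;)
"""

RULE_RE = re.compile(r'^alert\s+ip\s+\[([^\]]+)\]\s+any\s+->.*?msg:"([^"]*)"')
NOT_EXIT_MARKER = "(Not Exit)"  # the marker text quoted in the thread


def iter_rules(text):
    """Yield (addresses, msg) for each rule line, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # not a rule in the expected layout
        addrs = [a.strip() for a in m.group(1).split(",") if a.strip()]
        yield addrs, m.group(2)


def _normalize(addr):
    """Return a canonical host or CIDR string, rejecting malformed entries."""
    net = ipaddress.ip_network(addr, strict=False)
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def _sort_key(s):
    net = ipaddress.ip_network(s, strict=False)
    return (net.version, net)


def partition_tor_rules(text):
    """Split rule addresses into (exit_nodes, relay_only), each sorted by address."""
    exits, relays = set(), set()
    for addrs, msg in iter_rules(text):
        bucket = relays if NOT_EXIT_MARKER in msg else exits
        bucket.update(_normalize(a) for a in addrs)
    return sorted(exits, key=_sort_key), sorted(relays, key=_sort_key)


if __name__ == "__main__":
    exit_nodes, relay_only = partition_tor_rules(SAMPLE_RULES)
    print(f"exit nodes: {exit_nodes}")
    print(f"relay-only addresses that an unfiltered list would also block: {relay_only}")
```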

Hi @ktsaou, any updates on this issue? "I think the issue here is that the et_tor.ipset is a list of all tor nodes both relay and exit."

The list should be only exit nodes and not all Tor nodes.

gusgustavo avatar Sep 10 '20 16:09 gusgustavo

PR for the script pulling the IPs here: https://github.com/firehol/firehol/pull/461

dev-zero avatar Jun 28 '21 07:06 dev-zero