List not differentiating between TOR RELAY and EXIT nodes

Open danhusan opened this issue 8 years ago • 2 comments

Would be great not having the TOR relay nodes on the list as they are not a threat.

danhusan, Nov 07 '16 14:11

I think you misunderstand what a relay does. Someone using TOR will never send traffic OUT from a relay's IP address. Hence no need for blocking it in the enterprise firewall. A relay only relays traffic between TOR nodes. What will happen is that if user X runs a TOR relay at home behind his router running NAT it will be blacklisted in all enterprises using your list. Then he will not be able to access those enterprises' services when surfing normally (outside of TOR) and creating noise for the enterprises.

I completely agree that blocking TOR exits could be smart - but blocking people running relays is just unnecessary.

danhusan, Nov 07 '16 20:11

Hi @danhusan, please take a look at MineMeld (https://github.com/PaloAltoNetworks/minemeld). With the blutmagie feeds you can now differentiate exit nodes from all the TOR nodes.

jtschichold, Jun 06 '17 09:06
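
The relay/exit split discussed in this thread, as an added example that is not code from panwdbl, MineMeld, or any participant here: it separates exit nodes from relay-only nodes using the `Exit` flag on the `s` line of a Tor network-status consensus. The function name and the sample entries are constructed for illustration, and this is not the format of the blutmagie feeds.

```python
import ipaddress

# Constructed sample in the style of a Tor consensus: each "r" line is
# nickname, identity, digest, date, time, IP, ORPort, DirPort, and the "s"
# line after it holds that relay's flags. All values below are made up.
SAMPLE_CONSENSUS = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2016-11-07 13:00:00 192.0.2.10 9001 0
s Fast Guard Running Stable Valid
r exitB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2016-11-07 13:00:00 198.51.100.20 443 80
s Exit Fast Running Valid
r relayC EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2016-11-07 13:00:00 198.51.100.20 9001 0
s Fast Running Valid
r truncated
s Exit Running
"""

def split_nodes(consensus_text):
    """Return (exit_ips, relay_only_ips) as two sorted lists of strings."""
    exits, relays = set(), set()
    current_ip = None
    for line in consensus_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "r":
            current_ip = None
            if len(fields) >= 9:          # skip truncated "r" lines
                try:
                    current_ip = str(ipaddress.ip_address(fields[6]))
                except ValueError:
                    pass                   # skip entries with a bad address
        elif fields[0] == "s" and current_ip is not None:
            if "Exit" in fields[1:]:
                exits.add(current_ip)
            else:
                relays.add(current_ip)
            current_ip = None
    # An IP that hosts both an exit and a plain relay stays on the exit list.
    relays -= exits
    return sorted(exits), sorted(relays)

if __name__ == "__main__":
    exit_ips, relay_ips = split_nodes(SAMPLE_CONSENSUS)
    print("block candidates (exits):", exit_ips)
    print("relay-only, left off the list:", relay_ips)
```
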