Hello there,


I have used to block some webpages, but now users have found a way how to pass the firewall with "TOR browser"..



Can someone help me to block it?

Find a list of known TOR edge IP addresses, then create an IP address list with those addresses.
Then make rule #1 in the forward chain = drop packets dst-address-list=TOR_ROUTERS

Find a list of known TOR edge IP addresses, then create an IP address list with those addresses.
Then make rule #1 in the forward chain = drop packets dst-address-list=TOR_ROUTERS

Then Update the list frequently because it changes.

Find a list of known TOR edge IP addresses, then create an IP address list with those addresses.
Then make rule #1 in the forward chain = drop packets dst-address-list=TOR_ROUTERS

Then Update the list frequently because it changes.

Bro, how to find EDGE ip'addresses? and.. i used to read a post in mikrotik and i followed their steps


http://wiki.mikrotik.com/wiki/How_to_De ... er_traffic


but no effect, seems they are old ips or ?




Thanks

Bro, how to find EDGE ip'addresses? and.. i used to read a post in mikrotik and i followed their steps
http://wiki.mikrotik.com/wiki/How_to_De ... er_traffic

but no effect, seems they are old ips or ?
Thanks

Yes, that article has some useful information, and is exactly the solution you want, except that the address list must be very out of date indeed - the author states that they are using ROS version 3.x

Here's a site that claims to have a constantly-updated list of tor nodes.
https://www.dan.me.uk/tornodes

You'll have to parse that somehow - the easiest way to do it pseudo-manually is to copy/paste into excell, using | character as field delimiter, and then having a collumn which = concatenate("add list=tornodes address=",a1) and then copy/paste the values into terminal window after typing /ip firewall address[enter]

Yuck - if you know anything about scripting, (I don't think Mikrotik scripting is going to be useful for this) with php, perl, etc, you could probably automate this a little more.

Hello there,


I have used to block some webpages, but now users have found a way how to pass the firewall with "TOR browser"..



Can someone help me to block it?

THanks for your post bro!



I see there are million ip's in the list, are they all TOR BROWSER ips? if i put all of them in address list mikrotik will block tor's traffic for sure?

is there any way to create commands for all these ips and put in mikrotik ?

or should i create manually /ip firewall / add blla blla and put the ip manually ?




Thanks

Like I said, copy/paste the IP list into excell, then make sure excell splits the data into columns using the | character.
Then create a new column which uses concatenate() function to combine the standard "add address-list=tor address=" with the contents of the leftmost column. Slide that formula down the column (click the little black square at the bottom-r of the cell when you have it selected) and then drag the selection to the end of the list. This will apply the formula for all rows.

Then copy the cells which now show the ROS commands....
Go into Mikrotik, delete the TOR list and then manually type /ip firewall address [enter]
Then paste the results from excell.

Again - you might find a better source for this data or else write a perl/php/python/etc script to automate this task.

Yes, that article has some useful information, and is exactly the solution you want, except that the address list must be very out of date indeed - the author states that they are using ROS version 3.x

Here's a site that claims to have a constantly-updated list of tor nodes.
https://www.dan.me.uk/tornodes

You'll have to parse that somehow - the easiest way to do it pseudo-manually is to copy/paste into excell, using | character as field delimiter, and then having a collumn which = concatenate("add list=tornodes address=",a1) and then copy/paste the values into terminal window after typing /ip firewall address[enter]

Yuck - if you know anything about scripting, (I don't think Mikrotik scripting is going to be useful for this) with php, perl, etc, you could probably automate this a little more.

Your posted site actually contains a link to IP only list

You can also fetch https://www.dan.me.uk/torlist/ for a list of ips only, one per line - updated every 30 minutes. Ideal for constructing your own tor banlists.

Append that with something like this - http://wiki.mikrotik.com/wiki/Using_Fet ... ress_Lists (not sure if working on current versions). Add to scheduler and you are done!

Cool. There's the answer.

(I didn't actually study the TOR site list too carefully myself because I'm not actually interested in blocking TOR myself - heck, I'm likely to be someone who USES it.)

@Zerobyte

Did you remember about evil software?? TOR is one of them.

@Zerobyte

Did you remember about evil software?? TOR is one of them.

It's only evil if you use it to hide criminal activities....
Keeping the boss's middlebox from snooping on web browsing habits - or keeping the NSA out of your web browsing, that's the kind of use for me - not to go get access to illegal things on the "deep web"


(unrelated- I had my router's IPv6 firewall connections screen open, and just saw a udp packet sent to google on port 443.
Weird)

@Zerobyte

Did you remember about evil software?? TOR is one of them.

It's only evil if you use it to hide criminal activities....
Keeping the boss's middlebox from snooping on web browsing habits - or keeping the NSA out of your web browsing, that's the kind of use for me - not to go get access to illegal things on the "deep web"


(unrelated- I had my router's IPv6 firewall connections screen open, and just saw a udp packet sent to google on port 443.
Weird)

Yes me don't wanted to change the topic but just noting that:
If you try Hotspot Shield you would notice that you have high SENT and RECEIVING but you are not using internet.
It's wired too.

Hi guys


Thanks for your posts!



i'm trying to make a php script to create me firewall commands automatically just to upload the list of ips
but if i block all these ip's are u sure that "TOR browser will die totally" ?


also.. i think users are using Free VPN connections to bypass our firewall that we created.. is there a possible way to block any port or something that will "DROP" all vpn connections?




Thanks.

If you wanna have script to add TOR's IP's you should see "emils" Post in above.

about other VPN and software like free gate.... I'm not sure you'll be able to make it...

If you wanna have script to add TOR's IP's you should see "emils" Post in above.

about other VPN and software like free gate.... I'm not sure you'll be able to make it...

Bro, you didn't understand me,



i asked you how to block "VPN tunnel traffic"?


for example users find free VPN in google and go to "my network place" 2."Create new connection" and there are two options like PPPoE and VPN .. so they chose vpn and use free vpns to connect and pass our firewall..


my question is : how to block VPN tunnel traffic in mikrotik ???


THanks

whatever port number and protocol the VPN uses - make a firewall rule that blocks it.

If the user is motivated enough, and skillful enough, then you're fighting a losing battle. They can always switch to different ports and use protocols like SSL because you cannot simply "block all SSL"

It's better to have a policy and if the user violates policy, block them from your network.

then you're fighting a losing battle.

I think no one cares as me in this situation. I tried to block them. no luck. sometimes it's good to block it in internet cafe but because of loosing customers ( ) I didn't go further. I think you can block them in your domain via some group policy or your computers firewall. but it's really easy to bypass that.

then you're fighting a losing battle.

I think no one cares as me in this situation. I tried to block them. no luck. sometimes it's good to block it in internet cafe but because of loosing customers ( ) I didn't go further. I think you can block them in your domain via some group policy or your computers firewall. but it's really easy to bypass that.

Probably the most reliable way is to intercept DNS, use a server that has policies, and won't give the IP address of domains that you want. DNS is unencrypted, so you could still do packet inspection to match (and drop) DNS on unstandard ports. You can map all dns to your "policy-based" server, or ONLY allow dns to that server....

then you're fighting a losing battle.

I think no one cares as me in this situation. I tried to block them. no luck. sometimes it's good to block it in internet cafe but because of loosing customers ( ) I didn't go further. I think you can block them in your domain via some group policy or your computers firewall. but it's really easy to bypass that.

Probably the most reliable way is to intercept DNS, use a server that has policies, and won't give the IP address of domains that you want. DNS is unencrypted, so you could still do packet inspection to match (and drop) DNS on unstandard ports. You can map all dns to your "policy-based" server, or ONLY allow dns to that server....

yup, I heard of it. but didn't try it. But e.g If i block facebook this way I think users can open it via it's IP of website, ha?

yup, I heard of it. but didn't try it. But e.g If i block facebook this way I think users can open it via it's IP of website, ha?

I just put https://173.252.88.66/ into my browser. It gave me a certificate warning, and then forced me to the host by name anyway, so I'm betting facebook won't work if you took away the DNS.... Turn off DNS in your computer and type in that IP address and see if it works... (now I'm curious)

Any user smart enough to use the hosts file / direct IP address is going to be smart enough to get around anything you do, and will most likely consider it to be a challenge and will go out of their way to defy your filters on purpose - just like climbing a mountain.

Ban this one user, or accept the fact that they're surfing facebook against the rules. Let the filtering capture 99.9% of your users, and live an easier life.

haha. I'm not gonna filter facebook (that's why I use "e.g."). I'm just curious of it's knowledge.
And as I said, In my country facebook is blocked ( ) so people use VPN and proxies and...

Can you give me the config so i can test it?
(I've got plenty of IPs and sample config but it's not available)

Can you give me the config so i can test it?
(I've got plenty of IPs and sample config but it's not available)

There's no config - just turn off DNS in your computer and surf to that IP - that's facebook's IP.

Only do this if you're really bored, though... it's not important. I just wanted to see what facebook would do if I tried to reach them using the IP address as the URL. (as expected, it changed me over to the hostname)

facebook is blocked in country
but I redirect bing to google. that was fun
but when I tried some HTTPS, no luck. just open that page with delay.

Yes, that article has some useful information, and is exactly the solution you want, except that the address list must be very out of date indeed - the author states that they are using ROS version 3.x

Here's a site that claims to have a constantly-updated list of tor nodes.
https://www.dan.me.uk/tornodes

You'll have to parse that somehow - the easiest way to do it pseudo-manually is to copy/paste into excell, using | character as field delimiter, and then having a collumn which = concatenate("add list=tornodes address=",a1) and then copy/paste the values into terminal window after typing /ip firewall address[enter]

Yuck - if you know anything about scripting, (I don't think Mikrotik scripting is going to be useful for this) with php, perl, etc, you could probably automate this a little more.

Your posted site actually contains a link to IP only list

You can also fetch https://www.dan.me.uk/torlist/ for a list of ips only, one per line - updated every 30 minutes. Ideal for constructing your own tor banlists.

Append that with something like this - http://wiki.mikrotik.com/wiki/Using_Fet ... ress_Lists (not sure if working on current versions). Add to scheduler and you are done!

Hi Emils, I'm trying to fetch this file as you said. At first step I tried to download the file in this way:

/tool fetch src-path=text.txt mode=https url="https://www.dan.me.uk/torlist/"

And it says: failure: cannot open file

What i'm doing wrong? Thanks!

Sorry, it works... changing src-path for dst-path. Thanks!

Did you ever have success making this work? I've been playing around with it and the example and it appears as though the parse command can't be used on a file larger than 4096 bytes.

Hi
If, in the 951G-2HnD enter the address-list on 7000 IP - he will die? (
https://www.dan.me.uk/tornodes
anyone tried?

list of TOR IP addresses (~7000 IP) on RB911G-5HPnD - works good
CPU - load low.

Hello , Everyone. Please send the new link banTOR-29.02.2016-14.07.08.rsc , this links was expired.
Thanks in advance