Have a question about how a server I connect to can tell I am running a guard/middle relay. All I can think of is that they check the published list of Tor nodes against the IP. Or (maybe, but unlikely) portscan the IP and probe any open ports to determine the service. Are there any other methods that can be used?
Background: The corp my wife works for blocked our IP. The excuse they gave was that it was due to a change made by a vendor they use to identify malicious IP addresses. I have been running the relay for almost 5 years without any previous flagging. They also state that running a middle relay is not in violation of any policy, but the vendor mis-identified our relay as an exit, hence blocking it.
After changing the IP, the new IP was also blocked in less than 24 hours. My feeling is that the vendor is now just using the full list of tor nodes and indiscriminately blocking everything, despite what the corp security folks say.
I'm looking for some sort of validation I can use to counter their claims.
Hi Eddie
but the vendor mis-identified our relay as an exit, hence blocking it
The vendor, or a service provider for its inbound protection, might think: "Hey, this relay claims to be a non-exit, but why do we receive a connection from a non-exit?" Bottom line: they don't distinguish between an IP and the relay service. If they put both together, the conclusion makes sense from their wrong (?) perspective. It's a little paranoid, I would say.
After changing the IP, the new IP was also blocked in less than 24 hours. My feeling is that the vendor is now just using the full list of tor nodes and indiscriminately blocking everything
Yup, agree
Do you have IPv6 available for your office traffic, while you use IPv4 for the relay? If you route email and browser traffic over IPv6 you could resolve the issue.
All the best!
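An added example, not from any message in this thread, showing the two checks the question and the reply above describe: looking an IP up in the published network status (consensus) and, separately, looking at the relay's flags and exit policy. A vendor that only does the first step blocks guards and middles along with exits; one that does the second can tell them apart. The consensus excerpt is constructed (documentation-range IPs, dummy digests) in the format of real consensus 'r', 's', 'w' and 'p' lines; the function names are this example's own.

```python
"""Added example: IP lookup against a Tor consensus, with and without
looking at the Exit flag. Not code from the tor-relays thread."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the consensus format (not real relays):
#   r <nick> <identity> <digest> <date> <time> <ip> <orport> <dirport>
#   s <flags...>
#   w Bandwidth=<n>
#   p <accept|reject> <portlist>
SAMPLE_CONSENSUS = """\
r GuardOnly AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2022-06-15 20:17:54 192.0.2.10 9001 9030
s Fast Guard Running Stable V2Dir Valid
w Bandwidth=12000
p reject 1-65535
r MiddleOnly CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2022-06-15 20:17:54 198.51.100.20 443 0
s Fast Running Stable Valid
w Bandwidth=3000
p reject 1-65535
r MiddleSibling GGGGGGGGGGGGGGGGGGGGGGGGGGG HHHHHHHHHHHHHHHHHHHHHHHHHHH 2022-06-15 20:17:54 198.51.100.20 9002 0
s Fast Running Valid
w Bandwidth=1000
p reject 1-65535
r RealExit EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2022-06-15 20:17:54 203.0.113.30 9001 0
s Exit Fast Running Stable Valid
w Bandwidth=8000
p accept 80,443
"""


@dataclass
class Relay:
    nickname: str
    ip: str
    or_port: int
    flags: List[str] = field(default_factory=list)
    exit_policy: str = "reject 1-65535"

    @property
    def is_exit(self) -> bool:
        # The Exit flag assigned by the directory authorities is what separates
        # an exit from a guard/middle; the summarized policy line is the second
        # indicator. A relay with "reject 1-65535" never exits any traffic.
        return "Exit" in self.flags or self.exit_policy.startswith("accept")


def parse_consensus(text: str) -> Dict[str, List[Relay]]:
    """Group consensus entries by IP. Several relays may share one IP on
    different ORPorts, so the value is a list, not a single relay."""
    by_ip: Dict[str, List[Relay]] = {}
    current: Optional[Relay] = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        kw = parts[0]
        if kw == "r" and len(parts) >= 9:
            current = Relay(nickname=parts[1], ip=parts[6], or_port=int(parts[7]))
            by_ip.setdefault(current.ip, []).append(current)
        elif current is None:
            continue  # flags/policy lines before any 'r' line: ignore
        elif kw == "s":
            current.flags = parts[1:]
        elif kw == "p" and len(parts) >= 3:
            current.exit_policy = f"{parts[1]} {parts[2]}"
    return by_ip


def classify(ip: str, by_ip: Dict[str, List[Relay]]) -> str:
    """'exit-relay' if any relay on the IP exits, 'non-exit-relay' if the IP
    only hosts guards/middles, 'not-a-relay' if it is not in the consensus."""
    relays = by_ip.get(ip, [])
    if not relays:
        return "not-a-relay"
    if any(r.is_exit for r in relays):
        return "exit-relay"
    return "non-exit-relay"


def naive_block(ip: str, by_ip: Dict[str, List[Relay]]) -> bool:
    """What an IP-list-only vendor does: block every relay IP, exit or not."""
    return ip in by_ip


def exit_only_block(ip: str, by_ip: Dict[str, List[Relay]]) -> bool:
    """What the vendor should do if only exits are a concern."""
    return classify(ip, by_ip) == "exit-relay"


if __name__ == "__main__":
    relays = parse_consensus(SAMPLE_CONSENSUS)
    for ip in ("192.0.2.10", "198.51.100.20", "203.0.113.30", "192.0.2.99"):
        print(ip, classify(ip, relays),
              "naive:", naive_block(ip, relays),
              "exit-only:", exit_only_block(ip, relays))
```

On the sample, the naive check fires for all three relay IPs, which matches what Eddie saw within 24 hours of changing IP; the exit-only check fires for 203.0.113.30 alone. A real consensus can be fetched from any directory authority or the Onionoo/metrics services; this parser only needs the 'r', 's' and 'p' lines and ignores the rest.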
Eddie, when experiencing similar issues, the recommended solution I received from this list, and the one that seems to work best, is a VPN for the affected traffic. With dnsmasq, iptables or a reverse proxy, and a dedicated split-tunnel VPN, I shunt the affected traffic over the split-tunnel VPN without end users on my local network even knowing. Seems to work fairly well. Best of luck.
Gary— This Message Originated by the Sun. iBigBlue 63W Solar Array (~12 Hour Charge) + 2 x Charmast 26800mAh Power Banks = iPhone XS Max 512GB (~2 Weeks Charged)
On Wednesday, June 15, 2022, 11:56:37 PM PDT, Eddie stunnel@attglobal.net wrote:
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Unfortunately that option is very specifically disallowed, as it's considered trying to hide the source IP.
Cheers.
On 6/16/2022 1:33 AM, Gary C. New via tor-relays wrote:
On Wednesday, June 15, 2022 8:17:54 PM CEST Eddie wrote:
Have a question about how a server I connect to can tell I am running a guard/middle relay. All I can think of is that they check the published list of tor nodes against the IP.
Unfortunately, many people do this, often because they have no idea about the different Tor relays.
Background: The corp my wife works for blocked our IP. The excuse they gave was that it was due to a change made by a vendor they use to identify malicious IP addresses. I have been running the relay for almost 5 years without any previous flagging. They also state that running a middle relay is not in violation of any policy, but the vendor mis-identified our relay as an exit, hence blocking it.
After changing the IP, the new IP was also blocked in less than 24 hours. My feeling is that the vendor is now just using the full list of tor nodes and indiscriminately blocking everything, despite what the corp security folks say.
Workarounds:
- In Germany, almost every ISP has (www & ftp) proxies for its customers. I use them generally, also for IRC; then the proxy IP is displayed.
- In Germany we have 'Freifunk'¹ in almost every city. The firmware is OpenWrt with WireGuard (VPN) and can be flashed onto many WLAN APs/routers. I have one at home too.
¹ Anonymous citizens' wifi mesh networks. No registration, no logs.
I'm looking for some sort of validation I can use to counter their claims.
On 6/15/22 20:17, Eddie wrote:
I have been running the relay for almost 5 years without any previous flagging.
There are block list providers which have Tor exit relay lists and sell those lists to their customers. Maybe they extended their algorithm to all Tor relays.
Anyway, "Do not run a relay at home." might be a solution.