Cisco firewall filtering Tor?

Ringo Kamens 2600denver at gmail.com
Fri Jun 15 01:40:26 UTC 2007


You also might have some luck routing tor through an external SOCKS
server that listens on port 80/443.
Comrade Ringo Kamens

On 6/14/07, Mike Perry <mikeperry at fscked.org> wrote:
> Hey Jay!
>
> Thus spake Jay Goodman Tamboli (jay at tamboli.cx):
>
> > I'm stuck behind a FascistFirewall part of the day, and I've been
> > trying to get Tor to work as a client. I've added a line to my torrc:
> >
> > ReachableAddresses *:443
> >
> > Oddly, I can see that Skype is using TCP connections on port 443. I
> > can't tell if they're working, but Skype is keeping them up (and Skype
> > as a whole seems to be working).
> >
> > Tor, on the other hand, is not working. netstat shows established
> > connections on port 443, but Tor doesn't seem to be accepting them as
> > usable. I have debug logging on, but I'm not sure what to look for,
> > since it seems to be trying to create circuits in parallel. Is there a
> > message printed when an OR connection fails, giving a reason?
>
> If you are running Tor 0.1.2.x or later, you can add "ControlPort
> 9051" to your .torrc, and telnet localhost 9051. You can then do
>
> AUTHENTICATE
> SETEVENTS EXTENDED CIRC ORCONN
>
> to get some info that is sometimes not reported in logs, in a
> well-formed format. You can also try jacking up your log to debug
> level. It then should dump a bunch of info about TLS connections
> there, but that is harder to sift through.
>
> Might also be a good idea to kill tor, fire up wireshark
> (www.wireshark.org), start a network capture, start tor, and let it
> try to make some circuits for a bit. Then save the capture, and post
> it and the control port info and possibly logs somewhere so we can
> look at the results.
>
> > Is it possible the firewall is looking at the :443 connections and
> > somehow telling that it's Tor rather than HTTPS?
>
> I believe at some point, tor changed its TLS certificate format to be
> less-torlike. But maybe this is only in SVN and not widely deployed
> at the tor nodes. Roger or Nick will need to answer this question most
> likely.
>
> If they are doing content-based filtering like this, it is likely they
> are also blocking directory connections too.
>
>
> --
> Mike Perry
> Mad Computer Scientist
> fscked.org evil labs
>
>
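
An added example, not part of the original thread: a small Python parser for the ORCONN events that the quoted `SETEVENTS EXTENDED CIRC ORCONN` command streams on the control port, tallying why OR connections fail. The event layout (`650 ORCONN <target> <status> [REASON=...]`) is assumed from the Tor control protocol specification; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of control-port output (documentation-range addresses).
SAMPLE = """\
650 ORCONN 192.0.2.10:443 LAUNCHED
650 ORCONN 192.0.2.10:443 FAILED REASON=CONNECTRESET
650 ORCONN 198.51.100.7:443 LAUNCHED
650 ORCONN 198.51.100.7:443 CONNECTED
650 CIRC 4 LAUNCHED
650 ORCONN 203.0.113.5:443 LAUNCHED
650 ORCONN 203.0.113.5:443 FAILED REASON=TIMEOUT
650 ORCONN 198.51.100.7:443 CLOSED REASON=DONE
"""

# Assumed layout: "650 ORCONN <target> <status> [KEY=VALUE ...]"
ORCONN_RE = re.compile(
    r"^650 ORCONN (\S+) (NEW|LAUNCHED|CONNECTED|FAILED|CLOSED)(.*)$"
)


def parse_orconn(line):
    """Return a dict for an ORCONN event line, or None for anything else."""
    m = ORCONN_RE.match(line.strip())
    if not m:
        return None
    target, status, rest = m.groups()
    # Extended fields arrive as space-separated KEY=VALUE pairs.
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"target": target, "status": status, "reason": fields.get("REASON")}


def summarize(text):
    """Count FAILED reasons and list targets whose last event was FAILED."""
    failures = Counter()
    last_status = {}
    for line in text.splitlines():
        ev = parse_orconn(line)
        if ev is None:
            continue  # CIRC events, command replies, blank lines
        last_status[ev["target"]] = ev["status"]
        if ev["status"] == "FAILED":
            failures[ev["reason"] or "UNKNOWN"] += 1
    failed_targets = sorted(t for t, s in last_status.items() if s == "FAILED")
    return failures, failed_targets


if __name__ == "__main__":
    reasons, targets = summarize(SAMPLE)
    print(dict(reasons), targets)
```
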


