Blocking Tor With Little Snitch

admin

Learning has never been so easy!

OpenSnitch is a Linux port of the Little Snitch firewall application for MacOS, currently considered beta software. Later edit the original OpenSnitch was abandoned. There's a fork with improvements and bug fixes that's currently in development, so I suggest using the fork instead of the unmaintained project. Jun 05, 2019  – As I understood, the built-in firewall can also block certain apps. What is the advantage of Little Snitch or Hands off? – Is the feature of restricting specific url’s special to them? Or is the built-in firewall also capable of this? It would be great if you could. Aug 25, 2019  It has options to grab the entire list or grab new entries past a certain date. Just grab the output and copy/paste into Little Snitch. The script is written to block access to any process, any port. You can also delete those lines and it will only block Mail.

This guide came about spending hours upon hours of “sniffing” (capturing) network traffic in search of any common factors in identifying TOR traffic in our network. After hundreds of custom Snort rules that either resulted in an unacceptable number of false positives or stopped working because the TOR client generated new unsigned security certificates that I was able to capture from the packet payload, I determined that the best way to block the TOR traffic and identify it was to block the traffic from reaching the TOR exit nodes.

  1. Nov 22, 2017  Re: Little snitch started blocking all traffic. When something is blocked, Network Monitor flashes the connection line in red. Drill down to a specific connection line by clicking disclosure triangles. Then right-click the line to get a context menu.
  2. Little Snitch is not available for Windows but there are plenty of alternatives that runs on Windows with similar functionality. The most popular Windows alternative is GlassWire, which is free.If that doesn't suit you, our users have ranked 25 alternatives to Little Snitch and 13 are available for Windows so hopefully you can find a suitable replacement.

12 Steps total

Step 1: BACKGROUND

Open the Little Snitch Configuration application from your Applications folder, open Preferences General and click the Stop button to turn off the Network Filter. Any network traffic will then be allowed, such as if Little Snitch wasn’t installed at all.

First for some background on our situation and the usage of TOR:

I am employed by a K-12 educational school district located in Texas and our Internet access (including transit charges) are subsidized via the E-Rate program.
With the “sugar” comes a bit of “vinegar”, our Internet usage must comply with CIPA (Child Internet Protection Act) and several other regulatory guidelines or we risk losing the federal subsidized funding for our Internet access and transit. We have in place AUP’s (Acceptable Use Policies) that outline what is acceptable, what is not and the consequences that may occur for violation of these policies.

In order to be in compliance with CIPA and other regulations we have Internet monitoring, traffic shaping and content filters in place.

This How-To is not about what is right and what is wrong about content filtering and censorship.

I am a network administrator and have been tasked with making sure that our network is in compliance with our school district’s AUP’s, CIPA, etc.

In a nutshell, from my packet captures with Wireshark , tcpdump , and other programs, initially connects via TCP port 9001, then tries TCP port 9090, then starts “port hopping” (jumping from TCP port to port) to make an initial connection with a TOR exit node. Once the initial connection is made, the traffic primarily uses TCP/443 (HTTPS/SSL/TLS) with the traffic payload being encrypted. The TOR client creates its own self-signed SSL certificate using a random common name (domain name) that changes after approximately every 30 minutes.

After going around and around with this scenario without success, I decided to try and block access to the TOR exit nodes from our network. There are several ways to attack this problem, either create and update router ACL’s (access control list) or our main firewall ACL’s.

For the sake of simplicity for our particular network environment, I chose to work with our main Internet router ACL’s. We are a Cisco shop but the same principles can be applied to Linux iptables, other router and firewall manufacturers.

Step 2: My Network Administrator toolbox used on my workstation (Windows 7 64bit Enterprise)

You Linux users might/will be familiar with several of these programs that have been ported over to Windows. If you are more comfortable using this technique to block TOR traffic using a Linux box then go for it.
1. ActiveState Tcl Community Version – free download http://www.activestate.com/activetcl/downloads
a. If you are running a 64bit OS, download and install the 32bit version, the next step will only work with the 32bit version of ActiveState Tcl
b. After installation, run “teapot.ext install Expect” (case sensitive) to install the expect package. Expect will be used to automate the ACL update process discussed later in this whitepaper. Linux expect users take note: the ActiveState Expect package does not follow the exact same structure as the Linux distribution of Expect.
2. Notepad++ - http://notepad-plus-plus.org/ - used for batch file creation and tcl and txt file examination
3. Wget for Windows - http://gnuwin32.sourceforge.net/packages/wget.htm
4. Microsoft Visual Studio 2010 – this is what I use on my workstation. The process that I use could be ported over to VBScript or other scripting/programming languages. Just use the one you are familiar with.
5. TCLTelnet 2.0.1 - This will make your expect automation a lot simpler

Step 3: Time to get into the meat of the subject!

After searching the Internet, I found this web site: https://www.dan.me.uk, ok another web site. This website has page, https://www.dan.me.uk/torlist/, with just the TOR exit node IP addresses, 1 IP address per line. This page is updated every 30 minutes, but you can only access the page 1 time

Step 4: Getting Started

1. Install or verify installation of the pre-requisite programs listed above.
2. Note the installation path for the wget program, you may need to use the short filename path to execute this program (I had problems using the full path names on my 64bit system with wget, I had to use the short filename path C:Progra~2GnuWin32binwget.exe to execute the program).

Step 5: Create a Working Directory

Create a working directory on your computer to hold your files you will be working with (i.e. C:TOR-ACL, or C:Die-TOR

Step 6: Create a new batch file

Create a new batch file (.bat or .cmd) in your working directory (i.e. TOR-ACL-Creator.cmd)

Since the URL to the TOR exit list is https, you will need to use the --no-check-certificate so wget will not check for SSL certificates.

So the first few lines of your batch file will look similar to:

@echo off
C:
CD TOR-ACL (change to your working directory)
C:Progra~2GnuWin32binwget --no-check-certificate https://www.dan.me.uk/torlist/

This will download the TOR exit node list to a file called, get ready, index.html. This file is plain text and contains no html code with 1 TOR exit node IP address per line, similar to the following:
101.1.131.133
101.142.83.155
101.98.134.31
103.4.16.118
106.187.34.237
106.187.36.183
106.187.36.240
… so on and so on

Step 7: Using Visual Basic or VBScript

This is where the scripting or where I used Visual Basic to do my magic with.

Loop through the index.html file until the end of file is reached

As you are looping with a Do While not EOF statement

Read in each IP address into a variable (I used TorIP as my variable name)

You have 2 choices here, do you want to manually update your ACL or do you trust your programming to update your ACL for you. I cheated a little. Our router’s ACL that I use for the TOR traffic is a Cisco extended ACL #150.

For testing, I used an extended ACL that I numbered 151 but did not assign to an interface until I was happy with the results of the whole process, download of the TOR list, creation of the Tcl file, running the Tcl file through expect to remove the old ACL and update the new ACL our router. Then I just changed the source code back to ip access-list extended 150 from the ip access-list extended 151, added in the code to update the interface with the access list 150.

I check the ACL (access-list) every few days to be sure it is right, and then I write the config to the startup config. This way if the download is bad or the ACL update goes bad, at worst case scenario I can just reboot the router to reload the last known good config that was saved to the startup nvram.

If you do not want to automate the process, write your script or program to write the ACL or iptables to a text file that you can paste into your terminal emulator, then apply the ACL or restart the iptables.

Step 8: Write the contents of our ACL or iptables file that is static

Little Snitch For Pc

Write the contents of our ACL or iptables file that is static information first before writing the TOR IP list.

Little Snitch Crack

file.WriteLine('config t')
file.WriteLine('interface gig 0/1')
file.WriteLine('no ip access-group 150 in')
file.WriteLine('no ip access-group 150 out')
file.WriteLine('exit')
file.WriteLine('no ip access-list ext 150')
file.WriteLine('ip access-list ext 150')
file.WriteLine('remark -- Updated by _
TOR-AccessList Creator')
file.WriteLine('remark ---- Current Revision: ' _
+ Format(Now).ToString + ' -----')
file.WriteLine('deny tcp any any eq 9001')
file.WriteLine('deny tcp any any eq 9090')

With the TOR IP address in the variable (i.e TorIP in my case), write the output line as you would need it from the i. statement above such as:

File.writeline(“deny ip host “ + TorIP + “ any”)

Step 9: Writing static information at the bottom of the file

After the end of file is reached, add the static information you need at the bottom of your ACL or iptables file
file.WriteLine('permit ip any any')
file.WriteLine('exit')
file.WriteLine('interface gig 0/1')
file.WriteLine('ip access-group 150 in')
file.WriteLine('ip access-group 150 out')
file.WriteLine('exit')
file.WriteLine('exit')
file.WriteLine(')

Step 10: Sample of the TCL-Expect Code:

For clarity, variables dimensioned (Dim’ed)
Dim DblQuote = Chr(34)
Dim crlf = Chr(10) + Chr(13)

file1.WriteLine('#!/tcl/bin/tclsh')
file1.WriteLine('# ')
file1.WriteLine('exec tclsh ' + DblQuote + '$0 ${1+ ' + DblQuote + '$@' + DblQuote + '}')
file1.WriteLine('package require Expect')
file1.WriteLine(crlf)
file1.WriteLine('log_user 1')
file1.WriteLine(crlf)
file1.WriteLine('exp_spawn tclsh.exe telnet_test.tcl 216.xx.xxx.xx 23')
file1.WriteLine(crlf)
file1.WriteLine('expect ' + DblQuote + 'Username' + DblQuote + ' {')
file1.WriteLine('exp_send ' + DblQuote + 'usernamer' + DblQuote)
file1.WriteLine('}')
file1.WriteLine(crlf)
file1.WriteLine('expect ' + DblQuote + 'Password:' + DblQuote + ' {')
file1.WriteLine('exp_send ' + DblQuote _ + 'myrouterpasswordr' + DblQuote)
file1.WriteLine('}')
file1.WriteLine(crlf)
file1.WriteLine(RtrPrompt)
file1.WriteLine('exp_send ' + DblQuote + 'config tr' + DblQuote)
file1.WriteLine(crlf)
file1.WriteLine(ConfigPrompt)
file1.WriteLine('exp_send ' + DblQuote + 'interface gig 0/1r' + DblQuote)
'file1.WriteLine(crlf)
file1.WriteLine(InterfacePrompt)
file1.WriteLine('exp_send ' + DblQuote + 'no ip access-group 150 inr' + DblQuote)
'file1.WriteLine(crlf)
file1.WriteLine(InterfacePrompt)
file1.WriteLine('exp_send ' + DblQuote + 'no ip access-group 150 outr' + DblQuote)
'file1.WriteLine(crlf)
file1.WriteLine(InterfacePrompt)
file1.WriteLine('exp_send ' + DblQuote + 'exitr' + DblQuote)
file1.WriteLine(crlf)
file1.WriteLine(ConfigPrompt)
file1.WriteLine('exp_send ' + DblQuote + 'no ip access-list ext 150r' + DblQuote)
'file1.WriteLine(crlf)
file1.WriteLine(ConfigPrompt)
file1.WriteLine('exp_send ' + DblQuote + 'ip access-list ext 150r' + DblQuote)
'file1.WriteLine(crlf)
file1.WriteLine(ACLPrompt)
'file1.WriteLine('exp_send ' + DblQuote + 'remark -- Updated by TOR-AccessList Creatorr' + DblQuote)
file1.WriteLine(crlf)
file1.WriteLine('exp_send ' + DblQuote + 'remark ---- Current Revision: ' + CurrentDate + ' ' + CurrentTime + ' -----r' + DblQuote)
'file1.WriteLine(crlf)
file1.WriteLine(ACLPrompt)
file1.WriteLine('exp_send ' + DblQuote + 'remark ---------------------------------------r' + DblQuote)
'file1.WriteLine(crlf)
file1.WriteLine(ACLPrompt)
file1.WriteLine('exp_send ' + DblQuote + 'remark --- TOR Ports ---r' + DblQuote)
'file1.WriteLine(crlf)
file1.WriteLine(ACLPrompt)
file1.WriteLine('exp_send ' + DblQuote + 'deny tcp any any
eq 9001r' + DblQuote)
'file1.WriteLine(crlf)
file1.WriteLine(ACLPrompt)
'file1.WriteLine(crlf)
file1.WriteLine(ACLPrompt)
file1.WriteLine(ACLPrompt)
file1.WriteLine('exp_send ' + DblQuote + 'remark -- TOR Exit Nodes --r' + DblQuote)
'file1.WriteLine(crlf)

As you can see the TCL/Expect script/program output is in a different format, when the program runs and completes you will end up with a TCL file looking like the following:
#!/tcl/bin/tclsh
#
exec tclsh '$0 ${1+ '$@'}
package require Expect
log_user 1
exp_spawn tclsh.exe telnet_test.tcl 216.xx.xxx.xx 23
expect 'Username' {
exp_send 'myusernamer'
}
expect 'Password:' {
exp_send 'myrouterpasswordr'
}
expect 'GISD-ATT-RTR#'
exp_send 'config tr'
expect 'GISD-ATT-RTR(config)#'
exp_send 'interface gig 0/1r'
expect 'GISD-ATT-RTR(config-if)#'
exp_send 'no ip access-group 150 inr'
expect 'GISD-ATT-RTR(config-if)#'
exp_send 'no ip access-group 150 outr'
expect 'GISD-ATT-RTR(config-if)#'
exp_send 'exitr'
expect 'GISD-ATT-RTR(config)#'
exp_send 'no ip access-list ext 150r'
expect 'GISD-ATT-RTR(config)#'
exp_send 'ip access-list ext 150r'
expect 'GISD-ATT-RTR(config-ext-nacl)#'
exp_send 'remark ---- Current Revision: Thursday, May 17, 2012 12:30:02 PM -----r'
expect 'GISD-ATT-RTR(config-ext-nacl)#'
exp_send 'remark ---------------------------------------r'
expect 'GISD-ATT-RTR(config-ext-nacl)#'
exp_send 'remark --- TOR Ports ---r'
expect 'GISD-ATT-RTR(config-ext-nacl)#'
exp_send 'deny tcp any any eq 1390r'
expect 'GISD-ATT-RTR(config-ext-nacl)#'
exp_send 'deny udp any any eq 1390r'
expect 'GISD-ATT-RTR(config-ext-nacl)#'
exp_send 'deny tcp any any eq 9001r'
expect 'GISD-ATT-RTR(config-ext-nacl)#'
exp_send 'deny udp any any eq 9001r'
expect 'GISD-ATT-RTR(config-ext-nacl)#'
exp_send 'deny tcp any any eq 9090r'
expect 'GISD-ATT-RTR(config-ext-nacl)#'
exp_send 'deny udp any any eq 9090r'
expect 'GISD-ATT-RTR(config-ext-nacl)#'
exp_send 'remark -- TOR Exit Nodes --r'
expect 'GISD-ATT-RTR(config-ext-nacl)#'
exp_send 'deny ip host 101.1.131.133 anyr'
expect 'GISD-ATT-RTR(config-ext-nacl)#'
exp_send 'deny ip host 101.142.83.155 anyr'
expect 'GISD-ATT-RTR(config-ext-nacl)#'
exp_send 'deny ip host 101.98.134.31 anyr'
expect 'GISD-ATT-RTR(config-ext-nacl)#'
exp_send 'deny ip host 101.98.162.41 anyr'
expect 'GISD-ATT-RTR(config-ext-nacl)#'
exp_send 'deny ip host 103.4.16.118 anyr'
expect 'GISD-ATT-RTR(config-ext-nacl)#'
exp_send 'deny ip host 106.187.34.237 anyr'
snipped

Step 11: Complete your batch (.bat/.cmd) file

@echo off
C:
CD TOR-ACL (change to your working directory)
C:Progra~2GnuWin32binwget --no-check-certificate https://www.dan.me.uk/torlist/
C:TOR-ACLTOR-AccessList-Creator.exe (Whatever you named your program)
Or
C:windowssystem32cscript TOR-AccessList.vbs (Your VBScript script name here)
del c:Tclbinlog.txt
c:
cd tclbinc:tclbintclsh.exe c:tclbinTor-Access-List.tcl > c:Tclbinlog.txt

As you can see in the last line, I piped the output to a text file.

Step 12: Create your scheduled tasks

Snitch

I created 2 scheduled tasks with Windows Scheduler.

The 1st task runs the batch file above once every hour.
This pulls down the new TOR exit node information, manipulates the data and outputs the files I need to update our router ACL, then it updates our router ACL using tclsh and expect for Windows.

The second task, emails me the log file and is set to run 3 minutes after the 1st task starts.

This way I get a log file record of the access-list updates that were applied.

This is my first SpiceWorks HowTo, so be gentle on me.
I hope that this helps someone down the road and that someone can gain some useful information from my hours of frustration of going through packet traces.

Please comment on this if you find it helpful or just another waste of your time!
If you see something I missed documenting, please let me know.

Little Snitch Windows

Published: May 18, 2012 · Last Updated: Jan 17, 2018

Little Snitch Reviews

References

  • ActiveState Tcl Community Edition
  • CIPA - FCC website
  • CIPA - Wikipedia
  • E-Rate
  • Notepad++
  • Snort
  • tcltelnet 2.0.1
  • tcpdump
  • TOR Exit Node list - IP addresses, 1 per line
  • TOR Project
  • wget for Windows
  • Wireshark

9 Comments

  • Datil
    EngineerIT Jul 20, 2012 at 06:03am

    Very clever! didnt think this was possible

  • Pimiento
    Nyr Nov 25, 2012 at 01:59pm

    This isn't a clever way to block Tor traffic. You aren't blocking Tor traffic, only public Tor nodes.

    How to bypass this blocking? Just ask for private bridges here:
    https://bridges.torproject.org/

    Also, the website you link isn't listing Tor exit nodes only, public bridges are listed too and it's a different thing. For example, someone who wants to block abuse from the Tor network would only want to filter exit nodes and not bridges.

    A bulk list of Tor exit nodes can be obtained directly from the Tor Project website:
    https://check.torproject.org/cgi-bin/TorBulkExitList.py

  • Serrano
    Iron Man Mar 5, 2013 at 09:42pm

    @Nyr. Could not have said it better. This is not really blocking Tor. :) The Tor does not like to be blocked. :)

  • Chipotle
    MJReno Apr 13, 2013 at 07:52pm

    This is a good guide to stop kids/staff circumventing filters. Agreed on using bridge IPs.

    As a sidenote, although people misuse Tor, it also does a lot of good, so I only recommend blocking it is abused.

    Thnkx for sharing.

  • Anaheim
    john galbraith Dec 18, 2013 at 09:53pm

    @MJReno I see your point there but, if you read his original backstory before getting into the nitty gritty of how he was blocking traffic, he was stating that he was trying to be in compliance with CIPA. Allowing any access to TOR would be a very thin grey line given the sheer amount of negative influences, services, and the overabundance of child pornography found within the TOR network. I would say that this guy is doing the right thing here.

  • Pimiento
    gregory.thomson.906 May 23, 2014 at 08:26am

    Just getting started at understanding TOR. So, it's the exit node that does the final connect to the destination web site, and then returns the response to the TOR browser, so blocking those exit node IP's from getting back through the firewall into your network effectively keeps the page from rendering in the TOR browser? The traffic doesn't go back through the same sequence of nodes it went through to send the request? I work in K-12 too, not looking to censor, just block bad stuff for the K-12 age range.

  • Pimiento
    michaelmoore4 Jan 18, 2015 at 06:10am

    I am experiencing the problem where my roommate is blocking Tor. I have tried changing my IP address, useing The bridges from TOR & spoofing my MAC address none have been a success any suggestions????

  • Pimiento
    seanobriainbcommcisa Jun 12, 2015 at 08:46am

    Talk to your roommate. (non tech solution to non tech problem)

  • Pimiento
    smookie Jan 31, 2019 at 09:03am

    The problem is that this won't work, because of these things called Tor plugable transports and these other things called Tor bridge nodes. (both of which come packaged with Tor.) Tor Plugable transports (such as meek) disguise the Tor protocol by using ports commonly used by other services (such as port 80 or port 443) to communicate with a Tor bridge node. What's more, is that you will not find the addresses of Tor bridges published anywhere on some list- as Tor keeps these a well guarded secret. Effectively this means that the user can establish a Tor circuit by effectively disguising their Tor traffic to look like regular HTTP or HTTPS traffic using the plugable transport , and then connect to a 'secret' guard node known as a bridge node. (packet sniffing and DPI won't work with meek servers either- as meek was designed to circumvent packet sniffing and Deep Packet Inspection.) This cocnnection technique is highly effective because entire countries (such as China as a primary example) cannot effectively manage to block amazon-meek without blocking normal web traffic to basically every HTTPS service hosted on an amazon cloud server. This post only demonstrates that the OP has an extremely poor working knowledge and understanding of how Tor Works. I do have to give brownie points for the attempt though.