Friday, 29 October 2010

Blocking Tor with IPFilter on Solaris 10

Recently I was given the task of blocking Tor exit nodes using Solaris. A quick look through Google showed that nobody had built anything like this for Solaris. All the available tools were either commercial PHP scripts or solutions very specific to Linux servers. Nothing more.

Oh, and a couple of mod_rewrite-based solutions with a huge number of regular-expression rules, which put a very heavy load on the server. And again, only for web servers.

Let's try to solve this problem at a lower level.

So, the most obvious solution (one that has, incidentally, already been used elsewhere) is to obtain the list of IP addresses of Tor exit nodes and block them with the firewall.

The first problem that immediately arises is where to get that list.

Fortunately, the Tor network has status servers that can export the list of exit nodes in plain-text form. All that remains is to find working status servers that offer this export. A short search leads us to four servers with this capability:


Excellent. The rest is a matter of technique. So, without being overly original, let's write a Bourne shell script for cron that downloads the list at a set interval and builds IPFilter blocking rules from it:


#!/sbin/sh

#
# Tor exit nodes blocking script
#
# Written by Y.Voinov (C) 2010
#
# ident   "@(#)block_tor.sh     1.0     10/10/29 YV"
#

#############
# Variables #
#############

# Servers for downloading exit nodes
SERVER1="torstatus.blutmagie.de/ip_list_exit.php"
SERVER2="torstatus.all.de/ip_list_exit.php"
SERVER3="torstatus.asprion.org/ip_list_exit.php"
SERVER4="torstatus.rueckgr.at/ip_list_exit.php"

SERVER_LIST="$SERVER1 $SERVER2 $SERVER3 $SERVER4"
TEMP_DIR="/tmp"
EXIT_NODES_TEMP_FILE="$TEMP_DIR/tor_exit_nodes.lst"

# Connection timeout for downloading
TIMEOUT=30

# Blocking rule parts
BLOCK_RULE_1="block in quick from"
BLOCK_RULE_2="to any group 100"

# OS utilities
CUT=`which cut`
ECHO=`which echo`
ID=`which id`
IPF=`which ipf`
SVCADM=`which svcadm`
UNAME=`which uname`
WGET=`which wget`

OS_VER=`$UNAME -r|$CUT -f2 -d"."`
OS_NAME=`$UNAME -s|$CUT -f1 -d" "`

###############
# Subroutines #
###############

os_check ()
{
 if [ "$OS_NAME" != "SunOS" ]; then
  $ECHO "ERROR: Unsupported OS $OS_NAME. Exiting..."
  exit 1
 elif [ "$OS_VER" -lt "10" ]; then
  $ECHO "ERROR: Unsupported $OS_NAME version $OS_VER. Exiting..."
  exit 1
 fi
}

root_check ()
{
 if [ ! `$ID | $CUT -f1 -d" "` = "uid=0(root)" ]; then
  $ECHO "ERROR: You must be super-user to run this script."
  exit 1
 fi
}

download_nodes_list ()
{
 # Get exit nodes list from one server using server list
 for S in $SERVER_LIST; do
  $WGET -T $TIMEOUT -q -O $EXIT_NODES_TEMP_FILE $S
  retcode=`$ECHO $?`
  case "$retcode" in
   0)
    $ECHO "List downloaded successfully."
    break
   ;;
   4)
    $ECHO "Unable to resolve host address. Exiting..."
    exit 4
   ;;
   *)
    $ECHO "Error downloading list from `$ECHO $S|$CUT -f1 -d '/'`. Try another server..."
    continue
   ;;
  esac
 done

 if [ "$retcode" != "0" ]; then
  $ECHO "Error downloading list from all servers. Exiting..."
  exit 1
 fi
}

add_blocking_rules ()
{
 # Drop all old temporary rules by refreshing the original configuration,
 # because we cannot dynamically replace specific rules
 $SVCADM refresh ipfilter

 while read ip_addr; do
  $ECHO "$BLOCK_RULE_1 $ip_addr $BLOCK_RULE_2" | $IPF -f - >/dev/null 2>&1
 done < $EXIT_NODES_TEMP_FILE
}

##############
# Main block #
##############

# OS check
os_check

# Root check
root_check

# Download nodes list
download_nodes_list

# Add blocking rules
add_blocking_rules

exit 0

All good? No. Not elegant enough. First, the procedure that adds the blocking rules is not fast enough: because we first reset the IPFilter rule set to its original state, there is a pause during which we are not blocking the Tor network at all. Second, the main blocking group 100 becomes excessively large, which slows down packet processing.

Let's try to find a more elegant solution.

To build the blocking rule set we will use the IPFilter address pool functionality.

Let's rewrite our script:

#!/sbin/sh

#
# Tor exit nodes blocking script
#
# Written by Y.Voinov (C) 2010
#
# ident   "@(#)block_tor.sh     1.1     10/10/29 YV"
#

#############
# Variables #
#############

# Servers for downloading exit nodes
SERVER1="torstatus.blutmagie.de/ip_list_exit.php"
SERVER2="torstatus.all.de/ip_list_exit.php"
SERVER3="torstatus.asprion.org/ip_list_exit.php"
SERVER4="torstatus.rueckgr.at/ip_list_exit.php"

SERVER_LIST="$SERVER1 $SERVER2 $SERVER3 $SERVER4"
TEMP_DIR="/tmp"
EXIT_NODES_TEMP_FILE="$TEMP_DIR/tor_exit_nodes.lst"

# Connection timeout for downloading
TIMEOUT=30

# Blocking rule parts
# BLOCK_RULE_2 must not use rule groups
# when using IP pools!
POOL_NUMBER="100"
BLOCK_RULE_1="block in quick from"
BLOCK_RULE_2="to any"

# OS utilities
CAT=`which cat`
CUT=`which cut`
ECHO=`which echo`
ID=`which id`
IPF=`which ipf`
IPPOOL=`which ippool`
MKTEMP=`which mktemp`
RM=`which rm`
SED=`which sed`
UNAME=`which uname`
WGET=`which wget`

OS_VER=`$UNAME -r|$CUT -f2 -d"."`
OS_NAME=`$UNAME -s|$CUT -f1 -d" "`

###############
# Subroutines #
###############

os_check ()
{
 if [ "$OS_NAME" != "SunOS" ]; then
  $ECHO "ERROR: Unsupported OS $OS_NAME. Exiting..."
  exit 1
 elif [ "$OS_VER" -lt "10" ]; then
  $ECHO "ERROR: Unsupported $OS_NAME version $OS_VER. Exiting..."
  exit 1
 fi
}

root_check ()
{
 if [ ! `$ID | $CUT -f1 -d" "` = "uid=0(root)" ]; then
  $ECHO "ERROR: You must be super-user to run this script."
  exit 1
 fi
}

download_nodes_list ()
{
 # Get exit nodes list from one server using server list
 for S in $SERVER_LIST; do
  $WGET -T $TIMEOUT -q -O $EXIT_NODES_TEMP_FILE $S
  retcode=`$ECHO $?`
  case "$retcode" in
   0)
    $ECHO "List downloaded successfully."
    break
   ;;
   4)
    $ECHO "Unable to resolve host address. Exiting..."
    exit 4
   ;;
   *)
    $ECHO "Error downloading list from `$ECHO $S|$CUT -f1 -d '/'`. Try another server..."
    continue
   ;;
  esac
 done

 if [ "$retcode" != "0" ]; then
  $ECHO "Error downloading list from all servers. Exiting..."
  exit 1
 fi
}

add_blocking_rules ()
{
 tmp_file="`$MKTEMP`"

 # Get IPs from downloaded file, comma-separated on one line
 while read ip_addr; do
  $ECHO "$ip_addr, \c">>$tmp_file
 done < $EXIT_NODES_TEMP_FILE

 # Get temp file contents into variable
 ip_pool_addr="`$CAT $tmp_file`"

 # Cut trailing comma
 # and create full IP pool specification
 ip_pool_addr="table role = ipf type = tree number = $POOL_NUMBER {`$ECHO $ip_pool_addr | $SED 's/.\{1\}$//'` };"

 # Flush IP pool
 $IPPOOL -F >/dev/null 2>&1

 # Load IP pool
 $ECHO $ip_pool_addr | $IPPOOL -f - >/dev/null 2>&1

 # Add pool block rule
 $ECHO "$BLOCK_RULE_1 pool/$POOL_NUMBER $BLOCK_RULE_2" | $IPF -f - >/dev/null 2>&1

 # Remove temp file
 $RM $tmp_file
}

##############
# Main block #
##############

# OS check
os_check

# Root check
root_check

# Download nodes list
download_nodes_list

# Add blocking rules
add_blocking_rules

exit 0
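The rewritten script feeds whatever the status server returned straight into ippool, and flushes the old pool before it knows the new one is usable. As an added example (not code from the original post), here is a POSIX sh version of that list-to-pool step which validates each line as an IPv4 address, refuses to replace the pool when the download yields nothing usable, and only then performs the flush and load; the function names, the POOL_NUMBER value and the sample list in demo_spec are assumptions constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from the original post: validate the downloaded
# exit-node list before it becomes an ippool table. The list is untrusted
# input fetched over plain HTTP; a truncated, empty or tampered download must
# neither flush a working pool (leaving Tor unblocked until the next cron run)
# nor inject unexpected text into the firewall configuration.
# Assumes POSIX sh and the ippool table syntax shown in the post.

POOL_NUMBER="100"

# is_ipv4 ADDR: accept only a dotted quad with four octets in 0..255.
is_ipv4 ()
{
 old_ifs=$IFS
 IFS=.
 set -f            # no globbing while the unquoted expansion is split on "."
 set -- $1
 set +f
 IFS=$old_ifs
 [ $# -eq 4 ] || return 1
 for octet in "$@"; do
  case "$octet" in
   ''|*[!0-9]*|????*) return 1 ;;   # empty, non-digit, or more than 3 digits
  esac
  [ "$octet" -le 255 ] || return 1
 done
 return 0
}

# build_pool_spec LISTFILE POOLNUM: print an ippool table definition holding
# only the valid IPv4 lines of LISTFILE (one address per line, CRLF tolerated,
# blank and "#" lines ignored). Returns 1 when no usable address was found, so
# the caller can refuse to replace a working pool with an empty one.
build_pool_spec ()
{
 count=0
 spec="table role = ipf type = tree number = $2 {"
 while IFS= read -r line || [ -n "$line" ]; do
  line=$(printf '%s' "$line" | tr -d '\r')
  case "$line" in ''|'#'*) continue ;; esac
  if is_ipv4 "$line"; then
   spec="$spec $line/32;"
   count=$((count + 1))
  else
   # Do not copy the offending content into logs; its length is enough.
   printf 'WARNING: skipping unexpected %d-byte line\n' "${#line}" >&2
  fi
 done < "$1"
 [ "$count" -gt 0 ] || return 1
 printf '%s };\n' "$spec"
}

# reload_tor_pool LISTFILE: safe replacement for the post's flush-then-load
# sequence. The whole spec is built first; only if it is usable is the old
# pool flushed and the new one loaded. Needs root and ippool, so the demo
# below does not call it. "ippool -F" flushes every pool, as in the post.
reload_tor_pool ()
{
 spec=$(build_pool_spec "$1" "$POOL_NUMBER") || {
  echo "ERROR: no valid addresses in $1; keeping the current pool" >&2
  return 1
 }
 ippool -F >/dev/null 2>&1
 printf '%s\n' "$spec" | ippool -f -
}

# Demo on a constructed list: valid addresses with LF and CRLF endings, a
# comment, a blank line, an out-of-range octet, a three-octet address and junk.
demo_spec ()
{
 tmp=$(mktemp) || return 1
 printf '1.2.3.4\r\n# comment\n\n10.0.0.300\n256.1.1.1\n1.2.3\nfoo;bar\n192.0.2.7\n' > "$tmp"
 build_pool_spec "$tmp" "$POOL_NUMBER"
 rc=$?
 rm -f "$tmp"
 return $rc
}

demo_spec
```

In the cron script, reload_tor_pool "$EXIT_NODES_TEMP_FILE" would take the place of the flush and load lines in add_blocking_rules.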



Well, that is much better.

After the script runs, the dynamic pool looks like this:

root @ pegasus / # ippool -l
table role = ipf type = tree number = 100
        { [one /32 entry per exit node; the full list is omitted here] };


After our script runs, we can see the added rule in the rule list of our running filter:

root @ pegasus / # ipfstat -io
pass out quick on lo0 all
pass out quick proto tcp/udp from any to any with keep state keep frags
pass out quick proto icmp from any to any keep state
block in all head 100
pass in on e1000g0 all head 200
pass in quick on lo0 all
block in quick all
block in quick from pool/100 to any
block in quick from any to any with frag group 100
block in quick proto tcp from any to any with short group 100
block in quick from any to any with ipopts group 100
block in log first quick proto tcp from any to any flags FS/FS group 100
block in log first quick proto tcp from any to any flags FSPU/FSPU group 100
block in log first quick proto tcp from any to any flags FPU/FPU group 100
block in log first quick proto tcp from any to any flags FP/FP group 100
block in log first quick proto tcp from any to any flags F/F group 100
block in log first quick proto tcp from any to any flags U/U group 100
block in log first quick proto tcp from any to any flags P/P group 100
block in quick from 172.16.0.0/12 to any group 100
block in quick from 10.0.0.0/8 to any group 100
block in quick from 127.0.0.0/8 to any group 100
block in quick from 0.0.0.0/8 to any group 100
block in quick from 169.254.0.0/16 to any group 100
block in quick from 192.0.2.0/24 to any group 100
block in quick from 204.152.64.0/23 to any group 100
block in quick from 224.0.0.0/3 to any group 100
block in quick from pool/100 to any group 100
pass in quick on e1000g0 proto tcp from any to 192.168.192.2/32 port = 80 flags S/FSRPAU keep state group 200
pass in quick on e1000g0 proto tcp from any to 192.168.192.2/32 port = 443 flags S/FSRPAU keep state group 200
pass in quick on e1000g0 proto tcp from any to 192.168.192.2/32 port = 2222 flags S/FSRPAU keep state group 200
pass in quick on e1000g0 proto tcp from 192.168.192.1/32 to 192.168.192.2/32 port = 1158 flags S/FSRPAU keep state group 200

And the script runs considerably faster than the original version, which is exactly what we wanted from it.

The rest is a matter of technique. The script is called from cron as often as you like. According to the information available, the exit node list is updated every 5 minutes, so that is the interval we will configure for the cron job.

PS. One subtlety. Note that we do not save the blocking pool configuration to /etc/ipf/ippool.conf, so after a server reboot the dynamically loaded configuration is lost until the next cron run of the script. Therefore, to ensure Tor is blocked after a machine restart, you can run the script manually once the system reaches multi-user mode.

PPS. How you use this tool is up to you. On the one hand, I personally have nothing against Tor. On the other hand, the theoretical possibility of carrying out a DDoS attack through the Tor network has been demonstrated. So, if you want or need to, you can block Tor at the packet level. The only caveat: keep an eye on the availability of the Tor status servers and, when necessary, update the list of servers used to download the exit node list.