Opened 10 years ago

Closed 10 years ago

Last modified 8 years ago

#2583 closed defect (not a bug)

Fascist firewall blocks Tor by handshake

Reported by: dontask
Owned by:
Priority: Medium
Milestone:
Component: Core Tor/Tor
Version:
Severity:
Keywords: tor-client
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Summary: When the TOR Vidalia bundle is installed on fully updated MAC OSX 10.6.6 system, TOR does not recognize bridge routers that are manually entered in the "Settings" dialog box.

Builds tested: 0.2.1.29-0.2.10-i386-1.dmg, 0.2.2.22-alpha-0.2.10-i386.dmg

How we tested it:

1) Set up apache on my system. Friend in [country] can connect to apache and view a web page on port 80, and via https on port 443. This confirms my IP address is not blocked from the friend's network.

2) Shut down apache. Set up a TOR bridge server at same IP address. Logs show dozens of users connecting to it from all over the world. This means the system is working on my end.

3) Sent bridge server IP/port/hash to friend. When friend entered this information in TOR (see attached screen cap), their system was unable to connect to my bridge server.

4) Turned off firewall on friend's computer. Turned off IPv6. Rebooted. Problem persisted.

5) Shut down TOR on my end. Restarted Apache. Friend was able to connect to my web server on ports 80 and 443.

6) Shut down Apache. Restarted bridge router. Logs show multiple users able to connect to my bridge router.

7) We repeated this for both MAC TOR builds (stable and alpha), rebooting the system each time.

Attached:

- Screen capture
- Vidalia log file from friend's computer.
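The isolation procedure above (same address answers on 80 and 443 but the bridge port does not, while other clients reach the bridge fine) can be repeated at a single address with a small probe that distinguishes "TCP never connects" from "TCP connects but the connection dies as soon as the first bytes look like a TLS handshake". The script below is an added example, not code from this ticket or from Tor; the local "middlebox" it talks to is a constructed stand-in for the filtering described here, and the probe payloads are constructed too (the TLS probe is only a record header, not a real ClientHello).

```python
import socket
import threading

# First byte of a TLS record that carries a handshake message (ContentType 0x16).
TLS_HANDSHAKE_RECORD = 0x16

# Constructed probe payloads (not traffic captured for the ticket):
HTTP_PROBE = b"GET / HTTP/1.0\r\nHost: probe\r\n\r\n"
# A bare TLS record header plus a few bytes: enough to look like the start of a
# ClientHello to a byte-matching filter, but not a valid handshake.
TLS_PROBE = bytes([TLS_HANDSHAKE_RECORD, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])


def tcp_probe(host, port, payload=None, timeout=3.0):
    """Classify how far a connection to host:port gets.

    Returns one of:
      'refused'           - SYN answered with RST (nothing listening, or a reject rule)
      'timeout'           - no SYN/ACK at all (silent drop somewhere on the path)
      'open'              - connected (and, if a payload was sent, a reply came back)
      'closed-after-send' - connected, but the peer closed right after our first bytes
      'reset-after-send'  - connected, then torn down with RST after our first bytes
      'no-reply'          - connected, bytes sent, nothing back within the timeout
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    try:
        if payload is None:
            return "open"
        sock.sendall(payload)
        try:
            reply = sock.recv(1)
        except ConnectionResetError:
            return "reset-after-send"
        except socket.timeout:
            return "no-reply"
        return "open" if reply else "closed-after-send"
    finally:
        sock.close()


def run_diagnostics(host, port):
    """Three probes at one address: plain TCP, an HTTP request, and a TLS-looking
    first packet. A handshake filter shows up as the first two succeeding while
    the TLS probe is cut off."""
    return {
        "tcp": tcp_probe(host, port),
        "http": tcp_probe(host, port, HTTP_PROBE),
        "tls": tcp_probe(host, port, TLS_PROBE),
    }


def start_simulated_middlebox(host="127.0.0.1"):
    """Constructed stand-in for the filtering in the ticket: accepts any TCP
    connection, answers HTTP, and silently closes anything whose first byte looks
    like a TLS handshake record. Returns the listening port."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((host, 0))
    server.listen(5)
    port = server.getsockname()[1]

    def serve():
        while True:
            conn, _ = server.accept()
            try:
                data = conn.recv(4096)
                if data and data[0] != TLS_HANDSHAKE_RECORD:
                    conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
                # TLS-looking data, or a client that already hung up: close without replying
            except OSError:
                pass
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port(host="127.0.0.1"):
    """Pick a port nothing is listening on, to show what 'refused' looks like."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port = start_simulated_middlebox()
    print(f"simulated middlebox on 127.0.0.1:{port}")
    for name, result in run_diagnostics("127.0.0.1", port).items():
        print(f"  {name:5s}: {result}")
    print(f"  nothing listening: {tcp_probe('127.0.0.1', free_port())}")
```

Against a real bridge the same three probes would be run from the client side with the bridge's address and ORPort; a result of `open`/`open`/`closed-after-send` (or `reset-after-send`) points at filtering keyed on the handshake rather than on the address, which is exactly the distinction the steps above were trying to establish.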

Child Tickets

Attachments (2)

VidaliaLog-02.19.2011.txt (14.2 KB) - added by dontask 10 years ago.
Vidalia Log
screencap.jpg (154.7 KB) - added by dontask 10 years ago.
Screen Capture


Change History (16)

Changed 10 years ago by dontask

Attachment: VidaliaLog-02.19.2011.txt added

Vidalia Log

Changed 10 years ago by dontask

Attachment: screencap.jpg added

Screen Capture

comment:1 Changed 10 years ago by rransom

What version of Tor is the bridge running?

comment:2 Changed 10 years ago by arma

If [country] is .ir, you will need the bridge to be running Tor 0.2.2.22-alpha (or git master).

comment:3 Changed 10 years ago by dontask

Bridge is v0.2.1.29 running on Win7 64 bit. Firewall set wide open. The "recent connections" button indicates inbound bridge connections from users in .ir and .cn but I do not know enough about how the software works to tell if these connections are passing traffic properly. Also, friend is not located in either of these countries.

comment:4 Changed 10 years ago by rransom

Try Tor 0.2.2.22-alpha; if that doesn't work, see [TheOnionRouter/BlockingDiagnostics].

comment:5 Changed 10 years ago by dontask

Thank you for your assistance. I have switched to 0.2.2.22 alpha and am waiting for my friend to try and contact me again. I will keep you updated.

comment:6 Changed 10 years ago by arma

Other things to narrow down include

a) is there some sort of firewall on the client side, including software labelled "anti-virus" that mysteriously firewalls applications from opening network sockets

b) can the client reach the main Tor network? If not, and he's not in .ir or .cn, then either he's behind a restrictive corporate firewall, or see (a) above.

comment:7 Changed 10 years ago by dontask

Update: my friend tried to connect to me again and we are still getting the "no known bridges" error.

Yes, my friend is behind a very restrictive firewall at a very conservative educational institution ...but it's the only place they have internet access. Something like 95% of websites are blocked there, including facebook, youtube, gmail, and torproject.org. My friend does have access to e-mail through [educational institution] ...but of course, they can read all of his/her email.

They must be doing some sort of protocol analysis, because ping times out even to non-blocked sites, and tracert hits 64 hops without returning any info.

The reason we're trying to set this up is because my friend is a member of an open source project. We are trying to use TOR to get through the filtering so they can connect to our project's Google Code SVN.

comment:8 in reply to: 7 Changed 10 years ago by rransom

Replying to dontask:

> Update: my friend tried to connect to me again and we are still getting the "no known bridges" error.

Please come to IRC so we can discuss your options further. The Tor Project's main IRC channel is #tor on irc.oftc.net; you can use both Tor and SSL when connecting to OFTC's IRC network.

> They must be doing some sort of protocol analysis, because ping times out even to non-blocked sites, and tracert hits 64 hops without returning any info.

That's just blocking of all ICMP packets, not any fancy protocol analysis.

> Yes, my friend is behind a very restrictive firewall at a very conservative educational institution ...but it's the only place they have internet access. Something like 95% of websites are blocked there, including facebook, youtube, gmail, and torproject.org. My friend does have access to e-mail through [educational institution] ...but of course, they can read all of his/her email.

> The reason we're trying to set this up is because my friend is a member of an open source project. We are trying to use TOR to get through the filtering so they can connect to our project's Google Code SVN.

As a stopgap measure, you could export the Subversion repository to Git using git-svn, and then mail Git bundles back and forth. (And hope the censors believe that the bundles don't contain any secret messages.)

comment:9 Changed 10 years ago by rransom

Keywords: OSX 10.6.6 Relay no running bridges known Cannot Connect No Directory Servers removed
Summary: Bridge Routers Broken on MAC OSX 10.6.6 → Fascist firewall blocks Tor by handshake
Version: Tor: unspecified

comment:10 Changed 10 years ago by ioerror

Packet captures would be really useful - even if only on the bridge side - though likely both bridge and client pcaps would allow us to see where in the setup things fall apart...

comment:11 Changed 10 years ago by cypherpunks

> 5) Shut down TOR on my end. Restarted Apache. Friend was able to connect to my web server on ports 80 and 443.

Any specific browser configuration from the edu's admins, like a proxy? Some autoproxy.pac stuff, etc.?

comment:12 Changed 10 years ago by arma

Resolution: not a bug
Status: new → closed

No word for 2 months. It's not clear we can do anything here without packet traces, and even then it would be tricky. I'm going to close this trac entry, since this isn't a Tor-the-program bug, and the modular transport proxy system (e.g. #2760) is already underway to solve situations like this one.

Please do visit us on IRC, or send us an email, with any details you have.

Thanks!

comment:13 Changed 8 years ago by nickm

Keywords: tor-client added

comment:14 Changed 8 years ago by nickm

Component: Tor Client → Tor