Add option to whitelist IPv4 ranges to allowed.list in sphinx-socks #415

Closed
gyrusdentatus opened this issue Nov 4, 2020 · 2 comments · Fixed by #502
Labels
enhancement New feature or request

Comments

@gyrusdentatus

Right now, the allowed.list file for sphinx-socks supports only domain names and single IP addresses such as 1.1.1.1 or nymtech.net.

  • would be great to add a whole range, such as 149.154.160.0/22
  • the above IP range is one of the many (about 9 of them I think) Telegram ASNs
  • without this, whitelisting Telegram would need about 9000 lines if I am counting correctly.
@jstuczyn jstuczyn added this to the 0.9.1 milestone Nov 4, 2020
@jstuczyn jstuczyn added the enhancement New feature or request label Nov 4, 2020
@futurechimp
Contributor

We can't easily allow IPs in the allowed.list, because there's no guarantee that they won't change quite rapidly as services re-provision. It's also basically impossible to tell whether IP x.x.x.x is a good service, a bad service, or what, whereas domain names are at least somewhat self-descriptive.

But since I suspect you're talking about browser-related stuff, I think there's an easy way to achieve what you are trying to do.

If you look at the proxy settings in Firefox, for instance, you'll notice a tickbox in the proxy settings, saying "proxy dns over SOCKS5":

image

Ticking that box forces DNS resolution at the other end of the proxy. The reason you're seeing any IP addresses when using the Telegram web interface is because your browser already resolved the domain to an IP address sometime in the past 24 hours, and rather than re-resolve them it's just using the IP addresses straight up. Ticking the box uses the domain rather than the IP, getting around the problem entirely.

As a side note, I'm actually very surprised if any IP addresses work. Can you verify with an example that I can try?

@gyrusdentatus
Author

No, this is browser unrelated - I would want this feature for Telegram apps and desktop client, where there is an option to set up a SOCKS5 proxy.
See here: https://ipinfo.io/AS62041

I can confirm my Telegram client indeed connects to these IP ranges, here is a printscreen from my Little Snitch macOS program which monitors all in/out traffic from the whole OS.

image

Also, I have monitored the traffic of Telegram

  • pcap dump, no DNS protocol, pure TCP traffic from these IP ranges listed in the link above.

Does it make more sense now?
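
The CIDR matching requested in this issue, as an added example that is not code from this thread or from the project's eventual fix. It assumes allowed.list holds one entry per line and chooses to reject /0; `Entry`, `parse_entry`, `load` and `is_allowed` are hypothetical names, and the list contents are constructed.

```rust
use std::net::Ipv4Addr;

// Constructed sample in the assumed one-entry-per-line format (not from the project).
const SAMPLE_LIST: &str = "# comment\nnymtech.net\n1.1.1.1\n149.154.160.0/22\n";

#[derive(Debug, PartialEq)]
enum Entry {
    Domain(String),
    Net { base: u32, mask: u32 }, // a single IP is stored as a /32
}

fn parse_entry(line: &str) -> Option<Entry> {
    let line = line.trim();
    if line.is_empty() || line.starts_with('#') { return None; }
    // Prefix must be 1..=32: a /0 would allow every address, so it is rejected.
    let (addr, prefix) = match line.split_once('/') {
        Some((a, p)) => (a, p.parse::<u32>().ok().filter(|p| (1..=32).contains(p))?),
        None => (line, 32),
    };
    match addr.parse::<Ipv4Addr>() {
        Ok(ip) => {
            let mask = u32::MAX << (32 - prefix);
            // Clear host bits so 149.154.161.7/22 normalises to 149.154.160.0/22.
            Some(Entry::Net { base: u32::from(ip) & mask, mask })
        }
        Err(_) if !line.contains('/') => Some(Entry::Domain(line.to_ascii_lowercase())),
        Err(_) => None, // "name/22" is malformed, not a domain
    }
}

fn load(text: &str) -> Vec<Entry> { text.lines().filter_map(parse_entry).collect() }

// IP targets match only IP/CIDR entries; names match only domain entries.
fn is_allowed(list: &[Entry], target: &str) -> bool {
    let target = target.trim().to_ascii_lowercase();
    match target.parse::<Ipv4Addr>() {
        Ok(ip) => list.iter().any(|e| {
            matches!(e, Entry::Net { base, mask } if (u32::from(ip) & mask) == *base)
        }),
        Err(_) => list.iter().any(|e| matches!(e, Entry::Domain(d) if *d == target)),
    }
}

fn main() {
    let list = load(SAMPLE_LIST);
    println!("{} {}", is_allowed(&list, "149.154.163.255"), is_allowed(&list, "149.154.164.0"));
}
```

The single /22 line covers the 1024 addresses from 149.154.160.0 to 149.154.163.255; the next address, 149.154.164.0, falls outside it and is refused.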
