Firewall reporting Tor/Proxy access to 1e100.net for Firefox users running 41.0.1
This morning my Sonicwall firewall logs were filled with blocked outbound attempts to 1e100.net using protocol "PROXY-ACCESS Tor". Effectively Google is blocked for all FF users. The issue is limited to users running 41.0.1 - older version seem to work. Anyone else experiencing this?
所有回覆 (8)
Are you using the TOR Firefox version?
In that case you would have to contact TOR for support.
You can check the connection settings.
- Tools > Options > Advanced > Network : Connection > Settings
- https://support.mozilla.org/kb/Options+window+-+Advanced+panel
If you do not need to use a proxy to connect to internet then try to select "No Proxy" if "Use the system proxy settings" or one of the others do not work properly.
See "Firefox connection settings":
On SonicWALL, does "protocol" indicate a port number or is it something other than DNS, TCP/UCP, etc.?
Based on whois and dig checks, 1e100.net does appear to be a legitimate Google domain, but I didn't find any A or AAAA records, so I don't know what it's for.
If you open a Firefox with the problem, open about:config and filter for 1e100 does anything come up?
由 jscher2000 - Support Volunteer 於 修改
Thanks for responding! 1. there are no entries in about:config for 1e100. The Sonicwall logs report the destination IP and port as:
dst=74.125.227.177:443:X1:dfw06s32-in-f17.1e100.net proto=tcp/https src=172.25.35.70:30758 (our corporate network)
Note the there are multiple IP's listed in the log but they all point t0 1e100.net
We are not using the Tor version of FF.
I've been running FF version 41.0.1 for a few days but this just started happening this morning.
Any feedback would be appreciated.
Okay, that's helpful. I don't know what connection it could have to TOR, since it looks like an ordinary SSL connection on port 443. The blocking rule might be glitchy.
According to an old thread on another site, Google uses 1e100.net for SafeBrowsing checks: http://superuser.com/questions/75841/what-is-1e100-net-and-why-do-i-have-tcp-ports-open-to-it
But Google isn't specific about what it can be used for: https://support.google.com/faqs/answer/174717
Unless the IP is blocked, I don't know why Firefox wouldn't be able to access https://www.google.com/ (i.e., not using dfw06s32-in-f17.1e100.net).
Thanks for your help. I believe the issue is with Sonicwall; they probably pushed a bad signature update. I will let you know what resolves the issue.
Update from Sonicwall:
"Firefox with updates is using TOR which is a signature blocked in App Control -Firefox and Team viewer are overlapping with the TOR App Control signature ([Firefox] SID 11169, AP ID 467) You may want to look into your App control to see if it is blocking any TOR App control Signatures. Which you could then disable if you continue to have issues with firefox across your firewall"
My question to team Mozilla: are they correct when they say "Firefox with updates is using TOR"? We are using Sonicwall's App Control to block Tor and I wouldn't risk turning it off; cryptowall and it's variants use Tor to send keys.
"I don't know what connection it could have to TOR, since it looks like an ordinary SSL connection on port 443. The blocking rule might be glitchy."
Taken from the Tor Project website:
Which outbound ports must be open when using Tor as a client?
"Tor may attempt to connect to any port that is advertised in the directory as an ORPort (for making Tor connections) or a DirPort (for fetching updates to the directory). There are a variety of these ports: many of them are running on 80, 443, 9001, and 9030, but many use other ports too. "
So Tor does use port 80 and 443..
The TOR browser is a modified version of Firefox. For a while now, the TOR project has been submitting proposed changes to Mozilla to include in Firefox to reduce the amount of modifications they have to make after each new Firefox release. Perhaps SonicWALL has detected one of those patches in Firefox 41.0.1 with its TOR app control signature?
I don't know what exactly was included in the update, but what's listed in the release notes doesn't really sound TOR-ish: https://www.mozilla.org/firefox/41.0.1/releasenotes/
Actually, I am a little skeptical of this explanation. You didn't mention any other sites being blocked other than Google. The documentation on App Control signatures isn't consistent with blocking of Google sites in particular vs. blocking of all traffic.
???