Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Block TOR

    Scheduled Pinned Locked Moved General pfSense Questions
    17 Posts 6 Posters 7.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • BBcan177B
      BBcan177 Moderator
      last edited by

      Any IPs that are added to the customlist, must be formatted with one IP address per line (See the help text)

      For TOR, you don't need to manually enter the IPs in the customlist… Best to download the IPs from these sources:

      https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv
      https://rules.emergingthreats.net/open/suricata/rules/tor.rules
      http://list.iblocklist.com/?list=togdoptykrlolpddwbvz&fileformat=p2p&archiveformat=gz

      and add them to the "Source" field.

      Typically you only need to "Deny Outbound", unless you have open ports and want to protect those specific ports...

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

      1 Reply Last reply Reply Quote 0
      • N
        Nullity
        last edited by

        Blocking Exit Nodes will primarily only stop Tor users from connecting to you. It will not stop your users from connecting to Tor.

        You need to block access to both Tor Relays and Bridges. Blocking all Bridges and proxies is less than easy.

        Please correct any obvious misinformation in my posts.
        -Not a professional; an arrogant ignoramous.

        1 Reply Last reply Reply Quote 0
        • I
          insurin
          last edited by

          ahh I see. My goal is to stop my users using tor browsers whether on their laptops or mobiles and bypassing blocked websites.

          1 Reply Last reply Reply Quote 0
          • I
            insurin
            last edited by

            BBcan

            Do you mean add the URLS you sent into the source section (attached image)

            pf.PNG
            pf.PNG_thumb

            1 Reply Last reply Reply Quote 0
            • BBcan177B
              BBcan177 Moderator
              last edited by

              Yes exactly.

              There are other CSV lists available from here:

              https://torstatus.blutmagie.de/
                  https://www.dan.me.uk/tornodes

              And the IDS url from Proofpoint seems to list both Exit Nodes and Relays etc…
                  https://rules.emergingthreats.net/open/suricata/rules/tor.rules

              "Experience is something you don't get until just after you need it."

              Website: http://pfBlockerNG.com
              Twitter: @BBcan177  #pfBlockerNG
              Reddit: https://www.reddit.com/r/pfBlockerNG/new/

              1 Reply Last reply Reply Quote 0
              • I
                insurin
                last edited by

                What am I entering in the Header/Label box. It cannot be left blank

                1 Reply Last reply Reply Quote 0
                • BBcan177B
                  BBcan177 Moderator
                  last edited by

                  The Header/Label field is used to name the downloaded files. So each header name needs to be unique and not contain any spaces or special characters…

                  ie:  Blut_TOR, DM_TOR, ET_TOR

                  "Experience is something you don't get until just after you need it."

                  Website: http://pfBlockerNG.com
                  Twitter: @BBcan177  #pfBlockerNG
                  Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                  1 Reply Last reply Reply Quote 0
                  • A
                    aGeekhere
                    last edited by

                    You could try forcing the router to be the DNS server, when I last tested it TOR was unable to connect.

                    In Firewall/NAT/Port forward
                    add a new rule

                    Interface = LAN
                    Protocol = TCP/UDP
                    Source ports = *
                    Dest address = *
                    Dest ports = 53
                    NAT IP = 127.0.0.1
                    NAT Ports = 53
                    Description = Redirect DNS
                    LAN TCP/UDP * * * 53 127.0.0.1 53 Redirect DNS
                    Save

                    Never Fear, A Geek is Here!

                    1 Reply Last reply Reply Quote 0
                    • I
                      insurin
                      last edited by

                      This is a real ball ache this TOR stuff. I have a Sonicwall but have to use DPI-SSL to implement blocks for my network but the issue I have is I max out the DPI-SSL count fairly easy. To get around that I have implemented Application blocks via my Anti Virus so if Tor browser/firefox portable etc runs, the AV will block it. So although I am not preventing access to TOR unless I use DPI-SSL, I am stopping the app at source which is working perfect for Domain devices. This is why if I can get this pfblocker working, I will have put something in place to block my BYOD users. It just doesn't look good when you go out an buy an expensive UTM firewall and you get some little shit bypassing blocked websites via TOR.

                      1 Reply Last reply Reply Quote 0
                      • A
                        aGeekhere
                        last edited by

                        try above method

                        Never Fear, A Geek is Here!

                        1 Reply Last reply Reply Quote 0
                        • I
                          insurin
                          last edited by

                          AGeekHere

                          The URLs in the source field seem to be doing the trick. I can see them appearing in in the Deny Filter and I cannot make a connection with a TOR browser.

                          I just gave the header a file name. Thanks BBcan177

                          I will certainly look at your method too. Just curious why Tor would not connect if I made the router the DNS sever

                          1 Reply Last reply Reply Quote 0
                          • V
                            Valeriy
                            last edited by

                            You can use Pfblocker with IP black list functionality that includes IP addresses of all Tor exit nodes (updating it manually from public sources). Or Snort with the same (but more difficult to set up properly)

                            1 Reply Last reply Reply Quote 0
                            • A
                              aGeekhere
                              last edited by

                              just tested it again, it no longer works, oh well.

                              Never Fear, A Geek is Here!

                              1 Reply Last reply Reply Quote 0
                              • T
                                Tolpa
                                last edited by

                                @aGeekHere:

                                just tested it again, it no longer works, oh well.

                                I`d try it too - no effect (((
                                No ideas more? (

                                1 Reply Last reply Reply Quote 0
                                • First post
                                  Last post
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.