Block TOR
-
Any IPs that are added to the customlist, must be formatted with one IP address per line (See the help text)
For TOR, you don't need to manually enter the IPs in the customlist… Best to download the IPs from these sources:
https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv
https://rules.emergingthreats.net/open/suricata/rules/tor.rules
http://list.iblocklist.com/?list=togdoptykrlolpddwbvz&fileformat=p2p&archiveformat=gzand add them to the "Source" field.
Typically you only need to "Deny Outbound", unless you have open ports and want to protect those specific ports...
-
Blocking Exit Nodes will primarily only stop Tor users from connecting to you. It will not stop your users from connecting to Tor.
You need to block access to both Tor Relays and Bridges. Blocking all Bridges and proxies is less than easy.
-
ahh I see. My goal is to stop my users using tor browsers whether on their laptops or mobiles and bypassing blocked websites.
-
BBcan
Do you mean add the URLS you sent into the source section (attached image)
-
Yes exactly.
There are other CSV lists available from here:
https://torstatus.blutmagie.de/
https://www.dan.me.uk/tornodesAnd the IDS url from Proofpoint seems to list both Exit Nodes and Relays etc…
https://rules.emergingthreats.net/open/suricata/rules/tor.rules -
What am I entering in the Header/Label box. It cannot be left blank
-
The Header/Label field is used to name the downloaded files. So each header name needs to be unique and not contain any spaces or special characters…
ie: Blut_TOR, DM_TOR, ET_TOR
-
You could try forcing the router to be the DNS server, when I last tested it TOR was unable to connect.
In Firewall/NAT/Port forward
add a new ruleInterface = LAN
Protocol = TCP/UDP
Source ports = *
Dest address = *
Dest ports = 53
NAT IP = 127.0.0.1
NAT Ports = 53
Description = Redirect DNS
LAN TCP/UDP * * * 53 127.0.0.1 53 Redirect DNS
Save -
This is a real ball ache this TOR stuff. I have a Sonicwall but have to use DPI-SSL to implement blocks for my network but the issue I have is I max out the DPI-SSL count fairly easy. To get around that I have implemented Application blocks via my Anti Virus so if Tor browser/firefox portable etc runs, the AV will block it. So although I am not preventing access to TOR unless I use DPI-SSL, I am stopping the app at source which is working perfect for Domain devices. This is why if I can get this pfblocker working, I will have put something in place to block my BYOD users. It just doesn't look good when you go out an buy an expensive UTM firewall and you get some little shit bypassing blocked websites via TOR.
-
try above method
-
AGeekHere
The URLs in the source field seem to be doing the trick. I can see them appearing in in the Deny Filter and I cannot make a connection with a TOR browser.
I just gave the header a file name. Thanks BBcan177
I will certainly look at your method too. Just curious why Tor would not connect if I made the router the DNS sever
-
You can use Pfblocker with IP black list functionality that includes IP addresses of all Tor exit nodes (updating it manually from public sources). Or Snort with the same (but more difficult to set up properly)
-
just tested it again, it no longer works, oh well.
-
just tested it again, it no longer works, oh well.
I`d try it too - no effect (((
No ideas more? (
