Block TOR
-
pfsense 2.3.1
Captive Portal via Windows Radius
SquidI want to block access to TOR for my BYOD users. So far I was thinking of just adding the TOR exit nodes to the firewall. I downloaded pfblocker but cannot work out where to add the exit node IP addresses.
any ideas? -
Create a new Alias in the IPv4 tab called "TOR". And add the TOR exit node URLs to the source field. Click on the blue infoblock icons on the pages for further details.
-
On the General tab under pfblocker I have selected enabled.
I then move right to the ipv4 tab and click add.
Alias name TorExitnodes
List Action = deny bothi then scrolled down to IPv4 Custom list. I enter the hundreds of IP addresses click save.
I then click on firewall rules and add source TorExitNodes any any but when I click save, it says TorExitNodes is not a valid source IP address or alias.
-
Any IPs that are added to the customlist, must be formatted with one IP address per line (See the help text)
For TOR, you don't need to manually enter the IPs in the customlist… Best to download the IPs from these sources:
https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv
https://rules.emergingthreats.net/open/suricata/rules/tor.rules
http://list.iblocklist.com/?list=togdoptykrlolpddwbvz&fileformat=p2p&archiveformat=gzand add them to the "Source" field.
Typically you only need to "Deny Outbound", unless you have open ports and want to protect those specific ports...
-
Blocking Exit Nodes will primarily only stop Tor users from connecting to you. It will not stop your users from connecting to Tor.
You need to block access to both Tor Relays and Bridges. Blocking all Bridges and proxies is less than easy.
-
ahh I see. My goal is to stop my users using tor browsers whether on their laptops or mobiles and bypassing blocked websites.
-
BBcan
Do you mean add the URLS you sent into the source section (attached image)
-
Yes exactly.
There are other CSV lists available from here:
https://torstatus.blutmagie.de/
https://www.dan.me.uk/tornodesAnd the IDS url from Proofpoint seems to list both Exit Nodes and Relays etc…
https://rules.emergingthreats.net/open/suricata/rules/tor.rules -
What am I entering in the Header/Label box. It cannot be left blank
-
The Header/Label field is used to name the downloaded files. So each header name needs to be unique and not contain any spaces or special characters…
ie: Blut_TOR, DM_TOR, ET_TOR
-
You could try forcing the router to be the DNS server, when I last tested it TOR was unable to connect.
In Firewall/NAT/Port forward
add a new ruleInterface = LAN
Protocol = TCP/UDP
Source ports = *
Dest address = *
Dest ports = 53
NAT IP = 127.0.0.1
NAT Ports = 53
Description = Redirect DNS
LAN TCP/UDP * * * 53 127.0.0.1 53 Redirect DNS
Save -
This is a real ball ache this TOR stuff. I have a Sonicwall but have to use DPI-SSL to implement blocks for my network but the issue I have is I max out the DPI-SSL count fairly easy. To get around that I have implemented Application blocks via my Anti Virus so if Tor browser/firefox portable etc runs, the AV will block it. So although I am not preventing access to TOR unless I use DPI-SSL, I am stopping the app at source which is working perfect for Domain devices. This is why if I can get this pfblocker working, I will have put something in place to block my BYOD users. It just doesn't look good when you go out an buy an expensive UTM firewall and you get some little shit bypassing blocked websites via TOR.
-
try above method
-
AGeekHere
The URLs in the source field seem to be doing the trick. I can see them appearing in in the Deny Filter and I cannot make a connection with a TOR browser.
I just gave the header a file name. Thanks BBcan177
I will certainly look at your method too. Just curious why Tor would not connect if I made the router the DNS sever
-
You can use Pfblocker with IP black list functionality that includes IP addresses of all Tor exit nodes (updating it manually from public sources). Or Snort with the same (but more difficult to set up properly)
-
just tested it again, it no longer works, oh well.
-
just tested it again, it no longer works, oh well.
I`d try it too - no effect (((
No ideas more? (