Using Tor Network and pfBlockerNG

  • I was reading this post about blocking Tor exit nodes: which led me to wonder how one would go about allowing a lan device to initate traffic through the Tor network and recieve a response through the Tor Network, but at the same time block non-LAN initiated incoming traffic from the Tor network?

    Am I correct in assuming that this could be accomplished by using the lists in the above post to create 2 separate List Alias in pfBlockerNG as follows:

    List Alias #1. Creates a "Deny Inbound" rule for the list, and
    List Alias #2. Creates a "Permit Outbound" as the list option

    Also, does anybody know of a list of "bad/compromised" Tor exit relays?

  • Moderator

    You only need to allow the outbound and that will create a firewall state (Stateful Firewall) which will allow the packets back thru the Inbound (WAN)… If you have Internet facing ports, then you could use a Permit Inbound rule for those specific ports.

    Don't think there is a specific Bad TOR node list.... Sometimes they are added to some IP Blacklists, but the feed maintainers try not to add TOR nodes to blocklists...

  • I think I got it! But let me put out 2 examples to see if I really do.

    Example 1

    Let's say I have an outbound GeoIP deny rule that blocks China. Tor wants to establish a circuit with the entrance relay being in China. Am I correct that the circuit would not be established because China is blocked by the outbound rule?

    Example 2

    Again I have China denied by an outbound rule. I'm browsing in Tor with an entrance relay in Germany which is not blocked. I hit a link in the Tor browser to a site in China. The result is it gets blocked?

  • Moderator

    if you want to use GEOIP and TOR, you can create a TOR alias and add the TOR exit node feeds. Set the Action to "Permit Outbound".  Then ensure that the Rule Order option has the permit rules above the Block/Reject rules. Firewall rules are processed top to bottom.

Log in to reply