Netgate Discussion Forum

    Using Tor Network and pfBlockerNG

dma_pf

I was reading this post about blocking Tor exit nodes: https://forum.pfsense.org/index.php?topic=126375.0 which led me to wonder how one would go about allowing a LAN device to initiate traffic through the Tor network and receive a response through the Tor network, but at the same time block non-LAN-initiated incoming traffic from the Tor network?

      Am I correct in assuming that this could be accomplished by using the lists in the above post to create 2 separate List Alias in pfBlockerNG as follows:

      List Alias #1. Creates a "Deny Inbound" rule for the list, and
      List Alias #2. Creates a "Permit Outbound" as the list option

      Also, does anybody know of a list of "bad/compromised" Tor exit relays?

BBcan177 (Moderator)

        You only need to allow the outbound and that will create a firewall state (Stateful Firewall) which will allow the packets back thru the Inbound (WAN)… If you have Internet facing ports, then you could use a Permit Inbound rule for those specific ports.

        Don't think there is a specific Bad TOR node list.... Sometimes they are added to some IP Blacklists, but the feed maintainers try not to add TOR nodes to blocklists...

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

dma_pf

          I think I got it! But let me put out 2 examples to see if I really do.

          Example 1

          Let's say I have an outbound GeoIP deny rule that blocks China. Tor wants to establish a circuit with the entrance relay being in China. Am I correct that the circuit would not be established because China is blocked by the outbound rule?

          Example 2

          Again I have China denied by an outbound rule. I'm browsing in Tor with an entrance relay in Germany which is not blocked. I hit a link in the Tor browser to a site in China. The result is it gets blocked?

BBcan177 (Moderator)

If you want to use GeoIP and TOR, you can create a TOR alias and add the TOR exit node feeds. Set the Action to "Permit Outbound". Then ensure that the Rule Order option has the permit rules above the Block/Reject rules. Firewall rules are processed top to bottom.

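The two points BBcan177 makes above (an outbound permit creates a state that lets the reply back in, and rules are evaluated top to bottom so the Tor permit must sit above the GeoIP block) can be checked with a small model. The following Python is an added example written for this thread; it is not pfSense or pfBlockerNG code, it only imitates first-match rule evaluation and a state table. The address ranges (documentation prefixes) and the alias names `pfB_Tor_Permit` and `pfB_GeoIP_CN_Block` are constructed placeholders, and the assumed defaults (LAN may go out, unsolicited WAN traffic is denied) mirror a stock pfSense install.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed placeholder ranges standing in for pfBlockerNG aliases; not real feed data.
TOR_EXIT_ALIAS = [ipaddress.ip_network("198.51.100.0/24"),   # "Tor exit feed"
                  ipaddress.ip_network("203.0.113.9/32")]    # a Tor relay that also lies inside the China range
GEOIP_CN_ALIAS = [ipaddress.ip_network("203.0.113.0/24")]    # "GeoIP China"


@dataclass
class Rule:
    action: str       # "permit" or "block"
    direction: str    # "out" (LAN -> Internet) or "in" (Internet -> LAN, on WAN)
    alias: list       # networks matched against the remote (Internet-side) address
    name: str = ""

    def matches(self, direction, remote):
        return self.direction == direction and any(remote in net for net in self.alias)


@dataclass
class Firewall:
    rules: list
    states: set = field(default_factory=set)   # (lan_host, remote) pairs with an open state

    def packet(self, direction, lan_host, remote):
        """Return the verdict for one packet, updating the state table like a stateful firewall."""
        lan_host, remote = ipaddress.ip_address(lan_host), ipaddress.ip_address(remote)
        # State check comes first: a reply to an existing state never reaches the rule set.
        if (lan_host, remote) in self.states:
            return "permit (state)"
        # Rules are processed top to bottom; the first match wins.
        for rule in self.rules:
            if rule.matches(direction, remote):
                if rule.action == "permit" and direction == "out":
                    self.states.add((lan_host, remote))   # outbound permit opens a state
                return f"{rule.action} ({rule.name})"
        # Assumed defaults: LAN may go out, unsolicited WAN traffic is denied.
        if direction == "out":
            self.states.add((lan_host, remote))
            return "permit (default)"
        return "block (default)"


def scenario_stateful():
    """Only a 'Permit Outbound' rule exists; replies ride the state, unsolicited Tor traffic is dropped."""
    fw = Firewall([Rule("permit", "out", TOR_EXIT_ALIAS, "pfB_Tor_Permit")])
    out = fw.packet("out", "192.168.1.10", "198.51.100.5")          # LAN host opens a circuit to a relay
    reply = fw.packet("in", "192.168.1.10", "198.51.100.5")         # relay's reply matches the state
    unsolicited = fw.packet("in", "192.168.1.10", "198.51.100.77")  # no state: hits the WAN default deny
    return out, reply, unsolicited


def scenario_rule_order(permit_first):
    """A GeoIP block and a Tor permit both match the same relay; only the order decides the verdict."""
    geo = Rule("block", "out", GEOIP_CN_ALIAS, "pfB_GeoIP_CN_Block")
    tor = Rule("permit", "out", TOR_EXIT_ALIAS, "pfB_Tor_Permit")
    fw = Firewall([tor, geo] if permit_first else [geo, tor])
    return fw.packet("out", "192.168.1.10", "203.0.113.9")


if __name__ == "__main__":
    print(scenario_stateful())            # ('permit (pfB_Tor_Permit)', 'permit (state)', 'block (default)')
    print(scenario_rule_order(True))      # permit (pfB_Tor_Permit)
    print(scenario_rule_order(False))     # block (pfB_GeoIP_CN_Block)
```

Two caveats for reading the model against a real box: pf matches on far more than the remote address (interface, protocol, ports, source), so a permit alias should be as narrow as the feed allows; and for dma_pf's Example 2 the firewall only ever sees the address of the entry relay, because the destination of a site reached through Tor is carried inside the encrypted circuit, so a GeoIP block on pfSense cannot act on it.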

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.