Summary:
This article describes the steps involved to block the anonymity network Tor.
Problem:
If users can connect to Tor, they can bypass Guardian and therefore have an unfiltered connection. This means that they can browse to websites that would otherwise be blocked. Tor can connect over a range of different ports. In the past, it has mainly used 80, 443, 9001, 9050 and 9150; however, this has changed in some of the more recent updates.
Solution:
To block Tor, you need to set up both a Firewall rule and an HTTPS Decrypt and Inspect policy:
- Set up a Firewall rule to block the Tor layer 7 signature (see our help topic, Adding new Smoothwall Firewall rules):
  - Go to Network > Firewall > Firewall rules.
  - Click Add section, type the Name "Tor" and click Save changes.
  - Point to your new Tor section, click Add rule, and then click Top of section.
  - Type the Name "Block Tor".
  - Enter or select the network interfaces/IP addresses to which you want the rule to apply.
  - Under Services, add from the list or create any ports Tor may use (some are noted above; some research may be required to find the latest ports).
  - OPTIONAL: Under Applications, look for "Proxies > Tor", select it and click Add. This requires a licence for Layer 7 Filtering.
  - From the Action list, select "Drop" and click Save changes.
- Set up an HTTPS Decrypt and Inspect policy (see our help topic, Creating HTTPS inspection policies). Tor also tries to connect over ports 80 and 443; this policy stops it from connecting over those ports:
  - Go to Guardian > HTTPS inspection > Policy Wizard.
  - Add the following attributes:
    - Who - Everyone*
    - What - Everything
    - Where - Everywhere*
    - When - Always*
    - Action - Decrypt and Inspect
* Change as appropriate
When these two rules are applied, Tor can no longer connect.
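The following is an added example (not part of this article or of Smoothwall itself) that audits connection-log lines against the two controls described above: it flags connections to the Tor ports the article lists or to the Layer 7 "Tor" signature as dropped by the firewall rule, and marks plain port 80/443 connections as ones only the HTTPS Decrypt and Inspect policy can classify. The log format, field names and sample lines are assumed and constructed for the example, not Smoothwall's real log format.

```python
"""Audit constructed connection-log lines against the article's two controls.
Assumed log format (not Smoothwall's real one): 'src=IP dst=IP dport=PORT [app=NAME]'."""
import re
from typing import Dict, List, Tuple

# Ports the article lists as historically used by Tor (besides 80 and 443).
TOR_PORTS = {9001, 9050, 9150}
# Ports Tor shares with ordinary web traffic; a port block cannot tell Tor
# apart here, only the HTTPS Decrypt and Inspect policy can.
WEB_PORTS = {80, 443}

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)(?: app=(\S+))?")


def classify(line: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one log line.

    'drop'    - caught by the firewall rule (Tor port or Layer 7 signature)
    'inspect' - port 80/443 with no application label; needs HTTPS inspection
    'allow'   - nothing in the article's rules applies
    """
    m = LINE_RE.search(line)
    if not m:
        return ("unparsed", line.strip())
    src, dst, dport, app = m.group(1), m.group(2), int(m.group(3)), m.group(4)
    if app and app.lower() == "tor":
        return ("drop", f"{src}->{dst}:{dport} matched Layer 7 signature Proxies > Tor")
    if dport in TOR_PORTS:
        return ("drop", f"{src}->{dst}:{dport} matched Tor port list")
    if dport in WEB_PORTS:
        return ("inspect", f"{src}->{dst}:{dport} web port, relies on Decrypt and Inspect")
    return ("allow", f"{src}->{dst}:{dport}")


def audit(lines: List[str]) -> Dict[str, int]:
    """Count verdicts so an admin can confirm the rules are catching traffic."""
    counts = {"drop": 0, "inspect": 0, "allow": 0, "unparsed": 0}
    for line in lines:
        counts[classify(line)[0]] += 1
    return counts


# Constructed sample lines, not real Smoothwall output.
SAMPLE = [
    "src=10.0.0.5 dst=198.51.100.7 dport=9001",
    "src=10.0.0.5 dst=198.51.100.9 dport=443 app=tor",
    "src=10.0.0.8 dst=203.0.113.2 dport=443",
    "src=10.0.0.8 dst=203.0.113.4 dport=22",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(*classify(line))
    print(audit(SAMPLE))
```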