This article describes the steps involved to block the anonymity network Tor.
If users can connect to Tor, they can bypass Guardian and therefore have an unfiltered connection. This means that they can browse to websites that would otherwise be blocked.
To block Tor, you need to set up both a Firewall rule and a HTTPS Decrypt and Inspect policy.
Tor uses a range of different firewall ports. In the past, it has mainly used 80, 443, 9001, 9050 and 9150. However, this has changed in some of the more recent updates.
Firstly, set up a Firewall rule to block the Tor layer 7 signature. If you have a Smoothwall UTM, follow these instructions:
- Go to Network > Firewall > Firewall rules.
- Click Add section, type the Name "Tor" and click Save changes.
- Point to your new Tor section, click Add rule, and then click Top of section.
- Type the Name "Block Tor".
- Enter or select the network interfaces/IP addresses to which you want the rule to apply.
- Under Applications, look for "Proxies > Tor", select it and click Add.
- From the Action list, select "Drop" and click Save changes.
Secondly, set up a HTTPS Decrypt and Inspect policy. Tor also tries to connect over port 80 and 443. This policy stops it from connecting over those ports:
- Go to Guardian > HTTPS inspection > Policy Wizard.
- Add in the following attributes:
- Who - Everyone*
- What - Everything
- Where - Everywhere*
- When - Always*
- Action - Decrypt and Inspect
* Change as appropriate
When these two rules are applied, Tor can no longer connect.