Objective of this guide
The purpose of this guide is to explain how to configure pfSense to block the Tor browser.
Hardware and software environment used
Tested hardware: We performed the configuration on a single hardware system; the configuration can be replicated on any device compatible with pfSense. However, we recommend not using a system less powerful than the one used in our tests.
Tested Corporate Firewall:
The entire Compact Small UTM line
All the Small UTM line
The software used on the appliance is pfSense® version 2.4.4-RELEASE-p3
The Tor browser, when started, first connects to a server and establishes a tunnel with it. Once the tunnel has been created, the user has free access to the resources provided by the Tor network. To avoid this, you need to prevent the Tor browser from connecting.
Here is the Tor connection screen:
Below is a possible configuration of pfSense to block Tor:
- First install pfBlockerNG;
- From System->Package Manager, locate the pfBlockerNG package and install it by clicking on the + Install button.
After installation, select Firewall->pfBlockerNG and enable the service with the “Enable/Disable” option.
Select the LAN in the inbound Firewall Rules, and the WANs / networks under outbound Firewall Rules
Then save and select the “IPV4” tab.
Click on the “+ Add” button and then configure as shown in the figure, putting the following URL in the source heading
We offer only one URL, which is reasonably effective.
In particular, configure: “Alias Name”, “ipv4 Lists”, “Lists Action”, “Update Frequency”.
Click on “Update”, select “Reload” and click on “Run”, then select “Update” and click on “Run”.
If you launch the Tor browser, it should return an error similar to this one:
The configuration of pfBlockerNG can be very complex; in our example it is used only to block the Tor network. To block other similar networks, it will be sufficient to find a “URL” that contains the IPs to be blocked and insert it in the configuration under Firewall->pfBlockerNG->IPv4, in the “IPV4 lists” field.
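A pre-check for any additional list before its URL goes into the “IPV4 lists” field, as an added example that is not part of the original guide or of pfBlockerNG: it rejects entries that are malformed, too broad, or overlap private ranges, because a deny list containing them would also cut off legitimate traffic. The sample feed is constructed, and PROTECTED and MIN_PREFIX are assumptions to adapt to your own network.

```python
import ipaddress

# Constructed sample feed (documentation ranges), not a real node list.
SAMPLE_FEED = """\
# constructed sample list
198.51.100.7
203.0.113.0/28
203.0.113.5        ; already covered by the /28 above
192.168.1.1
0.0.0.0/0
10.0.0.0/8
not-an-ip
198.51.100.7
"""

# Assumption: ranges a deny rule must never touch; add your WAN gateway, DNS, etc.
PROTECTED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
MIN_PREFIX = 8  # assumption: anything broader than a /8 in a feed is a mistake


def vet_feed(text, min_prefix=MIN_PREFIX, protected=PROTECTED):
    """Return (accepted, rejected) for an IPv4 deny list.

    accepted: sorted, de-duplicated, collapsed list of IPv4Network
    rejected: list of (line_number, entry, reason)
    """
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Drop '#' and ';' comments, then surrounding whitespace.
        entry = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((lineno, entry, "not an IP or CIDR"))
            continue
        if net.version != 4:
            rejected.append((lineno, entry, "not IPv4"))
        elif net.prefixlen < min_prefix:
            rejected.append((lineno, entry, "prefix too broad"))
        elif any(net.overlaps(p) for p in protected):
            rejected.append((lineno, entry, "overlaps protected range"))
        else:
            accepted.append(net)
    return sorted(ipaddress.collapse_addresses(accepted)), rejected
```

Run it on the downloaded list text and review the rejected entries before enabling the alias with a deny action.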