Blocking Tor with pfBlockerNG in pfSense


I came across a few hosts in my pfSense firewall logs hammering my home webserver through Tor. While I understand the Tor network’s value, I do not want middle nodes or exit nodes hitting my home webserver for any reason; I use it basically for media streaming. So, I decided to “block” Tor, and pfBlockerNG comes once again to the rescue!

Searching online for a Tor nodes list (being lazy as usual), I found Dan at www.dan.me.uk offering a nice full list that includes more than just Tor exit nodes. The list is flagged so that you can write your own scripts around it and selectively grab Tor relay and exit node IPs as you wish. Since most of the work has already been done by Dan, I’m using his list to create my own IPv4 and IPv6 Tor IP banlists for pfBlockerNG.

From Dan’s website, you can fetch https://www.dan.me.uk/torlist/ (FULL) or https://www.dan.me.uk/torlist/?exit (EXIT only) for a list of IPs only, one per line, updated every 30 minutes. Ideal for constructing your own Tor banlists. Please note that https://www.dan.me.uk/torlist/ can be fetched ONCE every 30 minutes, and visiting that link will prevent you from accessing the list again until after the 30-minute grace period. I don’t blame him!

"Umm… You can only fetch the data every 30 minutes – sorry. It’s pointless any faster as I only update every 30 minutes anyway. If you keep trying to download this list too often, you may get blocked from accessing it completely. (this is due to some people trying to download this list every minute!)"

Anyways, I created two (2) lists off of Dan’s to separate IPv4 and IPv6 Tor node IPs and use them in pfBlockerNG; that’s what I will be sharing with you today in case they are of use to you too.

My lists do not make any distinction between Tor relays and exits; they simply aggregate them into one block list of all Tor node IPs, updated hourly:

IPv4 Tor Nodes IPs: https://unlockforus.com/pfblockerng/tor_nodes_ipv4.txt
IPv6 Tor Nodes IPs: https://unlockforus.com/pfblockerng/tor_nodes_ipv6.txt

Feel free to use them in your pfBlockerNG, but remember that fetching the lists more frequently than once per hour only burdens the server without benefiting anyone.
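
One way to build split lists like these from a saved copy of Dan’s list, as an added example (not the script that generates the lists above). The function names, file paths and sample addresses are assumptions; the point is to respect the 30-minute fetch limit and to keep the previous banlists when the download turns out to be the rate-limit message instead of IPs:

```python
import ipaddress
import os
import time

MIN_FETCH_INTERVAL = 30 * 60  # seconds; the source list allows one fetch per 30 minutes
# Constructed sample input (documentation address ranges, not real Tor nodes)
SAMPLE = "192.0.2.10\n2001:db8::1\n198.51.100.7\n192.0.2.10\n"


def split_tor_list(text):
    """Return (ipv4, ipv6, rejected): sorted, de-duplicated IPs plus invalid lines."""
    v4, v6, rejected = set(), set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            addr = ipaddress.ip_address(line)
        except ValueError:
            rejected.append(line)  # not an IP: error page, HTML, truncated line
            continue
        (v4 if addr.version == 4 else v6).add(addr)
    return [str(a) for a in sorted(v4)], [str(a) for a in sorted(v6)], rejected


def may_fetch(cache_path, now=None):
    """True if the cached download is missing or at least 30 minutes old."""
    now = time.time() if now is None else now
    try:
        return now - os.path.getmtime(cache_path) >= MIN_FETCH_INTERVAL
    except OSError:
        return True


def write_lists(text, v4_path, v6_path):
    """Write both banlists; return False and keep the old files if input looks wrong."""
    v4, v6, rejected = split_tor_list(text)
    if rejected or not (v4 or v6):
        return False  # e.g. the rate-limit message was served instead of IPs
    for path, addrs in ((v4_path, v4), (v6_path, v6)):
        tmp = path + ".tmp"
        with open(tmp, "w") as fh:
            fh.write("\n".join(addrs) + "\n")
        os.replace(tmp, path)  # atomic swap: pfBlockerNG never reads a half-written file
    return True


if __name__ == "__main__":
    print(split_tor_list(SAMPLE))
```
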

Blocking with pfBlockerNG

In pfSense, assuming that you have already installed and enabled pfBlockerNG, browse to Firewall => pfBlockerNG.

Create a new alias under IPv4 and IPv6 (if IPv6 traffic is allowed in your network). Creating the new alias is self-explanatory:

Alias Name: Tor Nodes IPv4
List Description: UnlockForUs full list of all TOR nodes sourced from www.dan.me.uk/torlist/
IPv4 Lists: AUTO ON https://unlockforus.com/pfblockerng/tor_nodes_ipv4.txt TorNodesBlockIPs_ipv4
List Action: Deny Both (or other if you wish to allow outgoing traffic, etc.)
Update Frequency: Every Hour
Enable Logging: Enable

Repeat the steps above to create your IPv6 Tor node IPs alias if also needed:

Alias Name: Tor Nodes IPv6
List Description: UnlockForUs full list of all TOR nodes sourced from www.dan.me.uk/torlist/
IPv6 Lists: AUTO ON https://unlockforus.com/pfblockerng/tor_nodes_ipv6.txt TorNodesBlockIPs_ipv6
List Action: Deny Both (or other if you wish to allow outgoing traffic, etc.)
Update Frequency: Every Hour
Enable Logging: Enable

Scroll down and click Save to commit your settings, then browse to Firewall => pfBlockerNG => Update tab and force a manual reload.

Cheers!