
At present no reliable way to block Tor Browser?

Although I had enabled "Filter avoidance apps" (app control) as well as SSL inspection, Tor Browser managed to connect to the internet. As Sophos support told me on the phone, this problem seems to be known.

Are there any experiences here in blocking Tor Browser reliably?
Maybe more steps are necessary to block it, as outlined here for another manufacturer?

  • Hi,

    I have been able to stop downloading the tor browser using the application and web policies. I created my own web url group and added torproject.org to it. Then I added that to my 'block bad stuff' policy and while I can access the tor site, I cannot download the tor browser.

    I have not installed tor browser so I cannot tell if this approach stops the tor browser from connecting. Also there was a post by one of the Sophos Devs about tuning the IPS settings to assist with blocking tor.


    Ian

  • I removed my web block and installed tor browser on my MBP running Mojave latest version.

    I was unable to connect using tor browser with and without setting up the proxy bypass int per browser. It failed to connect to two different IP addresses.

    I have application and web policies using standard XG supplied lists.

    Ian

  • Hi Sacha,

    Why I asked about your ports was that the MS site advises not all ports are required except if you want really high quality calls.

    I shall experiment during the day, the weather's not inductive to working outside.

    Ian

  • Hi Sacha,

    A couple of points of interest:

    1/. XG should have stopped me from downloading TOR - it didn't.

    2/. Sophos home should have blocked TOR - it didn't.


    The following are my attempts to connect to the TOR network, with and without configuring HTTP proxy.

    The only thing I can't really check is if Skype works, I have added all the ports you are using to my Skype firewall rule. My wife's Skype still connects but has nothing to talk to at this stage.

    Ian

    Update point of interest - TOR currently does not try to use IPv6, if and when it does the current version of XG will not be able to block it easily if at all and allow other applications to function because the current version of XG does not support FQDN in the IPv6 rules.

  • Further, I have installed Skype and logged in, connects and authenticates okay.

    Ian

  • Hi Sacha Roland,

    I think part of your current issue is with your service definitions being too narrow.

    I think they should be like this.

    Ian

  • Thanks to Ian, I got Skype working while keeping Tor Browser blocked by removing services for High Quality Skype Calls and editing my standard skype ports to these:

  • Okay, I'll try that as well. But how to deal with the IPv6 addresses listed here: https://www.dan.me.uk/torlist/

    And what exactly do you mean when writing "The update can be used on the object, without touching the firewall object."?

  • The IPv6 addresses would have to be in IPv6 IP Hosts. But this can also be dealt with in a Script to split them up.

    You need only to configure the Firewall rule once with the objects in it and the Deny. 

    The Script would only update the objects and does not need to change the firewall rule. 
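
One way to do the splitting step described above, as an added example that is not from the thread or from Sophos: it parses a one-address-per-line list (the sample input is constructed from documentation-range addresses), drops malformed lines and duplicates, and returns the IPv4 and IPv6 groups to load into the two IP Host objects. Pushing the result to the firewall is left out, since the XG API call is not shown in the thread.

```python
"""Split a Tor relay address list into IPv4 and IPv6 host groups.

Added example for the forum thread; not Sophos code. The input format
(one address per line) matches the torlist page linked in the thread,
but the sample below is constructed, not downloaded.
"""
import ipaddress

# Constructed sample standing in for a torlist download: documentation
# ranges only, plus a duplicate, a comment and a junk line to show the
# validation path.
SAMPLE_TORLIST = """\
192.0.2.10
198.51.100.7
2001:db8::1
192.0.2.10
# comment line
not-an-address
2001:db8:ffff::2
203.0.113.250
"""


def split_torlist(text: str) -> tuple[list[str], list[str]]:
    """Return (ipv4, ipv6) as sorted, de-duplicated address strings."""
    v4, v6 = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addr = ipaddress.ip_address(line)
        except ValueError:
            # Skip malformed entries instead of writing garbage into the
            # IP Host object; a bad entry would break the update, not the rule.
            continue
        (v4 if addr.version == 4 else v6).add(addr)
    # Sort as address objects (numeric order), then render as strings.
    return [str(a) for a in sorted(v4)], [str(a) for a in sorted(v6)]


if __name__ == "__main__":
    ipv4, ipv6 = split_torlist(SAMPLE_TORLIST)
    print("IPv4 hosts:", ipv4)
    print("IPv6 hosts:", ipv6)
```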

  • Unfortunately, when I check "Tor is censored in my country" in Tor settings and choose "Select a built-in bridge > meek-azure" then Tor connects to the internet.

  • Hi Sacha,

    Which firewall rules is your connection going through?

    I tried that configuration you posted and it failed very quickly to establish a connection.

    So far using the alternate connection offered the application has been 'loading relay information' for over 15 minutes and still trying.

    I am currently running v18.0.1 MR-1 patched and I have not made any changes since I last tested TOR access except for a rollback and a rollforward.

    Ian

    update: 30 minutes later no connection, but I have not tried asking the project team for a proxy.

    Thank you so much for keeping track of this issue, Ian.

    I traced the culprit firewall rule:

    (Action: allow)

    Source zones: ANY
    Source networks and devices: ANY
    Destination zones: WAN
    Destination networks: see list below
    Services: ANY


    List of FQDNs:

    skype.com
    live.com
    skypeassets.com
    live.net
    msecnd.net
    auslogics.com
    windows.com
    msocsp.com
    omniroot.com
    trouter.io
    passport.net
    live-int.com
    gfx-int.ms
    passport-int.net
    gfx.ms
    ec2-52-6-101-221.compute-1.amazonaws.com
    microsoftonline.com
    microsoftonline-p.com
    onmicrosoft.com
    sharepoint.com
    outlook.com
    lync.com
    msftconnecttest.com


    After removing this FQDN-group, tor couldn't connect anymore, even with bridge-mode. The FQDNs I put in a web exception rule instead.

    But why did the above FQDNs from big companies allow tor to connect to the internet? I am curious to understand that.

    If I wanted to keep the FQDNs in a firewall rule (instead of putting them into web exceptions), what would I have to do to block tor browser anyway? I am curious to understand that as well.
