Block users from using Tor

Unanswered Question
Sep 8th, 2010

The title says it all.

How do I block users from using the Tor network to bypass the firewall?

All I'm able to find is that Tor uses port 9001 (TCP) by default but switches to any other open port (80,443,25,23,22, etc) when it's blocked.

Blocking those 'backup' ports is obviously not the right way, so I'm looking for inspect rules or any other way to classify and block Tor.

mirober2 Wed, 09/08/2010 - 05:45

Hi Frank,

I did a quick capture to look at the Tor client while it is connecting. It looks like it encrypts most of the connection traffic, so all your users would probably need to first connect through a proxy that could decrypt the connection and block it that way. Tor is designed to be very resilient, so I don't think you'll find a feasible way to block it at the firewall.

Hope that helps.


Frank Hoeben Wed, 09/08/2010 - 06:24

I was afraid of that.

Plan B would be to tell the AV software to block the Tor executables by default, but files are easily renamed and versions change so file hashes are useless.

Plan C is making the use of firewall bypassing software an offense punishable by death.

Nagaraja Thanthry Wed, 09/08/2010 - 06:35


One alternative could be to tie down the inside interface access-list to a specific list of allowed ports. From what I understand of the working of Tor, it tries to relay through multiple hosts and for that, the relay servers set up certain ports. So, if you limit the inside network access to normal ports like 80/443, and 53, then the access will be limited to these ports. Now, you can configure HTTP inspection to limit Tor access on port 80 as well (you might take a performance hit when you configure HTTP inspection). This will limit Tor users to using only port 443 for relay.

Hope this helps.
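The approach described in this reply, written out as an added Cisco ASA configuration example (not posted in the thread); the inside network 10.0.0.0/24 and the object, ACL and policy-map names are assumed:

```cisco
! Added example: egress ACL that permits only DNS, HTTP and HTTPS from the
! inside network, followed by strict HTTP inspection on tcp/80 so that
! traffic on port 80 that is not actually HTTP is dropped.
! 10.0.0.0/24 and all names below are assumptions for illustration.
object-group network INSIDE_NET
 network-object 10.0.0.0 255.255.255.0
!
access-list INSIDE_OUT extended permit udp object-group INSIDE_NET any eq domain
access-list INSIDE_OUT extended permit tcp object-group INSIDE_NET any eq domain
access-list INSIDE_OUT extended permit tcp object-group INSIDE_NET any eq www
access-list INSIDE_OUT extended permit tcp object-group INSIDE_NET any eq https
! Deny and log everything else, so attempts on 9001 or the 'backup' ports
! from the question show up in syslog instead of silently failing
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside
!
! Strict HTTP inspection: connections on tcp/80 that violate the HTTP
! protocol are dropped and logged
policy-map type inspect http HTTP_STRICT
 parameters
  protocol-violation action drop-connection log
!
! Apply it under the default inspection class, which already matches tcp/80
policy-map global_policy
 class inspection_default
  inspect http HTTP_STRICT
```

As the reply notes, port 443 stays open and Tor over 443 looks like ordinary TLS, so this limits rather than eliminates Tor use; the deny log line at least makes the other attempts visible.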



Tagir Temirgaliyev Mon, 10/20/2014 - 08:38

Do you have all the IP addresses of the Tor servers?

A Palo Alto firewall can block Tor because it has protocol inspection.

nawir Mon, 10/20/2014 - 18:55

If you check my link, there are around 6500 servers I need to copy and paste into the botnet blacklist.

I admit it's not an automatic way to block Tor, but at least it works. I have already tested that.

If management has the budget, of course they can buy another device that is easier to manage.

It's just one alternative to block Tor.