Block TOR Application in Juniper SRX

TOR application allows users to browse any sites, by bypassing firewall. So all the policies, rules configured in SRX goes in vain if users in the network are using TOR application in their browsers. Juniper SRX can’t block TOR application but there is a work around method that can be used to block TOR application to some level. The steps shown here to block TOR application in Juniper SRX is not permanent fix as the IPs used by TOR application changes dynamically.

Block TOR Application in Juniper SRX

To block the TOR application in Juniper SRX, the only way I know to block is by blocking all the IP addresses used by TOR application. There is a site called www.dan.me.uk which finds the list of all the IP addresses used by TOR application, thanks to dan.me.uk.

You can view the list of all the IPs used by TOR application here. There can be about 6000 IP addresses which is quite a lot.

The trick is to use all these IPs in SRX and block them all by using firewall filter. There are 6K IP addresses, how can you put all that in firewall filter in shortcut. Again, the trick is to use Notepad++ application.

Step 1. Copy all the IP addresses from here and paste it in the Notepad++.

Step 2. Now, insert “;” after each IP address. You can do so by using Replace tool in Notepad++, as shown below. Find for “\r” and replace with “;”. Don’t forget to choose Extended option in under search mode in the same box.

Step 3. Now login to SRX and create a firewall filter. Before creating a firewall filter we have to create prefix-list under [edit policy-options] hierarchy.

{primary:node0}[edit policy-options prefix-list TOR-ADDRESS-LIST]
root@SRX# load merge terminal relative
[Type ^D at a new line to end input]

{primary:node0}[edit policy-options]
root@SRX# show
prefix-list TOR-ADDRESS-LIST {
    2.1.254.209/32;
    2.4.148.58/32;
    2.25.26.77/32;
    .
    .
    .
    .
    2.33.88.122/32;
}

Step 4. Now configure the firewall filter. You can also configure logging in SRX to view the logs later.

{primary:node0}[edit firewall filter BLOCK-TOR]
root@SRX# show
term TOR-LIST {
    from {
        source-prefix-list {
            TOR-ADDRESS-LIST;
        }
    }
    then {
        syslog;
        discard;
    }
}
term ALLOW-REST {
    then accept;
}

Step 5. Now apply the filter in Internet facing interface in inbound direction as shown below.

{primary:node0}[edit interfaces reth1]
root@SRX# show
description ****CONNECTED-TO-ISP1***;
redundant-ether-options {
    redundancy-group 1;
}
unit 0 {
    family inet {
        filter {
            input BLOCK-TOR;
        }
        address 100.10.10.2/30;
    }
}

In this way you can block TOR browsers used by your internal users to bypass the firewall.