Block TOR exit nodes inbound to a rule?
We have a public facing server that is being hammered from TOR exit nodes. I'd like to block these IPs inbound to this rule. As a last resort, I can add the exit IP list to the Default Threat Protection blocked sites list, but I'd prefer to just limit it to this one rule. Talking to a colleague, he had said that his firewall systems include TOR in his geo blocking rules which would make it easy, but alas, it appears Watchguard does not have this ability.
Any suggestions, short of adding hundreds of IPs and networks to the blocked sites list?
Best Answer
james.carson (Moderator, WatchGuard Representative)
Hi @CraigS
If you're just looking to limit inbound traffic, you can make a separate firewall rule for that inbound traffic and apply a traffic management action to it. You could create an alias (under Setup -> Aliases) and use that in the From field instead of Any External. For example:
Rule - Name - From - To
1 - Webserver From TOR nodes - TOR Node Alias - SNAT external -> 192.168.10.252
2 - Webserver All Others - Any External - SNAT external -> 192.168.10.252
For the traffic management action, you could rate limit per IP address (so multiple clients using the same TOR node would effectively divide up whatever you assigned/gave them).
-James Carson
WatchGuard Customer Support

Answers
Hi @CraigS
You can quickly import items to Blocked Sites by using the Import button (in Policy Manager).
Go to Setup -> Default Threat Protection -> Blocked Sites, and click Import.
The file needs to be formatted as one IP per line, like so. You can add a comment by appending this character followed by the comment text: |comment
Like this:
1.2.3.4
64.74.30.0/24|comment
I would suggest checking out application control first, as there is a definition for TOR under Tunneling and Proxy services. You may be able to simply drop that traffic using app control.
Thank you,
-James Carson
WatchGuard Customer Support
I'm familiar with importing IPs to the blocked sites list, but I was hoping for a more surgical method than blocking TOR exit node IPs across the board.
This is an inbound connection I'm attempting to limit the traffic on; application control wouldn't help in this case.
Yes, that's it! I had forgotten about creating an alias list and using that as a deny rule. This is what I was looking for (although maintaining the TOR list will require diligence).
Did you implement this? I was concerned that the number of addresses that needs to be checked against would result in latency, or that the size of the list would be problematic for the size of the firewall config.
https://isc.sans.edu/api/threatlist/torexit/
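Whichever way the list ends up on the box (the Blocked Sites import described in the answer above, or an alias for the per-rule deny), a feed like the ISC torexit list still has to be turned into a clean, deduplicated file first. The script below is an added example written for this thread; it is not WatchGuard code and not the ISC feed maintainers' code. It assumes a one-address-per-line text list (the sample feed here is constructed, and the real ISC API output format is not shown on this page, so adapt `parse_feed` to whatever you actually pull), validates each entry, drops RFC 1918, loopback and link-local space so you can never lock yourself out, collapses duplicates and hosts already covered by a listed network, and emits the `address|comment` lines that the Blocked Sites import expects.

```python
"""Build a WatchGuard Blocked Sites import file from a Tor exit-node list.

Example code added to this forum thread, not from WatchGuard or from the
maintainers of the ISC threat list. The feed format below is an assumption:
one address (or CIDR) per line, comments starting with '#'.
"""
import ipaddress
import re

# Constructed sample feed: duplicates, a CIDR plus a host inside it, an
# IPv6 node, a private address that must never be blocked, and junk.
SAMPLE_FEED = """\
# tor exit nodes (constructed sample, not real feed data)
203.0.113.10
203.0.113.10
198.51.100.0/24
198.51.100.7
2001:db8::1
10.0.0.5
not-an-address
"""

# Address space that should never land in a blocked-sites list; extend this
# with your own public ranges before running it against a real feed.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Leading token that looks like an IPv4/IPv6 address with optional prefix.
_ADDR_RE = re.compile(r"[0-9a-fA-F:.]+(?:/\d{1,3})?")


def parse_feed(text):
    """Return IPv4/IPv6 networks parsed from free-form feed lines.

    Bare hosts become /32 or /128 networks so every entry is comparable;
    blank lines, '#' comments and unparseable tokens are skipped."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _ADDR_RE.match(line)
        if not m:
            continue
        try:
            nets.append(ipaddress.ip_network(m.group(0), strict=False))
        except ValueError:
            continue  # e.g. a hostname or a malformed prefix
    return nets


def filter_and_collapse(nets, never_block=NEVER_BLOCK):
    """Drop anything overlapping the never-block list, then merge duplicates
    and hosts that a listed network already covers (per address family)."""
    keep = [n for n in nets
            if not any(n.version == x.version and n.overlaps(x)
                       for x in never_block)]
    v4 = ipaddress.collapse_addresses(n for n in keep if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in keep if n.version == 6)
    return list(v4) + list(v6)


def to_blocked_sites_lines(nets, comment="tor-exit"):
    """Emit import lines: a single host as a bare IP, a range as CIDR,
    each tagged with |comment so the source is visible in the GUI."""
    lines = []
    for n in nets:
        entry = str(n.network_address) if n.num_addresses == 1 else str(n)
        lines.append(f"{entry}|{comment}")
    return lines


def build_import(text, comment="tor-exit"):
    """Feed text in, Blocked Sites import lines out."""
    return to_blocked_sites_lines(filter_and_collapse(parse_feed(text)), comment)


if __name__ == "__main__":
    # Redirect this to a file and import it via Setup -> Default Threat
    # Protection -> Blocked Sites -> Import.
    for line in build_import(SAMPLE_FEED):
        print(line)
```

The comment tag is what lets you find and remove stale entries later when you refresh the list; keep a fixed tag per source (for example one for Tor exits and another for compromised hosts) so the refresh can replace exactly one source's entries without touching the rest.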
Yes we did implement it. We have 2,275 addresses (TOR and Compromised Hosts) in our alias list. We have 210 rules and the only slowdown we see is while opening the Firewall Policy Manager (M370).
There is also a feature request FBX-5140 to add an optional subscription add on to block TOR Exit nodes as part of BotNet subscription. You could open a case to add a "me too" to this RFE.
fast forward to June 2022...
Introduction
Fireware v12.8.1 is a maintenance release for Firebox T20, T40, T55, T70, T80, Firebox M Series (except M200 and M300), FireboxV, and Firebox Cloud appliances.
This release provides a new Tor Exit Node Blocking service and includes a number of resolved issues and security fixes. Features in this release include:
Tor Exit Node Blocking
You can use the new Tor Exit Node Blocking service to block inbound traffic from Tor exit nodes to the Firebox. Tor provides anonymity that can be used to hide malicious activity.
If your configuration has Botnet Detection enabled, after you upgrade to Fireware v12.8.1, Tor Exit Node Blocking is enabled in all policies by default.
Thanks, I saw that and already implemented it. It definitely reduces some attempted attacks and probes.