What about updating the DNS settings to OpenDNS which has its own free filter control - that allows you to deselect "Proxy/Anonymizer"
On Wed, Jan 6, 2010 at 6:05 PM, Paul Mansfield <[email protected]>wrote: > On 06/01/10 16:46, Robert Mortimer wrote: > >>> On 05/01/10 16:11, Luke Jaeger wrote: > >>>> Has anyone had any success blocking Tor thru pfsense/squidguard? > >> Some > >>> of > >>>> our savvier students are starting to use it to get around the > >> content > >>>> filters ... > >>> > >>> that's a classic case of having a "permit any + deny specific" > >> policy. > >>> You'll have to turn it round, make it "deny all + permit specific", > >> set > >>> up an http proxy with same policy and (don't allow CONNECT except > >> under > >>> fine control) and don't allow anything else out of your network > >> except > >>> that explicitly wanted. > >>> > >> > >> You are wrong, "deny all + permit specific" is not enough for blocking > >> > >> TOR. > >> > > > > Depends how specific you are - if it looks like web access then it's > going to be hard to be specific enough without being too specific > > well, I did say to use a web proxy, which also has a whitelist of > permitted sites, you literally only let your users access very specific > services and hosts on the internet, and NOTHING else is allowed. > > you're now going to say "but that's unmanageable", and I have two answers. > 1/ security is a moving target and hard work, so if you can't trust your > users you'll have to have the resources to manage their access effectively > OR > 2/ educate your users so that you can trust them and have suitable > contracts and measures in place to punish them so that they will follow > procedures > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > > Commercial support available - https://portal.pfsense.org > >
