On 06/01/10 16:46, Robert Mortimer wrote:
>>> On 05/01/10 16:11, Luke Jaeger wrote:
>>>> Has anyone had any success blocking Tor thru pfsense/squidguard? Some of
>>>> our savvier students are starting to use it to get around the content
>>>> filters ...
>>>
>>> that's a classic case of having a "permit any + deny specific" policy.
>>> You'll have to turn it round, make it "deny all + permit specific", set
>>> up an http proxy with same policy and (don't allow CONNECT except under
>>> fine control) and don't allow anything else out of your network except
>>> that explicitly wanted.
>>>
>>
>> You are wrong, "deny all + permit specific" is not enough for blocking
>> TOR.
>>
>
> Depends how specific you are - if it looks like web access then it's going to
> be hard to be specific enough without being too specific

well, I did say to use a web proxy, which also has a whitelist of permitted
sites, you literally only let your users access very specific services and
hosts on the internet, and NOTHING else is allowed.

you're now going to say "but that's unmanageable", and I have two answers.

1/ security is a moving target and hard work, so if you can't trust your
users you'll have to have the resources to manage their access effectively

OR

2/ educate your users so that you can trust them and have suitable contracts
and measures in place to punish them so that they will follow procedures
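
The two policies contrasted in this thread, sketched as a squid.conf fragment. This is an added example, not part of the original message or of any poster's configuration; the 10.0.0.0/8 client range and the example.edu / example.org / blocked.example names are constructed placeholders.

```conf
# Added example. Squid evaluates http_access rules top to bottom and
# stops at the first match, so rule order is the policy.

# --- Weak: "permit any + deny specific" (shown commented out) ---
# acl localnet src 10.0.0.0/8
# acl blocked  dstdomain .blocked.example
# http_access deny  blocked
# http_access allow localnet      # anything not on the blocklist gets out
# http_access deny  all

# --- Corrected: "deny all + permit specific" ---
acl localnet   src 10.0.0.0/8                       # constructed client range
acl permitted  dstdomain .example.edu .example.org  # constructed whitelist
acl Safe_ports port 80 443
acl SSL_ports  port 443
acl CONNECT    method CONNECT

# Refuse ports that are not plain web ports.
http_access deny !Safe_ports

# CONNECT "under fine control": tunnels only on 443 and only to
# destinations that are on the whitelist.
http_access deny CONNECT !SSL_ports
http_access deny CONNECT !permitted

# Clients may reach whitelisted sites; nothing else.
http_access allow localnet permitted
http_access deny all

# Assumption outside this file: the firewall lets only the proxy host
# make outbound connections, so clients cannot bypass the proxy
# ("don't allow anything else out of your network").
```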
