Thanks Victor! If you have any thoughts on how to do it, I'll try it ...

Luke Jaeger | Technology Coordinator
Pioneer Valley Performing Arts Charter Public School
www.pvpa.org

On Jan 6, 2010, at 2:19 PM, Víctor Pasten wrote:



-----Original Message-----
From: Paul Mansfield <it-admin-pfse...@taptu.com>
To: support@pfsense.com
Date: Wed, 06 Jan 2010 18:05:45 +0000
Subject: Re: Fwd: [pfSense Support] Re: [***SPAM*** Score/Req: 05.6/5.0]
Re: [pfSense Support] blocking  Tor Networks

On 06/01/10 16:46, Robert Mortimer wrote:
On 05/01/10 16:11, Luke Jaeger wrote:
Has anyone had any success blocking Tor thru pfsense/squidguard? Some of
our savvier students are starting to use it to get around the content
filters ...

that's a classic case of having a "permit any + deny specific" policy.
You'll have to turn it round, make it "deny all + permit specific", set
up an http proxy with same policy and (don't allow CONNECT except under
fine control) and don't allow anything else out of your network except
that explicitly wanted.


You are wrong, "deny all + permit specific" is not enough for blocking
TOR.


Depends how specific you are - if it looks like web access then it's
going to be hard to be specific enough without being too specific

well, I did say to use a web proxy, which also has a whitelist of
permitted sites, you literally only let your users access very specific
services and hosts on the internet, and NOTHING else is allowed.

you're now going to say "but that's unmanageable", and I have two answers.
1/ security is a moving target and hard work, so if you can't trust your
users you'll have to have the resources to manage their access effectively
OR
2/ educate your users so that you can trust them and have suitable
contracts and measures in place to punish them so that they will follow
procedures



A proxy server (squid, or another webfilter) cannot stop it (TOR
clients), because it's unable to analyze TOR traffic (encrypted traffic).

I don't say that it is impossible to block it, but it is not easy.




---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
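
The "deny all + permit specific" proxy policy described in the thread, with CONNECT kept under explicit control, sketched as a squid.conf fragment. This is an added example, not configuration posted by anyone in the thread; the LAN range, the file paths and the ACL names are assumptions.

```conf
# Added example: default-deny proxy policy for squid.
# Assumed values: LAN range, file paths, ACL names.

# Clients that may use the proxy at all (assumed LAN range).
acl localnet src 10.0.0.0/8

# Explicitly permitted destinations, one domain per line in the file,
# for example ".example.org" (constructed sample entry).
acl permitted_sites dstdomain "/path/to/permitted_sites.txt"

acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# "permit any + deny specific", shown commented out for contrast:
# anything not yet on the blocklist is reachable.
# acl blocked_sites dstdomain "/path/to/blocked_sites.txt"
# http_access deny blocked_sites
# http_access allow localnet

# "deny all + permit specific":
# 1. no requests to ports outside the short list above
http_access deny !Safe_ports
# 2. CONNECT tunnels only to port 443 ...
http_access deny CONNECT !SSL_ports
# 3. ... and only to hosts on the permitted list
http_access deny CONNECT !permitted_sites
# 4. plain HTTP only to hosts on the permitted list
http_access allow localnet permitted_sites
# 5. everything else is refused
http_access deny all

# The policy in the thread also depends on the firewall dropping all
# other outbound traffic, so that clients cannot bypass the proxy.
# That rule belongs in the pfSense ruleset, not in this file.
```

squid evaluates http_access lines top to bottom and stops at the first match, so the deny lines for CONNECT must stay above the allow line.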


