Not everything--I'm looking for whitelist/blacklist filtering for /proxies alone/ to be added.

In this scenario, every time JoeBox processes an outbound HTTP request (as determined by L7 filtering), it looks to see if the request is to a whitelisted proxy. If it is, it's allowed to proceed to the destination.

If not, the JoeBox checks to see if it's to a previously auto-blacklisted open proxy. If it is, the connection attempt is blocked. 

If it's not, it's allowed to continue to the final test, which is the JoeBox checks to see if the connection attempt is to an open proxy (which it can do by trying to use it as one). If it is an open proxy, the connection attempt is blocked and the host:port is written to the auto-blacklisted open proxy list (with an expiration date of 1d or so).

If it's not an open proxy, the connection attempt proceeds to its destination. It's kinda convoluted written out, but I can probably scare up a flowchart or something if it still doesn't make sense.

This wouldn't solve all of them (e.g., the sites that just work as web apps so kids can look at Facebook as you said), but it would probably cut down on P2P-over-HTTP-proxy traffic in a way that I don't think L7 filtering alone will do.
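The decision flow sketched above, as an added example that is not part of this message or of the JoeBox product: whitelist first, then the expiring auto-blacklist, then a one-time probe whose positive result is cached for a day. The probe is a pluggable callable here, and the hostnames, the fake probe and the fake clock are constructed so the flow runs offline.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

Endpoint = Tuple[str, int]  # (host, port) of an outbound HTTP request


@dataclass
class ProxyFilter:
    """Per-request decision: whitelist -> auto-blacklist -> open-proxy probe."""
    whitelist: Set[Endpoint]                    # approved proxies (squid, dansguardian, ...)
    is_open_proxy: Callable[[str, int], bool]   # probe that tries to relay through host:port
    ttl_seconds: float = 24 * 3600              # auto-blacklist entries expire after ~1 day
    clock: Callable[[], float] = time.time      # injectable so expiry can be tested offline
    _blacklist: Dict[Endpoint, float] = field(default_factory=dict)  # endpoint -> expiry

    def is_blacklisted(self, host: str, port: int) -> bool:
        now = self.clock()
        # Drop expired entries so a host that cleaned up gets re-tested, not blocked forever.
        for ep in [e for e, exp in self._blacklist.items() if exp <= now]:
            del self._blacklist[ep]
        return (host, port) in self._blacklist

    def decide(self, host: str, port: int) -> str:
        ep = (host, port)
        if ep in self.whitelist:               # 1. approved proxy: allow, no further tests
            return "allow"
        if self.is_blacklisted(host, port):    # 2. known open proxy within TTL: block
            return "block"
        if self.is_open_proxy(host, port):     # 3. unknown endpoint: probe it once
            self._blacklist[ep] = self.clock() + self.ttl_seconds
            return "block"
        return "allow"                         # 4. ordinary web server: allow


def demo():
    """Constructed scenario (fake probe, fake clock) so the flow runs offline."""
    now = [1_000_000.0]
    probes = []

    def fake_probe(host, port):               # stands in for the real relay test
        probes.append((host, port))
        return host == "open-proxy.example"   # constructed hostname

    f = ProxyFilter({("squid.school.example", 3128)}, fake_probe, clock=lambda: now[0])
    results = [f.decide("squid.school.example", 3128),  # whitelisted: allow, not probed
               f.decide("www.example.com", 80),         # probed, not a proxy: allow
               f.decide("open-proxy.example", 8080),    # probed, open: block + blacklist
               f.decide("open-proxy.example", 8080)]    # cached: block, no second probe
    now[0] += 25 * 3600                                  # a day later the entry has expired
    results.append(f.decide("open-proxy.example", 8080))  # re-probed, still open: block
    return results, len(probes)
```

Only positive probe results are cached, matching the flow above; a host that passes the test is probed again on its next request.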

On Thursday, June 30, 2011 at 3:15 PM, Ray Soucy wrote:

> I'm not exactly clear on what you're asking.
> 
> Are you suggesting that we block everything by default and only use
> allow lists to permit access?
> 
> You can effectively do this by placing a "." on a line by itself in
> your global block list, then creating entries for the sites you want
> to allow in your allow list.
> 
> But coming up with a list of allowed sites would be a pretty big
> challenge unless you want to be really restrictive.
> 
> Any usable commercial list for this sort of thing would likely be too
> big to produce reasonable performance as well, which is likely why I'm
> not aware of any that exist.
> 
> Most proxy sites used today are just web applications; each being
> different; there isn't really a way to determine if it's an open proxy
> or a proxy site without some AI that doesn't exist yet.
> 
> On a side note, the ".xxx" adult content domain has been approved. As
> a result, you might want to stick ".xxx" in your global block list.
> 
> On Thu, Jun 30, 2011 at 2:00 PM, Kyle Green <[log in to unmask]> wrote:
> > It'd be nice if the JoeBox to be configured such that we can whitelist
> > acceptable proxies (for legitimate uses of squid or dansguardian or
> > whatever), and then it checks every further HTTP request to see if
> > it's an open proxy (and caches the result for a day or so).
> > 
> > Can that get put on the feature wish list? It just seems to me that
> > relying on set blacklists for this is going to result in us
> > perpetually being three steps behind.
> > 
> > Thanks.
> > 
> > On Jun 30, 2011, at 1:49 PM, Ray Soucy <[log in to unmask]> wrote:
> > 
> > > Seth,
> > > 
> > > I contacted MecNet to see if they could look at additional sources for
> > > their URL lists, and they have made an update. I've applied the
> > > update on your Joebox (the rest of users will get the update
> > > overnight).
> > > 
> > > Do you notice any change? Or is it still letting most through?
> > > 
> > > On Thu, Jun 30, 2011 at 7:47 AM, Seth Thompson <[log in to unmask]> wrote:
> > > > I have this enabled and the majority of proxies are still available.
> > > > Seth
> > > > 
> > > > On Mon, Jun 27, 2011 at 2:14 PM, Ray Soucy <[log in to unmask]> wrote:
> > > > > 
> > > > > "Sites with proxies to bypass filters" would be the MECguard category.
> > > > > Have you tried enabling this for your group filter lists? I'm not
> > > > > sure how comprehensive the list is...
> > > > > 
> > > > > On Mon, Jun 27, 2011 at 1:48 PM, Ed Bourdeau <[log in to unmask]> wrote:
> > > > > > Overall I am very happy with the JoeBox/MecGuard setup. My number 1
> > > > > > input for future change is that you add a Proxy settings option to
> > > > > > MecGuard. By this I mean a more automated method to block proxies.
> > > > > > If you could check a box, and have your choice of black lists that
> > > > > > you could subscribe to, this would make the filtering much more
> > > > > > manageable. Right now this is my #1 hole.
> > > > > > 
> > > > > > Thanks, Ed
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > Ed Bourdeau
> > > > > > 
> > > > > > Director of Technology
> > > > > > 
> > > > > > Erskine Academy
> > > > > > 
> > > > > > Tel. 1-207-445-2962-ext 125
> > > > > 
> > > > > 
> > > > > 
> > > > > --
> > > > > Ray Soucy
> > > > > 
> > > > > Epic Communications Specialist
> > > > > 
> > > > > Phone: +1 (207) 561-3526
> > > > > 
> > > > > Networkmaine, a Unit of the University of Maine System
> > > > > http://www.networkmaine.net/
> > > > 
> > > > 
> > > > 
> > > > --
> > > > Seth H. Thompson
> > > > Technology Director
> > > > Regional School Unit No. 5
> > > > 207-865-4706 x232
> > > 
> 