How to block proxy software like Hidemyass



  • Hello guys,

    What is the most effective way to block proxy software like Hidemyass so that nobody can bypass our firewall rules? I have SquidGuard installed and am also using OpenDNS IPs, but I'm still unable to block it. Please advise. Thank you!



  • Get a master list of all the IP addresses for the service that you want to block.  Create an alias and load it with those IP addresses.  Block access via firewall to a destination represented by the alias.  This is the whack-a-mole method and is not that great.  If the user is using VPN software that uses particular source or destination ports then you can block based on that.  Squidguard has a blacklist category for Anonvpn, but I have no idea what's in that category.


  • Tell them not to and if they continue, fire them.



  • @KOM thanks for the advice. But what if they use other proxy software? I think that won't work. I have already denied access to the squidguard Anonvpn blacklist category but still no luck.

    @Derelict That's a good idea. lol ;D



  • Like I said, there is no magic solution when it comes to blocking moving targets.  At the end of the day, all you can do is block access to particular IP addresses.  That's it.  It's up to you to figure out what those IP addresses might be.  There is no one "block every commercial VPN and every IP address they use in the whole world" list that I'm aware of, and if there was such a thing it would probably have a subscription fee.  What if your user has a VPS and is hosting his own OpenVPN or IPSEC instance?



  • Is there a feature in pfSense that alerts the admin when a user uses proxy software? So I can disconnect them from the network?



  • Nope.  How would it know?



  • Not sure how.. :)

    Any ideas pfSense users?



  • If the traffic is encrypted and you don't know what IPs or ports to block, then logically there is nothing you can do. The only way to even have a chance is to create a whitelist and only allow access to certain IP addresses.
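
An added example, not part of the thread or of pfSense: one way to turn a messy "master list" into clean alias entries, and to see how the same alias behaves as a blocklist versus the whitelist suggested in the last reply. The feed contents are constructed from documentation-only address ranges, and the function names and one-entry-per-line output are assumptions.

```python
import ipaddress

# Constructed sample feed: documentation ranges only (RFC 5737 / RFC 3849),
# not real VPN or proxy endpoints.
RAW_FEED = """
# vendor export, mixed quality
203.0.113.10
203.0.113.11
203.0.113.0/25
198.51.100.7   # trailing comment
198.51.100.7
2001:db8::/48
2001:db8:0:1::5
not-an-ip
192.0.2.300
"""

def build_alias(raw):
    """Return (collapsed networks, rejected entries) from a raw text feed."""
    nets, rejected = [], []
    for line in raw.splitlines():
        entry = line.split("#", 1)[0].strip()  # drop comments and padding
        if not entry:
            continue
        try:
            # strict=False tolerates host bits set, e.g. 203.0.113.10/25
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)  # keep for review instead of loading junk
    # collapse_addresses() cannot mix families, so merge v4 and v6 separately
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6), rejected

def in_alias(dest, alias):
    addr = ipaddress.ip_address(dest)
    return any(addr.version == n.version and addr in n for n in alias)

def verdict(dest, alias, mode):
    """mode='block': alias is a blocklist, everything else passes.
    mode='allow': alias is a whitelist, everything else is dropped."""
    hit = in_alias(dest, alias)
    if mode == "block":
        return "drop" if hit else "pass"
    return "pass" if hit else "drop"

if __name__ == "__main__":
    alias, bad = build_alias(RAW_FEED)
    print("\n".join(str(n) for n in alias))  # one entry per line
    print("rejected:", bad)
```

In block mode any destination missing from the feed passes, which is the whack-a-mole gap described above; in allow mode the same unknown destination is dropped.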

