 From:  William Arlofski <waa dash m0n0wall at revpol dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Blocking outbound traffic - concessus
 Date:  Thu, 31 Mar 2005 17:06:37 -0500
Chris Bagnall wrote:

>>You are absolutely correct. This is the reason I often
>>recommend a proxy server.  The combination of squid
>>(http://squid-cache.org) and Dan's Guardian
>>(http://www.dansguardian.org) and a strict set of rules to
>>only allow port 80/443 traffic from the proxy server allows
>>for filtering, blocking etc via Dan's Guardian. :)
> I would strongly discourage going down that route. You'll only generate
> resentment amongst the workforce who feel they aren't being trusted as they
> should be by their employer.
> I have in the past refused to work for employers who feel it's their right
> to either monitor my web browsing, or restrict my access to important (to
> me!) services such as instant messaging.
> When I explain my position on censorship, most of my clients are very
> understanding, and once we've had a discussion about it, they've understood
> why I won't do it. I've only ever had to bluntly refuse a client once - that
> was when they wanted unrestricted access to an employee's email account.
> Treat your employees like people, not like potential criminals. If you need
> to discourage P2P, fair enough, log the common ports, and if someone's using
> it, it's damned easy to spot. A quiet word in that person's ear is a lot
> nicer than draconian blocking / filtering some companies implement. Any
> other bandwidth control can be accomplished using QoS.
> Sorry for the rant, but it is a topic on which I feel quite strongly.
> Regards,
> Chris

I am also a strong privacy advocate and am not too keen on "censoring",
especially if it is ME that is being monitored or censored. :)

I probably should have qualified my filtering/blocking comment with
"Most of my clients are boarding schools with students ranging from 5th
grade to High school where filtering, blocking and logging is a
requirement." I just recommend and implement a solution for them.

I also should have mentioned that even though all users' traffic goes
through the proxy, we generally configure the systems such that only the
students' traffic is logged and filtered. Adult users are allowed to go
where they want on the web unfiltered and unlogged. This way they have
the best of both worlds and (most) people are quite happy.

Also, my reasons for blocking everything and then opening up
individual ports as needed are not that the users are being treated as
criminals; rather, the Windows machines are being treated as the danger
they truly represent to the privacy of the end-users and the integrity
of the network (i.e. spam-zombies, backdoors, etc.).


Bill Arlofski
Reverse Polarity
waa at revpol dot com
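The egress design discussed in this thread (block everything outbound, let LAN clients reach the web only through the squid/DansGuardian proxy, let only the proxy speak on 80/443, and open other ports individually) can be illustrated with a small policy evaluator. This is an added example, not code from the thread and not m0n0wall's or squid's own rule syntax; the addresses, the proxy listening port (3128, squid's default) and the DNS allowance are assumptions chosen for the example.

```python
"""Default-deny egress policy with a proxy-only web exception.

Constructed example: a first-match rule evaluator showing why
"block everything, open ports as needed" stops a compromised LAN host
(spam zombie, backdoor) from talking to the Internet directly, while
browsing still works through the proxy and blocked attempts stay
visible for review.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed addressing for the example (not values from the thread).
LAN = ip_network("192.168.1.0/24")
PROXY = ip_address("192.168.1.10")
PROXY_PORT = 3128               # squid's default listening port
INTERNET = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                  # "tcp" or "udp"
    dport: int


def _contains(spec, addr: str) -> bool:
    """True when addr equals the host `spec` or lies inside the network `spec`."""
    a = ip_address(addr)
    return a in spec if isinstance(spec, IPv4Network) else a == spec


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: object                 # IPv4Address or IPv4Network
    dst: object
    proto: Optional[str]        # None matches any protocol
    dports: frozenset           # empty set matches any port
    comment: str

    def matches(self, f: Flow) -> bool:
        return (_contains(self.src, f.src) and _contains(self.dst, f.dst)
                and (self.proto is None or self.proto == f.proto)
                and (not self.dports or f.dport in self.dports))


# Evaluated top to bottom, first match wins; the last rule is the default deny.
EGRESS_RULES = [
    Rule("pass", LAN, PROXY, "tcp", frozenset({PROXY_PORT}),
         "LAN clients reach the web only via the proxy"),
    Rule("pass", PROXY, INTERNET, "tcp", frozenset({80, 443}),
         "only the proxy speaks HTTP/HTTPS to the Internet"),
    Rule("pass", LAN, INTERNET, "udp", frozenset({53}),
         "DNS, opened individually (assumed for the example)"),
    Rule("block", LAN, INTERNET, None, frozenset(),
         "default deny: everything else is blocked and logged"),
]


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (action, reason) for a flow; unmatched flows are blocked too."""
    for rule in EGRESS_RULES:
        if rule.matches(flow):
            return rule.action, rule.comment
    return "block", "implicit default deny"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Decide every flow; the 'block' entries are what an admin reviews."""
    return [(f, evaluate(f)[0]) for f in flows]


def blocked_sources(flows: List[Flow]) -> List[str]:
    """Hosts that tried something the policy forbids: the ones to have a quiet word about."""
    return sorted({f.src for f, action in audit(flows) if action == "block"})


# Constructed traffic; 203.0.113.x / 198.51.100.x are documentation ranges.
SAMPLE_FLOWS = [
    Flow("192.168.1.50", "203.0.113.5", "tcp", 80),      # browser bypassing the proxy
    Flow("192.168.1.50", "192.168.1.10", "tcp", 3128),   # browser via the proxy
    Flow("192.168.1.10", "203.0.113.5", "tcp", 443),     # proxy fetching on behalf of clients
    Flow("192.168.1.77", "198.51.100.9", "tcp", 25),     # direct SMTP: spam-zombie behaviour
    Flow("192.168.1.50", "198.51.100.53", "udp", 53),    # DNS lookup
]

if __name__ == "__main__":
    for flow, action in audit(SAMPLE_FLOWS):
        print(f"{action:5} {flow.src:>14} -> {flow.dst}:{flow.dport}/{flow.proto}")
    print("hosts with blocked attempts:", blocked_sources(SAMPLE_FLOWS))
```

The two "block" results are the point of the design: the direct-to-port-80 attempt and the direct SMTP attempt never reach the Internet, yet both show up in the blocked list, so a misbehaving machine is easy to spot without inspecting anyone's web browsing.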