Date: Sun, 08 Sep 2002 10:33:13 +0200
From: Michael Bretterklieber <mbretter@inode.at>
To: freebsd-net@FreeBSD.ORG
Subject: Re: protocol inspection (tunneling ssh over http proxy)
Message-ID: <3D7B0B49.6000402@inode.at>
References: <1CB3AEDE-C305-11D6-A534-003065715DA8@pursued-with.net>

Hi,

yes, you are right, this has to be done at application level.
IPFW will be the wrong place (level).

bye,

Kevin Stevens wrote:
>
> On Sunday, Sep 8, 2002, at 01:09 US/Pacific, Mike Nowlin wrote:
>
>>> We have problems in our company, that some users, which have not directly
>>> access to the internet, let ssh tunnel over our http-proxy. Extending
>>> ssh for tunneling is very easy (see Putty or corkscrew) and it's also not
>>> a problem for them to let on another machine sshd run on port 443 or 80.
>>>
>>> At the moment I have no idea how to prevent the users from tunneling ssh
>>> over http.
>>
>>
>> You mean that they're opening connections via SSH through the proxy to
>> remote machines on port 22, then using the SSH tunnel capability to
>> allow connections back to their machine over the tunnel? (Sorry, I'm a
>> bit brain-fried right now.) If so, can't you restrict the proxy to not
>> allow remote requests out to port 22?
>
>
> No, he means they are initiating SSH sessions over port 80 or 443, after
> having set up the remote servers to answer SSH requests on those ports.
> Application-level proxies can prevent this by monitoring the
> conversation, but IPFW doesn't operate at that level.
>
> To the OP, I doubt that IPFW will be modified to incorporate that
> functionality - it's too far beyond the architecture. If you need to
> control that activity, you should probably look for a different tool.
> Just my $.02.
>
> KeS
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
>
>

--
--------------------------------------
E-mail: Michael.Bretterklieber@jawa.at
----------------------------
JAWA Management Software GmbH
Liebenauer Hauptstr. 200
A-8041 GRAZ
Tel: ++43-(0)316-403274-12
Fax: ++43-(0)316-403274-10
GSM: ++43-(0)676-93 96 698
homepage: http://www.jawa.at
--------- private -----------
E-mail: mbretter@inode.at
homepage: http://www.inode.at/mbretter
--------------------------------------
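
The application-level check the thread points to ("monitoring the conversation"), sketched as an added example that is not part of the original message or of any proxy's code: it classifies the first bytes relayed through a CONNECT tunnel as an SSH identification string (RFC 4253) or a TLS handshake record. The function names, the verdict strings and the sample byte strings are assumptions constructed for illustration.

```python
"""Classify the first bytes seen inside an HTTP CONNECT tunnel."""

SSH_PREFIX = b"SSH-"      # RFC 4253: identification string starts "SSH-<proto>-"
TLS_HANDSHAKE = 0x16      # TLS record content type for handshake messages


def classify_tunnel_start(data: bytes) -> str:
    """Return 'ssh', 'tls', 'unknown' or 'need-more-data' for a stream prefix."""
    if data[:1] == bytes([TLS_HANDSHAKE]):
        if len(data) < 3:
            return "need-more-data"
        # Record header: type 0x16, major version 3, minor version 0..4.
        if data[1] == 0x03 and data[2] <= 0x04:
            return "tls"
    # RFC 4253 allows a server to send other lines before its version
    # string, so every line is checked, not only the first one.
    lines = data.split(b"\n")
    if any(line.startswith(SSH_PREFIX) for line in lines):
        return "ssh"
    tail = lines[-1]
    if not data or (tail and SSH_PREFIX.startswith(tail)):
        return "need-more-data"   # empty, or a partial "S", "SS", "SSH"
    return "unknown"


def tunnel_verdict(client_first: bytes, server_first: bytes) -> str:
    """Policy for a CONNECT to port 443: only a TLS client hello may pass."""
    client = classify_tunnel_start(client_first)
    server = classify_tunnel_start(server_first)
    if "ssh" in (client, server):
        return "block"
    if client == "tls":
        return "allow"
    return "wait" if client == "need-more-data" else "block"


# Constructed sample data, not captured traffic.
SAMPLE_SSH_BANNER = b"SSH-2.0-ExampleServer_1.0\r\n"
SAMPLE_TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01])

if __name__ == "__main__":
    print(tunnel_verdict(b"", SAMPLE_SSH_BANNER))   # SSH server speaks first
    print(tunnel_verdict(SAMPLE_TLS_HELLO, b""))    # TLS client speaks first
```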