Date: Sun, 8 Sep 2002 01:29:37 -0700
From: Kevin Stevens <Kevin_Stevens@pursued-with.net>
To: Mike Nowlin <mike@argos.org>
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: protocol inspection (tunneling ssh over http proxy)
Message-ID: <1CB3AEDE-C305-11D6-A534-003065715DA8@pursued-with.net>
In-Reply-To: <3D7B05C7.E254DAB0@argos.org>
On Sunday, Sep 8, 2002, at 01:09 US/Pacific, Mike Nowlin wrote:

>> We have problems in our company, that some users, which have not
>> directly access to the internet, let ssh tunnel over our http-proxy.
>> Extending ssh for tunneling is very easy (see Putty or corkscrew) and
>> it's also not a problem for them to let on another machine sshd run on
>> port 443 or 80.
>>
>> At the moment I have no idea how to prevent the users from tunneling
>> ssh over http.
>
> You mean that they're opening connections via SSH through the proxy to
> remote machines on port 22, then using the SSH tunnel capability to
> allow connections back to their machine over the tunnel? (Sorry, I'm a
> bit brain-fried right now.) If so, can't you restrict the proxy to not
> allow remote requests out to port 22?

No, he means they are initiating SSH sessions over port 80 or 443, after
having set up the remote servers to answer SSH requests on those ports.
Application-level proxies can prevent this by monitoring the conversation,
but IPFW doesn't operate at that level.

To the OP, I doubt that IPFW will be modified to incorporate that
functionality - it's too far beyond the architecture. If you need to
control that activity, you should probably look for a different tool.

Just my $.02.

KeS

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
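Kevin's point is that the distinguishing feature of these sessions is not the port but the conversation itself: an SSH client announces itself with a plaintext identification banner (`SSH-2.0-...`) as its first bytes, while a real HTTPS session starts with a TLS handshake record. The following is an added example, not code from this thread or from any FreeBSD component, showing the kind of first-bytes check an application-level proxy could apply to a CONNECT tunnel. The sample payloads, the `dest_port` policy and the function names are constructed assumptions.

```python
import re

# Constructed sample payloads: the first bytes a client sends into a
# CONNECT tunnel after the proxy has accepted it. Not captured traffic.
SAMPLES = {
    "ssh": b"SSH-2.0-OpenSSH_3.4p1\r\n",
    # TLS record header: type 0x16 (handshake), version 3.1, length 0xc4,
    # then handshake type 0x01 (ClientHello) and padding.
    "tls": bytes([0x16, 0x03, 0x01, 0x00, 0xC4, 0x01, 0x00, 0x00, 0xC0, 0x03, 0x03])
    + b"\x00" * 32,
    "http": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "unknown": b"\x00\x01\x02\x03",
}

# RFC 4253 identification string: "SSH-<protoversion>-<softwareversion>"
SSH_BANNER = re.compile(rb"^SSH-[0-9]+\.[0-9]+-")
HTTP_REQUEST = re.compile(
    rb"^(GET|POST|HEAD|PUT|OPTIONS|DELETE|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n"
)


def classify_payload(data: bytes) -> str:
    """Classify the first bytes of a tunneled stream as ssh, tls, http or unknown."""
    if SSH_BANNER.match(data):
        return "ssh"
    # TLS: record type 0x16 (handshake), major version 3, ClientHello (0x01)
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    if HTTP_REQUEST.match(data):
        return "http"
    return "unknown"


def policy_decision(dest_port: int, data: bytes) -> tuple[str, str]:
    """Assumed policy: a CONNECT to port 443 is allowed only if it carries TLS.

    Anything else (SSH banner on 443 or 80, unknown binary, plain HTTP inside
    a CONNECT) is blocked so it can be logged and reviewed.
    """
    proto = classify_payload(data)
    if dest_port == 443 and proto == "tls":
        return ("allow", proto)
    return ("block", proto)


def inspect_tunnels(records: list[tuple[str, int, bytes]]) -> list[str]:
    """Produce one log line per (client, dest_port, first_bytes) record."""
    lines = []
    for client, port, data in records:
        action, proto = policy_decision(port, data)
        lines.append(f"{action} client={client} port={port} proto={proto}")
    return lines


if __name__ == "__main__":
    # Constructed records: two clients tunneling SSH on 443/80, one real HTTPS.
    demo = [
        ("10.0.0.5", 443, SAMPLES["ssh"]),
        ("10.0.0.6", 80, SAMPLES["ssh"]),
        ("10.0.0.7", 443, SAMPLES["tls"]),
    ]
    for line in inspect_tunnels(demo):
        print(line)
```

This is the check an inspecting proxy can make and a packet filter like IPFW cannot: the decision rests on payload bytes, not on addresses or ports. It only sees plaintext SSH, so a stream that presents a genuine TLS handshake passes; a proxy that terminates TLS and inspects inside it is the stronger control, at the cost of the privacy and certificate-handling issues that brings.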