From owner-freebsd-net Sun Sep 8 1:35:47 2002 Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 548E637B400 for ; Sun, 8 Sep 2002 01:35:43 -0700 (PDT) Received: from smtp.inode.at (goliath.inode.at [195.58.161.55]) by mx1.FreeBSD.org (Postfix) with ESMTP id D768043E6A for ; Sun, 8 Sep 2002 01:35:42 -0700 (PDT) (envelope-from mbretter@inode.at) Received: from line-e-127.adsl-dynamic.inode.at ([62.99.165.127] helo=inode.at) by smtp.inode.at with esmtp (Exim 3.34 #1) id 17nxXh-0006EZ-00 for freebsd-net@FreeBSD.ORG; Sun, 08 Sep 2002 10:35:41 +0200 Message-ID: <3D7B0B49.6000402@inode.at> Date: Sun, 08 Sep 2002 10:33:13 +0200 From: Michael Bretterklieber User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-AT; rv:1.1) Gecko/20020826 X-Accept-Language: de-de, de-at, de, en-us, en MIME-Version: 1.0 To: freebsd-net@FreeBSD.ORG Subject: Re: protocol inspection (tunneling ssh over http proxy) References: <1CB3AEDE-C305-11D6-A534-003065715DA8@pursued-with.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, yes. you are right, this has to be done at application-level. IPFW will be the wrong place (level). bye, Kevin Stevens schrieb: > > On Sunday, Sep 8, 2002, at 01:09 US/Pacific, Mike Nowlin wrote: > >>> We have problems in our company, that some users, wich have not directly >>> access to the internet, let ssh tunnel over our http-proxy. Extending >>> ssh for tunneling is very easy (see Putty or corkscrew) and its also not >>> a problem for them to let on another machine sshd run on port 443 or 80. >>> >>> At the moment I have no idea how to prevent the users from tunneling ssh >>> over http. >> >> >> You mean that they're opening connections via SSH through the proxy to >> remote machines on port 22, then using the SSH tunnel capability to >> allow connections back to their machine over the tunnel? (Sorry, I'm a >> bit brain-fried right now.) If so, can't you restrict the proxy to not >> allow remote requests out to port 22? > > > No, he means they are initiating SSH sessions over port 80 or 443, after > having set up the remote servers to answer SSH requests on those ports. > Application-level proxies can prevent this by monitoring the > conversation, but IPFW doesn't operate at that level. > > To the OP, I doubt that IPFW will be modified to incorporate that > functionality - it's too far beyond the architecture. If you need to > control that activity, you should probably look for a different tool. > Just my $.02. > > KeS > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-net" in the body of the message > > -- -- -------------------------------------- E-mail: Michael.Bretterklieber@jawa.at ---------------------------- JAWA Management Software GmbH Liebenauer Hauptstr. 200 A-8041 GRAZ Tel: ++43-(0)316-403274-12 Fax: ++43-(0)316-403274-10 GSM: ++43-(0)676-93 96 698 homepage: http://www.jawa.at --------- privat ----------- E-mail: mbretter@inode.at homepage: http://www.inode.at/mbretter -------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message