Date: Sun, 8 Sep 2002 01:55:02 -0700 (PDT)
From: Julian Elischer
To: Michael Bretterklieber
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: protocol inspection (tunneling ssh over http proxy)
In-Reply-To: <3D7B0928.2020403@inode.at>

Run a squid (or apache) proxy for web access, and then ONLY allow port 80 traffic from the proxy.

On Sun, 8 Sep 2002, Michael Bretterklieber wrote:

> Hi,
>
> the problem is that they use not port 22 for the ssh connection, they
> use port 80 or 443.
>
> I need some software that guarantees that over the http-port flows only
> http and not something else.
>
> bye,
>
> Mike Nowlin wrote:
> >>We have problems in our company, that some users, which have not directly
> >>access to the internet, let ssh tunnel over our http-proxy. Extending
> >>ssh for tunneling is very easy (see Putty or corkscrew) and it's also not
> >>a problem for them to let on another machine sshd run on port 443 or 80.
> >>
> >>At the moment I have no idea how to prevent the users from tunneling ssh
> >>over http.
> >
> > You mean that they're opening connections via SSH through the proxy to
> > remote machines on port 22, then using the SSH tunnel capability to
> > allow connections back to their machine over the tunnel? (Sorry, I'm a
> > bit brain-fried right now.) If so, can't you restrict the proxy to not
> > allow remote requests out to port 22?
> >
> > mike
>
> --
> --------------------------------------
> E-mail: Michael.Bretterklieber@jawa.at
> ----------------------------
> JAWA Management Software GmbH
> Liebenauer Hauptstr. 200
> A-8041 GRAZ
> Tel: ++43-(0)316-403274-12
> Fax: ++43-(0)316-403274-10
> GSM: ++43-(0)676-93 96 698
> homepage: http://www.jawa.at
> --------- privat -----------
> E-mail: mbretter@inode.at
> homepage: http://www.inode.at/mbretter
> --------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
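
Added example, not part of the thread or written by any of its posters: a first-bytes check of the kind Michael asks for, labelling the opening bytes a client sends on a new stream as HTTP, TLS or SSH and reporting streams on port 80 or 443 that do not carry the protocol expected there. The flow tuples, function names and sample data are constructed for illustration.

```python
import re

HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"TRACE", b"CONNECT")
# HTTP/1.x request line: METHOD SP target SP HTTP/1.x CRLF
HTTP_REQ = re.compile(rb"(" + b"|".join(HTTP_METHODS) + rb") \S+ HTTP/1\.[01]\r?\n")
# RFC 4253 section 4.2: a client opens with "SSH-protoversion-softwareversion"
SSH_IDENT = re.compile(rb"SSH-\d+\.\d+-[\x21-\x7e]+")

def classify(payload: bytes) -> str:
    """Label the first bytes a client sends on a new TCP stream."""
    if SSH_IDENT.match(payload):
        return "ssh"
    # TLS record header: type 0x16 (handshake), major version 0x03,
    # two version/length bytes, then handshake type 0x01 (ClientHello)
    if (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01):
        return "tls"
    if HTTP_REQ.match(payload):
        return "http"
    return "unknown"

# Protocol each port is supposed to carry (assumed policy for this example)
EXPECTED = {80: {"http"}, 443: {"tls"}}

def violations(flows):
    """Return (src, dst, port, label) for streams that break the port policy."""
    out = []
    for src, dst, port, first_bytes in flows:
        label = classify(first_bytes)
        if label not in EXPECTED.get(port, set()):
            out.append((src, dst, port, label))
    return out

# Constructed sample flows: (client, server, destination port, first client bytes)
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 80,
     b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    ("10.0.0.7", "192.0.2.20", 443,
     b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03"),
    ("10.0.0.9", "198.51.100.4", 443, b"SSH-2.0-OpenSSH_3.4\r\n"),
    ("10.0.0.9", "198.51.100.4", 80, b"SSH-2.0-PuTTY\r\n"),
]

if __name__ == "__main__":
    for v in violations(SAMPLE_FLOWS):
        print("policy violation:", v)
```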