Date: Sun, 08 Sep 2002 20:18:57 +0200
From: Michael Bretterklieber <mbretter@inode.at>
To: freebsd-net@FreeBSD.ORG
Subject: Re: protocol inspection (tunneling ssh over http proxy)
Message-ID: <3D7B9491.9090305@inode.at>
References: <Pine.BSF.4.21.0209080153490.50002-100000@InterJet.elischer.org>

Hi,

I'm already running squid as proxy. But if I allow only port 80, then no
https works. Also, if they run sshd on port 80 on a server
somewhere, then this doesn't prevent ssh-tunneling over http.

I attached the tcpdump of a tunnel'd ssh-connection over http.

192.168.201.1 is my gateway with squid and an adsl internet connection (mpd).
192.168.201.12 is my bad boy, which uses Putty for tunneling ssh over http.

I think I can do nothing to break the tunnel. Or am I wrong?

bye,

Julian Elischer wrote:
> Run a squid (or apache) proxy for web access,
> and then ONLY allow port 80 traffic from the proxy.
>
>
> On Sun, 8 Sep 2002, Michael Bretterklieber wrote:
>
>
>>Hi,
>>
>>the problem is that they do not use port 22 for the ssh connection, they
>>use port 80 or 443.
>>
>>I need some software that guarantees that over the http-port flows only
>>http and not something else.
>>
>>bye,
>>
>>Mike Nowlin wrote:
>>
>>>>We have problems in our company, that some users, who do not have direct
>>>>access to the internet, tunnel ssh over our http-proxy. Extending
>>>>ssh for tunneling is very easy (see Putty or corkscrew) and it's also not
>>>>a problem for them to run sshd on another machine on port 443 or 80.
>>>>
>>>>At the moment I have no idea how to prevent the users from tunneling ssh
>>>>over http.
>>>
>>>
>>>You mean that they're opening connections via SSH through the proxy to
>>>remote machines on port 22, then using the SSH tunnel capability to
>>>allow connections back to their machine over the tunnel? (Sorry, I'm a
>>>bit brain-fried right now.) If so, can't you restrict the proxy to not
>>>allow remote requests out to port 22?
>>>
>>>mike

-- 
--------------------------------------
E-mail: Michael.Bretterklieber@jawa.at
----------------------------
JAWA Management Software GmbH
Liebenauer Hauptstr. 200
A-8041 GRAZ
Tel: ++43-(0)316-403274-12
Fax: ++43-(0)316-403274-10
GSM: ++43-(0)676-93 96 698
homepage: http://www.jawa.at
--------- private ----------
E-mail: mbretter@inode.at
homepage: http://www.inode.at/mbretter
--------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
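
The requirement raised in the thread (only web traffic may pass the proxy port, whatever port the remote sshd listens on) can be checked at the start of each CONNECT tunnel, because an SSH peer announces itself with a cleartext identification string while an HTTPS client opens with a TLS ClientHello. The following is an added example, not code from the message or from squid; it assumes a hypothetical inspection point that sees the first payload bytes relayed in each direction, and all function names and sample bytes are constructed.

```python
SSH_PREFIX = b"SSH-"      # start of the SSH identification string (RFC 4253, section 4.2)
TLS_HANDSHAKE = 0x16      # TLS record content type "handshake"


def looks_like_tls_hello(data: bytes) -> bool:
    """True if data begins with an SSLv3/TLS handshake record carrying a ClientHello."""
    return (
        len(data) >= 6
        and data[0] == TLS_HANDSHAKE
        and data[1] == 0x03            # record-layer major version
        and data[5] == 0x01            # handshake message type: ClientHello
    )


def has_ssh_banner(data: bytes) -> bool:
    """True if one of the first lines is an SSH identification string."""
    # A server may send other text lines before its banner, so check a few lines.
    return any(line.startswith(SSH_PREFIX) for line in data.split(b"\n")[:8])


def classify_tunnel(from_client: bytes, from_server: bytes) -> str:
    """Label the start of a CONNECT tunnel as 'ssh', 'tls' or 'unknown'."""
    if has_ssh_banner(from_client) or has_ssh_banner(from_server):
        return "ssh"
    if looks_like_tls_hello(from_client):
        return "tls"
    return "unknown"


def verdict(from_client: bytes, from_server: bytes) -> str:
    """Default-deny policy: only a tunnel that starts like TLS is relayed."""
    return "allow" if classify_tunnel(from_client, from_server) == "tls" else "deny"


# Constructed sample data (not taken from the tcpdump attached to the message).
TLS_CLIENT_HELLO = bytes.fromhex("16030100310100002d0301") + bytes(43)
SSH_SERVER_BANNER = b"SSH-2.0-ExampleServer_1.0\r\n"
SAMPLES = {
    "https site": (TLS_CLIENT_HELLO, b""),
    "sshd on port 443": (b"", SSH_SERVER_BANNER),
    "banner after a greeting line": (b"", b"welcome\r\n" + SSH_SERVER_BANNER),
    "plain text": (b"HELO example.test\r\n", b""),
}

if __name__ == "__main__":
    for name, (c2s, s2c) in SAMPLES.items():
        print(f"{name:30} {classify_tunnel(c2s, s2c):8} {verdict(c2s, s2c)}")
```

The check only identifies what the first bytes claim to be; it says nothing about traffic carried inside a session that starts as TLS.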