Date: Sun, 8 Sep 2002 01:29:37 -0700
Subject: Re: protocol inspection (tunneling ssh over http proxy)
From: Kevin Stevens <Kevin_Stevens@pursued-with.net>
To: Mike Nowlin
Cc: freebsd-net@FreeBSD.ORG
In-Reply-To: <3D7B05C7.E254DAB0@argos.org>
Message-Id: <1CB3AEDE-C305-11D6-A534-003065715DA8@pursued-with.net>

On Sunday, Sep 8, 2002, at 01:09 US/Pacific, Mike Nowlin wrote:

>> We have problems in our company, that some users, which do not have
>> direct access to the internet, tunnel ssh over our http-proxy. Extending
>> ssh for tunneling is very easy (see Putty or corkscrew) and it's also
>> not a problem for them to run sshd on another machine on port 443 or
>> 80.
>>
>> At the moment I have no idea how to prevent the users from tunneling
>> ssh over http.
>
> You mean that they're opening connections via SSH through the proxy to
> remote machines on port 22, then using the SSH tunnel capability to
> allow connections back to their machine over the tunnel? (Sorry, I'm a
> bit brain-fried right now.) If so, can't you restrict the proxy to not
> allow remote requests out to port 22?

No, he means they are initiating SSH sessions over port 80 or 443, after
having set up the remote servers to answer SSH requests on those ports.
Application-level proxies can prevent this by monitoring the
conversation, but IPFW doesn't operate at that level.

To the OP, I doubt that IPFW will be modified to incorporate that
functionality - it's too far beyond the architecture. If you need to
control that activity, you should probably look for a different tool.

Just my $.02.

KeS
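The kind of application-level check Kevin describes, as an added example that is not part of this thread or of any proxy's own code: a proxy that sees the bytes a client sends after a CONNECT can tell an SSH identification string from a TLS ClientHello, because SSH announces itself in cleartext before key exchange. The function names, the byte samples and the "only TLS inside a 443 tunnel" policy are all constructed assumptions for the example.

```python
import re

# Constructed sample first-bytes as a proxy would see them right after a
# CONNECT tunnel is established (illustrative values, not captured traffic).
SAMPLES = {
    "tls": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",  # handshake record, ClientHello
    "ssh": b"SSH-2.0-OpenSSH_3.4p1\r\n",                    # RFC 4253 identification string
    "http": b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n",
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_payload(first_bytes: bytes) -> str:
    """Guess the protocol from the first bytes a client sends on a connection.

    SSH sends 'SSH-protoversion-softwareversion' in cleartext before anything
    is encrypted, a TLS ClientHello starts with a handshake record header
    (0x16 0x03 xx), and a plain HTTP request starts with a method token.
    """
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def check_connect_tunnel(client_stream: bytes, allowed=("tls",)) -> tuple:
    """Parse a proxy CONNECT request and classify what the client then sends
    inside the tunnel. Returns (target, protocol, verdict).

    Assumes the client's tunnel bytes follow the request in the same buffer;
    a real proxy would read them after answering '200 Connection established'.
    """
    head, sep, tunnel = client_stream.partition(b"\r\n\r\n")
    m = re.match(rb"CONNECT\s+(\S+)\s+HTTP/1\.[01]", head)
    if not m:
        return (None, None, "not-connect")
    target = m.group(1).decode("ascii", "replace")
    if not sep or len(tunnel) < 4:
        return (target, "unknown", "pending")   # need more bytes before deciding
    proto = classify_payload(tunnel[:64])
    verdict = "allow" if proto in allowed else "deny"
    return (target, proto, verdict)
```

An SSH session tunneled with corkscrew is denied here because its first bytes are the SSH banner, while an ordinary HTTPS connection passes; IPFW, looking only at ports and addresses, sees both as identical TCP flows to port 443.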