I beg to differ about your experience with http_tunnel.  I've used it
before and it is as close to realtime as most people need.  I used both
telnet and ssh with it without lag or problems.  The only extremely
obvious part about http_tunnel is how long it leaves connections open.

- Aaron Schultz
- [EMAIL PROTECTED]
------
  /"\  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
  \ /   ASCII Ribbon Campaign
   X   - NO HTML/RTF in e-mail
  / \  - NO Word docs in e-mail


On Thu, 20 Apr 2000, David Lang wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> 
> To answer the many comments about the ability to tunnel over other ports.
> 
> Yes, it is possible to set up SSH on port 80, but if you are running an
> outbound HTTP proxy that is smart enough to only pass valid HTTP requests
> this is no longer possible.
> 
> It is possible to tunnel through valid HTTP, mail, or anything that you
> allow, but by not allowing SSH I raise the difficulty of doing this, avoid
> providing the tools necessary to do this, probably add to the
> inconvenience of doing this (telnet does not tunnel well through HTTP,
> you can tunnel commands and their results, but it is not real-time
> interactive) and as a result hopefully raise the bar high enough that
> nobody bothers to go to that much work.
> 
> Even with a good proxy, allowing https provides a way to tunnel through
> the firewall (if you tell the proxy what to do it will happily do it) but
> again it is raising the bar a bit.
> 
> David Lang
> 
> 
> 
> On Thu, 20 Apr 2000, Mark E. Drummond wrote:
> 
> > Date: Thu, 20 Apr 2000 16:03:44 -0400
> > From: Mark E. Drummond <[EMAIL PROTECTED]>
> > To: David Lang <[EMAIL PROTECTED]>
> > Cc: Firewalls <[EMAIL PROTECTED]>
> > Subject: Re: ssh defeats the firewall
> > 
> > David Lang wrote:
> > > 
> > > 1. someone goes to the effort of getting the passwords and then finds an
> > > application bug that gets them on the machine where they can use them (in
> > > which case they may be getting on as root anyway)
> > > 
> > > 2. inside people using SSH to tunnel stuff through that I have no control
> > > over because "it's only for me and it's not really a risk anyway"
> > 
> > Interesting. I was considering simply limiting ssh traffic to and from
> > defined administrative workstations on either side. But of course that
> > denies my end-users the same protection.
> > 
> > What if a user was to bring up an ssh daemon on a port that was allowed
> > through your firewall?
> > 
> > -- 
> > Mark Drummond|ICQ#19153754|mailto:[EMAIL PROTECTED]
> > UNIX System Administrator|Royal Military College of Canada
> > The Kingston Linux Users Group|http://signals.rmc.ca/klug/
> > Saving the World ... One CPU at a Time
> > 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.2
> 
> -----END PGP SIGNATURE-----
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
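
The checks discussed in this thread, as an added example that is not part of either message: a proxy-side classifier that rejects a non-HTTP opener such as an SSH identification string, and flags CONNECT tunnels and long-held HTTP connections for review. The function names, the 300-second threshold and the sample connections are constructed assumptions.

```python
import re

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")
METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
           b"OPTIONS", b"TRACE", b"CONNECT"}
LONG_LIVED_SECONDS = 300  # assumed threshold; tune to local traffic


def classify(first_bytes: bytes, duration_s: float) -> str:
    """Return a verdict for one outbound connection seen by the proxy."""
    first_line = first_bytes.split(b"\r\n", 1)[0]
    match = REQUEST_LINE.match(first_line)
    if match is None or match.group(1) not in METHODS:
        # An SSH client opens with "SSH-<version>-<software>",
        # which is not a request line, so a strict proxy drops it.
        return "block: not an HTTP request"
    if match.group(1) == b"CONNECT":
        # After CONNECT the proxy relays bytes without inspecting them.
        return "review: opaque CONNECT tunnel"
    if duration_s > LONG_LIVED_SECONDS:
        # Syntactically valid HTTP held open far longer than a page fetch.
        return "review: long-lived HTTP connection"
    return "allow"


# Constructed samples: (first bytes from the client, duration in seconds)
SAMPLES = [
    (b"SSH-1.5-1.2.27\n", 1800.0),
    (b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n", 2.5),
    (b"CONNECT host.example.com:443 HTTP/1.0\r\n\r\n", 900.0),
    (b"POST /upload HTTP/1.1\r\nHost: host.example.com\r\n\r\n", 3600.0),
]


def verdicts():
    """Classify every constructed sample, in order."""
    return [classify(data, seconds) for data, seconds in SAMPLES]


if __name__ == "__main__":
    for (data, seconds), verdict in zip(SAMPLES, verdicts()):
        print(f"{data[:30]!r:40} {seconds:7.1f}s  {verdict}")
```
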

