On Tue, 6 Mar 2001, H. Wade Minter wrote:
> I've got an odd situation that may not have a solution, but I
> figured I'd ask anyway.
>
> Due to corporate requirements, my company's firewall policy blocks
> outgoing file transfers (FTP puts), but allows FTP gets and outgoing
> telnet. I don't like using telnet for the obvious reasons, so I
> suggested they enable outgoing SSH.
>
> They did for a few weeks, but killed it recently. When I asked why,
> they said it was because people can copy files out using scp without
> the firewall being able to monitor it.
>
> So my question is: Is there any way, on a firewall-type level, to
> block scp traffic, while allowing ssh and slogin? This would allow
> them to stop file copies, but let secure shells go through.

There is no way to do this. By the time the firewall sees the connection,
its contents are encrypted.

Furthermore, even if you were to somehow block the specific case of scp,
it would still be possible to copy files by cat'ing tar files about the
place. This is not unique to ssh; you can move files easily over just
about any connection (telnet included) using zmodem or kermit.
-d
--
| Damien Miller <[EMAIL PROTECTED]> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer
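As an added illustration of the point made above (this is not code from the thread or from OpenSSH), the following shell snippet moves a whole directory tree through nothing more than a command channel: tar on one end, tar on the other, base64 in between so the bytes survive a terminal session. No scp or sftp subsystem is involved, so a firewall that somehow singled out scp would still see only an ordinary session. The command runner is passed in as arguments; `sh -c` is used here as an offline stand-in, and `ssh user@host` is assumed to drop in unchanged since both take the remote command as their next argument. The sample files, the temporary paths and the assumption that those paths contain no single quotes are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original thread: file transfer over a plain
# shell channel, with no scp/sftp. The far side is whatever command runner is
# handed in; "sh -c" makes it run locally, "ssh user@host" is the real thing.

# copy_tree_over_shell SRC_DIR DEST_DIR RUNNER...
#   Packs SRC_DIR with tar, base64-armours the archive so it survives a
#   terminal-style channel, and hands it to a shell on the far side that
#   decodes and unpacks it into DEST_DIR. DEST_DIR is assumed to contain no
#   single quotes (it is spliced into a quoted remote command).
copy_tree_over_shell() {
    src="$1"; dest="$2"; shift 2
    # "$@" is the runner, e.g. ssh user@host, or offline: sh -c
    # Pipeline precedence: mkdir && (base64 -d | tar ...)
    tar -C "$src" -cf - . | base64 | \
        "$@" "mkdir -p '$dest' && base64 -d | tar -C '$dest' -xf -"
}

# demo_copy_tree
#   Builds a small constructed source tree, copies it through a local "sh -c"
#   stand-in for the ssh session, and returns 0 only if the destination tree
#   matches the source byte for byte.
demo_copy_tree() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/sub"
    # Constructed sample data standing in for the files being moved.
    printf 'quarterly numbers\n' > "$work/src/report.txt"
    printf 'not text: \000\001\002\377\n' > "$work/src/sub/blob.bin"

    copy_tree_over_shell "$work/src" "$work/dst" sh -c

    # diff -r exits 0 only when every file in both trees is identical.
    if diff -r "$work/src" "$work/dst" >/dev/null 2>&1; then
        status=0
    else
        status=1
    fi
    rm -rf "$work"
    return $status
}
```

Swapping `sh -c` for `ssh user@host` is the only change needed to run this across a real link; from the firewall's side the base64 stream is just more encrypted session traffic, which is exactly why the original question has no firewall-level answer.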