Re: UPDATE: [wcolburn@nmt.edu: SMTP relay through checkpoint firewall]

From: Randal L. Schwartz (merlyn@stonehenge.com)
Date: 02/21/02


To: Mike Benham <moxie@thoughtcrime.org>
From: merlyn@stonehenge.com (Randal L. Schwartz)
Date: 21 Feb 2002 05:50:40 -0800


>>>>> "Mike" == Mike Benham <moxie@thoughtcrime.org> writes:

Mike> People use the CONNECT method from inside a LAN to make SSL/HTTPS
Mike> connections through a proxy. I think it makes sense for proxies to
Mike> support the method by default, since browsing secure pages is very
Mike> common, but it shouldn't be accessible from outside the LAN.

Out of the box, Apache-based mod_proxy servers permit CONNECT to port
443 and 563 *only*, but can add additional ports or deny even those
ports. In my limited experience, almost *all* other firewall proxy
servers I've encountered seem to permit any-host/any-port from inside,
either through a bad default configuration, or perhaps bungling by the
admins. Kudos to Apache for getting it right again.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
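
The policy discussed in this thread (CONNECT only to ports 443 and 563, and only for clients inside the LAN) can be checked against a proxy's access log. The following is an added example, not part of the original message or of Apache; the Common Log Format layout, the 10.0.0.0/8 LAN range, and all sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed policy: the two default CONNECT ports named in the message, plus a hypothetical LAN range.
ALLOWED_PORTS = {443, 563}
LAN = ipaddress.ip_network("10.0.0.0/8")

# Assumed Common Log Format line whose request field is "CONNECT host:port HTTP/1.x".
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] '
    r'"CONNECT (?P<host>\[[^\]]+\]|[^\s:]+):(?P<port>\d+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) '
)

def audit_connect(lines, allowed_ports=ALLOWED_PORTS, lan=LAN):
    """Return (client, target, reasons) for accepted CONNECT tunnels that break the policy."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # not a CONNECT request, or the proxy already refused it
        port = int(m["port"])
        reasons = []
        if port not in allowed_ports:
            reasons.append(f"port {port} not in allowlist")
        try:
            if ipaddress.ip_address(m["client"]) not in lan:
                reasons.append("client outside LAN")
        except ValueError:
            reasons.append("client is not an IP address")
        if reasons:
            findings.append((m["client"], f'{m["host"]}:{port}', reasons))
    return findings

# Constructed sample log lines (documentation addresses and example domains).
SAMPLE_LOG = [
    '10.1.2.3 - - [21/Feb/2002:05:50:40 -0800] "CONNECT shop.example.com:443 HTTP/1.0" 200 0',
    '10.1.2.9 - - [21/Feb/2002:05:51:02 -0800] "CONNECT mail.example.net:25 HTTP/1.0" 200 0',
    '203.0.113.7 - - [21/Feb/2002:05:52:10 -0800] "CONNECT mail.example.net:25 HTTP/1.0" 200 0',
    '203.0.113.7 - - [21/Feb/2002:05:52:11 -0800] "CONNECT mail.example.net:25 HTTP/1.0" 403 0',
    '10.1.2.3 - - [21/Feb/2002:05:53:00 -0800] "GET http://www.example.com/ HTTP/1.0" 200 1234',
    '198.51.100.4 - - [21/Feb/2002:05:54:30 -0800] "CONNECT shop.example.com:443 HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    for client, target, reasons in audit_connect(SAMPLE_LOG):
        print(f"{client} -> {target}: {', '.join(reasons)}")
```

Only tunnels the proxy actually accepted (2xx status) are reported, so a correctly refused request such as the 403 line produces no finding.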


