Re: SSH tunneling/port forwarding and stateful packet inspection

From: Richard E. Silverman (
Date: 02/26/04

Date: 25 Feb 2004 21:18:15 -0500

> My terminology is not mixed up. According to my packet trace, because I
> have reconfigured SSH to run over port 443 the trace shows it as SSL
> traffic.

You are mistaken. Your packet trace identifies the TCP connection as
carrying the SSL protocol simply because the destination port is 443,
which is the well-known port for HTTP over SSL. In other words, your
tracing tool is not inspecting the contents of the connection, merely
labelling it on the basis of the destination port -- which in this case is
misleading because you happen to be running an SSH server on the port
normally used for HTTPS.

> Of course the contents are encrypted. This is my whole conclusion why
> the stateful packet inspection capabilities of the firewall do not blow
> it going outbound. Because to it, it is just an SSL packet encapsulating
> SSH data, which of course is encrypted.

The data are indeed encrypted, but by SSH; there is no SSL connection
anywhere in this scenario. Also, even if it were not encrypted
(e.g. select the "none" cipher for the SSH connection), the port-forwarded
TCP connections would still not be blocked by the firewall, as the
forwarding is happening at an entirely different level, as I pointed out
in my last post.

  Richard Silverman
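As an added example (not part of this thread or its authors' code), a small Python classifier that labels a TCP stream two ways: the way the tracer described above does, by destination port, and by the first bytes the client sends. The sample streams are constructed; an SSH banner sent to port 443 is labelled "SSL/TLS" by port but "SSH" by content.

```python
# Added example: port-based vs content-based protocol labelling.
# Sample payloads below are constructed for illustration.

# The well-known-port table a port-based tracer effectively consults.
PORT_LABELS = {22: "SSH", 80: "HTTP", 443: "SSL/TLS"}


def label_by_port(dst_port: int) -> str:
    """Mimic a tracer that names a TCP stream purely from its destination port."""
    return PORT_LABELS.get(dst_port, "unknown")


def label_by_content(first_bytes: bytes) -> str:
    """Name a TCP stream from the first bytes the client sends.

    SSH: the cleartext identification string "SSH-protoversion-softwareversion"
         (RFC 4253), sent before any encryption is negotiated.
    TLS: a record-layer header, content type 0x16 (handshake) and
         version 0x03 0x00..0x04 (SSL 3.0 through TLS 1.3 record versions).
    HTTP: a request line that starts with a method token.
    """
    if first_bytes.startswith(b"SSH-"):
        return "SSH"
    if (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04):
        return "SSL/TLS"
    method = first_bytes.split(b" ", 1)[0]
    if method in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"):
        return "HTTP"
    return "unknown"


def classify(dst_port: int, first_bytes: bytes) -> dict:
    """Return both labels and whether the port-based guess disagrees with the content."""
    by_port = label_by_port(dst_port)
    by_content = label_by_content(first_bytes)
    return {"by_port": by_port, "by_content": by_content,
            "mismatch": by_port != by_content}


# Constructed sample streams: SSH running on 443, a real TLS ClientHello on 443.
SSH_ON_443 = (443, b"SSH-2.0-sample_sshd\r\n")
TLS_ON_443 = (443, bytes([0x16, 0x03, 0x01, 0x00, 0xC5, 0x01]))

if __name__ == "__main__":
    for port, payload in (SSH_ON_443, TLS_ON_443):
        print(port, classify(port, payload))
```

The content check only works because the SSH identification string is exchanged in the clear before key exchange; once the session is encrypted, nothing further in the stream distinguishes forwarded TCP connections from the rest, which is the point made in the post.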
