Re: SSH tunneling/port forwarding and stateful packet inspection
From: Richard E. Silverman (res_at_qoxp.net)
Date: 25 Feb 2004 21:18:15 -0500
> My terminology is not mixed up. According to my packet trace, because I
> have reconfigured SSH to run over port 443 the trace shows it as SSL
You are mistaken. Your packet trace identifies the TCP connection as
carrying the SSL protocol simply because the destination port is 443,
which is the well-known port for HTTP over SSL. In other words, your
tracing tool is not inspecting the contents of the connection, merely
labelling it on the basis of the destination port -- which in this case is
misleading because you happen to be running an SSH server on the port
normally used for HTTPS.
> Of course the contents are encrypted. This is my whole conclusion why
> the stateful packet inspection capabilities of the firewall do not blow
> it going outbound. Because to it, it is just an SSL packet encapsulating
> SSH data, which of course is encrypted.
The data are indeed encrypted, but by SSH; there is no SSL connection
anywhere in this scenario. Also, even if it were not encrypted
(e.g. select the "none" cipher for the SSH connection), the port-forwarded
TCP connections would still not be blocked by the firewall, as the
forwarding is happening at an entirely different level, as I pointed out
in my last post.
-- Richard Silverman email@example.com
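As a defender's check on the point made above (the tracer labels a port-443 flow "SSL" without looking at the payload), here is an added example, not part of the original post, that classifies a flow from its first payload bytes: an SSH identification string versus a TLS ClientHello record header. The helper names and sample payloads are constructed, not captured traffic.

```python
"""Identify the application protocol from the first bytes of a TCP
payload instead of trusting the destination port (hypothetical helper,
not code from the original thread)."""

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01   # handshake message type: ClientHello


def identify_protocol(payload: bytes) -> str:
    """Return 'ssh', 'tls' or 'unknown' using the payload content only."""
    # SSH (RFC 4253): the first thing on the wire is the identification
    # string "SSH-protoversion-softwareversion", sent in cleartext even
    # when the session itself will be encrypted afterwards.
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS/SSL: record header = type 0x16, version 0x03 0x0X, 2-byte length,
    # then the handshake message type (0x01 = ClientHello) at offset 5.
    if (len(payload) >= 6
            and payload[0] == TLS_HANDSHAKE
            and payload[1] == 0x03 and payload[2] <= 0x04
            and payload[5] == TLS_CLIENT_HELLO):
        return "tls"
    return "unknown"


def label_flow(dst_port: int, payload: bytes) -> dict:
    """Compare the port-based guess (what the tracer did) to the content."""
    port_guess = {22: "ssh", 443: "tls"}.get(dst_port, "unknown")
    content = identify_protocol(payload)
    return {"port_label": port_guess,
            "content_label": content,
            "mismatch": port_guess != content}


# Constructed sample payloads (not real captures).
SSH_ON_443 = b"SSH-2.0-OpenSSH_3.7.1p2\r\n"
TLS_ON_443 = (bytes([0x16, 0x03, 0x01, 0x00, 0xC5,   # record header
                     0x01, 0x00, 0x00, 0xC1,          # ClientHello header
                     0x03, 0x03])                     # client version
              + b"\x00" * 32)                         # client random

if __name__ == "__main__":
    for name, data in (("ssh-on-443", SSH_ON_443), ("tls-on-443", TLS_ON_443)):
        print(name, label_flow(443, data))
```

A flow flagged `mismatch: True` on port 443 is the case from the thread: SSH traffic that a port-based label would report as SSL.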