Re: SSH tunneling/port forwarding and stateful packet inspection

From: Richard E. Silverman (
Date: 02/26/04

Date: 25 Feb 2004 21:18:15 -0500

> My terminology is not mixed up. According to my packet trace, because I
> have reconfigured SSH to run over port 443 the trace shows it as SSL
> traffic.

You are mistaken. Your packet trace identifies the TCP connection as
carrying the SSL protocol simply because the destination port is 443,
which is the well-known port for HTTP over SSL. In other words, your
tracing tool is not inspecting the contents of the connection, merely
labelling it on the basis of the destination port -- which in this case is
misleading because you happen to be running an SSH server on the port
normally used for HTTPS.

> Of course the contents are encrypted. This is my whole conclusion why
> the stateful packet inspection capabilities of the firewall do not blow
> it going outbound. Because to it, it is just an SSL packet encapsulating
> SSH data, which of course is encrypted.

The data are indeed encrypted, but by SSH; there is no SSL connection
anywhere in this scenario. Also, even if it were not encrypted
(e.g. select the "none" cipher for the SSH connection), the port-forwarded
TCP connections would still not be blocked by the firewall, as the
forwarding is happening at an entirely different level, as I pointed out
in my last post.

  Richard Silverman