For instance, we need to open the outbound ports for HTTP, HTTPS,
IMAPS, POP3S, and SMTPS, but we need to ensure someone can't use
SSH/SFTP/FTP/WGET to remote server running on one those ports.
The OS is Solaris 10 (10/09) running IP Filter: v4.1.9 (592).
Any help would be greatly appreciated.
-- Agile
--
Enjoy global warming while it lasts.
Ok, now I get your point better.
I'm not sure how IPFilter can help you in this case - being that
it is a filtering firewall and a NAT service. Hopefully the other
list members can help out with this, Similar questions have
been raised over the past year, but I'm not sure they came to
certain conclusions.
You might take a look in direction of NAT proxy services, i.e.
an FTP proxy which inspects FTP traffic to dynamically open
additional (random) ports for data transfer.
There's also a "match" capability. If I'm not greatly mistaken
(which I can be), this feature allows to inspect several bytes
of the first packet of a new tracked connection (keep state).
For example, it would allow you to check that your new
connection is an HTTP request and reject binary SSH
traffic.
It would not forbid you to stream SSH over HTTP to an
applet, for example, or between a specially crafted
"HTTP-enabled" SSH client and server, but would
probably help against simple cases.
Likewise, I think HTTPS for example would look like any
other SSL channel, be that SSH or SMTPS or OpenVPN,
so you wouldn't find it easy to differentiate that.
--
+============================================================+
| |
| Климов Евгений, Jim Klimov |
| технический директор CTO |
| ЗАО "ЦОС и ВТ" JSC COS&HT |
| |
| +7-903-7705859 (cellular) mailto:jimk...@cos.ru |
| CC:ad...@cos.ru,jimk...@mail.ru |
+============================================================+
| () ascii ribbon campaign - against html mail |
| /\ - against microsoft attachments |
+============================================================+