Telnet shouldn't be tunneled through SSH. SSH replaces the use of
telnet. See: http://www.employees.org/~satch/ssh/faq/

Almost anything can be tunneled across SSH, if you want to write the
code to do it; what's more important is the services that can be
connected to. For instance if you are tunneling out onto the net from
behind a firewall on a private network then you can tunnel whatever
service you can connect to. If you are thinking of letting the
connection run from the internet through a 'hole' in your firewall to a
specific server then it's a matter of the services that are available.

For instance I can tunnel PPP across a telnet session, if I so desire,
to fake a point of presence the other side of a firewall that allows
telnet to a specific server, but nothing else. Used cleverly I could
then use this to route netbios packets that are running on TCP/IP back
onto a machine outside the firewall, for logging onto your local machines.

The trick is restricting what tools are available on the server the user
is connecting to. (i.e., make sure pppd isn't executable, or kermit, or
any file transfer facilities, if you want to stop file transfer). This is
especially true if you are making available console access to a server
on a private network behind a firewall.

Check out Practical Unix & Internet Security by Garfinkel & Spafford
(O'Reilly : http://www.ora.com) which points out a lot about this potential.

d.

Saxo Saxo wrote:
> 
> Hello,
> 
> We are thinking of tunneling Telnet and/or VNC through SSH across a firewall. One
> of the questions I have is as follows:
> once SSH is allowed through a firewall, how can you restrict what is being tunneled
> through it? Let's say I only want Telnet tunneled. I am advised that once you open up
> the tunnel, any protocol can flow through it and I would have no way of blocking that.
> 
> Ideas, insights, recommendations, white papers, websites about tunneling are all
> welcome.
> 
> Thanks a lot.
> 
> Saxo
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]

-- 
Dorian Moore is property of Kleber Design Ltd. If found please contact Kleber
by phone on +44 207 581 1362 or visit http://www.kleber.net for further details.
You really shouldn't listen to anything he says... as it may just be an opinion
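
The check described in the reply above (make sure pppd, kermit and file transfer tools are not executable on the host users log in to), written as an added example that is not part of the original post. Only pppd and kermit are named in the post; the other entries in the tool list are assumptions to adapt to the host being audited.

```shell
#!/bin/sh
# Added example: list tools on a restricted login host that could carry
# another protocol or move files over an allowed session.
# pppd and kermit come from the post; the remaining names are assumed
# examples of "file transfer facilities".
TUNNEL_TOOLS="pppd kermit ftp tftp scp sftp rcp sz rz"

# find_tunnel_tools [DIRS]
#   DIRS is a colon-separated search path (defaults to $PATH).
#   Prints one path per listed tool that the calling user can execute,
#   so run it as the restricted account, not as root.
find_tunnel_tools() {
    search=${1:-$PATH}
    old_ifs=$IFS
    set -f                  # no globbing while the path is split
    IFS=:
    set -- $search          # one positional parameter per directory
    IFS=$old_ifs
    set +f
    for dir in "$@"; do
        [ -d "$dir" ] || continue       # skip empty or missing entries
        for tool in $TUNNEL_TOOLS; do
            candidate=$dir/$tool
            # -f: regular file (symlinks followed); -x: executable by us
            if [ -f "$candidate" ] && [ -x "$candidate" ]; then
                printf '%s\n' "$candidate"
            fi
        done
    done
}

# When given a search path as the first argument, audit it directly.
if [ "$#" -gt 0 ]; then
    find_tunnel_tools "$1"
fi
```

Empty output means none of the listed tools is executable by the account that ran the check; anything printed is a candidate for removal or a permission change.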
