Gordon Messmer wrote:

>Right. That's why I suggested allowing outbound SSH only from a few
>trusted hosts. 'Trusted' in this case means that they are controlled by
>the network admins, and not their users. Anyone who needs to ssh out
>gets an account on a trusted host, and can use the ssh there provided.
>No TCP tunnels are allowed by the ssh or sshd on those hosts.

That's a help, but are you similarly able (administratively speaking)
to restrict destination IPs on all other ports? Otherwise, any
workstation could do the same thing on a different port, of course.
Restricting 80 in this way would make web browsing awfully difficult,
but it's the only way to stop it, unless all users are on rigidly
controlled workstations with noexec home directories ...

-d

--
David Talkington
PGP key: http://www.prairienet.org/~dtalk/0xCA4C11AD.pgp

_______________________________________________
Redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list
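An added example, not part of the original message or written by either poster: a small egress-policy audit that makes the gap discussed above visible. The rule format, the first-match/default-drop model, and every address and policy here are constructed assumptions.

```python
import ipaddress

ANY = "0.0.0.0/0"
LAN = "10.0.0.0/24"            # constructed workstation network
TRUSTED = "10.0.0.5/32"        # constructed admin-controlled SSH host
APPROVED = "198.51.100.0/24"   # constructed allowlist of web destinations

def rule(src, dst, dport, action):
    return {"src": src, "dst": dst, "dport": dport, "action": action}

# Policy A: outbound SSH limited to the trusted host, web ports left open.
SSH_ONLY = [
    rule(TRUSTED, ANY, 22, "accept"),
    rule(LAN, ANY, 22, "drop"),
    rule(LAN, ANY, 80, "accept"),
    rule(LAN, ANY, 443, "accept"),
]

# Policy B: destination restrictions applied to the other ports as well.
ALL_PORTS = [
    rule(TRUSTED, ANY, 22, "accept"),
    rule(LAN, APPROVED, 80, "accept"),
    rule(LAN, APPROVED, 443, "accept"),
]

def first_match(rules, src, dst, dport):
    """Action of the first rule matching the flow; unmatched flows are dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r["src"])
                and d in ipaddress.ip_network(r["dst"])
                and dport == r["dport"]):
            return r["action"]
    return "drop"

def open_egress_ports(rules, src, probe_dst="203.0.113.7"):
    """Ports on which `src` can reach an arbitrary, non-allowlisted address."""
    ports = sorted({r["dport"] for r in rules})
    return [p for p in ports if first_match(rules, src, probe_dst, p) == "accept"]

if __name__ == "__main__":
    for name, policy in (("SSH_ONLY", SSH_ONLY), ("ALL_PORTS", ALL_PORTS)):
        for host in ("10.0.0.50", "10.0.0.5"):
            print(name, host, open_egress_ports(policy, host))
```

Under policy A an ordinary workstation still reaches any destination on 80 and 443; under policy B only the trusted host's port 22 remains open to arbitrary addresses.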