On Thu, Aug 12, 2010 at 16:29, Cinaed Simson <[email protected]> wrote:
> Hi - suppose the office LAN has one open outbound port - say IMAP on
> port 143.
>
> I go home and configure my Linux desktop to run an SSH server on port 143.
>
> Now I return to the office and attempt to connect to my machine at home
> via port 143.
>
> Can pfsense be configured to stop the outbound SSH connection on port 143?
It's just a war of escalation. You can do layer-7 filtering to pick off basic abuses like this, but what if someone's really determined and writes an IMAP-based transport for their shell? The standard IMAP port supports switching to an encrypted mode post-connection. My personal favorite was the shell that used a custom SMTP transport layer - that one was nasty. Don't forget IP-over-DNS either. :)

Pretty much any port you allow out (or even SSL websites) raw will have this problem and you'll never reach 100% closure. You can approximate 100% with application proxies that monitor for and cut off aberrant behavior, but they'll never be perfect.
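As an added illustration, written for this page rather than taken from the thread or from pfSense, here is what the basic layer-7 check the reply mentions looks like for port 143: it validates the first line each side sends against the IMAP greeting/command shape, flags a raw SSH banner, and records the two blind spots the reply points out, STARTTLS (after which the stream is opaque) and a tunnel that speaks conformant IMAP. The sample captures are constructed.

```python
# Added example (not from the thread or from pfSense): a minimal layer-7
# conformance check for a tcp/143 session, run over constructed captures of
# the first data each side sent. Raw SSH on 143 is caught; STARTTLS and an
# IMAP-conformant covert transport are not, by design.
import re

SSH_BANNER = re.compile(rb"^SSH-\d\.\d+-")               # e.g. "SSH-2.0-OpenSSH_5.5"
IMAP_GREETING = re.compile(rb"^\* (OK|PREAUTH|BYE)\b")   # RFC 3501 server greeting
IMAP_COMMAND = re.compile(rb"^[A-Za-z0-9]+ [A-Za-z]+")   # e.g. "a001 CAPABILITY"


def first_line(stream: bytes) -> bytes:
    """Return the first line of one captured direction, without the line end."""
    return stream.split(b"\r\n", 1)[0].split(b"\n", 1)[0]


def classify_session(server_bytes: bytes, client_bytes: bytes) -> str:
    """Verdict for one tcp/143 session from the first bytes each side sent.

    'ssh-on-143'     : an SSH banner appeared on the port reserved for IMAP.
    'imap-then-tls'  : valid IMAP, then STARTTLS; everything after is opaque.
    'imap'           : looks like IMAP so far (a conformant tunnel still passes).
    'non-conformant' : neither protocol recognised; a proxy would cut this off.
    """
    srv, cli = first_line(server_bytes), first_line(client_bytes)
    if SSH_BANNER.match(srv) or SSH_BANNER.match(cli):
        return "ssh-on-143"
    if IMAP_GREETING.match(srv) and IMAP_COMMAND.match(cli):
        # Only the early plaintext client lines can reveal the STARTTLS command.
        if re.search(rb"^[A-Za-z0-9]+ STARTTLS\b", client_bytes, re.M | re.I):
            return "imap-then-tls"
        return "imap"
    return "non-conformant"


# Constructed sample captures: the scenario from the thread plus three controls.
SAMPLES = {
    "home-ssh-on-143": (b"SSH-2.0-OpenSSH_5.5p1 Debian-6\r\n",
                        b"SSH-2.0-OpenSSH_5.5p1\r\n"),
    "real-imap":       (b"* OK IMAP4rev1 server ready\r\n",
                        b"a001 CAPABILITY\r\n"),
    "imap-starttls":   (b"* OK IMAP4rev1 server ready\r\n",
                        b"a001 CAPABILITY\r\na002 STARTTLS\r\n"),
    "unknown-binary":  (b"\x16\x03\x01\x00\xa5", b"\x00\x00\x01"),
}


def audit(samples=SAMPLES) -> dict:
    """Classify every sample; a firewall or proxy rule would act on the verdicts."""
    return {name: classify_session(s, c) for name, (s, c) in samples.items()}
```

Calling `audit()` returns one verdict per sample; only the `ssh-on-143` and `non-conformant` verdicts are ones a filter can act on with confidence, which is the reply's point.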
