On Thu, Aug 12, 2010 at 8:13 PM, Cinaed Simson <[email protected]> wrote:
> On 08/12/2010 03:44 PM, Tim Dickson wrote:
>>> I don't know the IP addresses of the SSH servers on the Internet.
>>
>> Then only allow to the SSH servers you know/want? You can go either way...
>> block all and allow only certain IPs
>> Or allow all, and block certain IPs
>> On 2.0 you can block by OS type too...
>>
> I need to block all outbound SSH client connections to the Internet on
> all open outbound ports without interfering with the normal function of
> those ports.
>
Then you either need to start working with the L7 bits in 2.0 (offhand not sure what kind of shape that's in at the moment) for protocol detection, or force all outbound traffic to go through a proxy server that enforces protocols. There is nothing in 1.2.x that can differentiate between IMAP on 143 and SSH on 143.

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Commercial support available - https://portal.pfsense.org
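Added example, not from this thread or from the pfSense project: the kind of application-layer check an enforcing proxy or L7 filter needs in order to tell SSH from IMAP on the same port, keyed on the SSH identification string (RFC 4253) and the IMAP server greeting (RFC 3501). The per-port policy table and the sample captures are constructed for the example.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion [SP comments] CR LF".
# The client MUST send it first; a server MAY precede it with other lines,
# so match at any line start in the first bytes of either direction.
SSH_IDENT = re.compile(rb"(?m)^SSH-[12]\.[0-9]+-[\x21-\x7e]+(?: [^\r\n]*)?\r?$")
# RFC 3501 section 7.1: an IMAP server greets with an untagged OK, PREAUTH or BYE.
IMAP_GREETING = re.compile(rb"\A\* (?:OK|PREAUTH|BYE)\b")

# Assumed egress policy: which protocol each open outbound port is allowed to carry.
EXPECTED = {143: "imap"}


def classify(client_first: bytes, server_first: bytes) -> str:
    """Classify a TCP stream from the first bytes each side sent: 'ssh', 'imap' or 'unknown'."""
    # An SSH identification string from either side means an SSH session, whatever the port.
    if SSH_IDENT.search(client_first) or SSH_IDENT.search(server_first):
        return "ssh"
    # IMAP is server-speaks-first, so the greeting alone identifies it.
    if IMAP_GREETING.match(server_first):
        return "imap"
    return "unknown"


def egress_verdict(dst_port: int, client_first: bytes, server_first: bytes) -> str:
    """Allow only when the detected protocol is the one the port is open for; SSH is never allowed."""
    proto = classify(client_first, server_first)
    if proto == "ssh":
        return "deny"
    if EXPECTED.get(dst_port) == proto:
        return "allow"
    return "deny"  # unknown protocol or a port/protocol mismatch


# Constructed sample captures: an SSH client hiding on 143, and a real IMAP session on 143.
SSH_ON_143 = (b"SSH-2.0-OpenSSH_5.5\r\n", b"SSH-2.0-OpenSSH_5.5\r\n")
IMAP_ON_143 = (b"a001 CAPABILITY\r\n", b"* OK IMAP4rev1 server ready\r\n")

if __name__ == "__main__":
    for name, capture in (("ssh on 143", SSH_ON_143), ("imap on 143", IMAP_ON_143)):
        print(name, "->", classify(*capture), egress_verdict(143, *capture))
```

A port-only rule in 1.2.x sees both captures as identical TCP/143 flows; the banner check is what separates them.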
