[Cialug] Question about ssh over ssl and clever firewalls.

Don Cady cialug@cialug.org
Fri, 21 Jan 2005 11:39:36 -0600


> True indeed.  I'm not purporting that this is a standard or even common 
> thing -- just possible.  Taking the path of least resistance, most 
> ultra-paranoid net admins would likely just whitelist all their "trusted" 
> ssl sites, thus negating the need for a firewall rule like this.  If 
> you're trying to run an ssh connection over ssl and you aren't on the 
> "trusted" list. . .
>
> It would be interesting to see what such a firewall rule would do in a 
> production environment.  Would there be false negatives, so to speak, on 
> legitimate ssl connections?  Might be a good topic to explore at the next 
> meeting if anyone is interested.  Set up a firewall, craft some rules and 
> have lug members try to hit a gaggle of ssl sites through it.
>
> later,
> kristau

It'd need to be a real gaggle of sites, and even then it wouldn't be 
'production', as some of these places discussed could have inter-business 
SSL connections (as well as ssh, vpn, etc.) between them. That said, I'd love 
to see it. It's another thing I haven't yet dived deep enough into in Linux.

Don