Bugtraq mailing list archives

Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall]

From: merlyn () stonehenge com (Randal L. Schwartz)
Date: 21 Feb 2002 05:50:40 -0800

"Mike" == Mike Benham <moxie () thoughtcrime org> writes:


Mike> People use the CONNECT method from inside a LAN to make SSL/HTTPS
Mike> connections through a proxy.  I think it makes sense for proxies to
Mike> support the method by default, since browsing secure pages is very
Mike> common, but it shouldn't be accessable from outside the LAN.

Out of the box, Apache-based mod_proxy servers permit CONNECT to port
443 and 563 *only*, but can add additional ports or deny even those
ports.  In my limited experience, almost *all* other firewall proxy
servers I've encountered seem to permit any-host/any-port from inside,
either through a bad default configuration, or perhaps bungling by the
admins.  Kudos to Apache for getting it right again.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn () stonehenge com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

Current thread:

UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] William D. Colburn (aka Schlake) (Feb 19)
- Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] Dennis Henderson (Feb 19)
- UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] Steve VanDevender (Feb 20)
  - Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] Mike Benham (Feb 20)
    - Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] Randal L. Schwartz (Feb 21)
  - Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] Jason Haar (Feb 21)
  - Re: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint firewall] Ronald F. Guilmette (Feb 21)