[24369] in bugtraq


Re: UPDATE: [wcolburn@nmt.edu: SMTP relay through checkpoint firewall]

daemon@ATHENA.MIT.EDU (Randal L. Schwartz)
Thu Feb 21 20:20:14 2002

To: Mike Benham <moxie@thoughtcrime.org>
Cc: Steve VanDevender <stevev@hexadecimal.uoregon.edu>,
        "William D. Colburn (aka Schlake)" <wcolburn@nmt.edu>,
        <bugtraq@securityfocus.com>, Dan Lunceford <dan@nmt.edu>,
        Ryan <ryan@nmt.edu>, <support@aquilagroup.com>,
        Madeline Navarrette <mnavarre@ts.checkpoint.com>
From: merlyn@stonehenge.com (Randal L. Schwartz)
Date: 21 Feb 2002 05:50:40 -0800
In-Reply-To: <Pine.BSO.4.33.0202191447560.21860-100000@moxie.thoughtcrime.org>
Message-ID: <m1wux754gf.fsf@halfdome.holdit.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

>>>>> "Mike" == Mike Benham <moxie@thoughtcrime.org> writes:

Mike> People use the CONNECT method from inside a LAN to make SSL/HTTPS
Mike> connections through a proxy.  I think it makes sense for proxies to
Mike> support the method by default, since browsing secure pages is very
Mike> common, but it shouldn't be accessible from outside the LAN.

Out of the box, Apache-based mod_proxy servers permit CONNECT to port
443 and 563 *only*, but can add additional ports or deny even those
ports.  In my limited experience, almost *all* other firewall proxy
servers I've encountered seem to permit any-host/any-port from inside,
either through a bad default configuration, or perhaps bungling by the
admins.  Kudos to Apache for getting it right again.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
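The point above (Apache's mod_proxy answers CONNECT only for ports 443 and 563 unless AllowCONNECT says otherwise, while many other proxies relay any host and any port) is easy to check rather than assume. The following is an added example, not code from Randal's post, from Apache, or from any vendor named in this thread. It models the two policies in a tiny in-process stand-in proxy (FakeProxy, a constructed fake, not a real product) and probes it the same way you would probe a real proxy: send a CONNECT for a target port and look at the status line. Run the probe against the proxy you are auditing, and a 200 for port 25 on a host you do not control means the box is an SMTP relay. The host mail.example.com and the port list are placeholders.

```python
import socket
import threading

# Ports Apache's mod_proxy permits for CONNECT out of the box (AllowCONNECT 443 563).
DEFAULT_ALLOW_CONNECT = {443, 563}


def parse_connect(request_line: bytes):
    """Return (host, port) from a 'CONNECT host:port HTTP/1.x' request line, else None."""
    parts = request_line.decode("ascii", "replace").split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host, int(port)


def connect_decision(request_line: bytes, allowed_ports=DEFAULT_ALLOW_CONNECT) -> int:
    """Status a port-allow-list proxy answers with. allowed_ports=None models an
    any-host/any-port proxy (the bad default the thread complains about)."""
    target = parse_connect(request_line)
    if target is None:
        return 400
    if allowed_ports is None or target[1] in allowed_ports:
        return 200
    return 403


class FakeProxy:
    """Constructed stand-in for a proxy's CONNECT handling, bound to a free localhost port.
    It only answers the status line; a real proxy would then tunnel bytes on 200."""

    REASONS = {200: "Connection Established", 400: "Bad Request", 403: "Forbidden"}

    def __init__(self, allowed_ports):
        self.allowed_ports = allowed_ports
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.sock.settimeout(0.2)  # lets the accept loop notice close()
        self.port = self.sock.getsockname()[1]
        self.running = True
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while self.running:
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            with conn:
                conn.settimeout(5)
                first_line = conn.recv(4096).split(b"\r\n", 1)[0]
                status = connect_decision(first_line, self.allowed_ports)
                conn.sendall(f"HTTP/1.0 {status} {self.REASONS[status]}\r\n\r\n".encode())

    def close(self):
        self.running = False
        self.sock.close()


def probe_connect(proxy_host, proxy_port, target_host, target_port, timeout=5.0) -> int:
    """Send one CONNECT through the proxy and return the status code in its reply."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(f"CONNECT {target_host}:{target_port} HTTP/1.0\r\n\r\n".encode())
        reply = s.recv(4096)
    status_line = reply.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return int(status_line.split()[1])


def audit_proxy(proxy_host, proxy_port, target_host, ports) -> dict:
    """Map each candidate port to the proxy's CONNECT status. 200 on anything but a
    TLS port (25 for SMTP in this thread) means the proxy is an open relay."""
    return {p: probe_connect(proxy_host, proxy_port, target_host, p) for p in ports}


if __name__ == "__main__":
    # Constructed demo: Apache-style allow-list versus an any-port proxy.
    for label, policy in (("apache-default", DEFAULT_ALLOW_CONNECT), ("any-port", None)):
        proxy = FakeProxy(policy)
        print(label, audit_proxy("127.0.0.1", proxy.port, "mail.example.com", [25, 443, 563, 8080]))
        proxy.close()
```

Against a real proxy, replace the FakeProxy with the proxy's address in audit_proxy and use a target host outside your network; the decision logic in connect_decision is the policy you want your own proxy to enforce, whether through AllowCONNECT or the equivalent on another product.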
