[otterley]

Not needing a different port. Middleboxes sometimes block ssh on nonstandard ports. Also, to preserve the alignment between the SSH hostname and the web service hostname, as though the user was accessing a single host at a single public address. Usability is key for them.

[Dylan16807]

Why would anyone configure it to do that?

Like, I understand the really restrictive ones that only allow web browsing. But why allow outgoing ssh to port 22 but not other ports? Especially when port 22 is arguably the least secure option. At that point let people connect to any port except for a small blacklist.

[josephcsible]

Middlebox operators aren't known for making reasonable or logical decisions.

[9dev]

Asking back, when I limit the outgoing connections from a network, why would I account for any nonstandard port and make the ruleset unwieldy, just in case someone wanted to do something clever?

[Dylan16807]

A simple ruleset would only block a couple dangerous ports and leave everything else connectable. Whitelisting outgoing destination ports is more complicated and more annoying to deal with for no benefit. The only place you should be whitelisting destination ports is when you're looking at incoming connections.

[9dev]

I definitely block outgoing ports on all our servers by default; Established connections, HTTP(S), DNS, NTP, plus infra-specific rules. There is really no legitimate reason to connect to anything else. The benefit is defence against exfiltration.

[Dylan16807]

If you're allowing direct https out, how are you stopping exfiltration?

Maybe https is routed through a monitoring proxy, but in the situation of allowing ssh the ssh wouldn't be going though one. So I still don't see the point of restricting outgoing ports on a machine that's allowed to ssh out.

[9dev]

You can't, reasonably. It's just a heuristic against many exploits using non-standard ports to avoid detection by proxies or traffic inspection utilities.

[otterley]

I’m not a network security expert, so I don’t know the threat model. I just know that this is a thing companies do sometimes.

[Charon77]

They don't want each vm to have different public IP

[gsich]

Middleboxes are not relevant in this scenario.

[otterley]

Uh, why not? Unless your SSH client is on the same network as theirs, there are going to be middleboxes somewhere in the path.

[gsich]

Because your ISP should (and most do not) alter traffic.

[otterley]

But you’re not considering the many business environments that do.

[gsich]

I don't because that would be impossible. Every business has different rules. But if you (as a business) want to to use this, you will find a way to make the changes to those "middleboxes". It's not your network, it's your business's network.

[otterley]

Large multi-national corporations, by way of their sheer size, tend to force their vendors to bend towards their needs, not to adapt to meet their vendors' unusual networking requirements.