| 1 |
On Monday 18 February 2008, Mick wrote: |
| 2 |
> Hi All, |
| 3 |
> |
| 4 |
> I think that I have confused myself with this. I am behind a |
| 5 |
> firewall/http proxy which seems to only allow outbound connections on |
| 6 |
> ports 80 & 443 for web browsing. This is not enough for me, as I |
| 7 |
> would like to use my mail client to send and receive mail from behind |
| 8 |
> the firewall. |
| 9 |
> |
| 10 |
> I tried connecting to ssh servers which listen on different ports, |
| 11 |
> besides tcp/22 and I was not successful. This is probably an |
| 12 |
> indication that the internet gateway machine only accepts connections |
| 13 |
> for packets that have a destination to ports 80 & 443. |
| 14 |
> |
| 15 |
> If the above is correct, am I right to assume that to be able to run |
| 16 |
> a tunnel through this internet gateway I should run something like: |
| 17 |
> |
| 18 |
> ssh -L 2222:localhost:443 me@remote_sshd.com |
| 19 |
|
| 20 |
Yup, that's pretty much it. Essentially you have set up a tunnel from |
| 21 |
port 2222 on the local machine (the exact port is irrelevant for |
| 22 |
firewall purposes, it's mostly random in normal connections anyway) to |
| 23 |
port 443 on remote_sshd.com. |
| 24 |
|
| 25 |
Hopefully you have control over that remote host and now you can do |
| 26 |
anything you feel like from there, bypassing probably hours of work by |
| 27 |
some firewall admin <evil grin> |
| 28 |
|
| 29 |
Which all goes to show the utter futility out firewalling outbound |
| 30 |
connections from anyone with clue > 0. Unless of course ... |
| 31 |
|
| 32 |
> or are ssh packets somehow distinguishable by their headers, so that |
| 33 |
> a cleverly crafted firewall will still identify them and drop them? |
| 34 |
|
| 35 |
There are such products around, called names like Level 7 firewalls etc. |
| 36 |
They look inside packets and try to deduce what's being transported. |
| 37 |
HTML traffic is easy, just look for appropriate URLs. https is less so, |
| 38 |
to the best of my knowledge https traffic looks a whole lot like ssh, |
| 39 |
as they are basically wrapped in the same layer. The essential |
| 40 |
difference is the remote port number. |
| 41 |
|
| 42 |
Try the above and see what happens |
| 43 |
|
| 44 |
-- |
| 45 |
Alan McKinnon |
| 46 |
alan dot mckinnon at gmail dot com |
| 47 |
|
| 48 |
-- |
| 49 |
gentoo-user@l.g.o mailing list |
Archives