On Monday 18 February 2008, Mick wrote:
> Hi All,
>
> I think that I have confused myself with this. I am behind a
> firewall/http proxy which seems to only allow outbound connections on
> ports 80 & 443 for web browsing. This is not enough for me, as I
> would like to use my mail client to send and receive mail from behind
> the firewall.
>
> I tried connecting to ssh servers which listen on different ports,
> besides tcp/22 and I was not successful. This is probably an
> indication that the internet gateway machine only accepts connections
> for packets that have a destination to ports 80 & 443.
>
> If the above is correct, am I right to assume that to be able to run a
> tunnel through this internet gateway I should run something like:
>
> ssh -L 2222:localhost:443 me@remote_sshd.com

This command still tries to contact the remote host on port 22, and is
blocked by the firewall.

IIUC, to exit the local firewall you should have the remote sshd listening
on port 443 or 80:

ssh -p 443 me@remote_sshd.com

Of course, the remote /etc/ssh/sshd_config must have "Port 443" (or 80).
If this works and you are able to actually connect to the remote ssh, you
can add local or remote port forwarding to this basic command.

So, as an example for email, you can do something like:

ssh -p 443 -L 2222:smtpserver:25 me@remote_sshd.com

and configure your mail client to send to localhost, port 2222.
Another alternative (depending upon how many ports you need to forward)
could be to use SOCKS.

> or are ssh packets somehow distinguishable by their headers, so that a
> cleverly crafted firewall will still identify them and drop them?

That depends. The block might be solely port-based, or the firewall might
very well be able to do deep packet inspection beyond the TCP port, and
recognize HTTP packets (as well as FTP, IRC, etc.), even if they use a
different port. However, I'm not sure how it would be able to look into
encrypted packets, like e.g. SSH or HTTPS packets (other than maybe
recognize that they are indeed SSH or HTTPS; it should not be able to
understand what's actually passing inside the flow, since the payloads
are encrypted). Such a firewall could however block SSH packets even if
they are destined to port 80 or 443 (since they are not HTTP traffic),
so the above commands would not work.
However, even with this kind of firewall you might still be able to
tunnel SSH inside HTTP, so that packets look like regular HTTP traffic
and can traverse the firewall.
A program for doing that is httptunnel (in portage).

Hope this helps.
--
gentoo-user@l.g.o mailing list
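The reply's distinction between a port-only filter and one that recognises the protocol regardless of port can be shown with a small first-bytes classifier of the kind a gateway would run. This is an added example, not code from the thread or from any firewall product; the port-to-protocol policy table and the sample flows are constructed assumptions.

```python
import re

# SSH identification string, RFC 4253 section 4.2: "SSH-protoversion-softwareversion ...".
SSH_BANNER = re.compile(rb"^SSH-\d+\.\d+-")
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

# Assumed policy: the protocol a port-only rule is *meant* to admit on each open port.
EXPECTED_PROTO = {22: "ssh", 80: "http", 443: "tls"}


def classify(first_bytes: bytes) -> str:
    """Classify a TCP stream from the first bytes the client sends."""
    if SSH_BANNER.match(first_bytes):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # two-byte length, then handshake type 0x01 (ClientHello) at offset 5.
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls"
    # SSH carried inside HTTP requests (the httptunnel approach) lands here:
    # a first-bytes check cannot tell it from ordinary web traffic.
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def check_flow(dst_port: int, first_bytes: bytes) -> tuple[str, bool]:
    """Return (protocol, mismatch); mismatch is True when a port the policy
    covers carries a protocol other than the one it was opened for."""
    proto = classify(first_bytes)
    expected = EXPECTED_PROTO.get(dst_port)
    return proto, expected is not None and proto != expected


def audit(flows):
    """Return (dst_port, protocol) for every flow whose protocol does not match its port."""
    flagged = []
    for port, data in flows:
        proto, bad = check_flow(port, data)
        if bad:
            flagged.append((port, proto))
    return flagged


if __name__ == "__main__":
    # Constructed sample flows: (destination port, first bytes sent by the client).
    SAMPLE_FLOWS = [
        (443, b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03"),  # constructed ClientHello prefix
        (443, b"SSH-2.0-OpenSSH_7.4\r\n"),                       # ssh -p 443, as in the thread
        (80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),  # ordinary web request
        (80, b"POST /tunnel HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),  # body could wrap anything
    ]
    for port, proto in audit(SAMPLE_FLOWS):
        print(f"port {port}: {proto} traffic where {EXPECTED_PROTO[port]} was expected")
```

Only the `ssh -p 443` flow is flagged; the HTTP-wrapped case passes, which is exactly why the reply says httptunnel can still traverse such a firewall.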