is there hope?... was Re: Re: [ale] ssh -D : the Coolest ssh trick yet.

Christopher Fowler cfowler at outpostsentinel.com
Thu Mar 20 09:52:24 EST 2003


I was faced with the same situation when one of our guys did a remote
install and needed support.  I wanted true unblocked network access to
the embedded device. 

Before he went out, I had the question "If he needs support, how can I
make a connection from here into there via their firewall".  Their
firewall allowed connections from their network to the outside but not
the other way around.

Our device has pppd.  So does my firewall and all my linux boxes.  What
I did was to write a short C program that would use any port specified
on the command line + a pseudo tty and tunnel the ppp.  After I
initiated the server process, he initiated the client.  When it was
over, I had full web, ssh, telnet, snmp, tftp, etc... access to that
device from here.  Just by tunneling through port 80 of the firewall.

The benefit to this method is that if you have a home network and Linux
at your location, you can tunnel too and become a part of your home
network.

Even though the C program was a hack to help him out, I've used it every
day since then to connect our 2 networks together.  The tunnel is not
encrypted, so I try to use encrypted protocols whenever I can.  But I
could have easily used stunnel for that.  Just have not got around to
it.  I would suggest using it.  stunnel is a good product.


On Thu, 2003-03-20 at 09:35, Robert L. Harris wrote:
> 
> 
> Turn off ftp (ports 20 and 21) on your home machine and configure SSH to
> listen on port 21 as well with the Port directive in
> /etc/ssh/sshd_config.  Then just "ssh -p 21 ..."
> 
> 
> Thus spake Jason Vinson (jason.vinson at mindspring.com):
> 
> > I am working on a contract in a pretty tight environment.  I have found ports 20, 21, and 80 open for incoming and outgoing, and I want to log into my home machine via ssh.  I can't do a standard ssh on port 22 because it's not open for outgoing or incoming connections, and my home machine only has 22 and 80 forwarded to a linux box on my network.  How can I log into home with this firewall in my way using ssh?  Is there hope?
> > 
> > TIA,
> > Jason
> > 
> > 
> > -------Original Message-------
> > From: "Robert L. Harris" <Robert.L.Harris at rdlg.net>
> > Sent: 03/20/03 09:19 AM
> > To: ale at ale.org
> > Subject: Re: [ale] ssh -D : the Coolest ssh trick yet.
> > 
> > > 
> > > 
> > 
> > WAIT!!!!  Useful Linux related information that's not blatantly WAY off
> > topic or politically motivated on the ALE list?????  MY GOD what is
> > going on!!!!
> > 
> > 
> > On a more serious note, great info, it's been archived :>
> > 
> > Thanks,
> >   Robert
> > 
> > Thus spake David Bronson (dbron at roman.net):
> > 
> > > Thanks John (and Jason),
> > > 
> > > I use ssh daily but I haven't used the -D switch. You both should get an
> > > Ale gift certificate or something valuable like that.
> > > 
> > > On Thu, Mar 20, 2003 at 09:08:29AM -0500, John Wells wrote:
> > > > In response to a question of mine awhile back, Jason Day pointed out the
> > > > -D flag to ssh, which allows ssh to function as a Socks v4 proxy.
> > > > 
> > > > Just wanted to forward this to the group, in case anyone missed it.  It
> > > > has to be the coolest trick I've learned this year.  It essentially
> > > > allows you to bypass any firewall or web filtering software (at least
> > > > for those applications that support Socks v4 proxies).
> > > > 
> > > > So, for two years now I've been unable to do certain things from work
> > > > because they required access via a web browser to uncommon port numbers
> > > > (6801, etc.) that are blocked by our company's firewall.  I've also been
> > > > wary that Big Brother watches everything I do online here at work.  Not
> > > > that I do anything like surf for pr0n or anything like that, but it's
> > > > just that unsettling feeling of being watched.
> > > > 
> > > > Anyway, ssh -D ends all that trouble.
> > > > 
> > > > Here's how you do it:
> > > > 
> > > > First, you have to have a box outside the firewall that you're able to
> > > > ssh into.  I have a home mail server on my DSL connection, and that
> > > > works just fine.  Second, your company's firewall has to allow ssh
> > > > through (ours does, fortunately).
> > > > 
> > > > So, it's as simple as connecting to your home machine using the -D flag,
> > > > followed by a port number that's not in use on your local machine.
> > > > 
> > > > ssh -D 5555 mylogin at my.homemachine.org
> > > > 
> > > > Once you're logged in, point whatever application you want to run
> > > > through the proxy to localhost:5555.  For mozilla, go to
> > > > Edit->Preferences->Advanced->Proxies.  Choose "Manual proxy
> > > > configuration".  In the SOCKS HOST: box, put 127.0.0.1, and in the Port
> > > > box to the right put 5555 (or whatever port you used).  Also, select the
> > > > SOCKS v4 radio button below these boxes.
> > > > 
> > > > Ok out of the Preferences dialog, and there you go.  Secure web surfing
> > > > from your company's LAN.
> > > > 
> > > > Make sure you don't close the terminal that's logged into your home
> > > > machine while you're using this feature.
> > > > 
> > > > Thanks to Jason for pointing this out.
> > > > 
> > > > John
> > > > 
> > > > 
> > > > 
> > > > _______________________________________________
> > > > Ale mailing list
> > > > Ale at ale.org
> > > > http://www.ale.org/mailman/listinfo/ale
> > > 
> > > -- 
> > > David Bronson
> > > Network Administrator
> > 
> > :wq!
> > ---------------------------------------------------------------------------
> > Robert L. Harris                     | PGP Key ID: E344DA3B
> >                                          @ x-hkp://pgp.mit.edu 
> > DISCLAIMER:
> >       These are MY OPINIONS ALONE.  I speak for no-one else.
> > 
> > Diagnosis: witzelsucht     	
> > 
> > IPv6 = robert at ipv6.rdlg.net	http://ipv6.rdlg.net
> > IPv4 = robert at mail.rdlg.net	http://www.rdlg.net
> > > 
> 
> :wq!
> ---------------------------------------------------------------------------
> Robert L. Harris                     | PGP Key ID: E344DA3B
>                                          @ x-hkp://pgp.mit.edu 
> DISCLAIMER:
>       These are MY OPINIONS ALONE.  I speak for no-one else.
> 
> Diagnosis: witzelsucht  	
> 
> IPv6 = robert at ipv6.rdlg.net	http://ipv6.rdlg.net
> IPv4 = robert at mail.rdlg.net	http://www.rdlg.net
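
What the "SOCKS v4" browser setting described in the thread actually puts on the loopback socket at 127.0.0.1:5555, as an added example (not code from any poster): the CONNECT request the client sends and the reply it expects. Plain SOCKS v4 carries an IPv4 address, so the browser resolves hostnames itself through the local network's DNS; only the SOCKS4a variant (0.0.0.x plus a trailing hostname) hands resolution to the proxy end. The host, port and userid values below are constructed.

```python
import socket
import struct

SOCKS4_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A   # request granted
REPLY_REJECTED = 0x5B  # request rejected or failed


def build_connect_request(host, port, userid=b"", resolve_remotely=False):
    """Build the CONNECT request a SOCKS v4 client sends to the proxy.
    With plain SOCKS v4 the client must already hold an IPv4 address,
    so the name lookup happens on the client's own network.  SOCKS4a
    sends 0.0.0.1 plus the hostname so the proxy end resolves it."""
    if resolve_remotely:
        dst_ip = b"\x00\x00\x00\x01"
        trailer = userid + b"\x00" + host.encode("ascii") + b"\x00"
    else:
        dst_ip = socket.inet_aton(host)  # host must be a dotted quad here
        trailer = userid + b"\x00"
    return struct.pack("!BBH", SOCKS4_VERSION, CMD_CONNECT, port) + dst_ip + trailer


def parse_connect_request(data):
    """Decode a SOCKS v4/4a CONNECT request into
    (destination, port, userid, resolved_by_proxy)."""
    if len(data) < 9 or data[0] != SOCKS4_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS v4 CONNECT request")
    port = struct.unpack("!H", data[2:4])[0]
    ip = data[4:8]
    userid, sep, rest = data[8:].partition(b"\x00")
    if not sep:
        raise ValueError("truncated USERID field")
    # SOCKS4a marker: 0.0.0.x with x != 0 means a hostname follows
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
        hostname, sep, _ = rest.partition(b"\x00")
        if not sep:
            raise ValueError("truncated hostname field")
        return hostname.decode("ascii"), port, userid, True
    return socket.inet_ntoa(ip), port, userid, False


def build_reply(granted):
    """SOCKS v4 reply: VN=0, CD=0x5A or 0x5B, then six bytes the client ignores."""
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack("!BBH4s", 0, code, 0, b"\x00" * 4)


def parse_reply(data):
    """Return True if the proxy granted the connection."""
    if len(data) < 8 or data[0] != 0:
        raise ValueError("malformed SOCKS v4 reply")
    return data[1] == REPLY_GRANTED
```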


_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale