[nycbug-talk] Draconian firewall issues

jonathan at kc8onw.net jonathan at kc8onw.net
Sun Sep 23 16:08:13 EDT 2007


On Sun, September 23, 2007 7:47 am, Andy Kosela wrote:
> On 9/23/07, jonathan at kc8onw.net <jonathan at kc8onw.net> wrote:
>
>> I'm currently in a situation where I am behind a horribly draconian
>> firewall that only allows ports 80, 443 and 21 outbound. It also appears
>> they do layer 7 filtering because my traditional method of using port 21
>> for SSH instead of FTP fails in a flood of RST packets as soon as a
>> packet with a non-text payload is sent.
>>
>
> Let us know how you managed to get it working.

I got it working now.

My .ssh/config is below. I don't know why I had to set HostName to
localhost; anywhere other than the local ssh server I can use the real
hostname, but not for the ssh server the proxy also runs on.
#####
ProxyCommand proxytunnel -v -E -p kc8onw.net:443 -d %h:%p

Host XXXX.XXX
HostName localhost
Compression yes
CompressionLevel 9
DynamicForward 8080
ForwardX11Trusted yes
LocalForward 143 localhost:143
#####

I built Proxytunnel 1.7.2 under Cygwin and for some reason had to comment
out the printf in the following block in cmdline.c. I know a smidgen of C,
but not enough to know why that line errors on compile.
###########
#include "cmdline.h"

void
cmdline_parser_print_version (void)
{
  /* Commented out to get the build through under Cygwin; original line:
  printf ("%s %s (rev %d)\nCopyright 2001-2006 Proxytunnel Project\n%s\n", PACKAGE, VERSION, REV, AUTHORS);
  */
}
#########

I have the following in httpd.conf; don't forget to set up an allow/deny
block for the proxy as well.
#####
LoadModule proxy_module             libexec/apache22/mod_proxy.so
LoadModule proxy_http_module        libexec/apache22/mod_proxy_http.so
LoadModule proxy_connect_module     libexec/apache22/mod_proxy_connect.so
# These 2 are in the SSL vhost
AllowCONNECT 22
ProxyRequests on
#####

I also had to patch Apache [1]. I used this [2] file because the latest
patch didn't apply cleanly, and I was in a hurry and didn't want to patch
it by hand.
[1] http://issues.apache.org/bugzilla/show_bug.cgi?id=29744
[2] http://issues.apache.org/bugzilla/show_bug.cgi?id=29744#c34

If I left something out or someone has more questions please let me know,
Jonathan
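The point in the post about the allow/deny block matters because `ProxyRequests on` turns the SSL vhost into a forward proxy for anyone who can reach it: `AllowCONNECT 22` limits the destination port, but only an access restriction limits who may use it. The following script is an added example written for this page, not code from the post or from the Proxytunnel or Apache projects. It mirrors that policy (destination port allowlist plus client network allowlist) and audits constructed Apache-style access-log lines, flagging any CONNECT that the server accepted (2xx) even though the policy would have denied it, which is the signature of an open proxy misconfiguration. The client network 203.0.113.0/24, the log lines and the `check_connect`/`audit_log` names are assumptions made for the example.

```python
"""Audit CONNECT requests in Apache access logs against a port/client policy.

Added example for this page (not the post's own code). The policy values and
the sample log lines below are constructed placeholders.
"""
import ipaddress
import re

# Mirrors "AllowCONNECT 22" in the SSL vhost: only these destination ports
# may be tunnelled through the proxy.
ALLOWED_CONNECT_PORTS = {22}

# Mirrors the allow/deny block the post says not to forget. Placeholder
# network; in practice this would be the client's real source range.
ALLOWED_CLIENT_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Apache combined/common log prefix: client, ident, user, [timestamp],
# "request line", status. Everything after the status is ignored.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

# Constructed sample log lines (not real traffic). The second line is the
# interesting one: a 2xx for CONNECT to port 25 from outside the allowed net.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Sep/2007:16:08:13 -0400] "CONNECT localhost:22 HTTP/1.1" 200 -',
    '198.51.100.9 - - [23/Sep/2007:16:09:02 -0400] "CONNECT mail.example.net:25 HTTP/1.1" 200 -',
    '198.51.100.9 - - [23/Sep/2007:16:09:40 -0400] "CONNECT localhost:22 HTTP/1.1" 403 -',
    '203.0.113.7 - - [23/Sep/2007:16:10:01 -0400] "GET / HTTP/1.1" 200 1234',
]


def check_connect(client_ip: str, request_line: str) -> str:
    """Return the policy verdict for one request line.

    Verdicts: "not-connect", "deny:malformed-target", "deny:client",
    "deny:port" or "allow". Client access is checked before the port,
    as Apache evaluates access control before mod_proxy_connect's port list.
    """
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "CONNECT":
        return "not-connect"
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return "deny:malformed-target"
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "deny:client"
    if not any(ip in net for net in ALLOWED_CLIENT_NETS):
        return "deny:client"
    if int(port) not in ALLOWED_CONNECT_PORTS:
        return "deny:port"
    return "allow"


def audit_log(lines):
    """Return (client, request, verdict) for every CONNECT the server
    accepted (2xx status) that the policy says should have been denied."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not an Apache-style line; skip rather than guess
        verdict = check_connect(m["ip"], m["req"])
        if verdict == "not-connect":
            continue
        status = int(m["status"])
        if 200 <= status < 300 and verdict != "allow":
            findings.append((m["ip"], m["req"], verdict))
    return findings


if __name__ == "__main__":
    for client, req, verdict in audit_log(SAMPLE_LOG):
        print(f"open-proxy indicator: {client} {req!r} ({verdict})")
```

Run it against the vhost's real access log once the proxy is up; an empty result means every accepted CONNECT came from an allowed client to an allowed port. A non-empty result after `ProxyRequests on` almost always means the allow/deny block is missing or scoped to the wrong `<Proxy>` section.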