diff --git a/LDP/howto/docbook/HOWTO-INDEX/adminSect.sgml b/LDP/howto/docbook/HOWTO-INDEX/adminSect.sgml index aa9e8c0f..19ec0307 100644 --- a/LDP/howto/docbook/HOWTO-INDEX/adminSect.sgml +++ b/LDP/howto/docbook/HOWTO-INDEX/adminSect.sgml @@ -408,7 +408,7 @@ Firewall-Piercing, Firewall Piercing mini-HOWTO -Updated: April 2001. +Updated: July 2001. Directions for using ppp over telnet to do network activities transparently through an Internet firewall. diff --git a/LDP/howto/docbook/HOWTO-INDEX/miniChap.sgml b/LDP/howto/docbook/HOWTO-INDEX/miniChap.sgml index b9d0804b..516fd22a 100644 --- a/LDP/howto/docbook/HOWTO-INDEX/miniChap.sgml +++ b/LDP/howto/docbook/HOWTO-INDEX/miniChap.sgml @@ -436,7 +436,7 @@ Firewall-Piercing, Firewall Piercing mini-HOWTO -Updated: April 2001. +Updated: July 2001. Directions for using ppp over telnet to do network activities transparently through an Internet firewall. diff --git a/LDP/howto/docbook/HOWTO-INDEX/networkingSect.sgml b/LDP/howto/docbook/HOWTO-INDEX/networkingSect.sgml index 457bf69a..681533d6 100644 --- a/LDP/howto/docbook/HOWTO-INDEX/networkingSect.sgml +++ b/LDP/howto/docbook/HOWTO-INDEX/networkingSect.sgml @@ -591,7 +591,7 @@ Firewall-Piercing, Firewall Piercing mini-HOWTO -Updated: April 2001. +Updated: July 2001. Directions for using ppp over telnet to do network activities transparently through an Internet firewall. @@ -783,7 +783,7 @@ Firewall-Piercing, Firewall Piercing mini-HOWTO -Updated: April 2001. +Updated: July 2001. Directions for using ppp over telnet to do network activities transparently through an Internet firewall. diff --git a/LDP/howto/linuxdoc/Firewall-Piercing.sgml b/LDP/howto/linuxdoc/Firewall-Piercing.sgml index 81fb5fd1..7f2ea4f4 100644 --- a/LDP/howto/linuxdoc/Firewall-Piercing.sgml +++ b/LDP/howto/linuxdoc/Firewall-Piercing.sgml @@ -5,7 +5,7 @@ Firewall Piercing mini-HOWTO François-René Rideau, fare@tunes.org -v0.7, 4 November 2000 +v0.9, 13 July 2001 Directions for using ppp over ssh or telnet 
@@ -40,12 +40,11 @@ Don't come crying to me. Legal Blurp

-Copyright © 1998-2000 by François-René Rideau. +Copyright © 1998-2001 by François-René Rideau. -This document is free software; you can redistribute it and/or modify it -under the terms of the GNU General Public License -as published by the Free Software Foundation; -either version 2 of the License, or (at your option) any later version. +This document is free software published under the + . @@ -86,7 +85,8 @@ an ancient and no-more-supported program named Term as well as on peculiarities of a not-so-standard telnet implementation, that is, many obsolete and non-portable facts. Nevertheless, there was a necessity for a mini-HOWTO about piercing firewalls, -and despite its shortcomings, his mini-HOWTO was a model and an encouragement. +and despite the limitations of its hacks, +this mini-HOWTO was a model and an encouragement. I'd also like to congratulate @@ -128,13 +128,14 @@ You can and you shall protect them from the outside world, but you can't protect them from themselves. Because there exists such things as system administrators -who are either unresponsive, absent, plain incompetent, +who are either unresponsive, absent, overworked, plain incompetent, or more generally managed by incompetent people, it so happens that a user may find himself behind a firewall that he may cross, but only in awkward ways. This mini-HOWTO explains a generic and portable way to pierce tunnels into firewalls, -by turning any tiny small crack into a full-fledged information superhighway, +by turning any thin, tiny trickle of bits +into a full-fledged information superhighway, so the user can seamlessly use standard tools to access computers on the other side of the firewall. The very same technique can be used by competent system administrators @@ -200,7 +201,7 @@ Re-read the disclaimer above. Other requirements

It is assumed that you know what you're doing, -that you know about setting up a network connection, +that you know about configuring a network connection, that in case of doubt, you will have read all relevant documentation (HOWTOs, manual pages, web pages, mailing-list archives, RFCs, courses, tutorials). @@ -212,10 +213,23 @@ the ways currently known to work), and that you can let a daemon run as a background task on the remote site (or benefit from and existing daemon, sshd, telnetd, or sendmail/procmail). -It is assumed that you'll know how to configure an IP emulator (pppd, slirp) +It is assumed that you know or are willing to learn +how to configure an IP emulator (pppd, slirp) or an Internet access daemon and its associated library (SOCKS, Term) on each side, according to your needs in terms of connectivity and to your access rights, with your recompiling some software if needed. + +Last but not least, so that you can use the hacks described in this document, +it is assumed that you are root on the side of the firewall +that needs full transparent IP access to the other side. +Indeed, you'll want to run the PPP daemon on this side which +allows for use the normal kernel packet routing facilities. +In case you're not root on this side, your case is not desperate though: +indeed, Barak Pearlmutter's + +describes how to use Term, a purely userland program, +to the end of piercing firewalls. @@ -414,10 +428,11 @@ Automatic reconnection is left as an exercise to the reader. REMOTE_ACCOUNT=root@remote.fqdn.tld REMOTE_PPPD="pppd ipcp-accept-local ipcp-accept-remote" LOCAL_PPPD="pppd silent 192.168.0.1:192.168.0.2" -cotty -d -- $LOCAL_PPPD -- ssh -t $REMOTE_ACCOUNT $REMOTE_PPPD +$LOCAL_PPPD pty "ssh -t $REMOTE_ACCOUNT $REMOTE_PPPD" -(Note: this command requires cotty 0.4 or later.) +Note that I haven't been able to use this trick with slirp on the remote side, + 
@@ -557,7 +572,7 @@ Contribution in that direction welcome. -Getting the triggering mail +Getting the trigger message

If you are firewalled, your mail may as well be in a central server that doesn't do procmail filtering or allow telnet sessions. @@ -575,6 +590,13 @@ Too frequent a poll won't be nice to either the server or your host. Too infrequent a poll means you'll have to wait before the message gets read and the reverse connection gets established. I use two-minute poll frequency. +

+

+Another way to poll for messages, when you don't have a mailbox, +but do have outbound FTP access, is to use +. +

@@ -607,6 +629,12 @@ to modify fwprc Now, if the only way through the firewall is a WWW proxy (usually, a minimum for an Internet-connected network), you might want to use + 's +script + . + +Another promising program for piercing through HTTP is 's , @@ -642,7 +670,6 @@ but it shouldn't be difficult. If necessary, fall back to using the . - If you have an 8-bit clean connection and you're root on linux both sides of the firewall, you might want to use ethertap for better performance,
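Review bot: in the Legal Blurp hunk of Firewall-Piercing.sgml (@@ -40,12 +40,11), the new sentence "This document is free software published under the" is followed only by a line containing "." in the visible lines, while the removed lines named the GNU General Public License, "either version 2 of the License, or (at your option) any later version". If the license name now lives only in a markup tag, the version clause is lost and a text-only rendering of the HOWTO carries no license terms at all; suggest keeping the name and version in the sentence itself, e.g. "published under the GNU General Public License, version 2 or (at your option) any later version".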
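Review bot: in the "Other requirements" hunk (@@ -212,10 +213,23), the added line "allows for use the normal kernel packet routing facilities" is ungrammatical; suggest "which lets you use the normal kernel packet-routing facilities". The added sentence "Barak Pearlmutter's describes how to use Term" has no visible document name between "Pearlmutter's" and "describes"; if the title comes from a tag, fine, otherwise it needs filling in. While here, the unchanged context line "or benefit from and existing daemon" should read "an existing daemon".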
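Review bot: in the pppd-over-ssh hunk (@@ -414,10 +428,11), the removed "(Note: this command requires cotty 0.4 or later.)" stated a minimum tool version, but the replacement line `$LOCAL_PPPD pty "ssh -t $REMOTE_ACCOUNT $REMOTE_PPPD"` relies on pppd's pty option without saying which pppd release introduced it; state the minimum pppd version so readers on older pppd know why the command fails. The new note "Note that I haven't been able to use this trick with slirp on the remote side," ends with a comma inside the hunk, so check the sentence is completed in the following context. Since pppd is run as root here (the requirements hunk above makes root on this side a prerequisite), ssh is now spawned by pppd rather than by the user's shell and will use root's ~/.ssh keys, agent and known_hosts; a sentence telling the reader to set up root's key and host-key trust for REMOTE_ACCOUNT would save them an interactive password prompt on a pty they cannot see.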