250 lines
4.4 KiB
HTML
250 lines
4.4 KiB
HTML
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Reverse piercing</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.63
|
|
"><LINK
|
|
REL="HOME"
|
|
TITLE="Firewall Piercing mini-HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Routing"
|
|
HREF="x296.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Final notes"
|
|
HREF="x381.html"></HEAD
|
|
><BODY
|
|
CLASS="SECT1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Firewall Piercing mini-HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="x296.html"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
></TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="x381.html"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="SECT1"
|
|
><H1
|
|
CLASS="SECT1"
|
|
><A
|
|
NAME="AEN353"
|
|
>7. Reverse piercing</A
|
|
></H1
|
|
><DIV
|
|
CLASS="SECT2"
|
|
><H2
|
|
CLASS="SECT2"
|
|
><A
|
|
NAME="AEN355"
|
|
>7.1. Rationale</A
|
|
></H2
|
|
><P
|
|
>Sometimes, only one side of the firewall can launch telnet sessions
|
|
into the other side; however, some means of communication is possible
|
|
(typically, through e-mail).
|
|
Piercing the firewall is still possible, by triggering with
|
|
whatever messaging capability is available
|
|
a telnet connection from the ``right'' side of the firewall to the other.</P
|
|
><P
|
|
><B
|
|
CLASS="COMMAND"
|
|
>fwprc</B
|
|
> includes code to trigger such connections
|
|
from an OpenPGP-authentified email message;
|
|
all you need is add <B
|
|
CLASS="COMMAND"
|
|
>fwprc</B
|
|
>
|
|
as a <B
|
|
CLASS="COMMAND"
|
|
>procmail</B
|
|
> filter
|
|
to messages using the protocol,
|
|
(instructions included in <B
|
|
CLASS="COMMAND"
|
|
>fwprc</B
|
|
> itself).
|
|
Note however, that if you are to launch <B
|
|
CLASS="COMMAND"
|
|
>pppd</B
|
|
>
|
|
with appropriate privileges,
|
|
you might need create your own suid wrapper to become root.
|
|
Instructions enclosed in <B
|
|
CLASS="COMMAND"
|
|
>fwprc</B
|
|
>.</P
|
|
><P
|
|
>Also, authentified trigger does not remotely mean secure connection.
|
|
You should really use <B
|
|
CLASS="COMMAND"
|
|
>ssh</B
|
|
> (perhaps over telnet)
|
|
for secure connections.
|
|
And then, beware of what happens between the triggering of a telnet
|
|
connection, and <B
|
|
CLASS="COMMAND"
|
|
>ssh</B
|
|
> taking over that connection.
|
|
Contribution in that direction welcome.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="SECT2"
|
|
><H2
|
|
CLASS="SECT2"
|
|
><A
|
|
NAME="AEN368"
|
|
>7.2. Getting the trigger message</A
|
|
></H2
|
|
><P
|
|
>If you are firewalled, your mail may as well be in a central mailserver
|
|
that doesn't do procmail filtering or allow telnet sessions.
|
|
No problem! You can run <B
|
|
CLASS="COMMAND"
|
|
>fetchmail</B
|
|
>
|
|
in daemon mode (or within a cron job)
|
|
to poll your mailserver and deliver mail to your linux system
|
|
which itself will have been configured to use <B
|
|
CLASS="COMMAND"
|
|
>procmail</B
|
|
>
|
|
at delivery.
|
|
Note that if you run <B
|
|
CLASS="COMMAND"
|
|
>fetchmail</B
|
|
> as a background daemon,
|
|
it will lock away any other fetchmail that you'd like to run
|
|
only at other times, like when you open a <B
|
|
CLASS="COMMAND"
|
|
>fwprc</B
|
|
>;
|
|
of course, if you can also run a fetchmail daemon as a fake user.
|
|
Too frequent a poll won't be nice to either the mailserver or your host.
|
|
Too infrequent a poll means you'll have to wait before the message gets read
|
|
and the reverse connection gets established.
|
|
I use two-minute poll frequency.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="SECT2"
|
|
><H2
|
|
CLASS="SECT2"
|
|
><A
|
|
NAME="AEN375"
|
|
>7.3. Other automated tools for reverse piercing</A
|
|
></H2
|
|
><P
|
|
>Another way to poll for messages, when you don't have a mailbox,
|
|
but do have outbound FTP access, is to use
|
|
<A
|
|
HREF="http://dhirajbhuyan.hypermart.net/ftp-tunnel.html"
|
|
TARGET="_top"
|
|
>FTP tunnel</A
|
|
>.</P
|
|
><P
|
|
>A tool to maintain a permanent connection between a firewalled host and
|
|
an external proxy, so as to export services from the host to the world, is
|
|
<A
|
|
HREF="http://www.employees.org/~hek2000/projects/firewallTunnel/"
|
|
TARGET="_top"
|
|
>firewall tunnel</A
|
|
>.</P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="x296.html"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="x381.html"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Routing</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
> </TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Final notes</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |