<HTML>
<HEAD>
<TITLE>Final notes</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.63">
<LINK REL="HOME" TITLE="Firewall Piercing mini-HOWTO" HREF="index.html">
<LINK REL="PREVIOUS" TITLE="Reverse piercing" HREF="x353.html">
</HEAD>
<BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">Firewall Piercing mini-HOWTO</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="x353.html">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom"></TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom">&nbsp;</TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="SECT1">
<H1 CLASS="SECT1"><A NAME="AEN381">8. Final notes</A></H1>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="AEN383">8.1. Other settings</A></H2>
<P>I have no idea how to pierce firewalls with lesser operating systems,
but you can take one of those old disused computers
(about anything with 8MB of RAM and an Ethernet card should do),
install Linux or BSD on it, and pierce the firewall with it,
while it serves as a router for other machines running lesser OSes.
See the appropriate HOWTOs about routing, IP forwarding, NAT, etc.</P>
<P>I don't know the details, but a promising tool to pierce firewalls is
Chris Mason's <A HREF="http://www.r00t3d.org.uk/" TARGET="_top">Bouncer</A>,
which acts as a SOCKS-proxy-over-SSL.</P>
<P>There are other kinds of firewalls
than those that allow for direct ssh or telnet connections.
As long as a continuous flow of packets
may transmit information through a firewall in both directions,
it is possible to pierce it;
only the price of writing the piercer may be higher or lower.</P>
<P>In a very easy case, we saw that you can just launch <B CLASS="COMMAND">ssh</B>
over a pty master and run <B CLASS="COMMAND">pppd</B> in the slave tty.
You may even want to do it without an adverse firewall,
just so as to build a secure "VPN" (Virtual Private Network).
The <A HREF="http://www.linuxdoc.org/HOWTO/mini/VPN.html" TARGET="_top">VPN mini-HOWTO</A>
gives all the details you need about this.
We invite you, as an exercise,
to modify <B CLASS="COMMAND">fwprc</B>
so as to use this technique,
or perhaps even to use it
inside a previous non-secure <B CLASS="COMMAND">fwprc</B> session.</P>
<P>Now, if the only way through the firewall is a WWW proxy
(usually the minimum for an Internet-connected network),
you might want to use
<A HREF="http://www.snurgle.org/~griffon/" TARGET="_top">Chris Chiappa</A>'s
script
<A HREF="http://www.snurgle.org/~griffon/ssh-https-tunnel" TARGET="_top">ssh-https-tunnel</A>.</P>
<P>Another promising program for piercing through HTTP is
<A HREF="http://lars.nocrew.org/" TARGET="_top">Lars Brinkoff</A>'s
<A HREF="http://www.nocrew.org/software/httptunnel/" TARGET="_top">httptunnel</A>,
an HTTP server and client combination that achieves a TCP/IP tunnel connection
through the proxy-friendly HTTP protocol.
You should then be able to run <B CLASS="COMMAND">fwprc</B>
(preferably over <B CLASS="COMMAND">ssh</B>)
over that connection, although I haven't tried it yet.
Could anyone test and report?
Note that <B CLASS="COMMAND">httptunnel</B> is still under development,
so you may help implement
the features it currently lacks,
like multiple connections, and/or serving fake pages
so as to mislead suspicious adverse firewall administrators.</P>
<P>Whatever goes through your firewall,
be it telnet, HTTP or other TCP/IP connections,
or something really weird like DNS queries, ICMP packets, or e-mail
(see <A HREF="http://www.detached.net/mailtunnel/" TARGET="_top">mailtunnel</A>,
<A HREF="http://www.detached.net/icmptunnel/" TARGET="_top">icmptunnel</A>),
or whatever else,
you can always write a tunnel client/server combination,
and run an <B CLASS="COMMAND">ssh</B> and/or PPP connection through it.
The performance might not be high,
depending on the effective information rate left
after paying the overhead of coding around filters and proxies;
but such a tunnel is still interesting as long as it's good enough
to use <B CLASS="COMMAND">fetchmail</B>, <B CLASS="COMMAND">suck</B>,
and other non-interactive programs.</P>
<P>If you need to cross a 7-bit line, you'll want to use SLIP instead of PPP.
I never tried, because lines are more or less 8-bit clean these days,
but it shouldn't be difficult.
If necessary, fall back to using the
<A HREF="http://www.linuxdoc.org/HOWTO/mini/Term-Firewall.html" TARGET="_top">Term-Firewall mini-HOWTO</A>.</P>
<P>If you have an 8-bit clean connection and you're root on Linux on both sides
of the firewall, you might want to use ethertap for better performance,
encapsulating raw Ethernet frames on top of your connection.
David Madore has written ethertap-over-TCP and ethertap-over-UDP tunneling tools:
<A HREF="ftp://quatramaran.ens.fr/pub/madore/misc/" TARGET="_top">ftp://quatramaran.ens.fr/pub/madore/misc/</A>.
It remains to write an ethertap-over-tty tunnel to combine with fwprc-like tools.</P>
<P>If you really need more performance than you can get
while paying for a user-space sequential communication tunnel
through which to run PPP,
then you're in the very hard case
where you might have to re-hack a weird IP stack,
using (for instance) the Fox project's packet-protocol functors.
You'd then achieve direct IP-over-HTTP, IP-over-DNS, IP-over-ICMP,
or the like, which requires not only an elaborate protocol
but also an interface to an OS kernel, both of which are costly to implement.</P>
<P>Finally, if you're not fighting against an adverse firewall,
but just building your own VPN, there is a wide range of VPN tools on offer,
and although the tricks I present are simple, work well,
and might be enough for your needs, it could be a good idea
to look at this evolving range (which I do not know much about)
for a solution that fits your requirements of performance and maintainability.</P>
</DIV>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="AEN416">8.2. HOWTO maintenance</A></H2>
<P>I felt it was necessary to write this document,
but I don't have that much time for it,
so this mini-HOWTO is very rough.
And so it will stay,
until I get enough feedback to know which sections to enhance,
or better, until someone comes along and takes over maintenance of the mini-HOWTO.
Feedback welcome. Help welcome. mini-HOWTO maintenance take-over welcome.</P>
<P>In any case, the above sections have shown many problems
whose solution is just a matter of someone (you?)
spending some time (or money, by hiring someone else)
to sit down and write it:
nothing conceptually complicated,
though the details might be burdensome or tricky.</P>
<P>Do not hesitate to contribute more problems, and hopefully more solutions,
to this mini-HOWTO.</P>
</DIV>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="AEN421">8.3. Related Documents</A></H2>
<P>The <A HREF="http://www.linuxdoc.org/" TARGET="_top">LDP</A>
publishes many documents related to this
<A HREF="http://www.linuxdoc.org/HOWTO/HOWTO-INDEX/mini.html" TARGET="_top">mini-HOWTO</A>,
most notably the
<A HREF="http://www.securityportal.com/lskb/" TARGET="_top">Linux Security Knowledge Base</A>,
the <A HREF="http://www.linuxdoc.org/HOWTO/VPN.html" TARGET="_top">VPN HOWTO</A>
and the <A HREF="http://www.linuxdoc.org/HOWTO/mini/VPN.html" TARGET="_top">VPN mini-HOWTO</A>.
For more general questions about networking, routing and firewalling,
start from the
<A HREF="http://www.linuxdoc.org/HOWTO/Networking-Overview-HOWTO.html" TARGET="_top">Networking Overview HOWTO</A>.
See also the
<A HREF="http://www.linux-firewall-tools.com/linux/" TARGET="_top">Linux Firewall and Security site</A>.</P>
<P>Then again, when facing a problem with some program,
one reflex for any Linux user should be to
<A HREF="http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?RTFM" TARGET="_top">RTFM</A>:
Read The Fscking Manual pages for the programs concerned.</P>
</DIV>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="AEN433">8.4. Final Word</A></H2>
<P>I've come to the conclusion that, much like the need for Design Patterns
came directly from the fact that people were using inferior languages
like <SPAN CLASS="PRODUCTNAME">C++</SPAN> or <SPAN CLASS="PRODUCTNAME">Java</SPAN>
that don't allow one to directly express higher-level programming constructs
(whereas good languages such as <SPAN CLASS="PRODUCTNAME">LISP</SPAN>
allow one to express them),
the need for HOWTOs comes directly from the fact that
<SPAN CLASS="PRODUCTNAME">Linux</SPAN> and <SPAN CLASS="PRODUCTNAME">UNIX</SPAN> systems
are inferior operating systems that do not allow one to directly express
those simple tasks that people attempt to do with them.</P>
<P>If you think that all this mucking around with stupid scripts and silly HOWTOs
is overly complicated and that a decent computer system ought
to automate it all for you, then join me among the
<A HREF="http://www.research.microsoft.com/~daniel/preface.html" TARGET="_top">UNIX haters</A>
and other people who hate current low-level operating systems
and yearn for declarative computing systems
that take care of the silly details and let us focus on things that matter.
(Maybe have a peek at my own
<A HREF="http://tunes.org/" TARGET="_top">TUNES project</A>.)</P>
</DIV>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="AEN444">8.5. Extra copy of IMPORTANT DISCLAIMER --- BELIEVE IT!!!</A></H2>
<P><SPAN CLASS="QUOTE">"<EM>I hereby disclaim all responsibility for
<EM>your</EM> use of this hack.
If it backfires on you in any way whatsoever,
that's the breaks. Not my fault.
If you don't understand the risks inherent in doing this, don't do it.
If you use this hack and it allows vicious vandals
to break into your company's computers and costs you your job and
your company millions of dollars, well that's just tough nuggies.
Don't come crying to me.</EM>"</SPAN></P>
</DIV>
</DIV>
<DIV CLASS="NAVFOOTER">
<HR ALIGN="LEFT" WIDTH="100%">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="x353.html">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="index.html">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">&nbsp;</TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">Reverse piercing</TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top">&nbsp;</TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">&nbsp;</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>