On Monday 18 February 2008, Mick wrote:
> Hi All,
>
> I think that I have confused myself with this.  I am behind a
> firewall/http proxy which seems to only allow outbound connections on
> ports 80 & 443 for web browsing.  This is not enough for me, as I
> would like to use my mail client to send and receive mail from behind
> the firewall.
>
> I tried connecting to ssh servers which listen on different ports,
> besides tcp/22 and I was not successful.  This is probably an
> indication that the internet gateway machine only accepts connections
> for packets that have a destination to ports 80 & 443.
>
> If the above is correct, am I right to assume that to be able to run a
> tunnel through this internet gateway I should run something like:
>
> ssh -L 2222:localhost:443 [EMAIL PROTECTED]

This command still tries to contact the remote host on port 22, and is 
blocked by the firewall.

IIUC to exit the local firewall you should have the remote sshd listening 
on port 443 or 80.

ssh -p 443 [EMAIL PROTECTED]

Of course, the remote /etc/ssh/sshd_config must have "Port 443" (or 80).
If this works and you are able to actually connect to the remote ssh, you 
can add local or remote port forwarding to this basic command.

So, as an example for email, you can do something:

ssh -p 443 -L 2222:smtpserver:25 [EMAIL PROTECTED]

and configure your mail client to send to localhost, port 2222.
Another alternative (depending upon how many ports you need to forward) 
could be to use SOCKS.

> or are ssh packets somehow distinguishable by their headers, so that a
> cleverly crafted firewall will still identify them and drop them?

That depends. The block might be solely port-based, or the firewall might 
very well be able to do deep packet inspection beyond the TCP port, and 
recognize HTTP packets (as well as FTP, IRC, etc.), even if they use a 
different port. However, I'm not sure how it would be able to look into 
encrypted packets, like e.g. SSH or HTTPS packets (other than maybe 
recognize that they are indeed SSH or HTTPS, it should not be able to 
understand what's actually passing inside the flow, since the payloads 
are encrypted). Such a firewall could however block SSH packets even if 
they are destined to port 80 or 443 (since they are not HTTP traffic), 
so the above commands would not work.
However, even with this kind of firewall you might still be able to 
tunnel SSH inside HTTP, so that packets look like regular HTTP traffic 
and can traverse the firewall.
A program for doing that is httptunnel (in portage).

Hope this helps.
-- 
gentoo-user@lists.gentoo.org mailing list
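As an added illustration of the deep-packet-inspection point in the reply above (example code, not from the thread or from any of its participants): an SSH session announces itself with a cleartext "SSH-" identification line before anything is encrypted, so a port-only filter misses it but a classifier that looks at the first bytes of each flow can flag SSH arriving on 443 or 80. The flows, addresses and byte samples are constructed.

```python
# Constructed sample stream openings (the first bytes a client sends on a new
# TCP connection). These are made up for this example, not captures.
SAMPLES = {
    "ssh_on_443": b"SSH-2.0-OpenSSH_7.9p1 Debian-10\r\n",
    # TLS record header: content type 0x16 (Handshake), version 0x03 0x01
    "tls_on_443": bytes([0x16, 0x03, 0x01, 0x00, 0xF1, 0x01]) + b"\x00" * 32,
    "http_on_80": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "http_connect": b"CONNECT example.invalid:443 HTTP/1.1\r\n\r\n",
    "unknown": b"\x00\x01\x02\x03",
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")


def classify(first_bytes: bytes) -> str:
    """Coarse protocol label from the opening bytes of a TCP stream.

    SSH (RFC 4253) starts with a cleartext "SSH-<proto>-<software>" line,
    sent before key exchange, so it is visible to a middlebox.
    TLS starts with a Handshake record (type 0x16, major version 0x03).
    HTTP starts with a request line beginning with a method token.
    """
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def port_protocol_mismatches(flows):
    """flows: iterable of (src, dst_port, first_bytes).

    Returns [(src, dst_port, label)] for flows whose observed protocol is not
    what the port conventionally carries (80 -> http, 443 -> tls). This is
    the check a DPI-capable gateway would apply to spot SSH on 443.
    """
    expected = {80: "http", 443: "tls"}
    hits = []
    for src, dport, data in flows:
        label = classify(data)
        if dport in expected and label != expected[dport]:
            hits.append((src, dport, label))
    return hits
```

A session wrapped by httptunnel classifies as "http" here, which is exactly the limitation the reply describes for a firewall that only inspects the protocol framing.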
