On 2001-03-21 14:59 +0200, Mark Murray <[EMAIL PROTECTED]> wrote:
> > Just an idea:
> > 
> > How about a CVSUP via HTTPS server (just as a means to tunnel CVSUP
> > through a HTTPS proxy ...) ?
> > 
> > Most probably a CVSUP daemon bound to port 443 would do (there are 
> > programs that tunnel arbitrary data through a HTTPS proxy, though
> > I admit this is cheating ;-)
> You should be able to do it with SSH (assuming that you can get out with
> ssh!)

No, if I could get out with SSH, there was no problem ...

The firewall rules are very strict: The only way to send and receive
bytes through the firewall is the HTTP CONNECT method as offered by a 
HTTPS proxy. And even that method is further restricted to prevent misuse.

> $ ssh -v -l yourname otherhost.example.com -L5559:cvsup.example.com:5559
> Then doing a cvsup with the server set to will work.

Yes, I know about this, and have been using similar setups on several
occasions. The information may be useful to others, with less restrictive
firewall setups. But I can't even connect fully transparently through even
a single TCP port, only by means of a HTTPS capable application gateway ...
(I'm not willing to go into too much detail here. I'm responsible for the
firewall policy, and I just can't break or bend the rules enforced by me on 
a large company, just because its *me* this time, who absolutely needs that
direct TCP connection ;-)

I know that misusing 443/tcp for CVSup is not much better than attempts by
some commercial software companies to tunnel everything over 80/tcp. In the
end, firewalls as we know them will only be able to protect against the most
primitive (header level) attacks, the protection against malicious data sent 
over such a connection will have to be provided by the endpoints (and I have 
been demanding SSL with client and server certificates for most of the B2B
INTERNET services, at work).

Anyway: If CTM was to ever be given up (it's good to read, that Ulf will 
get his CTM box connected again, soon), then there should be a alternate
access method, that works through tightly configured firewalls. And CVsup
via SSL might be a good candidate ...

Regards, STefan

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to