Re: problems with getting through firewall using CVSup

Fri, 28 Feb 2003 07:47:40 -0800

You could funnel your CVS traffic through an open port like 80 or 22 or tunnel it inside of HTTP or SSH, but this will require a gateway on the outside, or someone running a CVS repository on one of those ports. If you think that the fw admins watch their logs and traffic patterns then you're likely to get caught either way. If you've been going to long lengths to circumvent their security then they're more likely to take issue with you. If it's an ISP, try talking to them and explaining the neccessity of what you want to do. If you're at work, do the same but make a business case for it. This way, if the fw admins are unreasonable maybe a manager will be more willing to listen. If it's a bandwidth utilization issue, try throttling your bandwidth using something like AltQ, or schedule your CVS updates for off-hours.

If you make the fw admins mad you may experience "unexplainable" network outages or packet loss ;)


Steve



Igor Pokrovsky wrote:
Patrick M. Hausen wrote:

Hi!
Sergey Osokin wrote:


Is there any way to make it work?
To fool firewall?

Yes, looks like a bad/fool/stupid firewall administriva. 

No. This looks exactly like the correct way to implement
a firewall.

Everything which is not on the "explicitly permitted" list
is denied by default.

So users tring new and "interesting" protocols and services
have to check if what they are trying to do is in accordance
with the security policy first.

I know, there are lots of companies that permit any inside
initiated TCP connection. I'd call this stupid if not
explicitly decided upon and documented.


Yes. I agree, maybe this is a good policy. And moreover
I think that they closed port 5999 on firewall because
of my activities :-) Perhaps they thought that I'm trying
do something, which will break their security. Maybe because
port number is not very popular :-)


And last - maybe they are running a strict application level
gateway like Gauntlet or Sidewinder? If this is the case the
admin must define a custom TCP proxy for CVSup, first.

No. Fortunatly.

But is there any way to do anything without asking firewall
admin to open 5999 port?



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-stable" in the body of the message

Reply via email to