CVS member access can be done on cvs.sv.gnu.org:22 and download.sv.gnu.org:443 (without long-term warranty for the latter).

Anonymous CVS can be done on cvs.sv.gnu.org:2401. As long as you have 'CONNECT' privileges on the proxy for that port, it should work, even though the connection is not TLS. Keep in mind that cvs pserver is not encrypted: the password is only scrambled with a fixed substitution table, and the rest of the session, including the files you check out, travels in clear.

First, this documentation is *complainware*. It means that you

1. First, systems like Tor (http://tor.eff.org/) can be used, at the price of a decreased connection speed, to redirect your traffic to any public computer, and any port, provided you have outgoing access to port 80 (http) and 443 (https), which anybody should have whatever their setup. Unlike what we stated in a previous version of this document, Tor now does work from behind either a firewall or a proxy.

   Therefore, limiting outgoing traffic with per-protocol rules cannot be effectively done. Moreover, a lot of websites now use HTTPS, a secure, encrypted protocol that encapsulates HTTP. That means a firewall or proxy that does not intercept TLS can tell nothing more than the fact that it is SSL/TLS-encrypted traffic to a given host and port (the host and port are visible in the proxy CONNECT request), and cannot analyse the packets to discover what the user is actually doing. Preventing HTTPS traffic is not an option, unless the system administrator wants to prevent access to all e-commerce websites, as well as websites that only use HTTPS, such as Gna! (https://gna.org/).

2. The other way to bypass a restrictive setup requires a bit of work from the remote host administrators. Basically they open the same service on port 443 (https) as well. This removes the proxy and speed limitation of the Tor method above. This is used, for example, by OVH (see http://help.ovh.com/EmailConfigurationAOLouTELE2/) so that people can send mail even if their ISP blocks port 25 (smtp). We also set up CVS over SSH on port 443 (https) in addition to port 22 (ssh) to allow people to access our CVS repositories.

   Note: we implemented that method, without warranty, for project member SSH access only, not anonymous access. Anonymous access is available via *pserver*, which ought to be available to you just like HTTP.
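What "CONNECT privileges on the proxy" means on the wire, and what the connect tool's -H mode does on ssh's behalf, is a plain HTTP CONNECT request followed by raw TCP. The script below is an added example, not code from the Savannah page: it performs that handshake itself, then reads the SSH server's banner back through the tunnel. The fake proxy and fake SSH server it starts on 127.0.0.1 are constructed stand-ins so that it runs offline; the fake proxy grants CONNECT only to a configurable set of ports, which is how a proxy that allows CONNECT to 443 alone behaves towards port 22.

```python
# Hand-rolled HTTP CONNECT tunnel, as used to reach an SSH server through a
# web proxy (what `connect -H proxy:port %h %p` does for ssh).
# Added example; the local fake proxy and fake SSH server are constructed
# stand-ins, not real services.
import socket
import threading


def build_connect_request(host: str, port: int) -> bytes:
    # Request asking the proxy to open a raw TCP tunnel to host:port.
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")


def read_until_headers_end(sock: socket.socket, limit: int = 8192) -> bytes:
    # Read until the blank line that terminates an HTTP header block.
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed connection before end of headers")
        buf += chunk
        if len(buf) > limit:
            raise ConnectionError("oversized HTTP header block")
    return buf


def parse_connect_response(raw: bytes):
    # Return (status code, bytes already received past the headers).
    head, _, leftover = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ConnectionError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), leftover


def open_tunnel(proxy_host, proxy_port, target_host, target_port, timeout=10.0):
    # Any non-200 answer means the proxy does not grant CONNECT to that port.
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(build_connect_request(target_host, target_port))
        status, leftover = parse_connect_response(read_until_headers_end(sock))
        if status != 200:
            raise ConnectionError(
                f"proxy refused CONNECT to {target_host}:{target_port}: HTTP {status}")
    except Exception:
        sock.close()
        raise
    return sock, leftover


def read_ssh_banner(sock, leftover=b""):
    # An SSH server speaks first (RFC 4253); its "SSH-2.0-..." line coming
    # back through the tunnel proves the proxy relays arbitrary TCP.
    buf = leftover
    while b"\n" not in buf:
        chunk = sock.recv(256)
        if not chunk:
            break
        buf += chunk
    return buf.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")


# --- constructed local stand-ins ------------------------------------------

def _serve_fake_ssh(listener):
    try:
        conn, _ = listener.accept()
    except OSError:            # timed out / closed: nobody was tunnelled to us
        return
    with conn:
        conn.sendall(b"SSH-2.0-OpenSSH_fake\r\n")


def _serve_fake_proxy(listener, allowed_ports):
    # Honours CONNECT only towards allowed_ports, like a proxy that permits
    # CONNECT to 443 alone.
    conn, _ = listener.accept()
    with conn:
        request_line = read_until_headers_end(conn).split(b"\r\n", 1)[0].decode()
        method, hostport, _ = request_line.split(" ", 2)
        host, port = hostport.rsplit(":", 1)
        if method != "CONNECT" or int(port) not in allowed_ports:
            conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
            return
        with socket.create_connection((host, int(port)), timeout=5) as upstream:
            conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            conn.sendall(upstream.recv(4096))   # relay the server's banner


def _listen():
    s = socket.socket()
    s.settimeout(5)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def tunnel_demo(proxy_allows_port: bool) -> str:
    # Run the whole exchange locally; returns the banner or the refusal.
    ssh_l, proxy_l = _listen(), _listen()
    ssh_port, proxy_port = ssh_l.getsockname()[1], proxy_l.getsockname()[1]
    allowed = {ssh_port} if proxy_allows_port else set()
    threading.Thread(target=_serve_fake_ssh, args=(ssh_l,), daemon=True).start()
    threading.Thread(target=_serve_fake_proxy, args=(proxy_l, allowed), daemon=True).start()
    try:
        sock, leftover = open_tunnel("127.0.0.1", proxy_port, "127.0.0.1", ssh_port)
    except ConnectionError as err:
        return str(err)
    with sock:
        return read_ssh_banner(sock, leftover)


if __name__ == "__main__":
    print(tunnel_demo(True))    # SSH-2.0-OpenSSH_fake
    print(tunnel_demo(False))   # proxy refused CONNECT to 127.0.0.1:NNN: HTTP 403
```

Against a real proxy, replace the fake endpoints with PROXYHOST:PROXYPORT and download.sv.gnu.org:443; a 403 or 405 on the CONNECT is exactly the "no CONNECT privileges" case the text warns about, and the proxy sees the destination host and port in that request even though everything after it is opaque to it.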
(check http://wiki.noreply.org/noreply/TheOnionRouter/TorifyHOWTO#SSHtorify)

    #FascistFirewall 1
    ReachableAddresses *:80,*:443
    FirewallPorts 80,443
    ##If you use a proxy:
    #HttpProxy yourproxyhost:port
    #HttpsProxy yourproxyhost:port
    EOF

ReachableAddresses *:80,*:443 is the option that matters here (FascistFirewall 1 is merely a shortcut for it, and FirewallPorts is only kept for older Tor versions). HttpProxy and HttpsProxy take host:port, not just the host name.

    Host cvs.savannah.gnu.org
      ProxyCommand connect -S localhost:9050 %h %p
    EOF

    cvs -d:ext:USERNAME@cvs.savannah.gnu.org/cvsroot/PROJECT co MODULE
    ...

If you go through an HTTP proxy instead of Tor, the connect tool's -H option does the CONNECT for you:

    ProxyCommand connect -H PROXYHOST:PROXYPORT %h %p
    EOF

A wrapper script to point CVS_RSH at, so that cvs's ssh goes to port 443 ("$@" rather than $* keeps arguments with spaces intact):

    #!/bin/sh
    exec ssh -p 443 "$@"
    EOF

It is pretty easy to make any redirection by your own means. Buy a minimal virtual server for you and your colleagues (as cheap as 9 USD per month), so you control an external IP, and use the 'redir' (or 'stunnel') tool to redirect port 443 to any plain or encrypted port you want. To redirect traffic from you.somehosting.net (port 443) to cvs.savannah.gnu.org (22)::

All those methods are based on a single feature: when https access is allowed, there's no way to analyse the (encrypted) traffic. In particular, URL-based filtering doesn't work with https; the proxy only sees the destination host and port of the CONNECT request. So you can do whatever you want on remote port 443.

However, I've already seen networks where https was simply disallowed, probably for that reason. Only port 80 was available and thus the only choice available to you was: talk the network administrator into allowing outgoing CVS access.

So don't believe those tricks can work in the long term. Some admins are already blocking Tor nodes; disabling port 443 is just the next step. The only real workaround is talking with your system administrator.

--
forwarded from https://savannah.gnu.org/maintenance/cvsfrombehindfirewall#msg20090708234206+0...@https://savannah.gnu.org/maintenance

_______________________________________________
Savannah-cvs mailing list
Savannah-cvs@gnu.org
http://lists.gnu.org/mailman/listinfo/savannah-cvs