Re: access wikipedia (walk through the great firewall of China)

2006-12-08 Thread 张韡武
On Fri, 2006-12-08 at 06:53 +, Matthew Seaman wrote:
 张韡武 wrote:
  Hello. My office uses this method to access wikipedia behind the great
  firewall of China:
  
  1) we have a server in Europe, let's call it server;
  2) I run this command on my desktop:
  $ ssh -L 80:en.wikipedia.org:80 server;
  3) everybody in the office edits /etc/hosts, adding this line:
  [my_ip_addr] en.wikipedia.org
  
  So my computer becomes a 'proxy'.
  
  The trouble is I have to keep the ssh running there. The 'proxy' will
  not automatically be set up next time I reboot my computer.
  
  Is it possible to install some software to run as a daemon and do this
  proxy?
  
  I think of stunnel, but I have too little knowledge to know if stunnel can
  do this.
 
 There are two general possibilities here:
 
   a) A Web cache/proxy -- squid is the canonical example, but you can
  do this sort of stuff in apache very readily.  I think apache 
  would be a good place for you to start, as most sysadmins have
  at least a passing acquaintance with its configuration.
 
  You'd need to set up a proxy on your European server to redirect
  any web traffic to en.wikipedia.org -- your users would use the
  service exactly as they do at the moment, but they'd put the
  IP of the European server into their hosts file, rather than
  your desktop.  If that is a problem, then you can chain together
  a series of proxies starting with your desktop machine, then
  the European server -- but performance may be a tad slow.

We have a lot of problems accessing any sort of proxy outside China. The
latest technology in the great firewall of China, if you have read the
newspaper, is content-based filtering. Port 443 of many foreign servers
is also being blocked.

 
   b) IPsec or other VPN tunnel between your server in Europe and a
  local firewall -- preferably your local firewall should be on
  the egress path from your LAN.  Then you can arrange routing
  so that packets to destinations in Europe pass through the 
  tunnel and use your European server as the gateway to the
  internet.  In this case, there shouldn't be any need for your
  users to have to spoof the address of en.wikipedia.org in 
  their hosts files.  IPSec comes standard with FreeBSD, but
  you'd probably want to combine it with pf(4) or other firewall
  software which you can use to control redirecting appropriate
  packets through your tunnel.  If IPSec is too mind-mangling
  for you, OpenVPN (in ports) is a pretty good alternative.
 
  You'll almost definitely want to configure a NAT gateway on
  the European server.
  
 Either of these solutions will run automatically on system startup, if
 so configured.  Option (a) will send your web traffic across the net
 in clear-text unless you can chain two proxies together and get creative
 about using HTTPS.  Or you can combine both approaches: use a local HTTP
 proxy with a VPN tunnel to your European server.

Thank you very much for your detailed explanation. I believe I and many
other people on the list are going to benefit from it.

Currently the only website we want very much that is being blocked is
wikipedia. Other websites being blocked are mostly about politics and
news, which we are not interested in (I think most people in China are
not interested in what foreign news says, and are getting used to
ignoring 3rd party political information). Wikipedia is an exception
because it has a lot of useful information, not just politics. So
basically if wikipedia is accessible, we are happy. Your general
solution looks really complicated to me; I would like to do it as
weekend fun, but I am probably not going to be able to maintain it.

Information is like this: you don't need to block all information in
order to prevent people from knowing it, you only need to put the
barrier higher. There are many ways to work around (walk through) the
Great Firewall, but every time I look into different complicated
solutions, I ask myself: is it worth spending so much time on it? And I
end up saying to myself, save the time, let's just not read this
news.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: access wikipedia (walk through the great firewall of China)

2006-12-08 Thread Fabian Keil
张韡武 [EMAIL PROTECTED] wrote:

 Hello. My office uses this method to access wikipedia behind the great
 firewall of China:
 
 1) we have a server in Europe, let's call it server;
 2) I run this command on my desktop:
 $ ssh -L 80:en.wikipedia.org:80 server;
 3) everybody in the office edits /etc/hosts, adding this line:
 [my_ip_addr] en.wikipedia.org
 
 So my computer becomes a 'proxy'.
 
 The trouble is I have to keep the ssh running there. The 'proxy' will
 not automatically be set up next time I reboot my computer.

I think it would be a lot easier if you'd just install Tor
(http://tor.eff.org/).

If you use the security/tor-devel port, you can run it on your company's
gateway and build an intercepting proxy with PF (or natd but I haven't
tried that). This way you wouldn't have to touch the client systems at
all.

Currently the great firewall of Wikipedia prevents Tor users
from contributing, but if you're only interested in reading,
this shouldn't be a problem.

Note that Tor doesn't hide the fact that you are using it.
My understanding is that Tor usage is currently still
legal in China (or at least not prosecuted) and quite popular
there, but of course you should confirm that before you start using
it on an IP address that can be traced back to you.

Fabian
-- 
http://www.fabiankeil.de/




Re: access wikipedia (walk through the great firewall of China)

2006-12-08 Thread Vince Hoffman



On Fri, 8 Dec 2006, 张韡武 wrote:


Hello. My office uses this method to access wikipedia behind the great
firewall of China:

1) we have a server in Europe, let's call it server;
2) I run this command on my desktop:
$ ssh -L 80:en.wikipedia.org:80 server;
3) everybody in the office edits /etc/hosts, adding this line:
[my_ip_addr] en.wikipedia.org

So my computer becomes a 'proxy'.

The trouble is I have to keep the ssh running there. The 'proxy' will
not automatically be set up next time I reboot my computer.

Is it possible to install some software to run as a daemon and do this
proxy?

I think of stunnel, but I have too little knowledge to know if stunnel can
do this.


maybe autossh ?
http://www.harding.motd.ca/autossh/
It's in ports
Port:   autossh-1.4a
Path:   /usr/ports/security/autossh
Info:   Automatically restart SSH sessions and tunnels

Otherwise, as many other people have said, there are many better ways to do
this.


Vince



Re: access wikipedia (walk through the great firewall of China)

2006-12-08 Thread John Nielsen
On Friday 08 December 2006 07:12, Vince Hoffman wrote:
 On Fri, 8 Dec 2006, 张韡武 wrote:
  Hello. My office uses this method to access wikipedia behind the great
  firewall of China:
 
  1) we have a server in Europe, let's call it server;
  2) I run this command on my desktop:
  $ ssh -L 80:en.wikipedia.org:80 server;
  3) everybody in the office edits /etc/hosts, adding this line:
  [my_ip_addr] en.wikipedia.org
 
  So my computer becomes a 'proxy'.
 
  The trouble is I have to keep the ssh running there. The 'proxy' will
  not automatically be set up next time I reboot my computer.
 
  Is it possible to install some software to run as a daemon and do this
  proxy?
 
  I think of stunnel, but I have too little knowledge to know if stunnel can
  do this.

 maybe autossh ?
 http://www.harding.motd.ca/autossh/
 It's in ports
 Port:   autossh-1.4a
 Path:   /usr/ports/security/autossh
 Info:   Automatically restart SSH sessions and tunnels

Autossh might do this better/more elegantly, but a quick and dirty solution 
would be something like this:

1) Set up certificates so that ssh server from your machine will 
automatically log in to the server without prompting for a password.

2) Write a script to see if ssh is running and run it if it's not, e.g.

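#!/bin/sh
# Start the tunnel only if nothing is listening on TCP port 80 already.
# Match the port field exactly and quietly: a bare "grep 80" also matches
# 8080 and prints the matching line, which cron then mails on every run.
netstat -na | grep LISTEN | grep -q '[.:]80 ' || \
/usr/bin/ssh -fnN -L 80:en.wikipedia.org:80 server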

3) Add an entry to your crontab to run the script every X minutes.

JN
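
Added example (not part of John Nielsen's message or of any project named in the thread): a fuller form of the cron watchdog from steps 2 and 3, which matches the listening port exactly and makes ssh exit when the forward or the connection fails. The SSH_BIN variable, the --run flag and the sample netstat lines are assumptions made for this example.

```sh
#!/bin/sh
# Added example: cron watchdog for the thread's tunnel. SSH_BIN and --run
# are assumptions; "server" is the poster's placeholder host name.
PORT=${PORT:-80}
FORWARD=${FORWARD:-80:en.wikipedia.org:80}
HOST=${HOST:-server}
SSH_BIN=${SSH_BIN:-/usr/bin/ssh}

# Read `netstat -an` output on stdin; succeed only if a TCP socket is in
# LISTEN state on exactly port $1. FreeBSD prints the local address as
# "*.80", Linux as "0.0.0.0:80"; a bare `grep 80` also matches 8080.
listening_on_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, part, /[.:]/)
            if (part[n] == port) found = 1
        }
        END { exit !found }'
}

# Start the tunnel unless the port is already bound. BatchMode stops ssh
# from prompting under cron, ExitOnForwardFailure makes it exit if the
# forward cannot be set up, and the ServerAlive options end a dead session
# so that the next cron run starts a new one.
ensure_tunnel() {
    if netstat -an | listening_on_port "$PORT"; then
        return 0
    fi
    "$SSH_BIN" -fnN \
        -o BatchMode=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -L "$FORWARD" "$HOST"
}

# Constructed sample of `netstat -an` output (FreeBSD layout).
sample_netstat() {
    cat <<'EOF'
tcp4       0      0 *.8080                 *.*                    LISTEN
tcp4       0      0 10.0.80.1.22           10.0.0.5.51234         ESTABLISHED
tcp4       0      0 *.22                   *.*                    LISTEN
EOF
}

# From cron: */5 * * * * /path/to/this-script --run
if [ "${1:-}" = "--run" ]; then
    ensure_tunnel
fi
```

ssh binds a forwarded port to the loopback address unless -g or GatewayPorts is set, and binding a local port below 1024 requires root.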


Re: access wikipedia (walk through the great firewall of China)

2006-12-08 Thread Jona Joachim
On Fri, 08 Dec 2006 14:25:59 +0800
张韡武 [EMAIL PROTECTED] wrote:

 Hello. My office uses this method to access wikipedia behind the great
 firewall of China:
 
 1) we have a server in Europe, let's call it server;
 2) I run this command on my desktop:
 $ ssh -L 80:en.wikipedia.org:80 server;
 3) everybody in the office edits /etc/hosts, adding this line:
 [my_ip_addr] en.wikipedia.org
 
 So my computer becomes a 'proxy'.
 
 The trouble is I have to keep the ssh running there. The 'proxy' will
 not automatically be set up next time I reboot my computer.

You can put the command into /etc/rc.local for it to be executed at
boot time.

Jona


access wikipedia (walk through the great firewall of China)

2006-12-07 Thread 张韡武
Hello. My office uses this method to access wikipedia behind the great
firewall of China:

1) we have a server in Europe, let's call it server;
2) I run this command on my desktop:
$ ssh -L 80:en.wikipedia.org:80 server;
3) everybody in the office edits /etc/hosts, adding this line:
[my_ip_addr] en.wikipedia.org

So my computer becomes a 'proxy'.

The trouble is I have to keep the ssh running there. The 'proxy' will
not automatically be set up next time I reboot my computer.

Is it possible to install some software to run as a daemon and do this
proxy?

I think of stunnel, but I have too little knowledge to know if stunnel can
do this.



Re: access wikipedia (walk through the great firewall of China)

2006-12-07 Thread 张韡武
On Fri, 2006-12-08 at 14:25 +0800, 张韡武 wrote:
 Hello. My office uses this method to access wikipedia behind the great
 firewall of China:
 
 1) we have a server in Europe, let's call it server;
 2) I run this command on my desktop:
 $ ssh -L 80:en.wikipedia.org:80 server;
 3) everybody in the office edits /etc/hosts, adding this line:
 [my_ip_addr] en.wikipedia.org
 
 So my computer becomes a 'proxy'.
 
 The trouble is I have to keep the ssh running there. The 'proxy' will
 not automatically be set up next time I reboot my computer.
 
 Is it possible to install some software to run as a daemon and do this
 proxy?
 
 I think of stunnel, but I have too little knowledge to know if stunnel can
 do this.

Forgot to mention: another requirement is to be able to automatically
re-connect if the ssh connection drops. It's difficult to maintain a
connection the whole day.



Re: access wikipedia (walk through the great firewall of China)

2006-12-07 Thread Matthew Seaman
张韡武 wrote:
 Hello. My office uses this method to access wikipedia behind the great
 firewall of China:
 
 1) we have a server in Europe, let's call it server;
 2) I run this command on my desktop:
 $ ssh -L 80:en.wikipedia.org:80 server;
 3) everybody in the office edits /etc/hosts, adding this line:
 [my_ip_addr] en.wikipedia.org
 
 So my computer becomes a 'proxy'.
 
 The trouble is I have to keep the ssh running there. The 'proxy' will
 not automatically be set up next time I reboot my computer.
 
 Is it possible to install some software to run as a daemon and do this
 proxy?
 
 I think of stunnel, but I have too little knowledge to know if stunnel can
 do this.

There are two general possibilities here:

  a) A Web cache/proxy -- squid is the canonical example, but you can
 do this sort of stuff in apache very readily.  I think apache 
 would be a good place for you to start, as most sysadmins have
 at least a passing acquaintance with its configuration.

 You'd need to set up a proxy on your European server to redirect
 any web traffic to en.wikipedia.org -- your users would use the
 service exactly as they do at the moment, but they'd put the
 IP of the European server into their hosts file, rather than
 your desktop.  If that is a problem, then you can chain together
 a series of proxies starting with your desktop machine, then
 the European server -- but performance may be a tad slow.

  b) IPsec or other VPN tunnel between your server in Europe and a
 local firewall -- preferably your local firewall should be on
 the egress path from your LAN.  Then you can arrange routing
 so that packets to destinations in Europe pass through the 
 tunnel and use your European server as the gateway to the
 internet.  In this case, there shouldn't be any need for your
 users to have to spoof the address of en.wikipedia.org in 
 their hosts files.  IPSec comes standard with FreeBSD, but
 you'd probably want to combine it with pf(4) or other firewall
 software which you can use to control redirecting appropriate
 packets through your tunnel.  If IPSec is too mind-mangling
 for you, OpenVPN (in ports) is a pretty good alternative.

 You'll almost definitely want to configure a NAT gateway on
 the European server.
 
Either of these solutions will run automatically on system startup, if
so configured.  Option (a) will send your web traffic across the net
in clear-text unless you can chain two proxies together and get creative
about using HTTPS.  Or you can combine both approaches: use a local HTTP
proxy with a VPN tunnel to your European server.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
  Kent, CT11 9PW


