Firewall issue (Unix Programming archive, December 2004)

Rajat
Dear All,
Can anybody tell me: if there are two hosts and they are not able to
communicate directly with each other due to a firewall in between, can
they communicate with each other by having a server as an
intermediate?
Though I know that until and unless we open a port for communication
at the firewall they will not be able to interact with each other. But someone
told me that we can overcome this thing by having a server as an
intermediate. Is it possible?? If yes then HOW?? What special
functionalities will that server be having??
Waiting for some +ve responses.

James Knott 2004-12-20, 7:49 am
Rajat wrote:
> Can anybody tell me: if there are two hosts and they are not able to
> communicate directly with each other due to a firewall in between, can
> they communicate with each other by having a server as an
> intermediate?
No. If a firewall blocks a protocol, having an intermediary won't make a
difference. The only exception, in some circumstances, would be a proxy.

Måns Rullgård 2004-12-20, 7:49 am
James Knott <james.knott@rogers.com> writes:
> Rajat wrote:
>
> No. If a firewall blocks a protocol, having an intermediary won't make a
> difference. The only exception, in some circumstances, would be a proxy.
If both machines can make outgoing connections to a third machine,
it's possible for them to communicate.
Let's say machines A and B are behind firewalls, and we want to make a
TCP connection from A to port 80 on B. Using server C, outside all
firewalls, we can easily get what we want:
A$ ssh -L 80:localhost:8080 C
B$ ssh -R 8080:localhost:80 C
Now, if we connect to port 80 on A, the connection will be forwarded
to port 80 on B.
--
Måns Rullgård
mru@inprovide.com

IANAL_VISTA 2004-12-20, 5:50 pm
Måns Rullgård <mru@inprovide.com> wrote in
news:yw1xbrcpyw56.fsf@ford.inprovide.com:
> James Knott <james.knott@rogers.com> writes:
>
> If both machines can make outgoing connections to a third machine,
> it's possible for them to communicate.
>
> Let's say machines A and B are behind firewalls, and we want to make a
> TCP connection from A to port 80 on B. Using server C, outside all
> firewalls, we can easily get what we want:
>
> A$ ssh -L 80:localhost:8080 C
>
> B$ ssh -R 8080:localhost:80 C
>
> Now, if we connect to port 80 on A, the connection will be forwarded
> to port 80 on B.
>
In some/many cases the firewall is configured to ONLY allow OUTBOUND
connections on port 80 and disallow INBOUND connections on port 80.
In such a situation HostA still could not talk directly to HostB.

Måns Rullgård 2004-12-20, 5:50 pm
"IANAL_VISTA" <IANAL_Vista@hotmail.com> writes:
> Måns Rullgård <mru@inprovide.com> wrote in
> news:yw1xbrcpyw56.fsf@ford.inprovide.com:
>
> In some/many cases the firewall is configured to ONLY allow OUTBOUND
> connections on port 80 and disallow INBOUND connections on port 80.
> In such a situation HostA still could not talk directly to HostB.
If only port 80 is open for outbound connections, run sshd listening
on port 80 on host C. If NO outgoing connections are allowed, it is
still possible to tunnel traffic over SMTP (email), or even DNS. As
long as there is ANY possibility to exchange information with the
outside world, and you have control over some host on the outside, the
firewall can be bypassed, although some methods are slow.
Firewalls are intended to stop the bad guys on the outside from
accessing resources on the inside. Stopping a malicious user on the
inside is probably impossible with less than pulling the plug.
--
Måns Rullgård
mru@inprovide.com
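Måns's two posts above describe an SSH tunnel through an outside host C, and then an sshd listening on port 80 to get past an egress policy that only allows outbound web traffic. The defender's counterpart, as an added example that is not part of the thread: a small Python classifier that identifies the protocol from the first client payload bytes of an outbound flow and flags flows whose protocol does not match what the destination port is supposed to carry. The flow records, addresses and banners are constructed for the example, and the expected-port table and identification heuristics are my assumptions, not anything the posts specify.

```python
"""Flag outbound flows whose first client payload does not match the protocol
normally spoken on the destination port, e.g. an SSH banner on TCP/80.
Added example; the flow records below are constructed, not captured traffic."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first client-to-server payload bytes of the flow


# Protocol an egress policy expects on each allowed port (assumption).
EXPECTED = {22: "ssh", 25: "smtp", 80: "http", 443: "tls"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")


def identify_protocol(first_bytes: bytes) -> str:
    """Best-effort protocol identification from the first client bytes."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"        # SSH protocol version exchange (RFC 4253)
    if first_bytes.startswith(HTTP_METHODS):
        return "http"       # HTTP request line
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"        # TLS handshake record (ClientHello)
    if first_bytes[:5].upper() in (b"EHLO ", b"HELO "):
        return "smtp"       # client greeting sent after the server's 220 banner
    return "unknown"


def find_mismatches(flows: List[Flow]) -> List[Tuple[str, str, int, str, str]]:
    """Return (src, dst, dport, expected, observed) for every mismatch.
    Unrecognised payloads are not reported, to keep false positives low."""
    alerts = []
    for f in flows:
        observed = identify_protocol(f.first_bytes)
        expected: Optional[str] = EXPECTED.get(f.dport)
        if expected is not None and observed != "unknown" and observed != expected:
            alerts.append((f.src, f.dst, f.dport, expected, observed))
    return alerts


# Constructed sample: RFC 5737 documentation addresses, invented banners.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.5", 80,
         b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"),
    Flow("192.0.2.10", "203.0.113.5", 443,
         b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
    # The case from the thread: an sshd on port 80 of an outside host.
    Flow("192.0.2.11", "203.0.113.9", 80, b"SSH-2.0-OpenSSH_3.9p1\r\n"),
    Flow("192.0.2.12", "203.0.113.9", 22, b"SSH-2.0-OpenSSH_3.9p1\r\n"),
    Flow("192.0.2.13", "203.0.113.20", 443, b"SSH-2.0-PuTTY_Release_0.56\r\n"),
]

if __name__ == "__main__":
    for src, dst, dport, expected, observed in find_mismatches(SAMPLE_FLOWS):
        print(f"ALERT {src} -> {dst}:{dport} expected {expected}, saw {observed}")
```

This catches the specific trick Måns describes (a raw SSH handshake on TCP/80 or 443) but not a tunnel carried inside well-formed HTTP, SMTP or DNS, which is why port-based rules alone are weak and the replies that recommend a proxy and a hole agreed with the firewall administrator are the structural answer.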

phn@icke-reklam.ipsec.nu 2004-12-20, 5:50 pm
In comp.protocols.tcp-ip Rajat <myself_rajat@yahoo.com> wrote:
> Dear All,
> Can anybody tell me: if there are two hosts and they are not able to
> communicate directly with each other due to a firewall in between, can
> they communicate with each other by having a server as an
> intermediate?
> Though I know that until and unless we open a port for communication
> at the firewall they will not be able to interact with each other. But someone
> told me that we can overcome this thing by having a server as an
> intermediate. Is it possible?? If yes then HOW?? What special
> functionalities will that server be having??
A firewall is usually an administrative-initiated thing.
Punching holes is best done with administrative powers help,
anything else is circumventing administrative powers, which
usually is "A Bad Thing".
Ask fw admin to open up the hole you need.
> Waiting for some +ve responses.
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.

Gordon Burditt 2004-12-23, 6:00 pm
>Can anybody tell me: if there are two hosts and they are not able to
>communicate directly with each other due to a firewall in between, can
>they communicate with each other by having a server as an
>intermediate?
Maybe. The purpose of proxies is often to allow this under limited
circumstances. (e.g. you can do outgoing port 80 (http) requests,
but only if it's not to pages containing porn, as determined by
an extensive blocking list. The block might even be selective and
block only parts of a given site).
Example: A cannot do outgoing port 25 traffic. B cannot do incoming
port 25 traffic from the outside world (which includes A), but it
can accept incoming port 25 traffic from C, the site's web server.
So to send email from A to B, A connects to the web site on C (using
http), types in a message on C's webmail form for support requests,
and sends it. C then initiates SMTP to B.
Example: A cannot send mail (SMTP) to most of the world because
it is a spamhaus and is blocked at most mail servers. A hacks into
B, an insecure machine on a DSL line, via some other protocol, and
then uses B (zombie) to send millions of spams to the rest of the
world.
Example: I can only ssh into B from a very limited subnet of systems.
So to get to it from A, I ssh into C, one of that very limited subnet
of systems, then to B from C.
>Though I know that until and unless we open a port for communication
>at the firewall they will not be able to interact with each other. But someone
>told me that we can overcome this thing by having a server as an
>intermediate. Is it possible?? If yes then HOW?? What special
>functionalities will that server be having??
Often, that server needs to run a proxy.
Beware that if you are trying to get around administrative restrictions
without the administrator's knowledge, the result will likely be even
more administrative restrictions and/or getting fired when this is
discovered.
Gordon L. Burditt
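Gordon's last example (ssh into C, then on to B) and Måns's -R forward both depend on what the sshd on the intermediate host is willing to do for an authenticated user. As an added example, not from the thread: an sshd_config fragment showing the permissive settings next to a hardened set that turns C into a jump host able to reach only B's SSH port. The host name, group name and file path are placeholders I chose; the directives are standard OpenSSH ones (AllowTcpForwarding's "local" value and PermitOpen inside a Match block need a reasonably current OpenSSH).

```text
# /etc/ssh/sshd_config on intermediate host C (placeholder path)

# --- Permissive: any authenticated user can turn C into an arbitrary relay,
#     in both directions, and expose forwarded ports on C's public interface.
AllowTcpForwarding yes
GatewayPorts yes
AllowAgentForwarding yes

# --- Hardened: no forwarding by default; members of one group may open
#     local (-L) forwards, and only to hostB's SSH port. Remote (-R)
#     forwards, the half that makes B reachable from outside, stay disabled.
AllowTcpForwarding no
GatewayPorts no
AllowAgentForwarding no
PermitTunnel no
Match Group jumpusers
    AllowTcpForwarding local
    PermitOpen hostB.example.net:22
```

Two caveats from the sshd_config manual that matter here: disabling TCP forwarding does not restrict a user who also has a shell on C, since they can run their own forwarder, so pair it with ForceCommand or a restricted shell for jump-only accounts; and none of this affects an outside host the user owns, which is why egress policy and detection on the inside, plus Gordon's "ask the administrator" advice, are the controls that actually apply to the situation in the thread.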