Firewall Piercing mini-HOWTO
8. Final notes
8.1. Other settings
I have no idea how to pierce firewalls with lesser operating systems, but you can take one of these old disused computers (about anything with 8MB of RAM and an ethernet card should do), install Linux or BSD on it, and pierce the firewall with it, while serving as a router for other machines running lesser OSes. See appropriate HOWTOs about routing, IP forwarding, NAT, etc.
I don't know the details, but a promising tool to pierce firewalls is Chris Mason's Bouncer, which acts as a SOCKS-proxy-over-SSL.
There are other kinds of firewalls than those that allow for direct ssh or telnet connections. As long as a continuous flow of packets may transmit information through a firewall in both directions, it is possible to pierce it; only the price of writing the piercer may be higher or lower.
In a very easy case, we saw that you can just launch ssh over a pty master and do some pppd in the slave tty. You may even want to do it without an adverse firewall, just so as to build a secure "VPN" (Virtual Private Network). The VPN mini-HOWTO gives all the details you need about this. We invite you, as an exercise, to modify fwprc so as to use this technique, or perhaps even so as to use it inside a previous non-secure fwprc session.
Now, if the only way through the firewall is a WWW proxy (usually, a minimum for an Internet-connected network), you might want to use Chris Chiappa's script ssh-https-tunnel.
Another promising program for piercing through HTTP is Lars Brinkhoff's httptunnel, an HTTP server and client combination that achieves a TCP/IP tunnel connection through the proxy-friendly HTTP protocol. You should then be able to run fwprc (preferably over ssh) over that connection, although I haven't tried it yet. Could anyone test and report? Note that httptunnel is still under development, so you may help implement the features it currently lacks, such as having multiple connections, and/or serving fake pages so as to mislead suspicious adverse firewall administrators.
Whatever goes through your firewall, be it telnet, HTTP or other TCP/IP connections, or something really weird like DNS queries, ICMP packets, e-mail (see mailtunnel, icmptunnel), or whatever else, you can always write a tunnel client/server combination, and run an ssh and/or PPP connection through it. The performance mightn't be high, depending on the effective information communication rate after paying the overhead for coding around filters and proxies; but such a tunnel is still interesting as long as it's good enough to use fetchmail, suck, and other non-interactive programs.
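Seen from the firewall administrator's side, the coding overhead mentioned above is what makes a DNS-carried tunnel stand out in resolver logs: data has to travel as long, random-looking labels under one parent domain. The following is an added example, not part of the original HOWTO; the sample queries are constructed, and the function names and thresholds are assumptions chosen for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed (client, query name) pairs, not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.org"),
    ("10.0.0.5", "static-assets-cdn-frontend.example.com"),
    ("10.0.0.7", "k7qzm2xw5bn3ry6tc4hdjgfp.t.example.net"),
    ("10.0.0.7", "p3fgj6dh4ct7yr2nb5wxmzqk.t.example.net"),
    ("10.0.0.7", "x2bw5nm3zr7qky6ptfc4ghdj.t.example.net"),
    ("10.0.0.7", "x2bw5nm3zr7qky6ptfc4ghdj.t.example.net"),  # retransmission
    ("10.0.0.7", "t6yc4rh3dn2jb7gw5fxpmkzq.t.example.net"),
]


def entropy(text):
    """Shannon entropy of text, in bits per character."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def tunnel_candidates(queries, min_unique=4, min_len=20, min_entropy=3.5):
    """Map (client, parent domain) -> number of distinct encoded-looking labels.

    The parent domain is taken as the last two labels, a simplification
    that ignores public suffixes such as co.uk.
    """
    seen = defaultdict(set)
    for client, name in queries:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain label that could carry data
        first = labels[0]
        if len(first) >= min_len and entropy(first) >= min_entropy:
            seen[(client, ".".join(labels[-2:]))].add(first)
    # A single long name is normal; many distinct ones under one parent is not.
    return {key: len(v) for key, v in seen.items() if len(v) >= min_unique}


if __name__ == "__main__":
    for (client, parent), count in tunnel_candidates(SAMPLE_QUERIES).items():
        print(f"{client} -> {parent}: {count} distinct encoded-looking labels")
```

The thresholds need tuning against a site's own baseline, since content-delivery and telemetry hostnames can also be long and varied.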
If you need to cross a 7-bit line, you'll want to use SLIP instead of PPP. I never tried, because lines are more or less 8-bit clean these days, but it shouldn't be difficult. If necessary, fall back to using the Term-Firewall mini-HOWTO.
If you have an 8-bit clean connection and you're root on Linux on both sides of the firewall, you might want to use ethertap for better performance, encapsulating raw ethernet communications on top of your connection. David Madore has written ethertap-over-TCP and ethertap-over-UDP tunneling programs, available at ftp://quatramaran.ens.fr/pub/madore/misc/. What remains is to write some ethertap-over-tty to combine with fwprc-like tools.
If you really need more performance than you can get while paying for a user-space sequential communication tunnel through which to run PPP, then you're in the very hard case where you might have to re-hack a weird IP stack, using (for instance) the Fox project's packet-protocol functors. You'll then achieve some direct IP-over-HTTP, IP-over-DNS, IP-over-ICMP, or such, which requires not only an elaborate protocol, but also an interface to an OS kernel, both of which are costly to implement.
Finally, if you're not fighting against an adverse firewall, but just building your own VPN, there is a wide range of VPN tools on offer, and although the tricks I present are simple, work well, and might be enough for your needs, it could be a good idea to look at this evolving range (that I do not know much about) for a solution that fits your requirements of performance and maintainability.
8.2. HOWTO maintenance
I felt it was necessary to write it, but I don't have that much time for that, so this mini-HOWTO is very rough. Thus will it stay, until I get enough feedback so as to know what sections to enhance, or better, until someone comes and takes over maintenance for the mini-HOWTO. Feedback welcome. Help welcome. mini-HOWTO maintenance take-over welcome.
In any case, the above sections have shown many problems whose solution is just a matter of someone (you?) spending some time (or money, by hiring someone else) to sit down and write it: nothing conceptually complicated, though the details might be burdensome or tricky.
Do not hesitate to contribute more problems, and hopefully more solutions, to this mini-HOWTO.
8.3. Related Documents
The LDP publishes many documents related to this mini-HOWTO, most notably the Linux Security Knowledge Base, the VPN HOWTO and the VPN mini-HOWTO. For more general questions about networking, routing and firewalling, start from the Networking Overview HOWTO. See also the Linux Firewall and Security site.
Then again, when facing a problem with some program, one reflex for any Linux user should be to RTFM: Read The Fscking Manual pages for the considered programs.
8.4. Final Word
I've come to the conclusion that much like the need for Design Patterns came directly from the fact that people were using inferior languages like C++ or Java that don't allow one to directly express higher-level programming constructs (whereas good languages such as LISP do allow one to express them), the need for HOWTOs comes directly from the fact that Linux and UNIX systems are inferior operating systems that do not allow one to directly express those simple tasks that people attempt to do with them.
If you think that all this mucking around with stupid scripts and silly HOWTOs is overly complicated and that a decent computer system ought to automate it all for you, then welcome with me among UNIX haters and other people who hate current low-level operating systems, and yearn for declarative computing systems that take care of the silly details and let us focus on things that matter. (Maybe have a peek at my own TUNES project).
8.5. Extra copy of IMPORTANT DISCLAIMER --- BELIEVE IT!!!
"I hereby disclaim all responsibility for your use of this hack. If it backfires on you in any way whatsoever, that's the breaks. Not my fault. If you don't understand the risks inherent in doing this, don't do it. If you use this hack and it allows vicious vandals to break into your company's computers and costs you your job and your company millions of dollars, well that's just tough nuggies. Don't come crying to me."