Date: Mon, 17 Aug 2020 10:50:54 +0200
From: "Dave Cottlehuber"
To: freebsd-questions, "Aryeh Friedman"
Subject: Re: OT: Dealing with a hosting company with it's head up it's rear end

> "[Insert client name here], we do not allow RDP or SSH into our datacenter.

Get them to give you an additional ipv6 subnet and run ssh on port 80 or whatever only on that. You only need 1 bastion goat to get through using ssh ProxyCommand.

Or if that's not possible run haproxy or similar in front of whatever http(s) traffic is allowed, and use tcp detection to redirect actual ssh traffic to ssh while letting the rest through.

https://coolaj86.com/articles/adventures-in-haproxy-tcp-tls-https-ssh-openvpn/
https://blog.chmd.fr/ssh-over-ssl-episode-4-a-haproxy-based-configuration.html
https://github.com/yrutschle/sslh

I'm all until next week but if you want a hand figuring this out remind me offline on Monday.

If they allow udp traffic then consider sticking ZeroTier or wireguard in and using that. Both are free and don't need 'dangerous tcp'...

I prefer using haproxy as we use it everywhere but the basic idea (port share, detect traffic type, proxy tcp) has multiple solutions.

> So how do we/the client tell the hosting company they are full of sh*t (the
> client has a 3 year contract with a pay in full to break clause with them
> which would be over $100k to break)

This is what account managers are good for.

Get your customer's account manager to talk with their account manager and explain that you'll pull the plug and lawyer up, if std unix ssh isn't allowed and point out that google and aws support it. They always cave. Make sure your acct manager is prepped on the tech first.

How did anybody manage to set these boxes up? It must have been painful.

Dave
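
The "detect traffic type" step of the port-sharing idea above, as an added example that is not part of the original message and is not code from haproxy or sslh: a classifier over the first bytes a client sends, which is also the check a network monitor would use to notice SSH on a web port. The function names and backend addresses are assumptions made for illustration.

```python
# Added illustration: decide what protocol a new TCP connection speaks
# from the first bytes the client sends, then pick a backend.
# BACKENDS holds constructed sample addresses, not values from the message.
BACKENDS = {
    "ssh": ("127.0.0.1", 22),
    "tls": ("127.0.0.1", 8443),
    "http": ("127.0.0.1", 8080),
}
DEFAULT = BACKENDS["tls"]
NEED_MORE = "need-more-data"
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")


def classify(first_bytes: bytes) -> str:
    """Return 'ssh', 'tls', 'http', 'unknown' or NEED_MORE."""
    # SSH clients open with an identification string "SSH-..." (RFC 4253).
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS record: type 0x16 (handshake), major version 0x03, minor,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if first_bytes[:1] == b"\x16":
        if len(first_bytes) < 6:
            return NEED_MORE
        if first_bytes[1] == 0x03 and first_bytes[5] == 0x01:
            return "tls"
        return "unknown"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    # A short read may be the start of a known marker: keep reading.
    markers = (b"SSH-",) + HTTP_METHODS
    if not first_bytes or any(m.startswith(first_bytes) for m in markers):
        return NEED_MORE
    return "unknown"


def route(first_bytes: bytes, timed_out: bool = False):
    """Return a backend address, or None while more bytes are needed."""
    kind = classify(first_bytes)
    if kind == NEED_MORE:
        # A client that stays silent until the inspection window ends
        # is sent to the default backend, like any unrecognised client.
        return DEFAULT if timed_out else None
    return BACKENDS.get(kind, DEFAULT)


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in (b"SSH-2.0-OpenSSH_8.1\r\n", b"GET / HTTP/1.1\r\n", b"SS"):
        print(sample[:12], "->", classify(sample), route(sample))
```

An SSH client that waits for the server banner before sending anything never reaches the `ssh` branch, so the choice of default backend on timeout decides where it lands.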