Date: Sat, 24 Mar 2001 09:41:49 +0100
From: Stefan Esser <se@freebsd.org>
To: Mark Murray <mark@grondar.za>
Cc: current@FreeBSD.ORG, Stefan Esser <se@freebsd.org>
Subject: Re: Re: Whatever happened to CTM?
Message-ID: <20010324094149.A1185@StefanEsser.FreeBSD.org>
In-Reply-To: <200103211258.f2LCwRf43298@gratis.grondar.za>; from mark@grondar.za on Wed, Mar 21, 2001 at 02:59:28PM +0200
References: <20010321103940.A2339@StefanEsser.FreeBSD.org> <200103211258.f2LCwRf43298@gratis.grondar.za>
On 2001-03-21 14:59 +0200, Mark Murray <mark@grondar.za> wrote:
> > Just an idea:
> >
> > How about a CVSUP via HTTPS server (just as a means to tunnel CVSUP
> > through a HTTPS proxy ...) ?
> >
> > Most probably a CVSUP daemon bound to port 443 would do (there are
> > programs that tunnel arbitrary data through a HTTPS proxy, though
> > I admit this is cheating ;-)
>
> You should be able to do it with SSH (assuming that you can get out with
> ssh!)

No, if I could get out with SSH, there was no problem ...

The firewall rules are very strict: The only way to send and receive bytes through the firewall is the HTTP CONNECT method as offered by a HTTPS proxy. And even that method is further restricted to prevent misuse.

> $ ssh -v -l yourname otherhost.example.com -L5559:cvsup.example.com:5559
>
> Then doing a cvsup with the server set to 127.0.0.1 will work.

Yes, I know about this, and have been using similar setups on several occasions. The information may be useful to others, with less restrictive firewall setups. But I can't even connect fully transparently through even a single TCP port, only by means of a HTTPS capable application gateway ...

(I'm not willing to go into too much detail here. I'm responsible for the firewall policy, and I just can't break or bend the rules enforced by me on a large company, just because it's *me* this time, who absolutely needs that direct TCP connection ;-)

I know that misusing 443/tcp for CVSup is not much better than attempts by some commercial software companies to tunnel everything over 80/tcp. In the end, firewalls as we know them will only be able to protect against the most primitive (header level) attacks; the protection against malicious data sent over such a connection will have to be provided by the endpoints (and I have been demanding SSL with client and server certificates for most of the B2B INTERNET services, at work).

Anyway: If CTM was to ever be given up (it's good to read that Ulf will get his CTM box connected again, soon), then there should be an alternate access method that works through tightly configured firewalls. And CVSup via SSL might be a good candidate ...

Regards, Stefan

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
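The message above says the proxy's HTTP CONNECT method is "further restricted to prevent misuse" without saying how. The following is an added example, not code from the thread or from any FreeBSD project: it assumes a proxy that restricts CONNECT to port 443 and peeks at the first client bytes of the tunnel, only letting it continue if they look like a TLS ClientHello, so that a plain-text protocol such as CVSup or SSH cannot simply be pushed through port 443. Hosts, ports and sample bytes are constructed.

```python
# Added example (not from the mailing-list thread). Assumption: the proxy
# enforces two checks on a CONNECT tunnel before relaying bytes:
#   1. the target port is on an allow-list (here only 443), and
#   2. the first bytes the client sends form a TLS handshake record carrying
#      a ClientHello, i.e. the tunnel really carries TLS.
# This is the kind of "header level" filtering the message says a firewall
# can still do; it cannot inspect what goes inside the TLS session.

ALLOWED_CONNECT_PORTS = {443}

def parse_connect_line(line: str):
    """Return (host, port) from 'CONNECT host:port HTTP/1.x', or None if malformed."""
    parts = line.strip().split()
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host, int(port)

def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if data starts with a TLS record (type 0x16 = handshake) whose
    first handshake message is a ClientHello (type 0x01)."""
    if len(data) < 6:
        return False
    content_type, major, minor = data[0], data[1], data[2]
    if content_type != 0x16 or major != 3 or minor > 4:   # SSL 3.0 .. TLS 1.3 versions
        return False
    record_len = int.from_bytes(data[3:5], "big")
    if record_len == 0 or record_len > 16384:              # TLS record length limit
        return False
    return data[5] == 0x01

def tunnel_decision(request_line: str, first_bytes: bytes) -> str:
    """Return 'allow' or a 'reject: ...' reason for a CONNECT tunnel."""
    target = parse_connect_line(request_line)
    if target is None:
        return "reject: malformed CONNECT request"
    host, port = target
    if port not in ALLOWED_CONNECT_PORTS:
        return f"reject: port {port} not permitted for CONNECT"
    if not looks_like_tls_client_hello(first_bytes):
        return "reject: tunnel payload is not a TLS ClientHello"
    return "allow"

# Constructed sample inputs: a TLS 1.0 record header + ClientHello prefix,
# and two plain-text greetings that a tunneled non-TLS protocol might send.
TLS_HELLO_PREFIX = bytes.fromhex("160301005a010000560303") + b"\x00" * 11
SSH_BANNER = b"SSH-2.0-OpenSSH\r\n"
PLAIN_GREETING = b"PROTO 17 0 CVSup\r\n"   # constructed, not the real CVSup greeting
```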