[svlug] Re: Firewall Tunnel + A Hint

Kevin Kaichuan He hek at cisco.com
Mon Jun 4 14:48:02 PDT 2001

Hi Aludal,

	Thank you for the input.
	Yes, you can use "ssh" to forward/tunnel tcp connection back
and forth. If what you want to do is to tunnel a connection from
intranet to extranet, your "recipe" of "ssh remote_host -L
localport:remote_host:remote_port" will work just fine. But what "Firewall
Tunnel" want to do is to allow reverse tunnelling/forwarding in the direction
from extranet to intranet. Normally firwall sitting between intranet and
extranet will block connection initiated from extranet to intranet. So
the "-R" option of ssh (e.g.: ssh remote_host -R
remote_port:local_host:localport) seems to serve the "reverse tunnelling"
purpose only if there is no firewall between localhost and remotehost. I tried
the "-R" option on the following two cases:

1) localhost and remote host are in the same network, no firewall in between:
	It works fine. You can connect to the remote port on the remote host
   and your connection is tunneled to localhost just fine.
2) localhost and remote host are in different network, firewall sitting
   between dropping TCP connection from remote host to localhost
	It doesn't work. You can not connect to the remote port on the remote
   host this way.

	As to the reason, (correct me if I'm wrong), I'm just guessing the "ssh"
"-R" tunnelling will estabilish a new tunnel from remote to local for each new
connection request that reaches the remote port on the remote host. So such new
connection will be dropped by the firewall for sure since it's initiated from
the external world. While the "Firewall Tunnel" tool will always use
the same tunnel/connetion to tunnel/forward tcp requests from remote to
local and this single connection is initiated from intranet to extranet
in the very beginning. That's why it can export intranet service to
externel. It also means the "firewall tunnel" have to multiplex multiple
tcp connections into the same tunnel at the Front End and demultiplex
the traffic and inject them to the stack at the Back End, which is
more difficult than the "allocating a new tunnel for a new tcp connection"



On Sun, 3 Jun 2001, aludal wrote:
> >? ? ? ?Firewall Tunnel is a tool to enable servers behind a
> >firewall to export services to the external networks with the
> >assistance from an externel host as proxy. The firewall tunnel consists
> >of two parts: a frontend piece running on the proxy machine
> >outside the firewall and a backend piece running on the server
> >inside the firewall. Backend first establishes connection to frontend.
> >And later on when user outside firewall issues requests to the frontend
> >they will be transparently tunnelled to the backend
> >URL: http://www.employees.org/~hek2000/projects/firewallTunnel/

> Well, don't know where to apply your tool in my home system (yet), but just
> for the art of tunneling, could you please enlighten me in validity of the
> following recipe:
> "On your _modem_ host, run
> export http_proxy=http://localhost:3129
> export ftp_proxy=ftp://localhost:3129
> ssh -C -L 3129:proxyhost:3128 username at fasthost.net
> where "proxyhost: is the proxy server for your "well-connected" friends at
> "fasthost.net". The tunnel will make it look like proxy server is running
> >from your computer at port 3129, and everything going over slow link [or any
> link, including xDSL and T3} will be compressed and encrypted
> What do you think of this? Is it a) feasible, to organize such a transport
> with the above means, and b) if so, could it be practical?
> Thank you,
> Alexander Udalov
> P.S. A Hint:
> ---------------
> If somebody feels like crippled with his/her
> installation/font/acceleration/antialiasing/resolution handling of XFree86
> 4.0.1, 4.0.2, 4.0.3, 4.0.99 and or CVS in between, here's sources of 4.1.0 to
> play with:
> ftp://download.sourceforge.net/pub/mirrors/XFree86/4.1.0/
> or here:
> http://ftp-stud.fht-esslingen.de/pub/Mirrors/ftp.xfree86.org/XFree86/4.1.0/source/
> No official declaration was made as of writing, but the product looks like
> final. I haven't built it myself yet, and anybody's comments on building it
> around Pentium III+Matrox Millenium G4x0 (Max) machine would be more than
> welcome.

More information about the svlug mailing list