I guess I'm at a backwards company because the network admin has all the outbound ports blocked except for ports 80 and 22.
How do you send e-mail, ftp, or view secure, https, sites? ~jp
> I guess I'm at a backwards company because the network admin has all the outbound ports blocked except for ports 80 and 22.
> How do you send e-mail, ftp, or view secure, https, sites?

Hm.. Good question. I do believe that the network admin does have https open (port 443 if I remember correctly). She must also have port 25 (I think that is correct for email). I do know she has it to where everyone must use secure ftp to get out. What I do know is that she doesn't allow anyone to get out on weird ports like 5901, 5801, etc. Just those she knows that are going to be used, like port 80, 22, email, and secure ftp. It's crazy, I know. I've been trying to get her to change this for months but still no luck.
On Wednesday 13 July 2005 00:44, Jay Paulson wrote:
> > I guess I'm at a backwards company because the network admin has all the outbound ports blocked except for ports 80 and 22.
> > How do you send e-mail, ftp, or view secure, https, sites?
>
> Hm.. Good question. I do believe that the network admin does have https open (port 443 if I remember correctly). She must also have port 25 (I think that is correct for email). I do know she has it to where everyone must use secure ftp to get out. What I do know is that she doesn't allow anyone to get out on weird ports like 5901, 5801, etc. Just those she knows that are going to be used, like port 80, 22, email, and secure ftp. It's crazy, I know. I've been trying to get her to change this for months but still no luck.

I only allow SSH into my linux boxes anyway. So I agree with her! Of course, allowing ssh is allowing almost anything, since you can tunnel to your heart's content, but then again it's all secure...

Jerry
> > > I guess I'm at a backwards company because the network admin has all the outbound ports blocked except for ports 80 and 22.
> > > How do you send e-mail, ftp, or view secure, https, sites?
> >
> > Hm.. Good question. I do believe that the network admin does have https open (port 443 if I remember correctly). She must also have port 25 (I think that is correct for email). I do know she has it to where everyone must use secure ftp to get out. What I do know is that she doesn't allow anyone to get out on weird ports like 5901, 5801, etc. Just those she knows that are going to be used, like port 80, 22, email, and secure ftp. It's crazy, I know. I've been trying to get her to change this for months but still no luck.
>
> I only allow SSH into my linux boxes anyway. So I agree with her! Of course, allowing ssh is allowing almost anything, since you can tunnel to your heart's content, but then again it's all secure...

I totally agree!! I just need to figure out exactly how to do it. I know it has to do with ssh -L, but I'm not sure on it after that. I've tried, but not understanding what it is doing, it's like trying to find water when you are blind.
On Wednesday 13 July 2005 13:45, Jay Paulson wrote:
> I totally agree!! I just need to figure out exactly how to do it. I know it has to do with ssh -L, but I'm not sure on it after that. I've tried, but not understanding what it is doing, it's like trying to find water when you are blind.

OK, let's try to explain in basic terms how the tunneling works. I'll call your work machine mac, and your home machine suse. The simplified command in general is:

ssh -L port:host:hostport

where:

- port - this is the local port on the machine where you start the ssh client - your mac. ssh will open this port and start listening for connections on it. If some program (your vnc viewer) makes a connection, then the traffic is forwarded.
- host - the machine which should accept the connection. NOT the ssh connection, the tunneled one. I.e. this is a machine at the other end of the tunnel - it may be the machine to which you created the ssh session, or any other machine on that network. So, for your situation the value for this param should be "localhost". This is localhost from the point of view of the receiving end of the ssh connection (suse).
- hostport - this is the port on the host (look above) to which to redirect the connection.

Now, a little example, which does not solve your problem, but will explain how it works:

work> ssh -L 11111:home2:22222 home1

What happens is: an ssh connection is established from machine work to machine home1. The ssh client starts to listen for connections on port 11111 on machine work. If a program connects to this port on machine work, this traffic is going to be encrypted and sent to machine home1. There it is decrypted, and a connection to port 22222 on home2 is established.

Now, in order to solve your problem, from the mac machine start an ssh session to your suse machine:

mac> ssh -L 5901:localhost:5901 suse

This will open local (mac) port 5901 and will forward all connections to local (suse) port 5901 on suse. Now, I do not know what the vnc client on mac is, but there should :) be a way to tell it what server:port, or server:window, to connect to. Just, instead of telling it to connect to suse, tell it to connect to localhost (mac). This should do it.

Aaaa, I have no brakes :), long huh?

Cheers
Sunny
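The listen-then-forward mechanics Sunny describes, as an added example that is not part of the thread and not ssh's own code: a small Python model of the client side of `ssh -L port:host:hostport`. It parses the `-L` argument, listens on the local port, and relays each accepted connection to host:hostport. Real ssh carries the bytes over the encrypted session and lets sshd on the far end make the final hop; here that hop is done in-process so the script runs offline. A local echo server stands in for the service at the far end (the VNC server on suse in the thread); the ports are chosen by the OS at runtime and the payload is constructed.

```python
"""Added example: an in-process model of the client side of `ssh -L`.

Real ssh encrypts the relayed bytes and lets sshd open the host:hostport
connection on the remote side. This model skips the encrypted hop so that
the listen/accept/relay mechanics can be run and observed offline."""

import socket
import threading


def parse_forward_spec(spec):
    """Split an `ssh -L` argument of the form port:host:hostport."""
    parts = spec.split(":")
    if len(parts) != 3:
        raise ValueError("expected port:host:hostport, got %r" % spec)
    port, host, hostport = parts
    return int(port), host, int(hostport)


def _pump(src, dst):
    """Copy bytes from src to dst until src sends EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _serve(listener, on_connection):
    """Accept connections on listener until it is closed."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return
        on_connection(conn)


def _listen(port):
    """Bind a loopback TCP listener; port 0 lets the OS pick a free port."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(("127.0.0.1", port))
    ls.listen(5)
    return ls


def start_forwarder(listen_port, host, hostport):
    """Model of `ssh -L listen_port:host:hostport` on the client machine.

    Listens on 127.0.0.1:listen_port (real ssh also binds loopback by default)
    and relays every accepted connection to host:hostport. Returns the
    listening socket so the caller can close it."""
    ls = _listen(listen_port)

    def relay(client):
        # In real ssh this connect happens on the sshd side, after decryption.
        remote = socket.create_connection((host, hostport))
        threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
        threading.Thread(target=_pump, args=(remote, client), daemon=True).start()

    threading.Thread(target=_serve, args=(ls, relay), daemon=True).start()
    return ls


def start_echo_server():
    """Stand-in for the service at the far end (the VNC server in the thread)."""
    srv = _listen(0)

    def echo(conn):
        threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=_serve, args=(srv, echo), daemon=True).start()
    return srv, srv.getsockname()[1]


def run_demo(payload=b"constructed test payload"):
    """Send payload into the local port and return what the far end echoes back."""
    srv, hostport = start_echo_server()
    fwd = start_forwarder(0, "localhost", hostport)  # 0: OS picks the local port
    local_port = fwd.getsockname()[1]
    spec = "%d:localhost:%d" % (local_port, hostport)  # the equivalent -L argument
    assert parse_forward_spec(spec) == (local_port, "localhost", hostport)
    try:
        with socket.create_connection(("127.0.0.1", local_port)) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # done sending; now wait for the echo
            received = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                received += chunk
    finally:
        fwd.close()
        srv.close()
    return received


if __name__ == "__main__":
    print(run_demo())
```

The thing to notice is that the program using the tunnel (the VNC viewer, or the client in `run_demo`) only ever talks to 127.0.0.1 on the local port; it never sees suse. That is also why the listener is loopback-only: other hosts on the work LAN cannot reach the tunnel's local end unless it is deliberately bound to a non-loopback address.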
On Tuesday, July 12, 2005 06:37 pm, James D. Parra wrote:
> I guess I'm at a backwards company because the network admin has all the outbound ports blocked except for ports 80 and 22.
> How do you send e-mail, ftp, or view secure, https, sites?

You send email via port 25 to the mail server on the LAN, either behind the firewall or in a DMZ (with the port open). It's a good idea not to allow workstations to send email to an MTA on the Internet; if you have a PC infected with a mass mailing virus, the virus then can't use its own smtp engine except to try to infect other machines on the LAN. And if the virus is clever and tries to use the corporate MTA, presumably the sysadmin will catch the spike in activity and shut the machine off.

With a setup that tight, I'm surprised web browsing isn't done via a proxy, again closing off port 80 outbound at the firewall except to the internal or DMZ-hosted web proxy server.

These days there are many so-called "firewall-friendly" remote PC management tools that require port 80 or high ports to be open, so putting in a proxy server and tightening up the firewall is, in principle, a good idea--and becoming increasingly common practice.

But the sysadmin should make some accommodation here; she can then track the usage.

--
_________________________________________________________
A Message From... L. Mark Stone
Reliable Networks of Maine, LLC
"We manage your network so you can manage your business."
477 Congress Street Portland, ME 04101
Tel: (207) 772-5678
Web: http://www.rnome.com
> > I guess I'm at a backwards company because the network admin has all the outbound ports blocked except for ports 80 and 22.
> > How do you send e-mail, ftp, or view secure, https, sites?
>
> You send email via port 25 to the mail server on the LAN, either behind the firewall or in a DMZ (with the port open). It's a good idea not to allow workstations to send email to an MTA on the Internet; if you have a PC infected with a mass mailing virus, the virus then can't use its own smtp engine except to try to infect other machines on the LAN. And if the virus is clever and tries to use the corporate MTA, presumably the sysadmin will catch the spike in activity and shut the machine off.
>
> With a setup that tight, I'm surprised web browsing isn't done via a proxy, again closing off port 80 outbound at the firewall except to the internal or DMZ-hosted web proxy server.
Actually browsing is done through a proxy. *sigh*
> These days there are many so-called "firewall-friendly" remote PC management tools that require port 80 or high ports to be open, so putting in a proxy server and tightening up the firewall is, in principle, a good idea--and becoming increasingly common practice.
>
> But the sysadmin should make some accommodation here; she can then track the usage.
>
> --
> _________________________________________________________
> A Message From... L. Mark Stone
> Reliable Networks of Maine, LLC
> "We manage your network so you can manage your business."
> 477 Congress Street Portland, ME 04101
> Tel: (207) 772-5678
> Web: http://www.rnome.com
Jay Paulson
Web Design Specialist
Southwest Educational Development Laboratory
211 E. 7th St., Suite 200
Austin, TX 78701-3253
512-476-6861 (voice)
512-476-2286 (fax)
http://www.sedl.org
participants (5)
- James D. Parra
- Jay Paulson
- Jerry Westrick
- L. Mark Stone
- Sunny