From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Organization: Infracaninophile
Date: Fri, 08 Dec 2006 06:53:44 +0000
Message-ID: <45790BF8.9050102@infracaninophile.co.uk>
In-Reply-To: <1165559159.8140.5.camel@joe.realss.com>
To: ???
Cc: freebsd-questions@freebsd.org
Subject: Re: access wikipedia (walk through the great firewall of China)

??? wrote:
> Hello. My office uses this method to access wikipedia behind the great
> firewall of China:
>
> 1) we have a server in Europe, let's call it server;
> 2) I run this command on my desktop:
>    $ ssh -L 80:en.wikipedia.org:80 server
> 3) everybody in the office edits /etc/hosts and adds this line:
>    [my_ip_addr] en.wikipedia.org
>
> So my computer becomes a 'proxy'.
>
> The trouble is I have to keep the ssh running there. The 'proxy' will
> not automatically be set up next time I reboot my computer.
>
> Is it possible to install some software to run as a daemon and do this
> proxy?
>
> I think of stunnel, but I have too little knowledge to know if stunnel can
> do this.

There are two general possibilities here:

a) A Web cache/proxy -- squid is the canonical example, but you can do
   this sort of stuff in apache very readily. I think apache would be a
   good place for you to start, as most sysadmins have at least a
   passing acquaintance with its configuration. You'd need to set up a
   proxy on your European server to redirect any web traffic to
   en.wikipedia.org -- your users would use the service exactly as they
   do at the moment, but they'd put the IP of the European server into
   their hosts file, rather than your desktop. If that is a problem,
   then you can chain together a series of proxies starting with your
   desktop machine, then the European server -- but performance may be
   a tad slow.

b) IPsec or other VPN tunnel between your server in Europe and a local
   firewall -- preferably your local firewall should be on the egress
   path from your LAN. Then you can arrange routing so that packets to
   destinations in Europe pass through the tunnel and use your European
   server as the gateway to the internet. In this case, there shouldn't
   be any need for your users to have to spoof the address of
   en.wikipedia.org in their hosts files. IPSec comes standard with
   FreeBSD, but you'd probably want to combine it with pf(4) or other
   firewall software which you can use to control redirecting
   appropriate packets through your tunnel. If IPSec is too
   mind-mangling for you, OpenVPN (in ports) is a pretty good
   alternative. You'll almost definitely want to configure a NAT
   gateway on the European server.

Either of these solutions will run automatically on system startup, if
so configured. Option (a) will send your web traffic across the net in
clear-text unless you can chain two proxies together and get creative
about using HTTPS. Or you can combine both approaches: use a local HTTP
proxy with a VPN tunnel to your European server.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
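An added example, not code from the thread or from either poster: an Apache 2.2 configuration for option (a) on the European server, written as a reverse proxy for the one site rather than an open forward proxy, so that nobody else on the internet can relay through it. The office address range 203.0.113.0/24 is a placeholder, and mod_proxy and mod_proxy_http are assumed to be loaded.

```apache
# Added example (not from the original thread): Apache 2.2 on the
# European server serving as a reverse proxy for en.wikipedia.org,
# option (a) in the reply. Assumes mod_proxy and mod_proxy_http are
# loaded and that office users map en.wikipedia.org to this server's
# public address in /etc/hosts.

# Never act as an open forward proxy: with ProxyRequests Off only the
# explicit ProxyPass mappings below are reachable.
ProxyRequests Off

<VirtualHost *:80>
    # Browsers send "Host: en.wikipedia.org" because of the hosts-file
    # entry, so this name-based vhost is the one that matches.
    ServerName en.wikipedia.org

    # Pass the client's Host: header upstream so Wikipedia serves the
    # English site rather than a default page.
    ProxyPreserveHost On

    # Forward only this one site; rewrite Location: headers on the way
    # back so redirects still point at the spoofed name.
    ProxyPass        / http://en.wikipedia.org/
    ProxyPassReverse / http://en.wikipedia.org/

    # Restrict use to the office's egress address range (placeholder
    # network; replace with the real one). Anything else is refused.
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 203.0.113.0/24
    </Proxy>
</VirtualHost>
```

As the reply notes, this still carries the page contents across the net in clear text between the office and the European server; that is what option (b) addresses.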