Date: Fri, 08 Dec 2006 18:10:04 +0800
From: 张韡武 <weiwu@sdf.lonestar.org>
To: freebsd-questions@freebsd.org
Subject: Re: access wikipedia (walk through the great firewall of China)
Message-ID: <1165572604.13407.16.camel@joe.realss.com>
In-Reply-To: <45790BF8.9050102@infracaninophile.co.uk>
References: <1165559159.8140.5.camel@joe.realss.com> <45790BF8.9050102@infracaninophile.co.uk>
On Fri, 2006-12-08 at 06:53 +0000, Matthew Seaman wrote:
> ??? wrote:
> > Hello. My office uses this method to access wikipedia behind the great
> > firewall of China:
> >
> > 1) we have a server in Europe, let's call it server;
> > 2) I run this command on my desktop:
> > $ ssh -L 80:en.wikipedia.org:80 server;
> > 3) everybody in the office edits /etc/hosts, adding this line:
> > [my_ip_addr] en.wikipedia.org
> >
> > So my computer becomes a 'proxy'.
> >
> > The trouble is I have to keep the ssh running there. The 'proxy' will
> > not automatically be set up next time I reboot my computer.
> >
> > Is it possible to install some software to run as a daemon and do this
> > proxy?
> >
> > I think of stunnel, but I have too little knowledge to know if stunnel can
> > do this.
>
> There are two general possibilities here:
>
> a) A Web cache/proxy -- squid is the canonical example, but you can
>    do this sort of stuff in apache very readily. I think apache
>    would be a good place for you to start, as most sysadmins have
>    at least a passing acquaintance with its configuration.
>
>    You'd need to set up a proxy on your European server to redirect
>    any web traffic to en.wikipedia.org -- your users would use the
>    service exactly as they do at the moment, but they'd put the
>    IP of the European server into their hosts file, rather than
>    your desktop. If that is a problem, then you can chain together
>    a series of proxies starting with your desktop machine, then
>    the European server -- but performance may be a tad slow.

We have a lot of problems accessing any sort of proxy outside China. The latest technology in the great firewall of China, if you had read the newspaper, is content-based filtering. Port 443 of many foreign servers is also being blocked.

> b) IPsec or other VPN tunnel between your server in Europe and a
>    local firewall -- preferably your local firewall should be on
>    the egress path from your LAN. Then you can arrange routing
>    so that packets to destinations in Europe pass through the
>    tunnel and use your European server as the gateway to the
>    internet. In this case, there shouldn't be any need for your
>    users to have to spoof the address of en.wikipedia.org in
>    their hosts files. IPSec comes standard with FreeBSD, but
>    you'd probably want to combine it with pf(4) or other firewall
>    software which you can use to control redirecting appropriate
>    packets through your tunnel. If IPSec is too mind-mangling
>    for you, OpenVPN (in ports) is a pretty good alternative.
>
>    You'll almost definitely want to configure a NAT gateway on
>    the European server.
>
> Either of these solutions will run automatically on system startup, if
> so configured. Option (a) will send your web traffic across the net
> in clear-text unless you can chain two proxies together and get creative
> about using HTTPS. Or you can combine both approaches: use a local HTTP
> proxy with a VPN tunnel to your European server.

Thank you very much for your detailed explanation; I believe I and many other people on the list are going to benefit from it.

Currently the only website we want very much but which is being blocked is wikipedia. Other websites being blocked are mostly about politics and news, which we are not interested in (I think most people in China are not interested in what foreign news says, and are used to ignoring third-party political information). Wikipedia is an exception because it has a lot of useful information, not just politics. So basically if wikipedia is accessible, we are happy.

Your general solution looks so complicated to me that I would like to do it as weekend fun, but I am probably not going to be able to maintain it.

Information is like this: you don't need to block all information in order to prevent people from knowing it, you only need to put the barrier higher. There are many ways to work around (walk through) the Great Firewall, but every time I look into different complicated solutions, I say to myself: is it worth spending so much time on it? And I end up saying to myself, save the time, let's just not read this news.
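The practical problem in the original question is keeping the `ssh -L` forward alive across reboots. As an added example (not code from either poster), here is a small POSIX sh supervisor that an rc.d script or /etc/rc.local could start with `forward.sh run`; it assumes the host alias `server`, the same forward as in the thread, and an unattended ssh key for the user it runs as, since `BatchMode=yes` refuses to prompt for a password.

```shell
#!/bin/sh
# Supervisor for the port forward from the thread (added example, assumed
# names: SERVER is the ~/.ssh/config alias of the European host; the forward
# mirrors "ssh -L 80:en.wikipedia.org:80 server"). Binding port 80 needs
# root on FreeBSD, so the key used here should be dedicated to this job.
SERVER="${SERVER:-server}"
LOCAL_PORT="${LOCAL_PORT:-80}"
REMOTE_HOST="${REMOTE_HOST:-en.wikipedia.org}"
REMOTE_PORT="${REMOTE_PORT:-80}"
MAX_BACKOFF=60

# Build the ssh command line. -N: no remote shell; -g: let the other office
# machines connect to the forwarded port (by default it binds to loopback
# only, so the /etc/hosts trick would not work); ExitOnForwardFailure makes
# ssh exit (and be restarted) if port 80 is already taken; ServerAlive*
# notices a dead tunnel instead of hanging forever.
tunnel_cmd() {
    printf '%s' "ssh -N -g -o BatchMode=yes -o ExitOnForwardFailure=yes \
-o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
-L ${LOCAL_PORT}:${REMOTE_HOST}:${REMOTE_PORT} ${SERVER}"
}

# Exponential backoff between restarts, capped at MAX_BACKOFF seconds,
# so a server that is down is not hammered with reconnect attempts.
next_backoff() {
    n=$(( $1 * 2 ))
    [ "$n" -gt "$MAX_BACKOFF" ] && n=$MAX_BACKOFF
    echo "$n"
}

# Run the tunnel forever; reset the backoff once a session stayed up a while.
supervise() {
    delay=1
    while :; do
        start=$(date +%s)
        $(tunnel_cmd)          # blocks while the tunnel is up
        logger -t sshtunnel "tunnel to ${SERVER} exited, retry in ${delay}s"
        sleep "$delay"
        if [ $(( $(date +%s) - start )) -gt 300 ]; then
            delay=1
        else
            delay=$(next_backoff "$delay")
        fi
    done
}

if [ "${1-}" = run ]; then supervise; fi
```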
