Date: Fri, 20 May 2005 17:28:07 +0200 (CEST) From: "Julien Gabel" <jpeg@thilelli.net> To: "Tony Shadwick" <tshadwick@goinet.com> Cc: freebsd-questions@freebsd.org Subject: Re: syncing sources without cvs and cvsup. Message-ID: <12261.145.248.192.30.1116602887.squirrel@webmail.thilelli.net> In-Reply-To: <20050520093105.W39659@mail.goinet.com> References: <58a92a8f050520020374baf403@mail.gmail.com> <50571.145.248.192.30.1116581497.squirrel@webmail.thilelli.net> <20050520073127.T39659@mail.goinet.com> <10959.145.248.192.30.1116595105.squirrel@webmail.thilelli.net> <20050520093105.W39659@mail.goinet.com>
next in thread | previous in thread | raw e-mail | index | archive | help
>>>>> i need to update my freebsd sources to -current but the firewall i'm >>>>> behind blocks both cvs and cvsup, and ctm is an overkill. >>>> Just for information, why is CTM an "overkill"? I use it at work for >>>> the very same problem as described here, and don't see any drawback >>>> (yet...). >>> Just a thought here. Is ssh blocked? :) You have a machine on the >>> outside that you trust? You could do an ssh tunnel out and then point >>> cvsup to localhost:myforwardedport, could you not? >> Yes, ssh is blocked. We can just use the web and ftp via a farm of >> three proxies, which are able to resolve names on the Net. We can't >> even do that from our workstations or internal servers. So... > Hmm. Is port 80 actually blocked then to everyone but the actual proxy > servers? Just getting a feel for your environment. Try telnet > www.google.com 80. Does it connect? If it does, then I wonder if your > firewall is statefully inspecting non-http traffic across 80. You could > get an ssh server on the outside to listen on 80, then ssh to it as I > mentioned before. It is not possible here. The name resolution is only possible when done from proxies. So not only are the ports blocked, but it is impossible to do a "telnet www.google.com 80" from inside network (and public @ip are not routed internally). That is why we _need_ to pass through our proxies to "get" the Net. Since the outside ssh servers i know (and trust a little) use the HTTP port, it seems not possible to bypass the firewalls using the proposed method (in fact i already though about it, but without much success in the past). > Just trying to come up with ideas. If it's a legitimate business need, Yes it is... as always in banking departments ;) > then I would suggest making a request to your IP dept. to set up a rule > on the firewall to allow cvsup to connect outbound from your box's IP > address, and all to connections to the list of cvsup mirrors for your > country. > > So you're asking for a rule for one host, to connect to a list of say, 20 > hosts. That seems like a very reasonable request to me. Yes. But, in fact, and since fetch(1) knows about HTTP and FTP authenticated proxies, we really have not much need since we can get all that we need using FTP (ports tree and distfiles) and CTM (src-5 sources). We eventually lack the /usr/doc tree, but that doesn't justify a special rule on firewalls and an internal cvsup mirror :-) Thanks for your ideas though! -- -jpeg.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?12261.145.248.192.30.1116602887.squirrel>