From owner-freebsd-questions@FreeBSD.ORG Fri May 20 15:28:16 2005
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4388A16A4CE for ; Fri, 20 May 2005 15:28:16 +0000 (GMT)
Received: from smtp.thilelli.net (smtp.thilelli.net [213.41.129.161]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9EB1B43D8B for ; Fri, 20 May 2005 15:28:13 +0000 (GMT) (envelope-from jpeg@thilelli.net)
Received: from localhost (localhost [127.0.0.1]) by bento.thilelli.net (Postfix) with ESMTP id 985B87303E; Fri, 20 May 2005 17:28:12 +0200 (CEST)
Received: from bento.thilelli.net ([127.0.0.1]) by localhost (bento.thilelli.net [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 12267-03-4; Fri, 20 May 2005 17:28:07 +0200 (CEST)
Received: from webmail.thilelli.net (localhost [127.0.0.1]) by bento.thilelli.net (Postfix) with ESMTP id 0861C7303F; Fri, 20 May 2005 17:28:07 +0200 (CEST)
Received: from 145.248.192.30 (SquirrelMail authenticated user jgabel) by webmail.thilelli.net with HTTP; Fri, 20 May 2005 17:28:07 +0200 (CEST)
Message-ID: <12261.145.248.192.30.1116602887.squirrel@webmail.thilelli.net>
In-Reply-To: <20050520093105.W39659@mail.goinet.com>
References: <58a92a8f050520020374baf403@mail.gmail.com> <50571.145.248.192.30.1116581497.squirrel@webmail.thilelli.net> <20050520073127.T39659@mail.goinet.com> <10959.145.248.192.30.1116595105.squirrel@webmail.thilelli.net> <20050520093105.W39659@mail.goinet.com>
Date: Fri, 20 May 2005 17:28:07 +0200 (CEST)
From: "Julien Gabel"
To: "Tony Shadwick"
User-Agent: SquirrelMail/1.4.4
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Virus-Scanned: amavisd-new at thilelli.net
cc: freebsd-questions@freebsd.org
Subject: Re: syncing sources without cvs and cvsup.
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: jpeg@thilelli.net
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 20 May 2005 15:28:16 -0000

>>>>> I need to update my freebsd sources to -current but the firewall I'm
>>>>> behind blocks both cvs and cvsup, and ctm is an overkill.

>>>> Just for information, why is CTM an "overkill"? I use it at work for
>>>> the very same problem as described here, and don't see any drawback
>>>> (yet...).

>>> Just a thought here. Is ssh blocked? :) You have a machine on the
>>> outside that you trust? You could do an ssh tunnel out and then point
>>> cvsup to localhost:myforwardedport, could you not?

>> Yes, ssh is blocked. We can just use the web and ftp via a farm of
>> three proxies, which are able to resolve names on the Net. We can't
>> even do that from our workstations or internal servers. So...

> Hmm. Is port 80 actually blocked then to everyone but the actual proxy
> servers? Just getting a feel for your environment. Try telnet
> www.google.com 80. Does it connect? If it does, then I wonder if your
> firewall is statefully inspecting non-http traffic across 80. You could
> get an ssh server on the outside to listen on 80, then ssh to it as I
> mentioned before.

It is not possible here. Name resolution is only possible when done from
the proxies. So not only are the ports blocked, but it is impossible to do
a "telnet www.google.com 80" from inside the network (and public IP
addresses are not routed internally). That is why we _need_ to pass
through our proxies to "get" the Net. Since the outside ssh servers I know
(and trust a little) use the HTTP port, it does not seem possible to bypass
the firewalls using the proposed method (in fact I already thought about
it, but without much success in the past).

> Just trying to come up with ideas. If it's a legitimate business need,

Yes it is... as always in banking departments ;)

> then I would suggest making a request to your IP dept. to set up a rule
> on the firewall to allow cvsup to connect outbound from your box's IP
> address, and all to connections to the list of cvsup mirrors for your
> country.
>
> So you're asking for a rule for one host, to connect to a list of say, 20
> hosts. That seems like a very reasonable request to me.

Yes. But in fact, since fetch(1) knows about HTTP and FTP authenticated
proxies, we really don't have much need, since we can get all that we need
using FTP (ports tree and distfiles) and CTM (src-5 sources). We eventually
lack the /usr/doc tree, but that doesn't justify a special rule on the
firewalls and an internal cvsup mirror :-)

Thanks for your ideas though!
-- 
-jpeg.
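The setup the reply settles on (fetch(1) through an authenticating HTTP/FTP proxy, CTM deltas applied to src-5), as an added example script; it is not code from the thread or from the FreeBSD project. fetch(1) honours HTTP_PROXY, FTP_PROXY and HTTP_PROXY_AUTH as documented in fetch(3), and ctm(1) applies deltas strictly in sequence. Everything else is an assumption for illustration: the proxy host, port and user, the credentials file path, the CTM_URL mirror path, the src-5.NNNN.gz delta naming, and the ".ctm_status" layout of "name number".

```shell
#!/bin/sh
# Added example (not code from the mailing-list thread): keep /usr/src in sync
# with CTM from behind an authenticating HTTP/FTP proxy, using only fetch(1)
# and ctm(1). fetch(3) documents HTTP_PROXY / FTP_PROXY / HTTP_PROXY_AUTH.
# Hypothetical: proxy host/port/user, CRED_FILE, CTM_URL, the src-5.NNNN.gz
# delta naming and the ".ctm_status" file holding "name number".
set -eu

PROXY_HOST="proxy.corp.example"      # hypothetical
PROXY_PORT="3128"                    # hypothetical
PROXY_USER="jgabel"                  # hypothetical
CRED_FILE="${HOME}/.proxy-secret"    # hypothetical; must be mode 0600
CTM_URL="ftp://ftp.FreeBSD.org/pub/FreeBSD/development/CTM/src-5"  # assumed
SRC_DIR="/usr/src"

# Delta file name for sequence number $1 (zero-padded to four digits, assumed).
delta_name() { printf 'src-5.%04d.gz\n' "$1"; }

# Number of the last delta ctm(1) applied; .ctm_status is assumed to hold
# "name number". Prints 0 when the file is absent (fresh tree).
ctm_last_applied() {                 # $1: path to .ctm_status
    if [ -r "$1" ]; then awk '{ print $2 + 0 }' "$1"; else echo 0; fi
}

# Export the proxy settings for fetch(1). The password is read from a 0600
# file rather than typed on a command line, so it stays out of other users'
# ps(1) output and out of shell history (root can still read the environment).
# stat -f is the BSD stat(1) flag.
load_proxy_env() {
    [ "$(stat -f %Lp "$CRED_FILE")" = "600" ] || { echo "$CRED_FILE must be 0600" >&2; return 1; }
    pass=$(cat "$CRED_FILE")
    HTTP_PROXY="http://$PROXY_HOST:$PROXY_PORT"
    FTP_PROXY="$HTTP_PROXY"                      # FTP URLs also go via the HTTP proxy
    HTTP_PROXY_AUTH="basic:*:$PROXY_USER:$pass"  # scheme:realm:user:password
    export HTTP_PROXY FTP_PROXY HTTP_PROXY_AUTH
}

# Fetch each delta after the last applied one until the mirror has no more,
# applying them in order as they arrive; ctm rejects a delta out of sequence.
sync_ctm() {
    load_proxy_env
    n=$(ctm_last_applied "$SRC_DIR/.ctm_status")
    tmp=$(mktemp -d)
    while :; do
        n=$((n + 1)); f=$(delta_name "$n")
        fetch -q -o "$tmp/$f" "$CTM_URL/$f" || break   # nothing newer on the mirror
        ctm -b "$SRC_DIR" -v "$tmp/$f"
        rm -f "$tmp/$f"
    done
    rmdir "$tmp"
}

if [ "${1:-}" = "sync" ]; then sync_ctm; fi
```

Run it as `sh ctmsync.sh sync` from cron on the source box. Two caveats worth keeping in mind: the proxy password ends up in the process environment of fetch(1) for the duration of each download, which is visible to root and to the same user, so a dedicated low-privilege sync account is the cleaner choice; and the MD5 sums inside a CTM delta only catch corruption in transit, they are not a signature, so the integrity of the tree rests on trusting the mirror and the proxy path to it.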