From: Olivier
To: freebsd-questions@freebsd.org
Subject: Re: OT: Dealing with a hosting company with it's head up it's rear end
In-Reply-To: (message from Aryeh Friedman on Fri, 14 Aug 2020 04:35:50 -0400)
Date: Fri, 14 Aug 2020 15:51:10 +0700

> Nice in theory! The reality is the marching orders we have from the
> client (who refuses to bend on this) is "make it work, I don't care how you
> do it, just make it work! ... or I will find new programmers who can make
> it work"...
>
> Good luck on the client doing that, because the system is 100%
> custom (including the DB engine, due to no existing DB meeting the
> regulatory requirements of end-to-end encryption [instead of just an encrypted
> file system and encrypted fields, the tables themselves need to be
> encrypted]) which we have written/maintained over the last 8 years, including
> the occasional new feature (the new feature that is causing all this fuss
> is the client wants to autopop the Windows MySQL DB the devices use, to
> avoid duplicate hand copying of data between two forms, and due to licensing
> costs we were forced to do the testing on the production system, thus we need the
> hosting company to set up suitable near real time backups of the MySQL DB).
>
>> You mentioned that port 25 is open; you could modify some SSH client
>> and server to start the connection like an SMTP protocol, launch
>> STARTTLS, then do some SSH inside. If the 1st packet is an EHLO and
>> everything after is encrypted, they cannot see what is inside.
>>
>
> We actually use port 25 for SMTP, so this is a no-go (part of how the
> devices work is they send an email when they have data to upload and then
> have to be told remotely to upload it [this is one of the scripts we have]).

If you are ready to do SSH on port 25 (which should be a big no-no
considering the stupidity of the hosting company), you can implement a full
IP over IP tunnel inside SSH, with routing and all you need. You will need
another machine at the other end of the tunnel. Like a VPN, but using an SSH
tunnel. I have never done that (I have done IP over IP). That means that at
the outside layer of IP, you will be able to have all the ports you want,
including port 25.

Olivier
--