From: "Steve Bernard"
Organization: George Mason University
Date: Fri, 28 Feb 2003 10:50:05 -0500
To: stable@FreeBSD.ORG
Subject: Re: problems with getting through firewall using CVSup

You could funnel your CVS traffic through an open port like 80 or 22 or tunnel it inside of HTTP or SSH, but this will require a gateway on the outside, or someone running a CVS repository on one of those ports.

If you think that the fw admins watch their logs and traffic patterns then you're likely to get caught either way. If you've been going to long lengths to circumvent their security then they're more likely to take issue with you.

If it's an ISP, try talking to them and explaining the necessity of what you want to do. If you're at work, do the same but make a business case for it. This way, if the fw admins are unreasonable maybe a manager will be more willing to listen.

If it's a bandwidth utilization issue, try throttling your bandwidth using something like AltQ, or schedule your CVS updates for off-hours.

If you make the fw admins mad you may experience "unexplainable" network outages or packet loss ;)

Steve

Igor Pokrovsky wrote:

> Patrick M. Hausen wrote:
>
>>Hi!
>>Sergey Osokin wrote:
>>
>>
>>>>Is there any way to make it work?
>>>>To fool firewall?
>>>
>>>Yes, looks like a bad/fool/stupid firewall administriva.
>>
>>No. This looks exactly like the correct way to implement
>>a firewall.
>>
>>Everything which is not on the "explicitly permitted" list
>>is denied by default.
>>
>>So users trying new and "interesting" protocols and services
>>have to check if what they are trying to do is in accordance
>>with the security policy first.
>>
>>I know, there are lots of companies that permit any inside
>>initiated TCP connection. I'd call this stupid if not
>>explicitly decided upon and documented.
>
> Yes. I agree, maybe this is a good policy. And moreover
> I think that they closed port 5999 on firewall because
> of my activities :-) Perhaps they thought that I'm trying
> to do something, which will break their security. Maybe because
> port number is not very popular :-)
>
>
>>And last - maybe they are running a strict application level
>>gateway like Gauntlet or Sidewinder? If this is the case the
>>admin must define a custom TCP proxy for CVSup, first.
>
> No. Fortunately.
>
> But is there any way to do anything without asking firewall
> admin to open 5999 port?