Date: Fri, 28 Feb 2003 10:50:05 -0500
From: "Steve Bernard" <sbernard@gmu.edu>
To: stable@FreeBSD.ORG
Subject: Re: problems with getting through firewall using CVSup
Message-ID: <3E5F852D.1080301@gmu.edu>
In-Reply-To: <3E5F77B4.4392E9FD@cnrm.meteo.fr>
References: <200302281442.h1SEg0RV042490@hugo10.ka.punkt.de> <3E5F77B4.4392E9FD@cnrm.meteo.fr>

You could funnel your CVS traffic through an open port like 80 or 22 or tunnel it inside of HTTP or SSH, but this will require a gateway on the outside, or someone running a CVS repository on one of those ports. If you think that the fw admins watch their logs and traffic patterns then you're likely to get caught either way. If you've been going to long lengths to circumvent their security then they're more likely to take issue with you.

If it's an ISP, try talking to them and explaining the necessity of what you want to do. If you're at work, do the same but make a business case for it. This way, if the fw admins are unreasonable maybe a manager will be more willing to listen. If it's a bandwidth utilization issue, try throttling your bandwidth using something like AltQ, or schedule your CVS updates for off-hours.

If you make the fw admins mad you may experience "unexplainable" network outages or packet loss ;)

Steve

Igor Pokrovsky wrote:
> Patrick M. Hausen wrote:
>
>>Hi!
>>Sergey Osokin wrote:
>>
>>
>>>>Is there any way to make it work?
>>>>To fool firewall?
>>>
>>>Yes, looks like a bad/fool/stupid firewall administriva.
>>
>>No. This looks exactly like the correct way to implement
>>a firewall.
>>
>>Everything which is not on the "explicitly permitted" list
>>is denied by default.
>>
>>So users trying new and "interesting" protocols and services
>>have to check if what they are trying to do is in accordance
>>with the security policy first.
>>
>>I know, there are lots of companies that permit any inside
>>initiated TCP connection. I'd call this stupid if not
>>explicitly decided upon and documented.
>
> Yes. I agree, maybe this is a good policy. And moreover
> I think that they closed port 5999 on firewall because
> of my activities :-) Perhaps they thought that I'm trying
> to do something, which will break their security. Maybe because
> port number is not very popular :-)
>
>
>>And last - maybe they are running a strict application level
>>gateway like Gauntlet or Sidewinder? If this is the case the
>>admin must define a custom TCP proxy for CVSup, first.
>
> No. Fortunately.
>
> But is there any way to do anything without asking firewall
> admin to open 5999 port?
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message