Re: port redirection

1999-07-06 Thread Jonathan Lupa
On Sun, Jul 04, 1999 at 12:49:49AM -0400, Jonathan Lupa wrote:
 On Sun, Jul 04, 1999 at 09:49:53AM +1000, Dan Everton wrote:
  One thing I can think of (and this is based on a very hazy grasp of
  what ipmasq and ipportfw are actually doing) is that the cvspserver is
  trying to create another connection channel back to the originating server
  and that isn't working for some reason. Anybody know if cvspserver does that
  (like the control and data ports in ftp)?

OK, well, after finally getting this to work, I figured I'd post up what I
found for posterity's sake. Hope it helps someone.

Problem: CVS server is behind a masquerading firewall, have a Win9x client,
want secure access to CVS server.

Solution:

Step 1. For 2.0 kernels, patch ipportfw support into your firewall box's
kernel. See http://www.ox.compsoc.org.uk/~steve/portforwarding.html. For 2.2
kernels masqueraded forwarding is built in... man ipmasqadm.
Step 2. Add port forwarding lines to your firewall box.
I put ipportfw -A -tXXX.XXX.XXX.XXX/2401 -R 192.168.YYY.YYY/2401.  In this
example, the XXX's are my ppp0 interface and the YYY's refer to my internal
CVS server. Use your appropriate IPs.

I found that I could redirect to different ports on my firewall successfully,
but that my windows CVS client didn't like that. YMMV.

btw, if you saw my earlier posts where I said that I tried this and it wasn't
working - well, that was the crack talking.  I tried again and it was fine. =)

Step 3. Telnet in to check that the portforward worked. Caveat: don't try the
telnet from the firewall itself, it got confused for me and failed.  I used a
remote system to telnet directly to port 2401 of the ppp0 IP address, and hit
return after it connected. It should give you some tripe about bad
authentication. (rightfully)

Step 4. While it might seem like a good idea to use the ext method in your
CVSROOT variable and set your external connection type to your ssh program, I
couldn't find any windows ssh implementations that used stdin/stdout methods.
They all wanted to use that new fangled GUI that you've read so much about.
(Besides, we just went to all that work to get the pserver punched through the
firewall.)

SO! I set up my ssh client to do a secure port redirection from localhost:2401
to my ppp0's IP:2401.  Note: The windows CVS software didn't like it when I
told it my IP (127.0.0.1). That CVSROOT line wants to do a getHostByName()
or some such, so use localhost, and cross your fingers.  If it can't find
localhost, try copying C:\windows\hosts.sam to c:\windows\hosts.

If you were going to skip the ssh layer and use the pserver method to go
right to your firewall, follow your heart, but unless I missed it, passwords
default to system passwords and are sent in clear text.

Step 5. Enjoy working on your palm applications (or whatever) from work AND
home! =)

There are various notes about this scattered through netnews, and a search on
www.deja.com for cvs ssh should yield all you need, it just takes a whole load
of digging.

Good luck!

Jonathan

ps. apologies for typos... I hand copied lines and spell terribly. =(
~
[EMAIL PROTECTED]
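
The Step 3 check from the post above, as an added Python example that is not part of the original thread: it tells apart the outcomes the thread reports (connection refused, connection timed out, and the pserver answering). The loopback stand-in server, its reply text and the function names are constructed so the script runs offline.

```python
import socket
import threading

# Constructed reply standing in for the pserver's authentication complaint.
SAMPLE_REPLY = b"cvs [pserver aborted]: bad auth protocol start: \n"

def probe_forward(host, port, timeout=3.0):
    """Return (status, data): refused | timeout | unreachable | silent | answered."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", b""      # no listener and no forward rule on that port
    except socket.timeout:
        return "timeout", b""      # no answer: packets dropped or replies lost
    except OSError:
        return "unreachable", b""  # routing or name-resolution failure
    with sock:
        sock.settimeout(timeout)
        try:
            sock.sendall(b"\n")    # the "hit return" of the telnet test
            data = sock.recv(512)
        except (socket.timeout, ConnectionError):
            return "silent", b""
    return ("answered", data) if data else ("silent", b"")

def start_fake_pserver(reply):
    """Loopback stand-in (constructed): read one line, send reply, close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.recv(64)
            if reply:
                conn.sendall(reply)
    threading.Thread(target=serve, daemon=True).start()
    return port

def free_closed_port():
    """Pick a loopback port with nothing listening on it."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    print(probe_forward("127.0.0.1", start_fake_pserver(SAMPLE_REPLY)))
    print(probe_forward("127.0.0.1", free_closed_port()))
```

Run it from a machine outside the firewall against the external address and port 2401; an "answered" result that carries an authentication complaint means the forward and the return path both work.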


Re: port redirection

1999-07-04 Thread Dan Everton
On Fri, Jul 02, 1999 at 03:24:50PM -0400, Jonathan Lupa wrote:
 On Thursday, July 01, 1999 10:37 AM, Dan Everton
 [SMTP:[EMAIL PROTECTED] wrote:
  On Thu, 1 Jul 1999, Ralf G. R. Bergs wrote:
 
  There is a patch available. You can find it here
  http://www.ox.compsoc.org.uk/~steve/portforwarding.html
  
  I think it's packaged somewhere in the Debian distribution... *checks
  package listing* yes it is. You can find it here:
  http://www.debian.org/Packages/stable/net/ipportfw.html
 
 Wow. This opened some doors for me! But now, I get to flood with newbie
 questions. =)
 
 First of all, I have a 486-33dx4 acting as my masq-firewall. It's at Kernel
 2.0.36, has a ppp0 properly set up and masquerades to a small network of
 192.168.2.* addressed computers.  The firewall rules are below.
   ipfwadm -F -p deny
   ipfwadm -F -a m -S192.168.2.0/24 -D 0.0.0.0/0
   ipfwadm -I -p accept
   # the following line blocks incoming telnets since I use ssh to connect
   ipfwadm -I -a r -DXXX.XXX.XXX.XXX/32 23 # address removed to protect the ignorant (me).
 
 I compiled in port forwarding support and added the following lines to my
 setup which allowed quicktime streaming to work for my Wife's machine:
   ipportfw -A -tXXX.XXX.XXX.XXX/554 -R 192.168.2.2/554
   # and a WHOLE BUNCH of udp routing lines.
 
 Now, what I want to do, but haven't been able to get working is a forwarding
 scheme for CVS. I want to have my gateway XXX.XXX.XXX.XXX box redirect its
 port 6060 to my workstation's (192.168.2.1) cvspserver port (2401).
 
 To this effect I entered the following lines:
   ipportfw -A -tXXX.XXX.XXX.XXX/6060 -R 192.168.2.3/2401
   ipportfw -A -uXXX.XXX.XXX.XXX/6060 -R 192.168.2.3/2401
 
 Before I was doing portforwarding on 6060 when I telnet to that port on my
 box I get the message telnet: Unable to connect to remote host: Connection
 refused.  AFTER I add port forwarding on 6060 I get telnet: Unable to
 connect to remote host: Connection timed out.
 
 The transactions are starting, they just aren't finishing.  My pet theory is
 that this port forwarding thing isn't dealing with masquerading of the
 returned packets, but like I said, I'm pretty clueless with this.
 
 Any help appreciated!
 Jonathan Lupa
 ~
 [EMAIL PROTECTED]

Near as I can tell, that should work. I've only used the port forwarding
patches in a very limited fashion, but similar lines have worked for all
services I've tried.

One thing I can think of (and this is based on a very hazy grasp of
what ipmasq and ipportfw are actually doing) is that the cvspserver is
trying to create another connection channel back to the originating server and
that isn't working for some reason. Anybody know if cvspserver does that (like
the control and data ports in ftp)?

Another possibility is that ipportfw doesn't like rewriting ports (although
I'm almost certain that does work). Have you tried just passing port 2401
one along as opposed to rewriting 6060 down to 2401?

Wish I could help you better.

Dan

-- 
Dan Everton [EMAIL PROTECTED] | Have you tried thinking like a shower?
www.psynet.net/fada  | KBHR's Chris in the Morning


Re: port redirection

1999-07-04 Thread Jonathan Lupa
On Sun, Jul 04, 1999 at 09:49:53AM +1000, Dan Everton wrote:
 On Fri, Jul 02, 1999 at 03:24:50PM -0400, Jonathan Lupa wrote:
  [setup deleted]
  Now, what I want to do, but haven't been able to get working is a forwarding
  scheme for CVS. I want to have my gateway XXX.XXX.XXX.XXX box redirect its
  port 6060 to my workstation's (192.168.2.1) cvspserver port (2401).
  
  To this effect I entered the following lines:
  ipportfw -A -tXXX.XXX.XXX.XXX/6060 -R 192.168.2.3/2401
  ipportfw -A -uXXX.XXX.XXX.XXX/6060 -R 192.168.2.3/2401
  
  Before I was doing portforwarding on 6060 when I telnet to that port on my
  box I get the message telnet: Unable to connect to remote host: Connection
  refused.  AFTER I add port forwarding on 6060 I get telnet: Unable to
  connect to remote host: Connection timed out.
  
  The transactions are starting, they just aren't finishing.  My pet theory is
  that this port forwarding thing isn't dealing with masquerading of the
  returned packets, but like I said, I'm pretty clueless with this.
 
 One thing I can think of (and this is based on a very hazy grasp of
 what ipmasq and ipportfw are actually doing) is that the cvspserver is
 trying to create another connection channel back to the originating server and
 that isn't working for some reason. Anybody know if cvspserver does that (like
 the control and data ports in ftp)?
 
One of the things that concerned me is that the pserver was trying to do some
rsh authentication stuff, but I had expressly blocked those ports in my firewall.
So, I threw open all of the gates, but I still had the problem. =(

 Another possibility is that ipportfw doesn't like rewriting ports (although
 I'm almost certain that does work). Have you tried just passing port 2401
 one along as opposed to rewriting 6060 down to 2401?

Yep, that was the second thing I tried.  Keeping the firewall all the way open
and just punching the port straight through.  I got the same results as when I
wasn't switching ports.

 Wish I could help you better.

No problem. =)

What I'm thinking of trying now is to configure the client that I care about
(a win95 box at work) to use ssh to do the cvs work.  Of course, that is going
to require configuration of my closed source gui proprietary ssh implementation
to work from the command line with the windows cvs client, so I'm not 100%
on whether I'll be able to get that going.

Ah well, I guess the original question still stands: Is it possible to punch
cvs's pserver through a masquerading firewall using port forwarding?

Thanks!
Jonathan Lupa
~
[EMAIL PROTECTED]


RE: port redirection

1999-07-02 Thread Jonathan Lupa
On Thursday, July 01, 1999 10:37 AM, Dan Everton
[SMTP:[EMAIL PROTECTED] wrote:
 On Thu, 1 Jul 1999, Ralf G. R. Bergs wrote:

 There is a patch available. You can find it here
 http://www.ox.compsoc.org.uk/~steve/portforwarding.html
 
 I think it's packaged somewhere in the Debian distribution... *checks
 package listing* yes it is. You can find it here:
 http://www.debian.org/Packages/stable/net/ipportfw.html

Wow. This opened some doors for me! But now, I get to flood with newbie
questions. =)

First of all, I have a 486-33dx4 acting as my masq-firewall. It's at Kernel
2.0.36, has a ppp0 properly set up and masquerades to a small network of
192.168.2.* addressed computers.  The firewall rules are below.
ipfwadm -F -p deny
ipfwadm -F -a m -S192.168.2.0/24 -D 0.0.0.0/0
ipfwadm -I -p accept
# the following line blocks incoming telnets since I use ssh to connect
ipfwadm -I -a r -DXXX.XXX.XXX.XXX/32 23 # address removed to protect the ignorant (me).

I compiled in port forwarding support and added the following lines to my
setup which allowed quicktime streaming to work for my Wife's machine:
ipportfw -A -tXXX.XXX.XXX.XXX/554 -R 192.168.2.2/554
# and a WHOLE BUNCH of udp routing lines.

Now, what I want to do, but haven't been able to get working is a forwarding
scheme for CVS. I want to have my gateway XXX.XXX.XXX.XXX box redirect its
port 6060 to my workstation's (192.168.2.1) cvspserver port (2401).

To this effect I entered the following lines:
ipportfw -A -tXXX.XXX.XXX.XXX/6060 -R 192.168.2.3/2401
ipportfw -A -uXXX.XXX.XXX.XXX/6060 -R 192.168.2.3/2401

Before I was doing portforwarding on 6060 when I telnet to that port on my
box I get the message telnet: Unable to connect to remote host: Connection
refused.  AFTER I add port forwarding on 6060 I get telnet: Unable to
connect to remote host: Connection timed out.

The transactions are starting, they just aren't finishing.  My pet theory is
that this port forwarding thing isn't dealing with masquerading of the
returned packets, but like I said, I'm pretty clueless with this.

Any help appreciated!
Jonathan Lupa
~
[EMAIL PROTECTED]


Re: port redirection

1999-07-01 Thread Nate
On Thu, Jul 01, 1999 at 09:30:11AM +0200, Ralf G. R. Bergs wrote:
 On Thu, 01 Jul 1999 04:23:15 +0200 (CEST), Tamas TEVESZ wrote:
 
 On Wed, 30 Jun 1999, Nate wrote:
 
   I would like to redirect some ports to an internal machine on 
   a private IP.  What is the best way to do this?
 
 ipportfw ?
 
 Just to confirm: What you are suggesting is correct.
 
 I use statements like
 
   ipmasqadm portfw -a -P tcp -L $EXT_IP pop-3 -R $INT_IP pop-3

ipmasqadm is a potato thingy.  I'm still doing slink.  Do you know how 
I can accomplish this with slink and kernel 2.0.36?  I'm still
trying stuff out with ipfwadm.  Does this sound feasible?


 to redirect ports to internal machines.
 
 


Re: port redirection

1999-07-01 Thread Ralf G. R. Bergs
On Thu, 01 Jul 1999 01:46:56 -0700, Nate wrote:

 I use statements like
 
   ipmasqadm portfw -a -P tcp -L $EXT_IP pop-3 -R $INT_IP pop-3

ipmasqadm is a potato thingy.  I'm still doing slink.  Do you know how 

Ooops. Sorry. Can't you just upgrade the necessary packages to Debian 2.1 level?

I can accomplish this with slink and kernel 2.0.36?  I'm still
trying stuff out with ipfwadm.  Does this sound feasible?

To the best of my knowledge port forwarding wasn't available in stock 2.0.x 
kernels. There MIGHT however be a patch to provide port forwarding, but I 
don't know whether it really exists.


-- 
Sign the EU petition against SPAM:  L I N U X   .~.
http://www.politik-digital.de/spam/The  Choice  /V\
of a  GNU  /( )\
   Generation  ^^-^^



Re: port redirection

1999-07-01 Thread thomas lakofski
i'm missing the original message, but 'rinetd' might help in what you're
looking for.  works for me.

On Thu, 1 Jul 1999, Ralf G. R. Bergs wrote:

 
  I use statements like
  
ipmasqadm portfw -a -P tcp -L $EXT_IP pop-3 -R $INT_IP pop-3
 
 ipmasqadm is a potato thingy.  I'm still doing slink.  Do you know how 
 
 Ooops. Sorry. Can't you just upgrade the necessary packages to Debian 2.1 level?
 
 I can accomplish this with slink and kernel 2.0.36?  I'm still
 trying stuff out with ipfwadm.  Does this sound feasible?
 
 To the best of my knowledge port forwarding wasn't available in stock 2.0.x 
 kernels. There MIGHT however be a patch to provide port forwarding, but I 
 don't know whether it really exists.
..
[obligatory-useless-waste-of-bits-bit-goes-here] ultra-umbra-magic-crypto
EF D8 33 68 B3 E3 E9 D2  C1 3E 51 22 8A AA 7B 98 supercomputer-AES-xspook


Re: port redirection

1999-07-01 Thread Dan Everton
On Thu, 1 Jul 1999, Ralf G. R. Bergs wrote:
 On Thu, 01 Jul 1999 01:46:56 -0700, Nate wrote:
 
  I use statements like
  
ipmasqadm portfw -a -P tcp -L $EXT_IP pop-3 -R $INT_IP pop-3
 
 ipmasqadm is a potato thingy.  I'm still doing slink.  Do you know how 
 
 Ooops. Sorry. Can't you just upgrade the necessary packages to Debian 2.1 level?
 
 I can accomplish this with slink and kernel 2.0.36?  I'm still
 trying stuff out with ipfwadm.  Does this sound feasible?
 
 To the best of my knowledge port forwarding wasn't available in stock 2.0.x 
 kernels. There MIGHT however be a patch to provide port forwarding, but I 
 don't know whether it really exists.

There is a patch available. You can find it here
http://www.ox.compsoc.org.uk/~steve/portforwarding.html

I think it's packaged somewhere in the Debian distribution... *checks
package listing* yes it is. You can find it here:
http://www.debian.org/Packages/stable/net/ipportfw.html

Hope that helps

Dan


Re: port redirection

1999-07-01 Thread ferret

There is a patch I've used to 2.0.36, and you want to use the ipportfw
package in slink. The patch is included with the documentation, and I
think the 2.0.35 patch worked for me.

I'm completely running 2.2.10/2.3.x now, and haven't had a chance (or a
need anymore) to run port forwarding.

On Thu, 1 Jul 1999, Ralf G. R. Bergs wrote:

 On Thu, 01 Jul 1999 01:46:56 -0700, Nate wrote:
 
  I use statements like
  
ipmasqadm portfw -a -P tcp -L $EXT_IP pop-3 -R $INT_IP pop-3
 
 ipmasqadm is a potato thingy.  I'm still doing slink.  Do you know how 
 
 Ooops. Sorry. Can't you just upgrade the necessary packages to Debian 2.1 level?
 
 I can accomplish this with slink and kernel 2.0.36?  I'm still
 trying stuff out with ipfwadm.  Does this sound feasible?
 
 To the best of my knowledge port forwarding wasn't available in stock 2.0.x 
 kernels. There MIGHT however be a patch to provide port forwarding, but I 
 don't know whether it really exists.
 
 
 


Re: port redirection

1998-06-15 Thread Chris


On Mon, 15 Jun 1998, Terence Kearns wrote:

 Does anyone know where I can get a program to redirect a port from one
 computer to another? I want to redirect port 80 from one of my computers
 to my gateway (which is a 386SX16 with 4mb RAM and 40MB HDD).
 
 

The package redir or redir2 should handle this fine.  Alternatively, I
wrote a perl program to do just this a while back - I can send anyone a
copy if they would like.


Chris

