6. Final notes

6.1 Other settings

There are other kinds of firewalls than those that allow for telnet connections. As long as a continuous flow of packets can go through a firewall and carry information both ways, it is possible to pierce it; only the price of writing the piercer will be higher or lower.

In a very easy case, you can just launch ssh over a pty, and run pppd on the slave tty. cotty 0.3a should be able to do it, but nobody has modified fwprc to take it into account yet. That may be tonight's exercise for you. You may even want to do it without an adverse firewall, just so as to build a secure ``VPN'' (Virtual Private Network). See the VPN mini-HOWTO about this.

If you need to cross a 7-bit line, you'll want to use SLIP instead of PPP. I never tried, because lines are more or less 8-bit clean these days, but it shouldn't be difficult.

Now, if the only way through the firewall is a WWW proxy (usually, a minimum for an internet-connected network), you might want to write a daemon that buffers data in and out, and sends it inside ordinary HTTP requests and responses, achieving some telnet-over-HTTP over which to run fwprc. It might be slow and not very responsive, since every round trip costs a full HTTP request, but still good enough to use fetchmail(1), suck(1), and other non-interactive programs.

If you want more performance, or if the only thing that goes through unfiltered is something weirder still (DNS queries, ICMP packets, whatever), then you're in the very hard case where you'll have to re-hack a weird IP stack, using (for instance) the Fox project's packet-protocol functors. You'll then achieve some direct IP-over-HTTP, IP-over-DNS, IP-over-ICMP, or such, which requires not only a complex protocol, but also an interface to an OS kernel, both of which are costly to implement.
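As an added illustration of the telnet-over-HTTP daemon sketched above (this is example code written for this page, not code from the HOWTO, from fwprc, or from cotty), here is a minimal relay in Python. The server side sits on a host reachable through the WWW proxy, keeps one TCP connection per session to the real service, and on every POST writes the client's bytes to the service and returns whatever the service has produced so far; a plain GET, or a POST without the expected cookie, gets a decoy HTML page instead, which is the cheap version of serving fake pages to a curious administrator. The client side wraps each round trip in one POST and honours http_proxy through urllib unless told otherwise. The path /images/logo.gif, the cookie name, the decoy page text, the session-id scheme and the loopback echo service standing in for the protected host are all constructed for the example.

```python
"""Minimal telnet-over-HTTP relay: added example, not code from the HOWTO or
fwprc.  Every path, cookie name, address and page below is made up."""

import select
import socket
import threading
import urllib.request
import uuid
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

TUNNEL_PATH = "/images/logo.gif"  # hypothetical: an innocuous-looking asset URL
COOKIE_NAME = "PHPSESSID"         # hypothetical: session id rides in a dull cookie
DECOY_PAGE = b"<html><body><h1>Welcome to our intranet</h1></body></html>"


class Sessions:
    """Inside the firewall: one TCP connection to the real service per session."""

    def __init__(self, target):
        self.target = target          # (host, port) of the telnet/ssh/... service
        self.lock = threading.Lock()
        self.socks = {}

    def get(self, sid):
        with self.lock:
            sock = self.socks.get(sid)
            if sock is None:
                sock = socket.create_connection(self.target)
                self.socks[sid] = sock
            return sock

    def exchange(self, sid, data):
        """Write the client's bytes to the service, then drain what it has
        produced so far.  One HTTP request carries one round trip, which is
        why the tunnel is slow but goes through any HTTP proxy."""
        sock = self.get(sid)
        if data:
            sock.sendall(data)
        out = b""
        while select.select([sock], [], [], 0.2)[0]:
            chunk = sock.recv(4096)
            if not chunk:             # service closed the connection
                break
            out += chunk
        return out


def make_handler(sessions):
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):   # keep the example quiet
            pass

        def do_GET(self):
            # Anyone who merely browses the host sees an ordinary-looking page.
            self._reply(200, "text/html", DECOY_PAGE)

        def do_POST(self):
            cookie = self.headers.get("Cookie", "")
            if self.path != TUNNEL_PATH or not cookie.startswith(COOKIE_NAME + "="):
                self._reply(404, "text/html", DECOY_PAGE)
                return
            data = self.rfile.read(int(self.headers.get("Content-Length", "0")))
            try:
                out = sessions.exchange(cookie, data)
            except OSError:           # service unreachable: still look boring
                self._reply(502, "text/html", DECOY_PAGE)
                return
            self._reply(200, "image/gif", out)

        def _reply(self, code, ctype, body):
            self.send_response(code)
            self.send_header("Content-Type", ctype)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    return Handler


class TunnelClient:
    """Outside the firewall: one POST per round trip.  proxies=None follows
    http_proxy from the environment; proxies={} forces a direct connection."""

    def __init__(self, base_url, proxies=None):
        self.url = base_url + TUNNEL_PATH
        self.cookie = COOKIE_NAME + "=" + uuid.uuid4().hex
        self.opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))

    def exchange(self, data):
        req = urllib.request.Request(self.url, data=data, method="POST",
                                     headers={"Cookie": self.cookie,
                                              "Content-Type": "image/gif"})
        with self.opener.open(req, timeout=5) as resp:
            return resp.read()


def start_echo_service():
    """Constructed stand-in for the service behind the firewall: echoes bytes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def pump(conn):
        with conn:
            while True:
                d = conn.recv(4096)
                if not d:
                    return
                conn.sendall(d)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=pump, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


def start_tunnel_server(target):
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(Sessions(target)))
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return "http://%s:%d" % httpd.server_address


def demo():
    """Both ends on loopback; returns the echoed replies and the decoy page."""
    base = start_tunnel_server(start_echo_service())
    client = TunnelClient(base, proxies={})
    replies = [client.exchange(b"login: alice\r\n"), client.exchange(b"ls -l\r\n")]
    decoy = urllib.request.build_opener(urllib.request.ProxyHandler({})).open(base + "/").read()
    return replies, decoy


if __name__ == "__main__":
    print(demo())
```

To turn this into something fwprc can drive, the client would read from a pty instead of taking bytes as arguments and poll with an empty POST when it has nothing to send; the relay carries no encryption or authentication of its own, so anything run over it should be ssh or another protocol that brings its own.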
By the way, if you use some firewall-piercing HTTP daemon, don't forget to have it serve fake pages, so as to mislead suspicious adverse firewall administrators.

6.2 HOWTO maintenance

I felt it was necessary to write it, but I don't have that much time for that, so this mini-HOWTO is very rough. So will it stay, until I get enough feedback so as to know what sections to enhance.

Feedback welcome. Help welcome. mini-HOWTO maintenance take-over welcome.

In any case, the above sections have shown many problems whose solution is just a matter of someone (you?) spending some time (or money, by hiring someone else) to sit down and write it: nothing conceptually complicated, though the details might be burdensome or tricky. Do not hesitate to contribute more problems, and hopefully more solutions, to this mini-HOWTO.

6.3 Extra copy of IMPORTANT DISCLAIMER --- BELIEVE IT!!!

I hereby disclaim all responsibility for this hack. If it backfires on you in any way whatsoever, that's the breaks. Not my fault. If you don't understand the risks inherent in doing this, don't do it. If you use this hack and it allows vicious vandals to break into your company's computers and costs you your job and your company millions of dollars, well that's just tough nuggies. Don't come crying to me.