Comments on: What Goes Out Can Come Back In

By: My name

My name — Sun, 06 Jul 2008 11:22:10 +0000

I’m not very comfortable with calling this “bypassing the firewall”. If the firewall allows me only outgoing access on port 80, fine, I’ll use only that. No bypassing. I’m using what I’m allowed to use.

Though yes, I also see the reason behind calling it bypassing.

-a big fan of ssh -D, -L, and -R

By: Aaron

Aaron — Sun, 08 Jun 2008 05:13:17 +0000

@Mike- It’s not whether employees are working or not, but whether or not they can bypass your corporate firewall from home to get access to the internal email or web server. We’re not talking local port forwarding here- the ability to encrypt all TCP connections, so your boss doesn’t know what you’re doing, but remote forwarding- being able to get in the network.

@Someone- As long as I can sniff an outbound port, your firewall is worthless. Application firewalls won’t do anything here, unless of course you block all outbound encrypted traffic, but we all know that’s the draconian. The *only* way to keep me from bypassing your firewall, is to *completely* cut Internet access.

By: Someone

Someone — Sun, 08 Jun 2008 02:14:59 +0000

There are many ways to block this. Application Firewalls (PF for example) or a simple IPS setup. While most people don’t bother it is blockable just like many other methods to punching holes in firewalls.

By: Mike

Mike — Sat, 07 Jun 2008 22:16:43 +0000

For me, if I’m in control of a network and had fire/hire abilities I would just fire irresponsible workers instead of putting asinine rules in place. If people aren’t doing their jobs they should be fired, a question of some sort of measured productivity. It shouldn’t be a question of appearances, what websites people visit during the day, etc.

But of course we all know that’s not how most companies run.

By: Aaron

Aaron — Fri, 06 Jun 2008 02:57:15 +0000

ALL: Of course you should always get system administrator permission first before bypassing a firewall. However, if you didn’t sign any computer usage policies, then you have a lot of give legally. Unfortunately, I’ve worked in too many environments where the IT administrator doesn’t have a clue. Of course, it only takes once to ruin it for everybody. I’m certainly not condoning the use of bypassing firewalls, and getting fired over it. Rather, I’m just showing you what you can do given a set of freely available tools and little effort.

By: David

David — Fri, 06 Jun 2008 01:57:30 +0000

Almost exclusively, I forward ports on demand by type something like “~C-L5901:mybox:5901″ in an SSH session anytime after pressing the return key. Remote ports available that way, too.

By: Jason

Jason — Fri, 06 Jun 2008 00:49:58 +0000

Don’t let the BOFH catch you doing this :).

By: Lonnie Olson

Lonnie Olson — Thu, 05 Jun 2008 18:01:46 +0000

I thought I would voice my opinion as a corporate sysadmin.

There are two main reasons for preventing outside access to mail. Traffic snooping, and external attacks. Your method is nice because it still prevents snooping due to the SSH encryption, and as long as you don’t add any other options (like GatewayPorts and a bind_address) external attacks are still prevented, because the forwarded port only listens on localhost.

If your company sysadmin had a problem with what you are doing, he couldn’t technically block you, but he certainly can get disciplinary action taken against you. Be careful.

The only option your sysadmin has to prevent both attack, and provide access to the outside is a VPN. Most companies will grant VPN access if it is deemed good for business reasons, usually with manager or above approval.

I would suggest you be careful about what you do since you *are* breaking the rules, and corporate sysadmins can be spiteful at times.

By: volksman

volksman — Thu, 05 Jun 2008 17:48:48 +0000

Hahah…Yeah I’ve been using this for years…local and remote. Recently the company I work for decided to stop all access to facebook and youtube. While I don’t facebook I do check out a fair bit of Youtube vids throughout the day (I mean cammon! how am I supposed to get rick rolled at work!).

So I setup a dynamic tunnel to use as a socks proxy and FoxyProxy so FF will only use the proxy with the sites I tell it (IE the sites my employer blocks):

ssh -D myinternalipathome:8080 -fN home.mymachine.com

Tell foxyproxy to use socks proxy on port 8080 (localhost) and presto; Firewall restrictions removed.

My boss caught me on Youtube once and told me I could get fired for breaking the rules. I told him if I didn’t know how to circumvent any firewall policy they put in place then I shouldn’t have my job. He laughed and turned away and I’ve never heard about it since.

Happy firewall avoidance!

By: oliver

oliver — Thu, 05 Jun 2008 16:52:12 +0000

Neat, but: what would the admins say if they knew you made your home PC (not under corporate supervision, maybe malware-infested, on a LAN with other malware-infected systems, whatever) connect to the non-public mail server, probably violating company rules… Uh-oh…

Seriously, I think there’s a limit to how far one should go. When we had an internet-visible web mail access here, I sometimes used it, effectively working in my spare time. But when it was decided that the web interface must be shut down, it seemed weird to me to hack around these limitations.

By: Asa

Asa — Thu, 05 Jun 2008 15:43:53 +0000

SSH is a nice way to get VNC access to your computer at home too. You probably have a router/firewall and you’ve opened port 22 for ssh. If you enable Remote Desktop in Ubuntu you can run “ssh -L 5910:localhost:5900 -fN ssh.home.com” from work to create a “forward connection” then you can run vnc and connect to “localhost:10″, it will be forwarded over the SSH and connect to your desktop at home. I wrote some instructions for a friend of mine to do this from Windows or Linux. http://docs.google.com/Doc?id=ddv9rsfd_34dcs84p5d