Comments on: What Goes Out Can Come Back In https://pthree.org/2008/06/05/what-goes-out-can-come-back-in/ Linux. GNU. Freedom. Wed, 13 Dec 2017 19:29:15 +0000

By: Saul https://pthree.org/2008/06/05/what-goes-out-can-come-back-in/#comment-110718 Mon, 22 Feb 2010 19:06:46 +0000 http://pthree.org/?p=592#comment-110718

In response to point (9), even application firewalls have limitations and are easily circumvented - the use of a tool such as proxytunnel (http://proxytunnel.sourceforge.net/ & http://dag.wieers.com/howto/ssh-http-tunneling/) allows your SSH tunnels to be SSL-wrapped and become indistinguishable from normal HTTPS traffic no matter how well it is inspected (after all, HTTPS is by design impenetrable).

As an admin, unless you're going to block access to all external sites by default and operate a whitelist to define exactly what users can gain access to, your firewall is completely irrelevant to anyone who knows what they're doing. Even with a policy as hard-nosed as this, it's a triviality for someone with a bit of web server knowledge to set up a site on their home/VPS system which looks like a work-related help site and have it added to the allowable sites, and you're back to square one - what goes out can come back in. I know because I've done it.

Personally I feel that effective education as to how much you'll tolerate users bending the rules is far better than draconian measures like restricting site access etc. I've pen-tested security in companies and exploited things like this and priv escalation to get root access on prod servers from outside of their firewall in less time than it'd take them to process a real user access request. Sad but true.

By: numerodix https://pthree.org/2008/06/05/what-goes-out-can-come-back-in/#comment-110090 Sat, 15 Aug 2009 11:23:23 +0000 http://pthree.org/?p=592#comment-110090

This is soooo cool! I never knew you could do this with ssh.

By: Mindstab.net » Blog Archive » Backup around firewalls with ssh and rsync to encrypted destinations https://pthree.org/2008/06/05/what-goes-out-can-come-back-in/#comment-110089 Fri, 14 Aug 2009 20:09:22 +0000 http://pthree.org/?p=592#comment-110089

[...] What Goes Out Can Come Back In -- SSH tricks [...]

By: My name https://pthree.org/2008/06/05/what-goes-out-can-come-back-in/#comment-104045 Sun, 06 Jul 2008 11:22:10 +0000 http://pthree.org/?p=592#comment-104045

I'm not very comfortable with calling this "bypassing the firewall". If the firewall allows me only outgoing access on port 80, fine, I'll use only that. No bypassing. I'm using what I'm allowed to use.

Though yes, I also see the reason behind calling it bypassing. 🙂

-a big fan of ssh -D, -L, and -R

By: Aaron https://pthree.org/2008/06/05/what-goes-out-can-come-back-in/#comment-102192 Sun, 08 Jun 2008 05:13:17 +0000 http://pthree.org/?p=592#comment-102192

@Mike- It's not whether employees are working or not, but whether or not they can bypass your corporate firewall from home to get access to the internal email or web server. We're not talking local port forwarding here- the ability to encrypt all TCP connections, so your boss doesn't know what you're doing, but remote forwarding- being able to get in the network.

@Someone- As long as I can sniff an outbound port, your firewall is worthless. Application firewalls won't do anything here, unless of course you block all outbound encrypted traffic, but we all know that's draconian. The *only* way to keep me from bypassing your firewall is to *completely* cut Internet access.

By: Someone https://pthree.org/2008/06/05/what-goes-out-can-come-back-in/#comment-102184 Sun, 08 Jun 2008 02:14:59 +0000 http://pthree.org/?p=592#comment-102184

There are many ways to block this. Application firewalls (PF for example) or a simple IPS setup. While most people don't bother, it is blockable, just like many other methods of punching holes in firewalls.

By: Mike https://pthree.org/2008/06/05/what-goes-out-can-come-back-in/#comment-102177 Sat, 07 Jun 2008 22:16:43 +0000 http://pthree.org/?p=592#comment-102177

For me, if I were in control of a network and had fire/hire abilities, I would just fire irresponsible workers instead of putting asinine rules in place. If people aren't doing their jobs they should be fired; it's a question of some sort of measured productivity. It shouldn't be a question of appearances, what websites people visit during the day, etc.

But of course we all know that's not how most companies run.

By: Aaron https://pthree.org/2008/06/05/what-goes-out-can-come-back-in/#comment-102084 Fri, 06 Jun 2008 02:57:15 +0000 http://pthree.org/?p=592#comment-102084

ALL: Of course you should always get system administrator permission first before bypassing a firewall. However, if you didn't sign any computer usage policies, then you have a lot of give legally. Unfortunately, I've worked in too many environments where the IT administrator doesn't have a clue. Of course, it only takes once to ruin it for everybody. I'm certainly not condoning the use of bypassing firewalls, and getting fired over it. Rather, I'm just showing you what you can do given a set of freely available tools and little effort.

By: David https://pthree.org/2008/06/05/what-goes-out-can-come-back-in/#comment-102083 Fri, 06 Jun 2008 01:57:30 +0000 http://pthree.org/?p=592#comment-102083

Almost exclusively, I forward ports on demand by typing something like "~C-L5901:mybox:5901" in an SSH session anytime after pressing the return key. Remote ports are available that way, too.

By: Jason https://pthree.org/2008/06/05/what-goes-out-can-come-back-in/#comment-102081 Fri, 06 Jun 2008 00:49:58 +0000 http://pthree.org/?p=592#comment-102081

Don't let the BOFH catch you doing this :).

By: Lonnie Olson https://pthree.org/2008/06/05/what-goes-out-can-come-back-in/#comment-102060 Thu, 05 Jun 2008 18:01:46 +0000 http://pthree.org/?p=592#comment-102060

I thought I would voice my opinion as a corporate sysadmin.

There are two main reasons for preventing outside access to mail: traffic snooping and external attacks. Your method is nice because it still prevents snooping due to the SSH encryption, and as long as you don't add any other options (like GatewayPorts and a bind_address) external attacks are still prevented, because the forwarded port only listens on localhost.

If your company sysadmin had a problem with what you are doing, he couldn't technically block you, but he certainly can get disciplinary action taken against you. Be careful.

The only option your sysadmin has to both prevent attacks and provide access to the outside is a VPN. Most companies will grant VPN access if it is deemed good for business reasons, usually with manager or above approval.

I would suggest you be careful about what you do since you *are* breaking the rules, and corporate sysadmins can be spiteful at times. 🙂

By: volksman https://pthree.org/2008/06/05/what-goes-out-can-come-back-in/#comment-102057 Thu, 05 Jun 2008 17:48:48 +0000 http://pthree.org/?p=592#comment-102057

Hahah... Yeah, I've been using this for years... local and remote. Recently the company I work for decided to stop all access to Facebook and YouTube. While I don't Facebook, I do check out a fair bit of YouTube vids throughout the day (I mean c'mon! how am I supposed to get rickrolled at work!).

So I set up a dynamic tunnel to use as a SOCKS proxy and FoxyProxy so FF will only use the proxy with the sites I tell it (i.e. the sites my employer blocks):

ssh -D myinternalipathome:8080 -fN home.mymachine.com

Tell FoxyProxy to use the SOCKS proxy on port 8080 (localhost) and presto: firewall restrictions removed.

My boss caught me on Youtube once and told me I could get fired for breaking the rules. I told him if I didn't know how to circumvent any firewall policy they put in place then I shouldn't have my job. He laughed and turned away and I've never heard about it since. 😉

Happy firewall avoidance!

By: oliver https://pthree.org/2008/06/05/what-goes-out-can-come-back-in/#comment-102053 Thu, 05 Jun 2008 16:52:12 +0000 http://pthree.org/?p=592#comment-102053

Neat, but: what would the admins say if they knew you made your home PC (not under corporate supervision, maybe malware-infested, on a LAN with other malware-infected systems, whatever) connect to the non-public mail server, probably violating company rules... Uh-oh...

Seriously, I think there's a limit to how far one should go. When we had an internet-visible web mail access here, I sometimes used it, effectively working in my spare time. But when it was decided that the web interface must be shut down, it seemed weird to me to hack around these limitations.

By: Asa https://pthree.org/2008/06/05/what-goes-out-can-come-back-in/#comment-102048 Thu, 05 Jun 2008 15:43:53 +0000 http://pthree.org/?p=592#comment-102048

SSH is a nice way to get VNC access to your computer at home too. You probably have a router/firewall and you've opened port 22 for ssh. If you enable Remote Desktop in Ubuntu you can run "ssh -L 5910:localhost:5900 -fN ssh.home.com" from work to create a "forward connection"; then you can run VNC and connect to "localhost:10", and it will be forwarded over the SSH and connect to your desktop at home. I wrote some instructions for a friend of mine to do this from Windows or Linux. http://docs.google.com/Doc?id=ddv9rsfd_34dcs84p5d
