[Next] [Previous]  [Contents]

----------------------------------------------------------------------------

6. Final notes

6.1 Other settings

There are other kinds of firewalls than those that allow for telnet
connections. As long as a continuous flow of packets may go through a
firewall, and transmit information both ways, it is possible to pierce it;
only the price of writing the piercer may be higher or lower.

In a very easy case, you can just launch ssh over a pty, and do some pppd in
the slave tty. cotty 0.3a should be able to do it, but nobody's modified
fwprc to take it into account yet. May be tonight's exercise for you. You
may even want to do it without an adverse firewall, just so as to build a
secure ``VPN'' (Virtual Private Network). See the VPN mini-HOWTO about this.

If you need cross a 7-bit line, you'll want to use SLIP instead of PPP. I
never tried, because lines are more or less 8-bit clean these days, but it
shouldn't be difficult.

Now, if the only way through the firewall is a WWW proxy (usually, a minimum
for an internet-connected network), you might want to write a daemon that
buffers data in and out, and sends it during in HTTP connections, achieving
some telnet-over-HTTP over which to run fwprc. It might be slow and not very
responsive, but still good enough to use fetchmail(1), suck(1), and other
non-interactive programs.

If you want more performance, or if the only thing that goes through
unfiltered is some wierder thing even (DNS queries, ICMP packets, whatever),
then you're in the very hard case where you'll have to re-hack a wierd IP
stack, using (for instance) the Fox project's packet-protocol functors.
You'll then achieve some direct IP-over-HTTP, IP-over-DNS, IP-over-ICMP, or
such, which requires not only a complex protocol, but also an interface to
an OS kernel, both of which are costly to implement.

By the way, if you use some Firewall-piercing HTTP daemon, don't forget to
have it serve fake pages, so as to mislead suspicious adverse firewall
administrators.

6.2 HOWTO maintenance

I felt it was necessary to write it, but I don't have that much time for
that, so this mini-HOWTO is very rough. So will it stay, until I get enough
feedback so as to know what sections to enhance. Feedback welcome. Help
welcome. mini-HOWTO maintenance take-over welcome.

In any case, the above sections have shown many problems whose solution is
just a matter of someone (you?) spending some time (or money, by hiring
someone else) to sit down and write it: nothing conceptually complicated,
though the details might be burdensome or tricky.

Do not hesitate to contribute more problems, and hopefully more solutions,
to this mini-HOWTO.

6.3 Extra copy of IMPORTANT DISCLAIMER --- BELIEVE IT!!!

     I hereby disclaim all responsibility for this hack. If it
     backfires on you in any way whatsoever, that's the breaks. Not my
     fault. If you don't understand the risks inherent in doing this,
     don't do it. If you use this hack and it allows vicious vandals to
     break into your company's computers and costs you your job and
     your company millions of dollars, well that's just tough nuggies.
     Don't come crying to me.

----------------------------------------------------------------------------
[Next] [Previous]  [Contents]
