9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] plan9port behind corporate firewall with no DNS or port access
@ 2009-07-25  4:06 Jason Catena
  2009-07-25  4:35 ` andrey mirtchovski
  2009-07-25  8:12 ` Steve Simon
  0 siblings, 2 replies; 9+ messages in thread
From: Jason Catena @ 2009-07-25  4:06 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

At work I sit behind a corporate firewall which neither knows
sources.cs.bell-labs.com nor would provide me direct access to its ports if
it did.  I can get out through http proxies (eg curl).  Is there any way to
mount sources through this kind of static, or should I resign myself to only
seeing sources from my home computer?

9fs sources
srv: dial tcp!sources.cs.bell-labs.com!9fs: unknown host
sources.cs.bell-labs.com
9fs: exit 1

Jason Catena


* Re: [9fans] plan9port behind corporate firewall with no DNS or port access
  2009-07-25  4:06 [9fans] plan9port behind corporate firewall with no DNS or port access Jason Catena
@ 2009-07-25  4:35 ` andrey mirtchovski
  2009-07-25  4:55   ` Jason Catena
  2009-07-25  8:12 ` Steve Simon
  1 sibling, 1 reply; 9+ messages in thread
From: andrey mirtchovski @ 2009-07-25  4:35 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

Just checking: have you tried accessing it by IP address
(204.178.31.8) rather than hostname? (this, of course, assumes that
you've ruled out a bad ndb configuration as the reason).

how about trying with a 9p client such as cl.py from your "normal" machine?

$ cl.py none@sources.cs.bell-labs.com
9p> ls
9grid adm contrib dist du extra fastos lsr patch plan9 wiki xen
9p>


On Fri, Jul 24, 2009 at 10:06 PM, Jason Catena<jason.catena@gmail.com> wrote:
> At work I sit behind a corporate firewall which neither
> knows sources.cs.bell-labs.com nor would provide me direct access to its
> ports if it did.  I can get out through http proxies (eg curl).  Is there
> any way to mount sources through this kind of static, or should I resign
> myself to only seeing sources from my home computer?
> 9fs sources
> srv: dial tcp!sources.cs.bell-labs.com!9fs: unknown host
> sources.cs.bell-labs.com
> 9fs: exit 1
> Jason Catena
>
>




* Re: [9fans] plan9port behind corporate firewall with no DNS or port access
  2009-07-25  4:35 ` andrey mirtchovski
@ 2009-07-25  4:55   ` Jason Catena
  2009-07-25 13:56     ` erik quanstrom
  0 siblings, 1 reply; 9+ messages in thread
From: Jason Catena @ 2009-07-25  4:55 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

On Fri, Jul 24, 2009 at 23:35, andrey mirtchovski <mirtchovski@gmail.com> wrote:

> Just checking: have you tried accessing it by IP address
> (204.178.31.8) rather than hostname? (this, of course, assumes that
> you've ruled out a bad ndb configuration as the reason).
>

traceroute can't get to that IP address, so I'm pretty sure the corporate
firewall is doing its job.


> how about trying with a 9p client such as cl.py from your "normal" machine?


Bleh, its python doesn't have 9P.

I think I'd rather spend my time trying to figure out how to get a
sources/contrib dir and mount it on my home Ubuntu machine.  Whom do I ask
very nicely for that?


* Re: [9fans] plan9port behind corporate firewall with no DNS or port access
  2009-07-25  4:06 [9fans] plan9port behind corporate firewall with no DNS or port access Jason Catena
  2009-07-25  4:35 ` andrey mirtchovski
@ 2009-07-25  8:12 ` Steve Simon
  2009-07-25 12:43   ` Uriel
  1 sibling, 1 reply; 9+ messages in thread
From: Steve Simon @ 2009-07-25  8:12 UTC (permalink / raw)
  To: 9fans

There are several places which have readonly versions of sources available via
http, alternatively there is a socks client or even htfilefs, the former uses
the SOCKS protocol to tunnel through the firewall.

htfilefs mounts a remote ISO image (like the plan9 nightly build iso)
over an http connection and expands it as a hierarchy.

You could probably write some tunneling software to run on your home
machine and work machine using http in between, but your corporate IT
department might not see the funny side of such practices...

-Steve




* Re: [9fans] plan9port behind corporate firewall with no DNS or port access
  2009-07-25  8:12 ` Steve Simon
@ 2009-07-25 12:43   ` Uriel
  2009-07-25 16:39     ` Salman Aljammaz
  0 siblings, 1 reply; 9+ messages in thread
From: Uriel @ 2009-07-25 12:43 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

Why not run inferno (or 9vx) on your home machine, export /net on port
80, mount it from work using inferno again, and you are out.

If your work firewall proxies port 80, then things get trickier, you
could mount sources on the home inferno instance, and then export it
using mjl's httpd as a read-only http 'tree'.

uriel

On Sat, Jul 25, 2009 at 10:12 AM, Steve Simon<steve@quintile.net> wrote:
> There are several places which have readonly versions of sources available via
> http, alternatively there is a socks client or even htfilefs, the former uses
> the SOCKS protocol to tunnel through the firewall.
>
> htfilefs mounts a remote ISO image (like the plan9 nightly build iso)
> over an http connection and expands it as a hierarchy.
>
> You could probably write some tunneling software to run on your home
> machine and work machine using http in between, but your corporate IT
> department might not see the funny side of such practices...
>
> -Steve
>
>




* Re: [9fans] plan9port behind corporate firewall with no DNS or port access
  2009-07-25  4:55   ` Jason Catena
@ 2009-07-25 13:56     ` erik quanstrom
  0 siblings, 0 replies; 9+ messages in thread
From: erik quanstrom @ 2009-07-25 13:56 UTC (permalink / raw)
  To: 9fans

> traceroute can't get to that IP address, so I'm pretty sure the corporate
> firewall is doing its job.

traceroute failure just means that someone is not passing icmp
traffic.  the only thing you know is icmp traffic won't pass.
here's a dirty trick you can do with plan 9 traceroute:

; ip/traceroute /net/tcp!minooka.coraid.com
trying /net/tcp!12.51.113.6!32767

                       round trip times in µs
                        low      avg     high
                     --------------------------
192.168.0.64            175      243      376
192.168.1.254           320      386      509
65.14.248.28          19621    20117    20711
74.253.143.53         21151    22002    22685
205.152.99.98         21649    22016    22468
65.83.238.74          21693    22098    22641
65.83.238.194         22661    23113    23896
12.122.140.198        23143    23939    24520 cr2.attga.ip.att.net
12.122.140.45        169904   201516   222315 gar19.attga.ip.att.net
12.87.45.86           26855    27417    28069
12.51.113.6           26376    26949    27493

by the way, plan 9 dns query tends to do poorly
with rfc2672-style reverse ips.  it tends to quit on
the cname.

- erik




* Re: [9fans] plan9port behind corporate firewall with no DNS or port access
  2009-07-25 12:43   ` Uriel
@ 2009-07-25 16:39     ` Salman Aljammaz
  2009-07-25 16:55       ` John Floren
  2009-07-25 16:56       ` Iruata Souza
  0 siblings, 2 replies; 9+ messages in thread
From: Salman Aljammaz @ 2009-07-25 16:39 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

Uriel wrote:
> If your work firewall proxies port 80, then things get trickier, you
> could mount sources on the home inferno instance, and then export it
> using mjl's httpd as a read-only http 'tree'.

assuming you've got openssh, one trick i used to do back in school was
run sshd on port 443.

you can then forward specific ports (-L) or even run socks (-D) on ssh.

salman





* Re: [9fans] plan9port behind corporate firewall with no DNS or port access
  2009-07-25 16:39     ` Salman Aljammaz
@ 2009-07-25 16:55       ` John Floren
  2009-07-25 16:56       ` Iruata Souza
  1 sibling, 0 replies; 9+ messages in thread
From: John Floren @ 2009-07-25 16:55 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

On Sat, Jul 25, 2009 at 9:39 AM, Salman Aljammaz<sio@finiteless.net> wrote:
> Uriel wrote:
>> If your work firewall proxies port 80, then things get trickier, you
>> could mount sources on the home inferno instance, and then export it
>> using mjl's httpd as a read-only http 'tree'.
>
> assuming you've got openssh, one trick i used to do back in school was
> run sshd on port 443.
>
> you can then forward specific ports (-L) or even run socks (-D) on ssh.
>
> salman
>
>
>

If you have even one single port open outgoing, all you need is to get
a remote Plan 9/Inferno exporting /net on that port. I did it on port
22 while I was waiting for the import port to be opened.

#on the outside box
aux/listen1 -t 'tcp!*!22' /bin/exportfs

#from the inside
import -A tcp!remote!22 /net

You're using p9p so your mileage may vary... but the basic concept is
sound and allows you to completely avoid the firewall, assuming you
can actually use a remote /net on p9p. If not, well, you should run a
real Plan 9 :)

John
--
"I've tried programming Ruby on Rails, following TechCrunch in my RSS
reader, and drinking absinthe. It doesn't work. I'm going back to C,
Hunter S. Thompson, and cheap whiskey." -- Ted Dziuba




* Re: [9fans] plan9port behind corporate firewall with no DNS or port access
  2009-07-25 16:39     ` Salman Aljammaz
  2009-07-25 16:55       ` John Floren
@ 2009-07-25 16:56       ` Iruata Souza
  1 sibling, 0 replies; 9+ messages in thread
From: Iruata Souza @ 2009-07-25 16:56 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

On Sat, Jul 25, 2009 at 1:39 PM, Salman Aljammaz<sio@finiteless.net> wrote:
> Uriel wrote:
>> If your work firewall proxies port 80, then things get trickier, you
>> could mount sources on the home inferno instance, and then export it
>> using mjl's httpd as a read-only http 'tree'.
>
> assuming you've got openssh, one trick i used to do back in school was
> run sshd on port 443.
>
> you can then forward specific ports (-L) or even run socks (-D) on ssh.
>
> salman
>
>
>

on unix:
% cat .ssh/config
Host xxx
ProtocolKeepAlives 30
ProxyCommand /path/to/proxytunnel/proxytunnel -p proxyhost:proxyport -P proxyuser:proxypass -d xxx.org

% ssh -D localproxyport -Llocaladdress:localport:sources.cs.bell-labs.com:564 user@xxx.org


on Plan 9:
% srv -nq tcp!localaddress!localport sources /n/sources


and there you have it. only tested it for non-authenticated connections.

iru
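
Added example, not part of the thread or any poster's code: the tunnels described by Salman (sshd on port 443) and Iruata (ssh carried through an HTTP proxy with proxytunnel) pass a filter that decides on port number alone, because SSH opens with a plaintext identification string where TLS opens with a ClientHello record. The sketch below shows the payload check a defender can run on the first bytes of a port-443 flow; the function names, the flow record layout (`first_bytes` is assumed to be the first payload after any proxy CONNECT handshake) and all sample data are constructed for illustration.

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # TLS handshake message type: ClientHello
SSH_PREFIX = b"SSH-"   # RFC 4253 identification string, e.g. "SSH-2.0-..."


def classify_first_bytes(payload: bytes) -> str:
    """Name the protocol implied by the first bytes observed on a TCP flow."""
    if len(payload) >= 6 and payload[0] == TLS_HANDSHAKE and payload[1] == 0x03:
        (record_len,) = struct.unpack("!H", payload[3:5])
        if 0 < record_len <= 2**14 and payload[5] == CLIENT_HELLO:
            return "tls"
    # RFC 4253 allows other lines before the version string, so test each line.
    for line in payload[:512].split(b"\n"):
        if line.startswith(SSH_PREFIX):
            return "ssh"
    return "unknown"


def non_tls_on_443(flows):
    """Return (flow id, protocol) for port-443 flows that do not open with TLS."""
    hits = []
    for flow in flows:
        proto = classify_first_bytes(flow["first_bytes"])
        if flow["dport"] == 443 and proto != "tls":
            hits.append((flow["id"], proto))
    return hits


# Constructed sample data: a minimal ClientHello record header and made-up flows.
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])
SAMPLE_FLOWS = [
    {"id": "f1", "dport": 443, "first_bytes": TLS_CLIENT_HELLO},
    {"id": "f2", "dport": 443, "first_bytes": b"SSH-2.0-OpenSSH_5.1\r\n"},
    {"id": "f3", "dport": 22, "first_bytes": b"SSH-2.0-OpenSSH_5.1\r\n"},
    {"id": "f4", "dport": 443, "first_bytes": b"notice line\r\nSSH-2.0-example\r\n"},
]

if __name__ == "__main__":
    for flow_id, proto in non_tls_on_443(SAMPLE_FLOWS):
        print(f"{flow_id}: port 443 carries {proto}, not TLS")
```
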


