Re: port redirection
On Sun, Jul 04, 1999 at 12:49:49AM -0400, Jonathan Lupa wrote:
> On Sun, Jul 04, 1999 at 09:49:53AM +1000, Dan Everton wrote:
> > One thing I can think of (and this is based on a very hazy grasp of
> > what ipmasq and ipportfw are actually doing) is that the cvspserver is
> > trying to create another connection channel back to the originating server and
> > that isn't working for some reason. Anybody know if cvspserver does that (like
> > the control and data ports in ftp)?
OK, well, after finally getting this to work, I figured I'd post up what I found for
posterity's sake. Hope it helps someone.
Problem: CVS server is behind a masquerading firewall, have a Win9x client, want secure
access to CVS server.
Step 1. For 2.0 kernels, patch ipportfw support into your firewall box's kernel.
See http://www.ox.compsoc.org.uk/~steve/portforwarding.html. For 2.2 kernels
masqueraded forwarding is built in...man ipmasqadm.
Step 2. Add port forwarding lines to your firewall box.
I put ipportfw -A -tXXX.XXX.XXX.XXX/2401 -R 192.168.YYY.YYY/2401. In this
example, the XXX's are my ppp0 interface and the YYY's refer to my internal
CVS server. Use your appropriate IPs.
I found that I could redirect to different ports on my firewall successfully,
but that my Windows CVS client didn't like that. YMMV.
btw, if you saw my earlier posts where I said that I tried this and it wasn't
working- well, that was the crack talking. I tried again and it was fine. =)
Step 3. Telnet in to check that the portforward worked. Caveat: don't try the telnet
from the firewall itself, it got confused for me and failed. I used a remote system
to telnet directly to port 2401 of the ppp0 IP address, and hit return after it
connected. It should give you some tripe about bad authentication (rightfully).
Step 4. While it might seem like a good idea to use the "ext" method in your CVSROOT
variable and set your external connection type to your ssh program, I couldn't
find any Windows ssh implementations that used stdin/stdout methods. They all
wanted to use that newfangled GUI that you've read so much about. (Besides,
we just went to all that work to get the pserver punched through the firewall.)
SO! I set up my ssh client to do a secure port redirection from localhost:2401
to my ppp0's IP:2401. Note: The Windows CVS software didn't like it when I
told it my IP (127.0.0.1). That CVSROOT line wants to do a getHostByName()
or some such, so use localhost, and cross your fingers. If it can't find
localhost, try copying C:\windows\hosts.sam to c:\windows\hosts.
If you were going to skip the ssh layer and use the pserver method to go
right to your firewall, follow your heart, but unless I missed it, passwords
default to system passwords and are sent in clear text.
Step 5. Enjoy working on your Palm applications (or whatever) from work AND home! =)
There are various notes about this scattered through netnews, and a search on www.deja.com
for "cvs ssh" should yield all you need, it just takes a whole load of digging.
ps. apologies for typos... I hand copied lines and spell terribly. =(
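
The Step 3 check (connect to the forwarded port, hit return, see whether the service answers) as a script; this is an added example, not part of the original post. The function names and the stub server's reply text are constructed for illustration and are not CVS output.

```python
import socket
import threading

def probe_forward(host, port, timeout=5.0):
    """Step 3 check: connect, send a bare newline ("hit return"), return the reply.

    Returns None if the TCP connection fails, "" if the peer says nothing.
    Run it from a host outside the firewall, as the post advises.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"\n")
            chunks = []
            try:
                while True:
                    data = s.recv(4096)
                    if not data:          # peer closed the connection
                        break
                    chunks.append(data)
            except socket.timeout:        # peer went quiet; keep what arrived
                pass
            return b"".join(chunks).decode("latin-1").strip()
    except OSError:                       # refused, unreachable, or timed out
        return None

def describe(reply):
    """Turn a probe result into a short verdict."""
    if reply is None:
        return "no connection: forwarding rule missing, wrong IP, or filtered"
    if reply == "":
        return "connected, but the service sent nothing back"
    return "service answered: " + reply

def start_stub_server(reply=b"constructed reply: authentication rejected\n"):
    """Constructed stand-in for the forwarded service; serves one connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))            # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)                 # swallow the probe's newline
            conn.sendall(reply)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    print(describe(probe_forward("127.0.0.1", start_stub_server())))
```

Against a real setup, call `probe_forward` with the ppp0 address and port 2401 from an outside host, then with `localhost` and 2401 on the client once the ssh redirection from Step 4 is running.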