Access ssh from a restricted firewall

ArchaiosFiniks · 2012-05-09 02:44:46

Hello all,

I've been wanting to access my computer from a place where the firewall is restricted.
I already tried to bind ssh on port 443, but it still couldn't be accessed.
Port 443 "should" be unblocked though, since I can access SSL websites.
I know my sshd is binded correctly, since I can access it from other places with port 443.

Anyone has a solution for this?

Thank you.

/dev/zero · 2012-05-09 03:33:18

What method did you use to try and get out over 443? Have you managed to get the same method working from behind other firewalls?

It's possible the firewall is configured to only permit access to white-listed sites.

ewaller · 2012-05-09 05:13:36

Is your target computer behind as firewall (such as your router)? If your IP address starts with 192. or 172. or 10., then you are on a private network that cannot be accessed from the Internet. You need to tell the gateway to forward that port to your computer (NAT).

http://en.wikipedia.org/wiki/Network_ad … ranslation
http://en.wikipedia.org/wiki/Private_network

tomk · 2012-05-09 06:12:05

I used httptunnel very successfully in similar circumstances.

ArchaiosFiniks · 2012-05-09 15:53:09

As I've said, I can access from other places (i.e. my phone, my friends' houses, etc.)
It's just in this one particular place that has a firewall that I can't access.
I'm using putty as my ssh client.

I shall do some research about http-tunnel!

bneate · 2012-05-09 16:13:17

I'm currently using shellinabox with a apache server forwarding https requests to overcome firewall filtering. I couldn't get http-tunnel working when I tried it.

/dev/zero · 2012-05-09 20:11:43

ArchaiosFiniks wrote:

As I've said, I can access from other places (i.e. my phone, my friends' houses, etc.)

So your phone and your friends' houses have firewalls? I asked whether you've managed to get it working from behind other firewalls.

ArchaoisFiniks wrote:

It's just in this one particular place that has a firewall that I can't access.

I take this to mean, no, you haven't tried from behind other firewalls, and you have no idea whether your method should work or not.

ArchaiosFiniks wrote:

I'm using putty as my ssh client.

This isn't a method. Also, could you please clarify what OS you're using?

ArchaiosFiniks wrote:

I shall do some research about http-tunnel!

Next time you feel like help-vampiring, please provide some more information, and read any questions people ask you.

Gcool · 2012-05-09 21:24:47

Aside from the things that /dev/zero already mentioned (which are all valid points); if you can't connect out to anywhere on port 443 there's probably a reason for that. Why not simply check with your friendly neighbourhood sysadmin/security engineer?

fukawi2 · 2012-05-10 00:26:51

Also, there may be a transparent proxy in place, although that is tricky with HTTPS traffic.

Gcool wrote:

Aside from the things that /dev/zero already mentioned (which are all valid points); if you can't connect out to anywhere on port 443 there's probably a reason for that. Why not simply check with your friendly neighbourhood sysadmin/security engineer?

+1. Whoever operates the network obviously has their reasons for not allowing SSH. Talk to them about it to find out if there is a specific reason that you can negate and get an exception for... But if they refuse to allow it, then respect them and their network and find another way such as a wifi hotspot on your phone etc.

frette · 2012-05-10 00:52:06

I think you're all kinda barking up the wrong tree (even the anal retentative elitist)

It's not the port that's blocked, it's the packets.
A third generation firewall will actually check each packet, and, in your case, see that it's ssh packets and simply drop them.

The reasoning behind blocking ssh is simple and understandable (and you can easily get into trouble should you be able to circumvent it):
You can do all sorts of nasty stuff with ssh tunnels... you can pretty much turn every firewall you tunnel out of into swiss cheese.

Last edited by frette (2012-05-10 00:52:22)

frette · 2012-05-10 01:19:26

/dev/zero wrote:

ArchaiosFiniks wrote:
As I've said, I can access from other places (i.e. my phone, my friends' houses, etc.)
So your phone and your friends' houses have firewalls? I asked whether you've managed to get it working from behind other firewalls.

ArchaoisFiniks wrote:
It's just in this one particular place that has a firewall that I can't access.
I take this to mean, no, you haven't tried from behind other firewalls, and you have no idea whether your method should work or not.

Totally irrelevant. All the information he provided is sufficient to tell you the server works and this firewall is blocking ssh via packet inspection (ssh works without firewall and port 443 itself is accessible through the firewall).
If it works on another firewall or not doesn't tell you more than if it works without firewall, the firewall might just be set up less restrictive or handle things in another way.

/dev/zero wrote:

ArchaiosFiniks wrote:
I'm using putty as my ssh client.
This isn't a method. Also, could you please clarify what OS you're using?

Also irrelevant... SSH as a protocol is OS independent. The firewall doesn't care about the client OS anyway.

/dev/zero wrote:

ArchaiosFiniks wrote:
I shall do some research about http-tunnel!
Next time you feel like help-vampiring, please provide some more information, and read any questions people ask you.

Next time you feel like bitching around, make sure you asked questions that were actually relevant and worth being answered. Btw: he didn't answer you, he answered ewaller.
kkthxbye

Last edited by frette (2012-05-10 01:41:31)

/dev/zero · 2012-05-10 01:41:26

frette wrote:

/dev/zero wrote:
I take this to mean, no, you haven't tried from behind other firewalls, and you have no idea whether your method should work or not.
Totally irrelevant. All the information he provided is sufficient to tell you the server works and this firewall is blocking ssh via packet inspection.

Just because you assert something, that does not make it true. I had reasons for asking the questions I did.

frette wrote:

Also irrelevant... SSH as a protocol is OS independent

Speaking of irrelevant ... I'm well aware of what ssh is and is not. Again, I had reason to ask. Namely, I would like to confirm that the OP is actually using Arch Linux and not just trolling the Arch Linux forum for answers about a problem in Windows. Although Putty works in Linux, I've never known anyone to use it outside of Windows.

frette wrote:

Next time you feel like bitching around, make sure you asked questions that were actually relevant and worth being answered. Btw: he didn't answer you, he answered ewaller.
kkthxbye

How would you know who OP was answering?

Speaking of bitching around, please refrain from being quite so rude. Although I'm up for an argument any time, I don't think flame wars are really the order of the day.

frette · 2012-05-10 01:47:23

/dev/zero wrote:

How would you know who OP was answering?

Simple: have a look at ewaller's questions and OP's answers.

/dev/zero wrote:

Although I'm up for an argument any time, I don't think flame wars are really the order of the day.

Then don't start one and watch your own manners before critisizing other's:

/dev/zero wrote:

Next time you feel like help-vampiring, please provide some more information, and read any questions people ask you.

and just as a friendly jab:

/dev/zero wrote:

I had reasons for asking the questions I did.

yeah, the reason being: clutching for straws

Ok, I guess that's enough, we had our fun.
Just to clarify: no hard feelings and nothing personal, I just didn't like that "help-vampiring" remark at all, combined with all the relevant information already being present in OP's first post.

Last edited by frette (2012-05-10 01:54:42)

/dev/zero · 2012-05-10 01:54:17

frette wrote:

/dev/zero wrote:
How would you know who OP was answering?
Simple: have a look at ewaller's questions and OP's answers.

Yes, I can read. I read them. OPs answers could be interpreted various ways. Since OP chose not to use the "Quote" button, I could only guess.

frette wrote:

/dev/zero wrote:
Although I'm up for an argument any time, I don't think flame wars are really the order of the day.
Then don't start one and watch your own manners before critisizing other's:
/dev/zero wrote:
Next time you feel like help-vampiring, please provide some more information, and read any questions people ask you.

If you thought I did something wrong, please use the Report button. I am quite happy for a mod to tell me to pull my head in. The Arch Linux forums are not for flame wars. Note: there is much tolerance of people (like me) telling help vampires to mend their ways, but little tolerance for people (like you) being deliberately insulting.

Last edited by /dev/zero (2012-05-10 01:54:57)

ArchaiosFiniks · 2012-05-10 01:56:26

I am wondering if the entire arch community is so rude, now. Not a good second impression of the arch forums nonethless.
Even with my beginner skills in Linux, I guessed that OS didn't mather while talking about ssh. Of course I am using Arch. And by putty, I meant on the Windows computer I am trying to access my box from.
No, I did not try to access it from behind another port (that I know of. Nowadays, most routers comes with built-in firewalls though), but it should not mather, right?
The place I am trying to access from is my High School, but if it is that much of a bother, forget it guys. Just don't go bashing on everything and everyone, looks bad for the entire community. :l
I am just trying to learn more, and trying to access ssh from my school looked like a nice thing to do to learn a little bit more about Linux.

Thank you.

frette · 2012-05-10 01:56:41

/dev/zero wrote:

but little tolerance for people (like you) being deliberately insulting.

yeah, show me one point where I was actually insulting you

/dev/zero · 2012-05-10 02:06:53

frette wrote:

/dev/zero wrote:
but little tolerance for people (like you) being deliberately insulting.
yeah, show me one point where I was actually insulting you

This was clearly referring to someone in this thread:

frette wrote:

anal retentive elitist

So if you weren't talking about me, please clarify who you were insulting.

Also, while "bitching around" and "kthxbye" aren't really in the category of deliberate insults, still, you know, it's quite a higher order of inflamatory rudeness than calling someone a help vampire. Warnings about help vampires, after all, are written right into the Forum Guidelines. If you have some kind of brain-tick every time you see the words "help" and "vampire" together, you're not really going to enjoy it much around here.

frette · 2012-05-10 02:07:38

ArchaiosFiniks wrote:

I am wondering if the entire arch community is so rude, now. Not a good second impression of the arch forums nonethless.
Even with my beginner skills in Linux, I guessed that OS didn't mather while talking about ssh. Of course I am using Arch. And by putty, I meant on the Windows computer I am trying to access my box from.
No, I did not try to access it from behind another port (that I know of. Nowadays, most routers comes with built-in firewalls though), but it should not mather, right?
The place I am trying to access from is my High School, but if it is that much of a bother, forget it guys. Just don't go bashing on everything and everyone, looks bad for the entire community. :l
I am just trying to learn more, and trying to access ssh from my school looked like a nice thing to do to learn a little bit more about Linux.
Thank you.

There was actually an answer to your question buried in there, sorry about that

have a look at post #10

frette · 2012-05-10 02:11:12

/dev/zero wrote:

If you have some kind of brain-tick every time you see the words "help" and "vampire" together, you're not really going to enjoy it much around here.

Yeah, I kinda notice that, seems to be pretty elitist-centric here. And anal retentive didn't come from nowhere either.
Well, cya, have fun belittling OPs because they don't answer your irrelevant questions within seconds.
Nice community.

/dev/zero · 2012-05-10 02:14:57

ArchaiosFiniks wrote:

if it is that much of a bother, forget it guys. Just don't go bashing on everything and everyone, looks bad for the entire community. :l
I am just trying to learn more

It is not too much bother to try and help. I was hoping I could help. I've tunnelled out from behind firewalls myself in the past. But, it is hard to help without complete information. When faced with requests for help but not much information, some people try and guess the answer. That seems like a good way to get everyone frustrated.

To get better results in the future, you may wish to re-familiarise yourself with the parts of the Forum Guidelines about "Life is a Two-Way Street" and "How To Post". Follow the links in those sections. If you do this bit of reading, you will then know how to ask questions the smart way, and you will know how to avoid seeming like a help vampire.

Last edited by /dev/zero (2012-05-10 02:16:16)

ArchaiosFiniks · 2012-05-10 02:28:40

/dev/zero wrote:

ArchaiosFiniks wrote:
if it is that much of a bother, forget it guys. Just don't go bashing on everything and everyone, looks bad for the entire community. :l
I am just trying to learn more
It is not too much bother to try and help. I was hoping I could help. I've tunnelled out from behind firewalls myself in the past. But, it is hard to help without complete information. When faced with requests for help but not much information, some people try and guess the answer. That seems like a good way to get everyone frustrated.
To get better results in the future, you may wish to re-familiarise yourself with the parts of the Forum Guidelines about "Life is a Two-Way Street" and "How To Post". Follow the links in those sections. If you do this bit of reading, you will then know how to ask questions the smart way, and you will know how to avoid seeming like a help vampire.

Alrighty. Ask away. As far as I know, I have answered everything in the past posts.

And as far as I know, a help vampire ask on the forum for every single question he has. Look at my number of posts, then substract the posts here. It's like 5-6.
I have set up an arch linux with awesome, conky, ncmpcpp, an IM, etc. and customized a couple of stuff for my liking. 5-6 posts for that is not a lot in my opinion.

Thank you.

adamrehard · 2012-05-10 02:38:05

As to help vampires:
http://slash7.com/2006/12/22/vampires/

As /dev/zero has said, we don't mind helping, we just prefer that you look up what you can before you post. If you don't you'll either get questions or a curt response. It's to your
benefit to do your own research before posting here. Doing your own research is the best way to learn.

Last edited by adamrehard (2012-05-10 02:38:20)

/dev/zero · 2012-05-10 02:39:19

ArchaiosFiniks wrote:

Alrighty. Ask away. As far as I know, I have answered everything in the past posts.

Haha, well, now I have enough information to know that my experience is not relevant to your problem. I was going from Linux box to Linux box, not Windows to Linux. If I just gave my answer straight away, this would have been a bit annoying for you, wouldn't it?

Still, it might help others help you if you specify exactly what you're doing with putty. You mention binding it on 443. Do you mean you just told it to connect to port 443, or did you put in some kind of tunnelling? Were you following any particular instructions?

(As many questions like this as possible should be pre-empted in a thread's opening post. Always give references and explain exactly what you're doing.)

adamrehard · 2012-05-10 02:41:40

frette, I'm not going to provide commentary. I will however point you to this:
https://wiki.archlinux.org/index.php/Forum_Etiquette

'Nuff said. (by me at least)

Last edited by adamrehard (2012-05-10 02:41:53)

ewaller · 2012-05-10 02:57:03

Wow, I spend a few hours in meetings, and this topic has a complete meltdown in my absence.

ArchaiosFiniks wrote:

As I've said, I can access from other places

Missed that last line. You are right, that makes my observations and suggestions irrelevant (at least in this case). I think that fukawi2 is absolutely correct. As always, I respect his even temper and knowledge.

<Moderator Mode>
dev/zero: You can tend to be a bit abrasive. I think you where uncharacteristically so in this case.
frette: You have good insight in to the technical issues. No, the forum is not that elitist. We do however, have a well earned reputation for insisting that people research the problem prior to posting -- generally with the hope to foster that behavior. In this case, I believe it is unwarranted. I am surprised you rose to the bait.

This thread has generated a flurry of well deserved reports to the moderators. I look back through this thread and I see a collection of members, all of whom seem technically adept. Unfortunately, the technical ability of the OP is sometimes hard to judge; therefore I tend to start with the basics. I learned a bit about 3rd generation firewalls along the way. As the technical depth increased, so did the depth of something else... I really am not sure how that happened.

I ask you all to take a breather and give it a break. I really don't want to have to start using my moderator rights here. Please.

</Moderator Mode>

Arch Linux

#1 2012-05-09 02:44:46

Access ssh from a restricted firewall

#2 2012-05-09 03:33:18

Re: Access ssh from a restricted firewall

#3 2012-05-09 05:13:36

Re: Access ssh from a restricted firewall

#4 2012-05-09 06:12:05

Re: Access ssh from a restricted firewall

#5 2012-05-09 15:53:09

Re: Access ssh from a restricted firewall

#6 2012-05-09 16:13:17

Re: Access ssh from a restricted firewall

#7 2012-05-09 20:11:43

Re: Access ssh from a restricted firewall

#8 2012-05-09 21:24:47

Re: Access ssh from a restricted firewall

#9 2012-05-10 00:26:51

Re: Access ssh from a restricted firewall

#10 2012-05-10 00:52:06

Re: Access ssh from a restricted firewall

#11 2012-05-10 01:19:26

Re: Access ssh from a restricted firewall

#12 2012-05-10 01:41:26

Re: Access ssh from a restricted firewall

#13 2012-05-10 01:47:23

Re: Access ssh from a restricted firewall

#14 2012-05-10 01:54:17

Re: Access ssh from a restricted firewall

#15 2012-05-10 01:56:26

Re: Access ssh from a restricted firewall

#16 2012-05-10 01:56:41

Re: Access ssh from a restricted firewall

#17 2012-05-10 02:06:53

Re: Access ssh from a restricted firewall

#18 2012-05-10 02:07:38

Re: Access ssh from a restricted firewall

#19 2012-05-10 02:11:12

Re: Access ssh from a restricted firewall

#20 2012-05-10 02:14:57

Re: Access ssh from a restricted firewall

#21 2012-05-10 02:28:40

Re: Access ssh from a restricted firewall

#22 2012-05-10 02:38:05

Re: Access ssh from a restricted firewall

#23 2012-05-10 02:39:19

Re: Access ssh from a restricted firewall

#24 2012-05-10 02:41:40

Re: Access ssh from a restricted firewall

#25 2012-05-10 02:57:03

Re: Access ssh from a restricted firewall

Board footer