Berkeley CSUA MOTD:Entry 50788
Berkeley CSUA MOTD
 
WIKI | FAQ | Tech FAQ
http://csua.com/feed/
2025/05/28 [General] UID:1000 Activity:popular
5/28    

2008/8/5-10 [Computer/Networking] UID:50788 Activity:nil
8/5     It looks like my company has started blocking HTTPS tunneling.
        I used to do this by tunneling SSH through the HTTP/HTTPS proxy
        server, but this seems to have stopped working. Does anyone know
        how the implementation of tunneling detection works, and whether
        there are widely available implementations? We run a bunch of MS
        stuff, so I imagine we're running an MS proxy server or something.
        It seems to me that the most straightforward tunnel detection method
        would be to first check if the requested site actually talks HTTPS,
        and perhaps check whether the SSL cert is valid and all that,
        optionally rejecting self-signed certs. Has anyone encountered the
        same block at work and found a way to circumvent it? Thanks.
        \_ Take a look at stunnel. Thought about using it a while back but
           then the block got removed.
           \_ Thanks, that might conceivably work. Will look into it...
        \_ You can SSH tunnel through any open port so just find one.
           \_ Amen. Try port 25.
           \_ There are no open ports. I'm behind a firewall. The only way
              out that I'm aware of is through the HTTP/HTTPS proxy. Telnet
              used to be open, but not anymore.
              \_ Use nmap or ethereal to look for open ports.
        \- if dns is allowed, there is kind of a crufty way to run ssh
           over dns, but really if there is a business case for this,
           you should lobby for what you need. i've circumvented cafes,
           hotels, WAPs etc and what you need to do depends on doing a
           bunch of diagnosis to reverse engineer what is going on so
           you know what your options are. and in some cases, you have
           to pre-arrange to have some infomation on hand [like ip addresses]
           or pre-arrage some listening servers of some kind on the outside.
           those last two things shouldnt be an issue if you commute to
           and from work everyday and have admin access to an external
           networked box. BTW, you can do some kind of dynamic porotocol
           detection to quash this kind of thing. see e.g.
           http://www.icir.org/robin/papers/usenix06.pdf
           \_ Yes, I've used IP over DNS before, but it's not really something
              I'd want to use on a regular basis, for performance and
              reliability reasons. Thanks for the suggestion, though.
        \_ Maybe work at a company that doesn't block ports?  Do you think
           subverting your company's IT policy is a good idea?
           \_ Maybe later. No, but I'm skeptical that any somewhat nerdy
              person who works at a large company can get by without breaking
              some IT policy or other.
2025/05/28 [General] UID:1000 Activity:popular
5/28    

You may also be interested in these entries...
2009/11/4-17 [Computer/SW/P2P, Computer/Networking, Computer/SW/Security] UID:53495 Activity:nil
11/4    Holy cow, I got a warning from my ISP that they were notified
        by BSA/baytsp.com that I was copying music/video/software.
        Do they do port scan or something? That's a first for me.
        \_ They hang out on P2P networks and track IP addresses.  -tom
           \_ I believe they are paid by content providers to perform this
              monitoring service, so you should only run this risk with content
	...
2008/11/7-13 [Computer/Networking] UID:51876 Activity:low
11/7    Need help on http proxy. After I VPN to work, I'd like to tunnel
        all the traffic to my machine. How do I setup my machine (Linux)
        as a proxy server so that my home computers can route through it?
        I'm asking because the site we're testing on requires that we
        come from the same IP. If I use VPN, the server will reject me
        based on the fact that it's a different IP than my work Linux.
	...
2006/6/16-19 [Computer/Companies/Google] UID:43418 Activity:nil
6/15    Oh dear lord.  It seems SpamCop is blacklisting certain IPs used by
        Gmail.  Gmail does not reveal the sending IP for privacy reasons, so
        when Gmail users send mail to honeypots, Gmail's servers get
        blacklisted.  Has anyone else noticed this?
        \_ SpamCop has long been a bastion of incompetence. --scotsman
        \_ If you're a proxy for spam you should be blocked the same as direct
	...
2006/2/18-23 [Computer/Networking] UID:41923 Activity:low
2/18    My DSL modem's ip address is 192.168.0.1, my internal network
        behind my router is 10.0.0.x. Is there a way I can configure
        the router so I can access the DSL modem from my 10.0.0.x
        network directly without re-wiring? Static routes? I tried it
        but no much luck. I also tried changing my internal network to
        192.168.0.x, but still does not work. Thanks.
	...
2006/1/22-24 [Computer/Networking] UID:41477 Activity:nil
1/21    I am trying to setup a small network for my girlfriend's
        mom's company.  They just bought an accounting package
        which requires windows 2003 server.  And they want internet
        access from each computer.  How should the network be setuped?
        Would it be dumb to use static IP for each computer and a
        computer as internet gateway?
	...
2005/8/29-30 [Computer/Networking] UID:39329 Activity:moderate 54%like:37400
8/29    What's the difference between a hub, a switch and a router?  Thx.
        \_ AFAIK, probably be corrected by someone:
           hub: Allows communication on a LAN with bandwith shared amongs all
                the nodes on the hub and maxing out at the max line speed.
           switch: Allows communication on a LAN with bandwith greater than
                the max line speed (point to point)
	...
2005/6/2-3 [Computer/Networking] UID:37941 Activity:moderate
6/2     I've been to many places and almost every place I go to have
        802.11b/g. However, almost all of them have protected access,
        which I presume they use because they don't want people stealing
        their bandwidth. So here is one idea I think will really
        revolutionize 802.11X... an option in the router that allows you to
        specify the percentage of unprotected bandwidth you are willing to
	...
2005/1/10-11 [Computer/SW/OS/VM] UID:35635 Activity:kinda low
1/10    VMware question for VMware gurus only. I've installed a WinXPsp1
        on top of WinXPsp2. How do you do the followings:
        1) transfer data between the two machines? I've tried mounting
           raw partition from WinXPsp1 but when I disable write, it
           doesn't boot up anymore (WinXP insists on writing)
        2) communicate between the two machines? I can ping WinXPsp1
	...
2004/11/9 [Computer/Companies/Google, Computer/SW/OS/VM] UID:34777 Activity:high
11/9    I have two versions of MSIE 6.0.2800.1106. One is running inside a
        VMWare virtual machine, the other running native on an athlon PC.
        When I run a google query: http://www.google.com/search?q=canada.ca
        They get slightly different results. What's the best way to figure
        out why this would be?  Perhaps a way to capture the request?
        \_ Maybe you're just hitting different google mirrors, and their
	...
2004/9/19-20 [Computer/Networking, Computer/SW/Languages/Misc] UID:33626 Activity:high
9/19    I'm looking for a simple but good load balancing appliance to sit
        in front of two boxes for the purposes of redundancy.  Load Balancing
        isn't really required, I just want the device to send traffic to
        the secondary box iff the first server goes down. Recommendations?
        \_ An OpenBSD 3.5 box running pf + carp can do this. If you don't
           want to use OpenBSD you can try ucarp: http://www.ucarp.org
	...
2004/8/16-17 [Computer/SW/Unix, Computer/SW/Mail] UID:32946 Activity:moderate
8/16    Anybody know of an existing program similar to pop-before-smtp
        but for IMAP. It wou use a current IMAP connection to allow
        SMTP relaying from the same IP addres as that IMAP connection?
        \_ it's the same program, just change the regexp used to search
           for login lines and change the logfile watched
           \_ Nope, That does not work. IMAP connections are persistent and
	...
2004/6/2 [Computer/Networking] UID:30555 Activity:nil
6/2     My new favorite bug.    F5's BigIP 4.5.9:
        "Using the IP address 213.13.118.129:80  (CR31104)
        If you add a pool with a member node with the IP address
        213.13.118.129:80, when the address and port select a virtual server
        on the local system, it causes the BIG-IP system to panic and the
        configuration to be deleted. The issue occurs only when the address
	...