[YLUG] Tunneling
Harry Mills
mail at hjmills.co.uk
Sat Oct 13 13:35:24 BST 2007
Roger Leigh wrote:
> "Paul Elliott" <omahns.home at gmail.com> writes:
>
>> Hi Harry,
>>
>> On 11/10/2007, Harry Mills <mail at hjmills.co.uk> wrote:
>>
>> Does this mean that if my PC has a 144.32 IP address then it will be
>> available on the net etc if I run a web server etc or does the
>> university have a firewall stopping all traffic to any IPs in the range
>> that shouldn't be public?
>>
>> All the traffic is firewalled from external access except where
>> permitted, so no, you will not be able to access your machine from
>> the net.
>
> If there's a good reason for running services accessible to the
> general public, is it possible to ask the Computing Service for
> permission to allow it through the firewall?
>
> While the firewall is there for a good reason, there are several
> interesting approaches to getting around it, should you want to try.
> One easy solution is to set up IPv6 networking such that you have a
> globally scoped and routable IPv6 address. Then, you can put all the
> public-facing stuff on your IPv6 interface and it goes straight
> through the firewall through a six-in-tunnel (SIT) TCP socket connection
> to the tunnel endpoint. You can even additionally set up a VPN to
> somewhere off campus and then tunnel IPv6 over that if the firewall
> blocks the IPv6 tunnel port (I can verify this works--but I haven't
> tried it at the University, only at home).
>
> Have a look at SixXS and AICCU, noc.sixxs.net. Note the nearest
> endpoint is in Dublin (iedub01).
>
> One annoying feature of the firewall is how it blocks direct encrypted
> secure shell connections, yet allows insecure plaintext FTP! SSH
> access to Biology systems would be quite useful for me. Although I
> don't have access currently, indirect access via ssh.york.ac.uk breaks
> scp, sftp and SVN and GIT over SSH. All of these would be pretty
> useful, given all my work is stored in GIT repositories!
>
>
> Regards,
> Roger
>

So are you saying they don't block IPv6 traffic so I could have an IPv6
address that was open to the web with a bit of configuration? If so do
you know where I could find a guide and can I set up an IPv6 address
using the DHCP server or does the DHCP server only issue IPv4 addresses?
I apologize in advance for my lack of knowledge in this area.

Could you get around the sftp etc issues by tunneling the connection
with something like:

$ ssh abc123@ssh.york.ac.uk -L 1234:ssh.example.com:22

Then just sftp to localhost port 1234? I don't know if this works but
ssh tunneling seems to have worked for me for everything else I have tried.

Harry
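
The local forward asked about above, written out as a script with the host-key check kept intact. This is an added example, not part of the original post: the gateway name is from the thread, while ssh.example.com, port 1234 and the login arguments are placeholders, and it assumes the target's host key is already in known_hosts.

```shell
#!/bin/sh
# Added example: sftp over a local forward through the gateway from the thread.
# TARGET, LPORT and the login names passed on the command line are placeholders.
GATEWAY="ssh.york.ac.uk"
TARGET="ssh.example.com"
LPORT=1234

# Build the -L argument, refusing anything that is not a valid TCP port.
# Binding to 127.0.0.1 explicitly keeps the forward off other interfaces.
forward_spec() {
    lport=$1; host=$2; rport=$3
    for p in "$lport" "$rport"; do
        case $p in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done
    printf '127.0.0.1:%s:%s:%s\n' "$lport" "$host" "$rport"
}

# Options for the sftp leg. HostKeyAlias makes ssh check the key offered on
# 127.0.0.1:LPORT against the known_hosts entry for the real target instead
# of storing it under "[127.0.0.1]:1234", so a changed key is still noticed.
sftp_opts() {
    printf '%s\n' "-P $1 -o HostKeyAlias=$2 -o StrictHostKeyChecking=yes"
}

open_tunnel() {   # $1 = login on the gateway
    spec=$(forward_spec "$LPORT" "$TARGET" 22) || return 1
    # -f background, -N no remote command; fail if the forward cannot bind.
    ssh -f -N -o ExitOnForwardFailure=yes -L "$spec" "$1@$GATEWAY"
}

run_sftp() {      # $1 = login on the target host
    # Unquoted on purpose: the option string must split into words.
    sftp $(sftp_opts "$LPORT" "$TARGET") "$1@127.0.0.1"
}

# Only touch the network when asked: ./tunnel.sh run abc123 targetuser
if [ "${1:-}" = "run" ]; then
    open_tunnel "$2" && run_sftp "$3"
fi
```

The same HostKeyAlias option works for scp and for git or svn over ssh when they are pointed at the forwarded port.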