Subject: Re: PROXY SERVERS FOR ALL SURFERS IN S'PORE!
From: markh@wimsey.com (Mark C. Henderson)
Date: 1996/08/13
Message-Id: <4urkrl$12o@vanbc.wimsey.com>
References: <199608120245.TAA14275@jobe.shell.portal.com> <4up3vv$pkq@vanbc.wimsey.com>
Organization: Online at Wimsey/iSTAR - Canada
Newsgroups: soc.culture.singapore

In article <4up3vv$pkq@vanbc.wimsey.com>, Mark C. Henderson wrote:
>In article <199608120245.TAA14275@jobe.shell.portal.com>,
>Well, it isn't impossible to get around this.
>
>Consider using SSH, which will tunnel TCP connections via an encrypted link,
>together with an ISP shell account in the free world, and an http proxy
>server that can run as a daemon (e.g. the latest alpha of the TIS firewall
>toolkit httpd)

I have about twenty messages in my mailbox asking for some more details.
So I'll post an outline of what I am thinking of.

Note that I am assuming that they don't break all internet connectivity,
but only filter out HTTP traffic at the routers. What this will do is
build an encrypted tunnel to a proxy server on an ISP in the free world,
so you can use this proxy server instead of the restricted one. Of
course, there are many ways to do this sort of thing; this is really
just an example.

-- assumptions

- you have root access to your own UNIX/LINUX host at home (you don't
  actually need "root" access, but this makes things slightly easier)
- you have an account with an ISP with shell access in the free world
- blocking of WWW access is done by blocking packets with destination
  ports 80 and 8080 (in other words, they haven't completely cut you off
  from TCP connectivity, just traffic that appears to a router to be web
  traffic)
- whenever I refer to ISP below, I'm referring to the ISP in the free
  world (not the ISP in Singapore)
- you have some basic systems administration knowledge. I'm not going to
  spell out exactly what you have to type

Ingredients

- ssh (http://www.cs.hut.fi/ssh)
- the TIS firewall toolkit http proxy (2.0 alpha) with patches
  ftp://ftp.tis.com/pub/firewalls/toolkit AND
  ftp://ftp.optimation.co.nz/pub/fwtk/fwtk-2.0alpha-Optimation1.tar.gz

There are two versions of this:

- in the long version, your link is encrypted so people with ethernet
  sniffers can't see what you're doing
- the short version can be implemented without ssh, but folks with
  sniffers could observe your traffic. If you want this, skip to step 5.

1. build ssh. install it as per instructions on your local UNIX/LINUX
   host with root access. If you don't have root access you are still
   OK, but you'll need to modify the installation instructions.

2. build ssh on the ISP's host. Of course you are not root, so you can't
   install it in the usual way. By way of an installation procedure,
   something like the following will suffice for basic functionality.

      mkdir ~/etc ; cd ~/etc
      ssh-keygen -b 1024 -f ssh_host_key -N ''
      cat >sshd_config <<EOF
      ListenAddress 0.0.0.0
      HostKey $PWD/ssh_host_key
      ServerKeyBits 768
      LoginGraceTime 600
      KeyRegenerationInterval 3600
      EOF
      sshd -f sshd_config -p 8888

3. Now go back to your UNIX/LINUX host and execute something like

      ssh -p 8888 -x -L 8889:localhost:8889

4. Now you should be logged into your ISP. Fetch and build the TIS http
   proxy. Be sure to edit firewall.h so that PERMFILE goes to something
   you control (something in $HOME/etc).

5. install http-gw and the netperm-table (all you need) in your home
   directory. For a netperm-table you can do something like

      cd ~/etc
      cat >netperm-table <<EOF
      http-gw: permit-hosts *
      EOF

6. run the proxy on your ISP

      http-gw -daemon 8889

7. now set your proxy server in Netscape to localhost port 8889 (for the
   version without ssh, set it to port 8889)

8. browse the web. The link between your ISP in the free world and your
   UNIX host is encrypted for privacy.

Of course, if ports 8888, 8889 don't work for you, you should pick
others >= 1024

-- 
Mark Henderson -- markh@wimsey.bc.ca, henderso@netcom.com, mch@squirrel.com
ViaCrypt PGP Key Fingerprint: 21 F6 AF 2B 6A 8A 0B E1 A1 2A 2A 06 4A D5 92 46
http://www.squirrel.com/squirrel/ - change-sun-hostid, unstrip for Solaris,
computer security, TECO, FGMP, Sun NVRAM/hostid FAQ, Wimsey crypto archive
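The two moving parts of the recipe above, as an added example that is not from Mark Henderson's post and does not use ssh or TIS http-gw at all: a small forward HTTP proxy that enforces a permit-hosts style client ACL (the role http-gw and its netperm-table play on the ISP host), and a plain TCP relay that listens on a local port and copies bytes to the proxy (the role of the local end of `ssh -L 8889:localhost:8889`). All hosts, ports and the origin server are constructed for the demo and bind only to 127.0.0.1, so it runs offline. Two things the example makes visible that the post's steps do not: the relay here carries the bytes in the clear, so it provides the forwarding but none of the privacy that ssh adds; and `permit-hosts *` in the post's netperm-table makes the proxy usable by anyone who can reach port 8889 on the ISP host, whereas with the ssh version the proxy only ever needs to accept connections from localhost, which is why the demo's ACL is a list of networks rather than a wildcard.

```python
"""Added example (not code from the original post): a minimal forward HTTP
proxy with a permit-hosts style ACL, plus an unencrypted TCP relay standing
in for the local end of `ssh -L`. Python 3.7+, standard library only."""
import ipaddress
import socket
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit


class OriginHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a web site in the free world."""
    def do_GET(self):
        body = b"hello from origin " + self.path.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class ProxyHandler(BaseHTTPRequestHandler):
    """Forward proxy: the browser sends 'GET http://host:port/path HTTP/1.x'.
    self.server.permit is the list of client networks allowed to use it,
    the equivalent of 'http-gw: permit-hosts' in the netperm-table."""
    def do_GET(self):
        client_ip = ipaddress.ip_address(self.client_address[0])
        if not any(client_ip in net for net in self.server.permit):
            self.send_error(403, "client not in permit-hosts")
            return
        u = urlsplit(self.path)
        if u.scheme != "http" or not u.hostname:
            self.send_error(400, "proxy needs an absolute http:// URL")
            return
        path = (u.path or "/") + ("?" + u.query if u.query else "")
        conn = HTTPConnection(u.hostname, u.port or 80, timeout=5)
        conn.request("GET", path, headers={"Host": u.netloc})
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        self.send_response(resp.status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def _pump(src, dst):
    """Copy bytes one way; on EOF, half-close the other side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def _relay_pair(a, b):
    ta = threading.Thread(target=_pump, args=(a, b))
    tb = threading.Thread(target=_pump, args=(b, a))
    ta.start(); tb.start(); ta.join(); tb.join()
    a.close(); b.close()


def start_relay(target_host, target_port):
    """Listen on an ephemeral local port and relay each connection to the
    target: what `ssh -L localport:target_host:target_port` does locally,
    minus the encryption (this relay is plaintext)."""
    lsock = socket.socket()
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)

    def serve():
        while True:
            try:
                c, _ = lsock.accept()
            except OSError:
                return
            t = socket.create_connection((target_host, target_port))
            threading.Thread(target=_relay_pair, args=(c, t), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return lsock, lsock.getsockname()[1]


def _start(handler, permit=None):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    srv.permit = [ipaddress.ip_network(n) for n in (permit or [])]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch_via_proxy(proxy_port, url):
    """What Netscape does with proxy = localhost:<port>: the full URL goes
    in the request line to the proxy, never directly to the origin."""
    conn = HTTPConnection("127.0.0.1", proxy_port, timeout=5)
    conn.request("GET", url)
    r = conn.getresponse()
    body = r.read()
    conn.close()
    return r.status, body


def demo():
    origin, oport = _start(OriginHandler)
    proxy, pport = _start(ProxyHandler, permit=["127.0.0.0/8"])  # tunnel end only
    relay, lport = start_relay("127.0.0.1", pport)                # the -L leg
    status, body = fetch_via_proxy(lport, f"http://127.0.0.1:{oport}/index.html")
    strict, sport = _start(ProxyHandler, permit=["10.0.0.0/8"])   # we are not in it
    denied, _ = fetch_via_proxy(sport, f"http://127.0.0.1:{oport}/")
    for s in (origin, proxy, strict):
        s.shutdown(); s.server_close()
    relay.close()
    return status, body, denied


if __name__ == "__main__":
    print(demo())
```

Run it and the first fetch travels browser-side client -> local relay -> proxy -> origin and back (200 with the origin's body), while the second, against a proxy whose permit list does not cover 127.0.0.1, is refused with 403 before the proxy ever contacts the origin.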