Useful trick w/ WatchGuard Firewalls
2011-12-08 19:15:37.995582+00 by
meuon
We're trying to securely move files from A to B, with a WatchGuard firewall in the way. The WatchGuards do not like SCP. Its answer was: use FTP and SMB.
Our answer was a version of:
ssh root@192.168.99.33 -p 99 cat /home/foo/stuff/export.zip >export.zip
Which worked, almost 100 times in a row. Then the WatchGuard decided it did not like it. Still a useful trick. If I end up on the other end... I may install a real firewall (dreaming).
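The trick above works because ssh will happily carry whatever cat writes to its stdout, but a firewall that drops the session mid-stream (as the WatchGuard eventually did) leaves a silently truncated export.zip. The following is an added example, not code from the post: the same ssh-and-cat transfer wrapped so that it asks the far side for a SHA-256 first, refuses to overwrite an existing local file, and deletes anything that arrives truncated or corrupted. It assumes `sha256sum` and `cat` on the far side; SSH_REMOTE uses the address and port from the post, and `["sh", "-c"]` stands in for ssh when exercising it locally (both run their argument in a shell on the "remote" side).

```python
"""Added example (not from the post): `ssh host cat file > local`, with an
integrity check so a dropped session cannot leave a truncated file behind."""
import hashlib
import os
import shlex
import subprocess
from typing import Sequence

# The post's endpoint (hypothetical host and port, copied from the post).
SSH_REMOTE = ["ssh", "-p", "99", "root@192.168.99.33"]


def ssh_pull(remote: Sequence[str], src: str, dst: str) -> str:
    """Stream `src` from the shell reached by `remote` into `dst`.

    `remote` is a command that runs its last argument in a shell on the far
    side: SSH_REMOTE in real use, ["sh", "-c"] to exercise this locally.
    Returns the hex SHA-256 of the received bytes.  Raises FileExistsError
    rather than clobbering `dst`, and IOError (after removing the partial
    file) if the far side's digest does not match what arrived.
    """
    q = shlex.quote(src)
    # 1. Ask the far side for the digest before moving any data.
    out = subprocess.run([*remote, f"sha256sum -- {q}"], check=True,
                         capture_output=True, text=True).stdout
    expected = out.split()[0]
    # 2. Create the destination exclusively; a re-run must not overwrite.
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    h = hashlib.sha256()
    try:
        # 3. Stream the bytes, hashing as they arrive (the post's `cat`).
        with os.fdopen(fd, "wb") as f, subprocess.Popen(
                [*remote, f"cat -- {q}"], stdout=subprocess.PIPE) as p:
            for chunk in iter(lambda: p.stdout.read(65536), b""):
                h.update(chunk)
                f.write(chunk)
        # 4. A non-zero exit or a digest mismatch means a partial transfer.
        if p.returncode != 0 or h.hexdigest() != expected:
            raise IOError(f"transfer of {src} truncated or corrupted")
    except BaseException:
        os.unlink(dst)  # never leave a half-written file under the real name
        raise
    return h.hexdigest()


if __name__ == "__main__":
    # Real use, matching the post's one-liner (hypothetical paths):
    print(ssh_pull(SSH_REMOTE, "/home/foo/stuff/export.zip", "export.zip"))
```

The digest request costs one extra round trip but turns "it worked almost 100 times" into something you can prove per transfer; an unreadable `src` fails at step 1 before anything is created locally.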
#Comment Re: made: 2011-12-08 20:31:09.37515+00 by:
ebradway
Sounds like you need to route around the firewall. Will tor do it? Maybe you
should just put a 3G USB dongle inside the case. Assuming you are in a location
with cell coverage...
#Comment Re: made: 2011-12-08 20:52:13.674846+00 by:
meuon
Firewall worked around with (well, not exactly, but close):
On client:
curl --insecure -T changes.zip https://192.168.99.33/father.php
On server (father.php):
<?php
// Read the raw request body and write it under incoming/ with a timestamped name
$request = file_get_contents("php://input");
$now = date("YmdHis");
$bout = fopen("incoming/changes$now.zip", "wb");
if ($bout === false) {
    header("HTTP/1.1 500 Internal Server Error");
    exit("cannot open output file");
}
fwrite($bout, $request);
fclose($bout);
Bypasses sane SCP method.
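As posted, father.php accepts a body from anyone who can reach the URL, trusts `--insecure` on the client (so the server's identity is never checked), and names the file by the second, so two uploads in the same second overwrite each other. The following is an added example and not the post's father.php: the same raw-body receiver, in Python as a WSGI app so it can be exercised in-process, hardened. Everything beyond "read the body, write it under incoming/" is an assumption introduced here: a shared secret on both ends (UPLOAD_SECRET), an X-Upload-MAC request header carrying the hex HMAC-SHA256 of the body, a size cap (MAX_BODY), and an incoming/ directory the web server can write to but does not serve.

```python
"""Added example, not the post's father.php: a raw-body upload receiver
that authenticates the body, caps its size, and never overwrites."""
import hashlib
import hmac
import os
import secrets
import time

MAX_BODY = 50 * 1024 * 1024        # hypothetical cap
UPLOAD_SECRET = b"replace-me"      # hypothetical; the curl side holds the same


def save_upload(body: bytes, mac_hex: str, incoming: str,
                secret: bytes = UPLOAD_SECRET) -> str:
    """Verify `mac_hex` over `body`, write it to a new file, return the path.

    Raises ValueError for an oversize body and PermissionError for a bad MAC.
    The server picks the name (timestamp plus random suffix) and opens it
    with O_EXCL: two uploads in the same second cannot overwrite each other,
    and the client never controls a path.
    """
    if len(body) > MAX_BODY:
        raise ValueError("body too large")
    want = hmac.new(secret, body, hashlib.sha256).hexdigest()
    # compare_digest is constant-time, so the check leaks nothing by timing
    if not hmac.compare_digest(want, mac_hex.strip().lower()):
        raise PermissionError("bad upload MAC")
    stamp = time.strftime("%Y%m%d%H%M%S")
    path = os.path.join(incoming, f"changes{stamp}-{secrets.token_hex(4)}.zip")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(body)
            f.flush()
            os.fsync(f.fileno())
    except BaseException:
        os.unlink(path)  # never leave a half-written file under a real name
        raise
    return path


def make_app(incoming: str):
    """Build the WSGI callable. `curl -T` sends PUT, so that is all we accept."""
    def app(environ, start_response):
        def reply(status, text=b""):
            start_response(status, [("Content-Type", "text/plain"),
                                    ("Content-Length", str(len(text)))])
            return [text]
        if environ.get("REQUEST_METHOD") != "PUT":
            return reply("405 Method Not Allowed")
        try:
            length = int(environ.get("CONTENT_LENGTH") or "")
        except ValueError:
            return reply("411 Length Required")
        if length < 0 or length > MAX_BODY:      # reject before reading a byte
            return reply("413 Payload Too Large")
        body = environ["wsgi.input"].read(length)
        try:
            path = save_upload(body, environ.get("HTTP_X_UPLOAD_MAC", ""),
                               incoming)
        except PermissionError:
            return reply("403 Forbidden")
        except ValueError:
            return reply("413 Payload Too Large")
        return reply("201 Created", os.path.basename(path).encode() + b"\n")
    return app


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    os.makedirs("incoming", exist_ok=True)
    make_server("127.0.0.1", 8080, make_app("incoming")).serve_forever()
```

On the client side the matching change is to drop `--insecure` in favour of the server's certificate (`curl --cacert server.pem ...`, or `--pinnedpubkey`), which restores the server-identity check that ssh gives for free, and to send the MAC: `-H "X-Upload-MAC: $(openssl dgst -sha256 -hmac "$SECRET" changes.zip | awk '{print $NF}')"`. The HMAC does not hide the contents; it only stops strangers from filling incoming/, which is the gap the posted version leaves open.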
#Comment Re: made: 2011-12-08 22:12:35.231768+00 by:
Dan Lyke
I am reminded of http://www.nocrew.org/software/httptunnel.html
Cringe.
#Comment Re: made: 2011-12-09 01:31:41.397959+00 by:
TheSHAD0W
Nothing wrong with ftp; just encrypt before you transfer.
#Comment Re: made: 2011-12-09 01:44:40.949325+00 by:
Dan Lyke
FTP passes the password insecurely...
#Comment Re: made: 2011-12-09 02:08:48.499715+00 by:
meuon
And the WatchGuard is set to deny FTP and requires some special module for SFTP.
Good firewalls make sense. Bad firewalls hurt security.
But it allows almost anything via HTTPS. Cripes.
#Comment Re: made: 2011-12-09 05:27:18.078727+00 by:
Dan Lyke
Also, scp/ssh/sftp offer protection against MITM attacks. HTTPS does a little bit towards that (unless you're high enough profile to fall prey to a CA compromise). FTP is one DNS spoof away from compromise.
sftp happens over ssh (2.0), so no surprises there: if ssh doesn't work, neither will sftp.
(and the iPad wants to correct "sftp" to "Afro")
#Comment Re: made: 2011-12-10 06:22:02.125368+00 by:
TheSHAD0W
FTP passes the password insecurely...
...So?
For download from the server, just put the files out there. If someone *does* intercept the password and log in, they can only download encrypted files.
For upload, set permissions so files can't be overwritten and/or make it so the upload directory contents can't be read. That way an attacker trying to plant a trojan horse can't modify your data or can't figure out what sort of filename you're expecting.
Either way, FTP would work for you.