Wednesday, April 3, 2002

Using ssh to pierce corporate firewalls



I work for a company that has a firewall that only allows out http, https and, most importantly, ssh. While at my desk I want to check my home IMAP4 mail, VNC to our lab systems on an external network, check in on an IRC chat room or even surf to some sites that I don't want corporate IM to know about. (I'm not talking porn, but the nanny software frequently blocks sites as 'hacker sites', like the nmap site, which I do have a business reason to be viewing. Ugh.)

So I use ssh's port redirection to do all this.


ssh -f -C \
-L 1234:mail.myisp.com:143 \
-L 6667:irc.openprojects.net:6667 \
-L 8080:127.0.0.1:3128 \
-l marc homemachine.dslprovider.com sleep 7200


Then I configure my mail client to connect to localhost:1234 for IMAP, my chat client to use localhost:6667 and my web browsers to use localhost:8080 as their proxy. So that I don't have to go and reconfigure all the apps that need to use a proxy (mozilla, netscape, galeon, konqueror, Ximian's red-carpet, Red Hat's up2date, nautilus and various command line apps that use http_proxy, like Debian's apt-get, etc.), they always use 'localhost:8080' for the web proxy. When I want to switch back to using the corporate firewall, I run this instead:


ssh -f -C \
-L 1234:mail.myisp.com:143 \
-L 6667:irc.openprojects.net:6667 \
-L 8080:proxy.whereIwork.com:8080 \
-l marc homemachine.dslprovider.com sleep 7200
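
An added example (not part of the original post) for auditing tunnels like the two above: it parses the -L options of an ssh command line into local-port-to-destination mappings and reports which mapping differs between the two commands. The function and variable names are assumptions of this example, and bundled short options and -o LocalForward are not handled.

```python
import re
import shlex

# ssh -L syntax: [bind_address:]port:host:hostport (bracketed IPv6 allowed)
SPEC = re.compile(
    r"^(?:(?P<bind>\[[^\]]+\]|[^:]*):)?(?P<lport>\d+):"
    r"(?P<host>\[[^\]]+\]|[^:]+):(?P<hport>\d+)$"
)

def local_forwards(cmd):
    """Return {local_port: (dest_host, dest_port)} for each -L in an ssh command.

    Handles '-L spec' and '-Lspec' only (hypothetical helper, not part of ssh).
    """
    argv = shlex.split(cmd.replace("\\\n", " "))  # join continuation lines
    forwards = {}
    i = 0
    while i < len(argv):
        spec = None
        if argv[i] == "-L" and i + 1 < len(argv):
            i += 1
            spec = argv[i]
        elif argv[i].startswith("-L") and len(argv[i]) > 2:
            spec = argv[i][2:]
        if spec is not None:
            m = SPEC.match(spec)
            if m is None:
                raise ValueError(f"unparseable -L spec: {spec!r}")
            forwards[int(m["lport"])] = (m["host"], int(m["hport"]))
        i += 1
    return forwards

def changed_forwards(before, after):
    """Local ports whose destination differs between two tunnel commands."""
    a, b = local_forwards(before), local_forwards(after)
    return {p: (a.get(p), b.get(p))
            for p in sorted(a.keys() | b.keys()) if a.get(p) != b.get(p)}

# The two commands from the post, differing only in the 8080 forward.
COMMON = r"""ssh -f -C \
-L 1234:mail.myisp.com:143 \
-L 6667:irc.openprojects.net:6667 \
-L 8080:%s \
-l marc homemachine.dslprovider.com sleep 7200"""
VIA_HOME = COMMON % "127.0.0.1:3128"
VIA_CORP = COMMON % "proxy.whereIwork.com:8080"

if __name__ == "__main__":
    for port, (old, new) in changed_forwards(VIA_HOME, VIA_CORP).items():
        print(f"localhost:{port}: {old} -> {new}")
```

Only the 8080 entry is reported as changed, which is why the applications can stay pointed at localhost:8080 in both cases.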