Hi all,

Could someone give me some pointers to achieving stable cvs and rcp access through a fairly restrictive firewall? I'm using a 2.4.18 kernel which defaults to dropping everything, then punching holes where needed and SNATting the internal network. Single-socket protocols (http, smtp, pop3) do currently function correctly through the firewall so I'm assuming the cvs and rcp/scp protocols are not single-socket. The ftp and irc protocols also function correctly through the firewall.

If something more specific about my configuration is needed, I'll be happy to oblige. ;-)

TIA

Cheers,

Pete Mee

A. Peter Mee said:
> Hi all,
>
> Could someone give me some pointers to achieving stable cvs and rcp
> access through a fairly restrictive firewall. I'm using a 2.4.18
> kernel which defaults to dropping everything, then punching holes where
> needed and SNATting the internal network. Single-socket protocols
> (http, smtp, pop3) do currently function correctly through the firewall
> so I'm assuming the cvs and rcp/scp protocols are not single-socket.
> The ftp and irc protocols also function correctly through the firewall.

ssh is a single socket protocol. If you can ssh through your firewall then you can use scp. You can even tunnel other ports over the single ssh connection (e.g. X).

CVS isn't a network protocol. You generally run it using remote shell tools, in the CVS manual it allows you to specify how with the CVS_RSH environment variable.

r* tools are bad. Do you need them?

> If something more specific about my configuration is needed, I'll be
> happy to oblige. ;-)
>
> TIA
>
> Cheers,
>
> Pete Mee
>
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Alex
www.bennee.com/~alex/

On Thu, Jul 04, 2002 at 02:01:07PM +0100, Alex Bennee wrote:
> A. Peter Mee said:
> > Hi all,
> >
> > Could someone give me some pointers to achieving stable cvs and rcp
> > access through a fairly restrictive firewall. I'm using a 2.4.18
> > kernel which defaults to dropping everything, then punching holes where
> > needed and SNATting the internal network. Single-socket protocols
> > (http, smtp, pop3) do currently function correctly through the firewall
> > so I'm assuming the cvs and rcp/scp protocols are not single-socket.
> > The ftp and irc protocols also function correctly through the firewall.
>
> ssh is a single socket protocol. If you can ssh through your firewall then
> you can use scp. You can even tunnel other ports over the single ssh
> connection (e.g. X).
>
> CVS isn't a network protocol. You generally run it using remote shell tools,
> in the CVS manual it allows you to specify how with the CVS_RSH environment
> variable.

CVS 'pserver' lives on port 2401. Use netstat -an to see which ports have LISTENing sockets, and open up those ports.

Regards,

bert

--
http://www.PowerDNS.com Versatile DNS Software & Services
http://www.tk the dot in .tk
http://lartc.org Linux Advanced Routing & Traffic Control HOWTO

bert hubert said:
> On Thu, Jul 04, 2002 at 02:01:07PM +0100, Alex Bennee wrote:
>> A. Peter Mee said:
>> > <snip>
>> > Could someone give me some pointers to achieving stable cvs and rcp
>> > access through a fairly restrictive firewall.
>> > <snip>
>>
>> CVS isn't a network protocol. You generally run it using remote shell
>> tools, in the CVS manual it allows you to specify how with the
>> CVS_RSH environment variable.
>
> CVS 'pserver' lives on port 2401. Use netstat -an to see which ports
> have LISTENing sockets, and open up those ports.

Quite correct of course. There are numerous ways of accessing remote CVS repositories (see http://www.cvshome.org/docs/manual/cvs_2.html#SEC26). CVS over ssh seems to be the preferred method of large development communities (SourceForge and Savannah at least). Once you've got ssh working you don't need to do any additional (network level) work to get CVS running.

I would generally be wary of just opening up ports that are listening without being aware of the security implications of using that protocol. The CVS documentation suggests Kerberos over pserver for security. ssh works just as well (the documentation only refers to rsh which is insecure but replaceable by ssh).

Alex
www.bennee.com/~alex/
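
Added example, not part of the original thread: a small shell audit that reads `netstat -an` output and labels each TCP listener by the services discussed above, so a port is identified before a firewall hole is punched for it. The sample output, the function names and the label wording are constructed for illustration; 514/tcp is the standard rsh port used by rcp.

```shell
#!/bin/sh
# Added example: classify LISTENing TCP sockets from `netstat -an`
# before deciding which ports to open on a default-drop firewall.

# Constructed sample of Linux `netstat -an` output (not from the thread).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2401            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:40112      ESTABLISHED
udp        0      0 0.0.0.0:514             0.0.0.0:*
EOF
}

# Reads netstat -an text on stdin; prints "port scope label" per TCP listener,
# sorted by port number. Established connections and UDP sockets are ignored.
audit_listeners() {
    awk '
    $1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, a, ":")      # port is the text after the last colon
        port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        scope = (addr == "127.0.0.1" || addr == "::1") ? "local-only" : "exposed"
        if (port == 22)        label = "ssh: carries scp and CVS via CVS_RSH=ssh"
        else if (port == 2401) label = "cvs pserver: review before opening"
        else if (port == 514)  label = "rsh/rcp: insecure r* service"
        else                   label = "unclassified: identify the service first"
        printf "%s %s %s\n", port, scope, label
    }' | sort -n
}

# Demonstration on the constructed sample.
sample_netstat | audit_listeners
```

On a real host, pipe the live output in with `netstat -an | audit_listeners`.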