On 30 Jul 2003, Aleksander Demko wrote:

> On Tue, 2003-07-29 at 21:45, Tom Diehl wrote:
> > If you can do ssh you can usually do rsync. Just add a "-e ssh" to the
> > rsync command line. rsync is a truly wonderful program for mirroring
> > stuff.
>
> Almost. The DMZed machine itself cannot open ANY sockets to the outside
> world - only respond to httpd and ssh requests. So what I did is I

Wow! That's paranoid! I can understand controlling the sockets it offers, as buffer overwrite attacks on daemons (sometimes even including httpd and sshd :-) are a standard cracker point of egress, but what exactly is the motivation for preventing outgoing connections under the direct control of its systems person, in particular outgoing ssh or outgoing rsync? In double particular, outgoing connections that could be made (if you are as paranoid as you appear to be) as a non-root, unprivileged user on the server that exists only to own the to-be-mirrored repository, such as "nobody".

> ssh'ed INTO it and used -R port:some.proxy:port so the server tunnels
> http requests back down my ssh connection and to a proxy, and then to
> the rest of the world.

If you can ssh into it with the -R trick, then the methodology I used to set up my yum tunnel should work for you to set up an rsync tunnel with no need for a proxy.

Recipe:

Given a system myhost from which rsync to the repository you wish to mirror, rsynchost, works (according to the test Seth mentioned earlier), connect to the insanely paranoid server myserver that regulates outgoing port connections (which could only be made, deliberately, by its systems staff):

  ssh -l root -R 873:rsynchost:873 myserver

(background it or leave this connection running idle in some window). Then, on myserver:

  rsync localhost::

is completely equivalent to

  rsync rsynchost::

from host myhost. Except that the files transferred will end up on myserver, of course. Stir well, cook until done. This works, as I tried it.
The one negative thing is that rsync >>requires<< a privileged port to work in anonymous mode (at least, so I grok from experiments and the man page -- you can specify a host:port in just about any mode BUT anonymous mode), so you have to run the ssh connection to the server as root on myserver. Alternatively, it has to be bone simple to hack the rsync source to connect to e.g. port 33333 or some other unprivileged value for anonymous mode, so you could replace the ssh above with just plain

  ssh -R 33333:rsynchost:873 myserver

and use rsync localhost:: thereafter.

I personally think that it makes more sense to just open outgoing connections to 873 in the iptables or ipfilter rules that are currently blocking it, but if this is impossible and you have a user account on myhost outside the firewall and root privileges on myserver inside the firewall, you should be good to go...

   rgb

-- 
Robert G. Brown                        http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525     email:rgb@xxxxxxxxxxxx
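The recipe above as one script, added here as an example and not part of rgb's post or of rsync itself. It runs on myhost, opens the reverse tunnel to myserver with ssh -R, and runs the rsync on myserver inside that same ssh session, so the tunnel exists exactly as long as the transfer it carries. rsync accepts --port=N (and the rsync://host:port/module form) for daemon-mode transfers, so the listener on myserver can sit on an unprivileged port and the login there need not be root; the script picks the login user from the port it is asked to bind. The host names are the placeholders from the thread; the module name "fedora" and the destination directory are assumptions.

```shell
#!/bin/sh
# Added example: one-shot rsync mirror through a reverse SSH tunnel, so the
# DMZ host never opens an outgoing socket itself.
#
# Topology (placeholder names from the thread, not real hosts):
#   myhost    - where this runs; can reach rsynchost:873 and ssh to myserver
#   myserver  - the locked-down DMZ host; accepts inbound ssh only
#   rsynchost - the upstream rsync daemon
#
# ssh -R binds a listener on myserver (loopback only, GatewayPorts off) that is
# carried back through this session to myhost and on to rsynchost:873. Binding
# a port below 1024 on myserver requires logging in there as root; an
# unprivileged port (33333 by default) does not, because rsync's --port lets
# the client name the daemon port.

UPSTREAM_HOST=${UPSTREAM_HOST:-rsynchost}
UPSTREAM_PORT=${UPSTREAM_PORT:-873}
TUNNEL_PORT=${TUNNEL_PORT:-33333}
DMZ_HOST=${DMZ_HOST:-myserver}
MODULE=${MODULE:-fedora}                 # assumed rsync module name
DEST=${DEST:-/var/www/html/mirror}       # assumed destination on myserver

# Returns 0 if binding the port needs root (1-1023), 1 if it does not,
# 2 if the argument is not a valid TCP port at all.
port_needs_root() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || return 2
    [ "$1" -lt 1024 ]
}

# The -R argument: <port to bind on myserver>:<upstream host>:<upstream port>
reverse_forward_spec() {
    printf '%s:%s:%s' "$1" "$2" "$3"
}

# Login user on the DMZ host: root only when the tunnel port is privileged.
tunnel_login() {
    if port_needs_root "$1"; then
        echo root
    else
        echo "${DMZ_USER:-${USER:-$(id -un)}}"
    fi
}

# The rsync command as it will run ON myserver, talking to the tunnel end.
remote_rsync_cmd() {
    printf 'rsync -av --delete --port=%s localhost::%s/ %s/' "$1" "$2" "$3"
}

# Open the tunnel and run the mirror over it; ssh exits when rsync does.
run_mirror() {
    spec=$(reverse_forward_spec "$TUNNEL_PORT" "$UPSTREAM_HOST" "$UPSTREAM_PORT")
    user=$(tunnel_login "$TUNNEL_PORT")
    # ExitOnForwardFailure: fail fast if the port on myserver is already taken,
    # instead of running rsync against a listener that is not ours.
    ssh -o ExitOnForwardFailure=yes \
        -l "$user" -R "$spec" "$DMZ_HOST" \
        "$(remote_rsync_cmd "$TUNNEL_PORT" "$MODULE" "$DEST")"
}

case "${1:-}" in
    --run) run_mirror ;;
    *)     echo "dry run; invoke with --run to open the tunnel and mirror" ;;
esac
```

Run as `TUNNEL_PORT=873 ./mirror.sh --run` to reproduce rgb's root-login variant exactly; with the default port the DMZ login can be the unprivileged user that owns the mirror tree, which is the least-privilege shape the thread was asking about.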