Flutterby™! : Useful trick w/Watch Guard Firewalls


Useful trick w/Watch Guard Firewalls

2011-12-08 19:15:37.995582+00 by meuon 8 comments

We're trying to securely move files from A to B, with a Watchguard firewall in the way. The Watchguards do not like SCP. Its answer was to use FTP and SMB.

Our answer was a version of: ssh root@ -p 99 cat /home/foo/stuff/export.zip >export.zip

Which worked almost 100 times in a row. Then the Watchguard decided it did not like it. Still a useful trick. If I end up on the other end... I may install a real firewall (dreaming).


comments in ascending chronological order:

#Comment Re: made: 2011-12-08 20:31:09.37515+00 by: ebradway

Sounds like you need to route around the firewall. Will tor do it? Maybe you should just put a 3G USB dongle inside the case. Assuming you are in a location with cell coverage...

#Comment Re: made: 2011-12-08 20:52:13.674846+00 by: meuon

Firewall worked around with (well, not exactly, but close):

On client: curl --insecure -T changes.zip

On server (PHP):

<?php
// Read the raw request body that `curl -T` sent as an HTTP PUT
$request = file_get_contents("php://input");
// Timestamp the file so successive uploads get distinct names
$now = date("YmdHis");
// Write the body out as a zip under incoming/
$bout = fopen("incoming/changes$now.zip", "w");
fputs($bout, $request);
fclose($bout);

Bypasses sane SCP method.

#Comment Re: made: 2011-12-08 22:12:35.231768+00 by: Dan Lyke

I am reminded of http://www.nocrew.org/software/httptunnel.html


#Comment Re: made: 2011-12-09 01:31:41.397959+00 by: TheSHAD0W

Nothing wrong with ftp; just encrypt before you transfer.

#Comment Re: made: 2011-12-09 01:44:40.949325+00 by: Dan Lyke

FTP passes the password insecurely...

#Comment Re: made: 2011-12-09 02:08:48.499715+00 by: meuon

And the Watchguard is set to deny FTP and requires some special module for SFTP.

Good firewalls make sense. Bad firewalls hurt security.

But it allows almost anything via HTTPS. Cripes.

#Comment Re: made: 2011-12-09 05:27:18.078727+00 by: Dan Lyke

Also, scp/ssh/sftp offer protection against MITM attacks. HTTPS does a little bit towards that (unless you're high enough profile to fall prey to a CA compromise). FTP is one DNS spoof away from compromise.

sftp happens over ssh (2.0), so no surprises there: if ssh doesn't work, neither will sftp.

(and the iPad wants to correct "sftp" to "Afro")

#Comment Re: made: 2011-12-10 06:22:02.125368+00 by: TheSHAD0W

FTP passes the password insecurely...

For download from the server, just put the files out there. If someone *does* intercept the password and log in, they can only download encrypted files.

For upload, set permissions so files can't be overwritten and/or make it so the upload directory contents can't be read. That way an attacker trying to plant a trojan horse can't modify your data or can't figure out what sort of filename you're expecting.

Either way, FTP would work for you.
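A hardened version of the HTTPS upload receiver from meuon's comment above, written in Python rather than PHP, which also applies TheSHAD0W's no-overwrite and unreadable-upload-directory advice; this is an added example, not code from this thread. It assumes an `incoming` directory beside the script and a 16 MiB size limit, both constructed for the example, and it should be paired with a verified certificate on the client rather than `curl --insecure`, or the HTTPS hop gives up the MITM protection Dan Lyke mentions.

```python
import hashlib
import json
import os
import secrets
from http.server import BaseHTTPRequestHandler

MAX_UPLOAD_BYTES = 16 * 1024 * 1024  # constructed limit; size it for your zips
INCOMING_DIR = "incoming"             # assumed path, as in the PHP snippet


def store_upload(body: bytes, incoming_dir: str) -> dict:
    """Write one uploaded blob into incoming_dir and return its metadata.
    Unlike the thread's PHP receiver: the size is bounded, the file name is
    chosen here rather than taken from the request, O_EXCL refuses to
    overwrite, file and directory are unreadable to other local users, and a
    SHA-256 is returned so the sender can confirm the upload arrived intact.
    """
    if not body:
        raise ValueError("empty upload")
    if len(body) > MAX_UPLOAD_BYTES:
        raise ValueError("upload exceeds %d bytes" % MAX_UPLOAD_BYTES)
    os.makedirs(incoming_dir, mode=0o700, exist_ok=True)
    path = os.path.join(incoming_dir, "changes-%s.zip" % secrets.token_hex(8))
    # O_EXCL: fail instead of clobbering if the name somehow already exists.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(body)
    return {"path": path, "size": len(body),
            "sha256": hashlib.sha256(body).hexdigest()}


class UploadHandler(BaseHTTPRequestHandler):
    """Accepts the thread's `curl -T changes.zip <url>`, which is an HTTP PUT."""

    def do_PUT(self):
        length = int(self.headers.get("Content-Length") or 0)
        if length <= 0 or length > MAX_UPLOAD_BYTES:
            self.send_error(413, "upload size not acceptable")
            return
        try:
            info = store_upload(self.rfile.read(length), INCOMING_DIR)
        except (ValueError, FileExistsError) as exc:
            self.send_error(400, str(exc))
            return
        # The sender compares this digest with `sha256sum changes.zip` locally.
        reply = json.dumps({"sha256": info["sha256"], "size": info["size"]}).encode()
        self.send_response(201)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)
```

Serve it with `http.server.HTTPServer(("127.0.0.1", 8080), UploadHandler).serve_forever()` behind your TLS terminator, then upload with `curl -T changes.zip` and compare the returned sha256 against `sha256sum changes.zip` to catch a truncated or tampered transfer.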