* [LARTC] Allowing CVS, RCP & SCP
@ 2002-07-04 11:40 A. Peter Mee
  2002-07-04 13:01 ` Alex Bennee
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: A. Peter Mee @ 2002-07-04 11:40 UTC (permalink / raw)
  To: lartc

Hi all,

Could someone give me some pointers to achieving stable cvs and rcp access
through a fairly restrictive firewall.  I'm using a 2.4.18 kernel which
defaults to dropping everything, then punching holes where needed and
SNATting the internal network.  Single-socket protocols (http, smtp, pop3)
do currently function correctly through the firewall so I'm assuming the cvs
and rcp/scp protocols are not single-socket.  The ftp and irc protocols also
function correctly through the firewall.

If something more specific about my configuration is needed, I'll be happy
to oblige. ;-)

TIA

Cheers,

Pete Mee


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] Allowing CVS, RCP & SCP
  2002-07-04 11:40 [LARTC] Allowing CVS, RCP & SCP A. Peter Mee
@ 2002-07-04 13:01 ` Alex Bennee
  2002-07-04 14:34 ` bert hubert
  2002-07-04 15:04 ` Alex Bennee
  2 siblings, 0 replies; 4+ messages in thread
From: Alex Bennee @ 2002-07-04 13:01 UTC (permalink / raw)
  To: lartc

A. Peter Mee said:
> Hi all,
>
> Could someone give me some pointers to achieving stable cvs and rcp
> access through a fairly restrictive firewall.  I'm using a 2.4.18
> kernel which defaults to dropping everything, then punching holes where
> needed and SNATting the internal network.  Single-socket protocols
> (http, smtp, pop3) do currently function correctly through the firewall
> so I'm assuming the cvs and rcp/scp protocols are not single-socket.
> The ftp and irc protocols also function correctly through the firewall.

ssh is a single socket protocol. If you can ssh through your firewall then
you can use scp. You can even tunnel other ports over the single ssh
connection (e.g. X).

CVS isn't a network protocol. You generally run it using remote shell tools,
in the CVS manual it allows you to specify how with the CVS_RSH environment
variable.

r* tools are bad. Do you need them?

> If something more specific about my configuration is needed, I'll be
> happy to oblige. ;-)
>
> TIA
>
> Cheers,
>
> Pete Mee


Alex
www.bennee.com/~alex/



* Re: [LARTC] Allowing CVS, RCP & SCP
  2002-07-04 11:40 [LARTC] Allowing CVS, RCP & SCP A. Peter Mee
  2002-07-04 13:01 ` Alex Bennee
@ 2002-07-04 14:34 ` bert hubert
  2002-07-04 15:04 ` Alex Bennee
  2 siblings, 0 replies; 4+ messages in thread
From: bert hubert @ 2002-07-04 14:34 UTC (permalink / raw)
  To: lartc

On Thu, Jul 04, 2002 at 02:01:07PM +0100, Alex Bennee wrote:
> A. Peter Mee said:
> > Hi all,
> >
> > Could someone give me some pointers to achieving stable cvs and rcp
> > access through a fairly restrictive firewall.  I'm using a 2.4.18
> > kernel which defaults to dropping everything, then punching holes where
> > needed and SNATting the internal network.  Single-socket protocols
> > (http, smtp, pop3) do currently function correctly through the firewall
> > so I'm assuming the cvs and rcp/scp protocols are not single-socket.
> > The ftp and irc protocols also function correctly through the firewall.
> 
> ssh is a single socket protocol. If you can ssh through your firewall then
> you can use scp. You can even tunnel other ports over the single ssh
> connection (e.g. X).
> 
> CVS isn't a network protocol. You generally run it using remote shell tools,
> in the CVS manual it allows you to specify how with the CVS_RSH environment
> variable.

CVS 'pserver' lives on port 2401. Use netstat -an to see which ports have
LISTENing sockets, and open up those ports.

Regards,

bert

-- 
http://www.PowerDNS.com          Versatile DNS Software & Services
http://www.tk                              the dot in .tk
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO

* Re: [LARTC] Allowing CVS, RCP & SCP
  2002-07-04 11:40 [LARTC] Allowing CVS, RCP & SCP A. Peter Mee
  2002-07-04 13:01 ` Alex Bennee
  2002-07-04 14:34 ` bert hubert
@ 2002-07-04 15:04 ` Alex Bennee
  2 siblings, 0 replies; 4+ messages in thread
From: Alex Bennee @ 2002-07-04 15:04 UTC (permalink / raw)
  To: lartc

bert hubert said:
> On Thu, Jul 04, 2002 at 02:01:07PM +0100, Alex Bennee wrote:
>> A. Peter Mee said:
>> > <snip>
>> > Could someone give me some pointers to achieving stable cvs and rcp
>> > access through a fairly restrictive firewall.
>> > <snip>
>>
>> CVS isn't a network protocol. You generally run it using remote shell
>> tools, in the CVS manual it allows you to specify how with the
>> CVS_RSH environment variable.
>
> CVS 'pserver' lives on port 2401. Use netstat -an to see which ports
> have LISTENing sockets, and open up those ports.

Quite correct of course.

There are numerous ways of accessing remote CVS repositories (see
http://www.cvshome.org/docs/manual/cvs_2.html#SEC26). CVS over ssh seems to
be the preferred method of large development communities (sourceforge and
savannah at least). Once you've got ssh working you don't need to do any
additional (network level) work to get CVS running. I would generally be
wary of just opening up ports that are listening without being aware of the
security implications of using that protocol. The CVS documentation suggests
Kerberos over pserver for security. ssh works just as well (the documentation
only refers to rsh which is insecure but replaceable by ssh).

Alex
www.bennee.com/~alex/
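
An added example, not part of any message in this thread: a shell function that reads `netstat -an` output and sorts externally reachable TCP listeners into ssh (open), CVS pserver on 2401 (review first) and the r-tools ports 512-514 (block), following the advice in the replies. The sample netstat text, the function names and the verdict labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify LISTENing TCP ports before opening firewall holes.

# Constructed sample of Linux `netstat -an` output (not taken from the thread).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2401            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:40112      ESTABLISHED
udp        0      0 0.0.0.0:514             0.0.0.0:*'

# Reads netstat -an text on stdin and prints "<port> <verdict> <service>"
# for every TCP listener that is not bound to loopback, sorted by port.
# Verdicts are this example's assumption about policy:
#   open   - ssh: one TCP connection, carries scp and CVS (CVS_RSH=ssh)
#   review - pserver or unknown: understand the protocol before opening
#   block  - rexec/rlogin/rsh (512-514): cleartext r-tools, use ssh instead
audit_listeners() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":"); port = a[n] + 0
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (addr == "127.0.0.1" || addr == "::1") next   # loopback only
            if (port == 22)                      v = "open ssh"
            else if (port == 2401)               v = "review cvs-pserver"
            else if (port >= 512 && port <= 514) v = "block r-tools"
            else                                 v = "review unknown"
            print port, v
        }' | sort -n | uniq
}

# Ports the policy above allows without further review (ssh only).
ports_to_open() {
    audit_listeners | awk '$2 == "open" { print $1 }'
}

printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners
```

On a live host, pipe the real output in with `netstat -an | audit_listeners`.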

