peppepolpo wrote:
> > Probably using ssh port forwarding through whatever ports are allowed by
> > the firewalls (80?).
>
> as far as I know, all calls originating from outside the firewalls are
> blocked
>
> > Do you have any control over the firewalls?
>
> no
Well, that would seem to eliminate any tunnels or ssh using a port that
is "shared" with any other protocols. You could try making a tunnel
"around/through" the FWs, but those admins will not like it (even if
they know about it) and you can never know when/how it might get
broken. I take it the powers-that-be and you are comfortable allowing port
80 SYNs out and the response back in.
> > If not, do you care that you might (lose your job|be expelled from your school) for circumventing those firewalls?
>
> no such danger. I have full support of the "authorities in charge".
This is how I understand your possible/allowed setup (fixed font
ascii):

    +------------------------------------------------+
    |                                                |
    |                    INTERNET                    |
    |                                                |
    +------------------------------------------------+
          |                                   |
          |                                   |
          |                                   |
         FW1-----DMZ                         FW2
          |       |                           |
          |  DEDICATED LINUX                  |
          |  (HTTP SERVER?)                   |
         LAN1                                LAN2
          |                                   |
          |                                   |
         PC1                                 PC2

Thus both FW1 and FW2 will allow connections out (SYN) on port 80 and
will allow the response back in to the requesting host.
The Linux box with a static (public?) IP will act as an http "courier"
by storing PUTs from either PC1 or PC2 and allowing GETs from PC1 and
PC2 (only?). You probably don't want to rely on in-memory storage, so
PUTs will write to disk. GETs will fetch from disk.
Sounds like you just need a lightweight http server on a minimal,
hardened and access-controlled (firewalled) Linux box. You could
implement further acls within the http server and use SSL/TLS if the
data needs to be encrypted. Software is handy, well understood by
everyone, and setup will only deviate from a standard one if you need
to impose acls. Probably requires no change on FWs except a
route/forwarding entry on FW1 to the Linux box. A switch in front of FW1
would even eliminate that if the Linux box has a public IP.
It's clunky and certainly not transparent from either PC1 or PC2 --
i.e., all "shared" communications will go through the Linux server and will
be quite obvious. Without control of the firewalls I don't see how you
can readily get around this. It may be useful to be explicit anyway
(hopefully), as there is less chance that it holds surprises for anyone.
This can be a pretty bare bones http server or you could use something
like Zope (just the basic setup without any add-ons) if you need
something more sophisticated. Even Apache with all its bells and
whistles is overkill for something like this. Zope is too, but is
pretty easy to set up for such a basic purpose and adds fine grained
acls, server side code, and db storage of data rather than numerous
files lying about.
In any case, I would be inclined to use an http server on the dedicated
Linux box.
Will something like this suit your needs or were you hoping for
something more "transparent"?
cheers,
prg
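To make the "courier" concrete, here is an added example of the bare bones server prg describes: PUTs are written to disk, GETs read them back, and an acl inside the http server limits who may use it. This is my own illustration, not code from prg's post, from Zope or from any project. It assumes (my assumptions, not the thread's) that objects are flat file names, that the acl is by source IP of PC1 and PC2, and that SSL/TLS, if needed, is put in front by a proxy rather than handled here; the function and class names are hypothetical.

```python
import http.server
import os
import re
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

# Flat object names only: no '/', '%' or leading dot, so "../x", "..%2Fx" and ".ssh" are refused.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]{0,63}$")

def safe_path(store_dir, url_path):
    """Map a request path to exactly one file inside store_dir, or None."""
    name = url_path.lstrip("/")
    if not SAFE_NAME.match(name):
        return None
    full = os.path.realpath(os.path.join(store_dir, name))
    if os.path.dirname(full) != os.path.realpath(store_dir):
        return None  # second line of defence: resolved path left the store
    return full

class CourierHandler(http.server.BaseHTTPRequestHandler):
    store_dir = None               # filled in per server by start_courier()
    allowed_clients = frozenset()  # assumed: the source IPs of PC1 and PC2
    max_body = 8 * 1024 * 1024     # refuse oversized PUTs before reading them

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass

    def _target(self):
        # Source-IP acl plus name check; sends the error reply and returns None on failure.
        if self.client_address[0] not in self.allowed_clients:
            self.send_error(403, "client not allowed")
            return None
        path = safe_path(self.store_dir, self.path)
        if path is None:
            self.send_error(400, "bad object name")
        return path

    def do_PUT(self):
        path = self._target()
        if path is None:
            return
        length = int(self.headers.get("Content-Length", -1))
        if length < 0 or length > self.max_body:
            self.send_error(413, "missing or oversized body")
            return
        tmp = path + "~"  # '~' is outside SAFE_NAME: the temp file is unreachable over HTTP
        with open(tmp, "wb") as f: f.write(self.rfile.read(length))
        os.replace(tmp, path)  # atomic: a concurrent GET never sees a half-written file
        self.send_response(201)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        path = self._target()
        if path is None:
            return
        if not os.path.isfile(path):
            self.send_error(404, "no such object")
            return
        with open(path, "rb") as f: data = f.read()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

def start_courier(store_dir, allowed_clients, host="127.0.0.1", port=0):
    # Serve store_dir in a background thread; port 0 picks a free port (handy for the demo).
    handler = type("Handler", (CourierHandler,),
                   {"store_dir": store_dir, "allowed_clients": frozenset(allowed_clients)})
    server = socketserver.ThreadingTCPServer((host, port), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def request(base_url, method, name, data=None):
    # Client side, i.e. what PC1/PC2 would run; returns (status, body).
    req = urllib.request.Request(f"{base_url}/{name}", data=data, method=method)
    try:
        with urllib.request.urlopen(req) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, b""

def demo():
    """PC1 drops a file, PC2 fetches it; a traversal attempt and an unlisted client are refused."""
    store = tempfile.mkdtemp(prefix="courier-")
    srv = start_courier(store, {"127.0.0.1"})     # both PCs arrive as 127.0.0.1 here
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    other = start_courier(store, {"192.0.2.10"})  # an acl that does not list us
    obase = f"http://127.0.0.1:{other.server_address[1]}"
    results = {
        "put": request(base, "PUT", "report.txt", b"constructed sample from PC1")[0],
        "get": request(base, "GET", "report.txt"),
        "traversal": request(base, "GET", "..%2F..%2Fetc%2Fpasswd")[0],
        "stranger": request(obase, "GET", "report.txt")[0],
    }
    srv.shutdown(); other.shutdown()
    return results
```

Run `demo()` and everything happens on localhost; on the real box you would bind to the Linux server's address, list the actual PC1/PC2 addresses in the acl, and still keep the host firewall in front of it, since a source-IP check inside the server is only the second layer. The name whitelist is what keeps PUT from being a write-anywhere primitive: a request for `/../etc/passwd` or its percent-encoded form never reaches the filesystem.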