Anybody have suggestions for how to get around a corporate firewall that will not let me SSH on 80 or 443? I tried running hts/htc on the same ports and that won't work either :( raptelan: http://www.jedi.be/blog/2008/11/07/a-few-cases-of-tunnel-piercings-for-firewalls-for-ssh-access/ DaCa: I've tried htc/hts already though...and even that is not working. I know that i'm trying correctly, because using htc when not on their network works. raptelan: I don't have any more suggestions raptelan: food for thought: if the corporate firewall is configured to block SSH, then SSH is probably against the company policy. Which begs the question: Is it really worth risking your job? It raises the question. "Begging the question" means to have a circular argument. ... and that's your pedanticism for the day. in my experience, after having this conversation a thousand times, the whole "the company doesn't allow it but I'll do it anyway" conversation IS a circular argument. Heh. the user never seems to get the fact that it's not their network, and they aren't *entitled* to do whatever they want. and since they never really "get it" they keep up with circular logic to justify it. of course, that same false sense of entitlement is prolific in our society, and is the root cause of a LOT of fights and arguments. jpalmer: I didn't sign any such policy, and if they want to fire me for it (I seriously doubt that would happen even if they knew what I was doing), there's plenty of other jobs in my field. :) jpalmer: my network port was automatically shut down when I ran virtual machines as well, but they added an exception because it's to protect against something nasty going on - developers are allowed to do crap like that ;) oh, and it's easier to ask for forgiveness than permission ;) unless it involves felony charges. :) Hah. anyone else seeing maybe 1-2% packet loss both into ARP and outbound to their ARP gateway (IPv4)? argh. 
must be my connection again you are not allowed to complain until you reach the 75% packet loss mark. lol I lose 75% of my packets, but just not all in a row. :) I actually showed about 20% after web pages took forever to load :P raptelan: You could install a web based SSH client on a server. There are a few open source ones. how do you find out about packet loss? ping! DDevine: I thought the problem with that was that they were basically java apps that still needed the ability to ssh from the client computer to the server... DDevine: I haven't looked into the possibility much, though. there might be some AJAX ones available raptelan: you could also ask IT to make an exception in the policy, since you're a developer and all jpalmer: but then I might get told "no" - then I'd no longer be comfortable working around it ;) I wouldn't be comfortable in the first place. anyone else experiencing connectivity issues? like my connection here seems to go down and I cannot access my vps from .pt rgouveia: I'm IRC'ing from my VPS...haven't seen any issues. me too then again, .pt is a long ways from LA could be any number of things where does the traceroute start to go whacky? Hi RandalSchwartz, seems 67.199.135.102 ahh. packetexchange that's outside anything Garry can help with I don't have any output after that although I am now connected last time I had a connectivity issue it was packetexchange IIRC raptelan: you're in the US too? yeah - I come in via net2ez.com 2.018 ms ping time from my desk and that's 9 hops RandalSchwartz: I wish :-) rgouveia: yes, I'm in New York right now. raptelan: ok, so I'm the only one far away then rgouveia: yeah, I'm close - only about 2500 miles ;) rgouveia: but yes, you're farther. and more water too :-) raptelan: get traceroutes, and send an email to support@ Garry can file a ticket with packetexchange, and have them look into it. jpalmer: my traceroutes are fine, I think you meant that for rgouveia?
indeed, sorry jpalmer: hi, thanks I'll do that :-) which is worse: not having a reverse DNS entry for an address, or having an rDNS entry that does not itself resolve? when you say 'having an rDNS entry that does not itself resolve' do you mean that the forward and reverse wouldn't match? dig NAME returns NXDOMAIN for that address type ssh gets picky about some of that yeah, ssh is normally the most annoying with rnds *rdns good point lots of things get picky about that. incredibly so if it's a mailserver. yeah in conclusion: have valid rdns ;) google can deal with mail ;) although i am very disappointed that google can't deliver mail to v6 MX yeah, i've recently been getting angry about that hope they have it ready in time for ipv6 day! i suspect things will start to change after ipv6 day i work for an isp; we've only just v6'd our core network however it was *much* easier than we expected xlhost delayed me on v6 address allocation for 2 months now i have v6 everywhere :D they finally did do it though bob^^: me too! :D have you tried disabling your v4 stack? bob^^: did you guys get your own v6 allocation, or are you getting it from your provider? jpalmer: own alloc from RIPE i ran one of my arpnetworks instances without v4 for a good while it's amazing how few web sites are v6 ready :( yeah a vps with no v4 is going to be essentially useless :P i have an apple airport dishing a hurricane electric tunnel to my home LAN as well. pretty idiot-proof i'm just desperate to go all v6 now nice :) jpalmer: how's that? i noticed those options on my airport too, very smart i have a netscreen at home though so it's tunneling to HE too :) bob^^: i was floored by how well it works I did it as a test a while back, to see if FreeBSD and CentOS could get full updates, patches, ports and other administrative necessities.. and surprisingly, both worked well.
ubuntu updates over v6 fine too it seems the more technical parts of the web are very much v6 ready just the big sites that are trailing their heels openbsd mirror at isc.org is v6 AND close to arpnetworks ;) even the BBC over here don't have *any* v6 presence yet, which is pretty annoying :( did you hear about microsoft buying nortel's v4 allocations? yeah, i don't like that that is nuts i didn't think it was allowed tbh i know over here with RIPE that's pretty much totally against the rules right getting IPs here is a nightmare anyway i wonder if they pre-cleared it with them or something we recently got a /16 it was *not* easy to get (a v4 /16) wow. as an ISP, did RIPE give you a /32 or a /48 a /32 cool yeah :) i was under the impression that that was nearly impossible outside the US nowadays i still can't quite believe how big it is you can enumerate all the visible stars in the sky then :) yeah, amazing number of addresses :) I have 5 or 6 /48's already it still feels quite wasteful though pushing a /64 down to our office network for example consider, a /32 is like *one* address from v4 well back in the 90's when every community college was getting a v4 /16 i'm sure nobody thought about running out... you use a /64 for each segment yup the autoconfig stuff is pretty smart i must say i'm really liking some of the stuff about v6 agreed. yet to investigate the encryption stuff but that sounds handy as i suspect we could start to do away with VPNs me too at least i get 10/10 on v6 and v4 tests from test-ipv6.com now anyway ;) the stuff at ipv6.he.net is quite helpful yeah yeah, HE are fantastic we actually use them as a primary transit provider here too great network (and exceptionally cheap for transit) mind you we're getting bulk rates for buying 10gbit/s from them ;) I got my T-shirt! Did you? I got mine! actually, last month.
i need to finish off the tests on there :) it wanted me to v6 enable my mailserver which is not particularly easy given i use google apps for my email :/ going to create a test zone inside my domain and throw up exim over the weekend on v6 :) bob^^: i was running a v6 MTA for about 10 minutes just for that test ;) hehe, that's exactly what i intend to do :) me too actually - it was the webserver that I just tunnelled using socat :) I made it so port 80 on v6 resent to port 80 on v4 bob^^: you can setup exim, and just set a temporary AAAA record for the test. set your DNS TTL's to like 60 seconds. do the test and remove the AAAA. the chances of you getting any mail other than the test delivered over it, almost non-existent. the ipv4 mail will look up the A records for your MX. the test mail will lookup the AAAA records, which would be pointed to your exim install. no need for a subdomain or whatever. cheaters ;) it's not cheating. you are legitimately accepting the mail over IPv6, which is the purpose of the test, to prove your knowledge. it doesn't say you have to KEEP accepting it. cheating (to me, anyway) would be doing something like.. claiming you were the he.net domain, or arpnetworks.com domain, where all of this is already setup. and then just breezing through the tests without doing anything to demonstrate actual knowledge. oooh - I never thought of that :) except that you have to add something to a web page, I think yeah, I think so. I was just using that as an example of what I'd consider cheating ;) hi is something broken? LOL he waited the allocated 75 seconds for a response and decided it must just be on his end i guess haha pew pew. bob^^: what's your v6 allocation? just curious from which prefix RIPE allocates MS bought nortel's v4 allocations? wtf