
Getting through a restrictive firewall

to play Go

Note

Please note that this page is no longer maintained!
Also I never got the thing described here to really work (because I was sitting behind a tough proxy-firewall combination)!
This page is meant to give you an idea of how to get through a firewall.

Anyways - I'd like to know what you think about this page. Please drop me a line to let me know.

Here you are, sitting behind a firewall which only lets you use ftp or surf the web via http.

No telnetting allowed, let alone using port 6969, 9696 or whatever. After a while you gave up trying to get through to play Go on a Go-server.

[If you don't even know what Go is, check out "The Web Go Page Index" to get to know Go.]
[If you just want to get through a firewall and Go is not your business at all, check out the site "GNU httptunnel" .]

But it is not that difficult to get through a firewall. You will still need some technical knowledge to set things up and to be able to judge the risks of what you are doing, though (see disclaimer below).

What to do

Things you really need

Software needed

Having both, here is what software you'll need and links to where you can get it:

So at least for the remote computer you'll need Java (to run Relay.jar). See the troubleshooting on where to get Java below.

Now you have everything you need to get through a firewall!

Here is a graphic that illustrates the idea. It shows the data-flow for the direction Go-client -> Go-server (arrows) using the default ports (marked red).

Setup

On the remote computer

Start the relay in a console using java:
java -jar Relay.jar
(See the troubleshooting for another way to start java-apps under Windows.)

Start the tunneling-server with
hts -c 20k -F localhost:5000 -D 1

The localhost:5000 part must not be changed since it denotes the port on which the relay listens.

By default the server listens on port 8888. You can change this by appending another port-number at the end of the line. E.g. hts -c 20k -F localhost:5000 -D 1 80 makes it listen on port 80.

Type hts --help to get a list of hts's commandline-options.

You need to know the IP-address of this computer later (for the tunneling-client, see below).

If it has a permanent connection, the IP address is static and will not change, so you need to look it up just once. E.g. using Windows just type "winipcfg" into a console. Linux experts will know what to do ;-)

If your IP is assigned dynamically, it changes on every login, so you need another way to find out the current IP of the remote computer. An additional program must run on that computer. Have a look at "IP Publisher" at DaveCentral to get a list of programs that publish the changed IP on a web-page or email it to your account.

That's it for the remote computer!

Now to the computer behind the firewall

Start the tunneling-client with
htc -B 20k -P proxy-address[:port] -c 20k -F 6971 -D 1 IP-address[:Port]

Here IP-address is the address of the remote computer, either hardcoded (when static) or changed according to the web-page or email (see dynamic above). The default value for Port is 8888 (see tunneling-server above).

That's it for the tough part.
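Seen from the proxy administrator's side, the htc command above leaves a recognisable trail: one client talking to a bare IP address, with uploads of one fixed size (the -c value) alongside GETs to the same destination. The following is an added example, not part of the original page; the log format, the sample lines, the threshold and the assumption that the upload leg shows up as POST or PUT requests are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample; the format "client method url request-body-bytes" is an
# assumption, as is 20480 for "-c 20k" (the check itself needs no exact value).
SAMPLE_LOG = """\
10.0.0.7 GET http://www.example.org/index.html 0
10.0.0.7 POST http://www.example.org/search 412
10.0.0.7 POST http://www.example.org/search 97
10.0.0.7 POST http://www.example.org/search 1530
10.0.0.9 POST http://198.51.100.5/upload 20480
10.0.0.23 POST http://192.0.2.44:8888/ 20480
10.0.0.23 GET http://192.0.2.44:8888/ 0
10.0.0.23 POST http://192.0.2.44:8888/ 20480
10.0.0.23 GET http://192.0.2.44:8888/ 0
10.0.0.23 POST http://192.0.2.44:8888/ 20480
"""

def is_bare_ip(host):
    """True when the destination is an IP literal rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:  # also raised for a missing host (None)
        return False

def find_tunnel_candidates(log_text, min_uploads=3):
    """Return sorted (client, host, port) triples matching the tunnel pattern."""
    uploads = defaultdict(list)   # key -> declared upload sizes
    downloads = defaultdict(int)  # key -> number of GETs
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines
        client, method, url, size = parts
        target = urlsplit(url)
        key = (client, target.hostname, target.port or 80)
        if method in ("POST", "PUT"):
            uploads[key].append(int(size))
        elif method == "GET":
            downloads[key] += 1
    hits = []
    for key, sizes in uploads.items():
        # Ordinary form posts vary in size; a tunnel repeats one fixed size.
        fixed_size = len(sizes) >= min_uploads and len(set(sizes)) == 1
        if is_bare_ip(key[1]) and fixed_size and downloads.get(key, 0) > 0:
            hits.append(key)
    return sorted(hits)
```

A match is a lead for review rather than proof, since some legitimate upload clients also send fixed-size chunks to IP literals.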

Testing

Now you can test your settings, by telnetting to the tunneling-client running on the computer behind the firewall:

Open a console and enter telnet localhost 6971. This should bring up a telnet-client or something and you should now already be connected to the remote host via the tunnel. Now check the relay by connecting to a Go-server, e.g. with:

nngs.cosmic.org RETURN
9696 RETURN

Now NNGS's message-of-the-day should scroll through.

If so, you are ready to include your Go-client:

Using "Jago" this is really very simple. Just start it and choose "Action" -> "Use Relay".

Now Jago will connect to localhost on port 6971, just where your tunneling-client listens. The tunneling-client passes the data sent by Jago on through the firewall to the tunneling-server on the remote computer. The tunneling-server now sends the data to the relay, listening on port 5000, which sends it on to the desired computer/Go-server. (See this graphic again for an overview.)

Jago makes using the relay very simple. (See the troubleshooting for use with another Go-client below)

Disclaimer

I give absolutely no warranty and cannot be made responsible for any damage, e.g. security leaks, that occurred to computers or security systems due to using this hack.

Troubleshooting

Question: The remote computer already has a service running on the port I must use because every other port is blocked by the firewall.
Answer: With Linux you could use the "tcpwrapper"-package to start different services for different IPs (catchwords: inetd, twist).

Question: I don't want to use "Jago". How can I make use of this solution with my Go-client?
Answer: You could use scripting if your Go-client supports it.
Then you'd set "localhost" as the target-server and "6971" as port. Now your Go-client uses "htc" as your "Go-server". Using the scripting-capability of your Go-client, you connect to the real Go-Server by typing:
Go-Server-address (e.g. nngs.cosmic.org) [RETURN]
Go-Server-port (e.g. 9699) [RETURN]

Now the message-of-the-day of your Go-Server should scroll through.
You could go on recording the log-in procedure. Then you're done with the script.

Question: I use a non-permanent connection to the internet. After a while the connection gets hung up and so I cannot connect from the outside. How can I overcome this?
Answer: As a solution to this problem, I wrote a very small java-application which "pings" (i.e. sends small packets of data to), using your OS's "ping"-command, a server somewhere on the net every 10 minutes. This way the connection will not be closed because it's not used. Here's the zipped runnable jar Pinger.zip and the source Pinger.java.

Question: Where can I get Java?
Answer: You can get Java at the following locations:
Sun and
IBM for Windows,
Blackdown for Linux or
Apple for Macintosh.

Question: I cannot run hts on port 80 on my Linux-box. Why is that?
Answer: On Linux only "root" is allowed to start servers on ports smaller than 1024. So you will have to log in as root or run hts on another port (8080/8888).

Question: I am using Windows. Is there an easy way to start java-applications?
Answer: If you are using Windows and have the Java JDK installed, a java-app should get loaded when you look it up with your filemanager and double-click it. Since no window will pop up, you should check whether Java has started by pressing CONTROL + ALT + DEL together. This will bring up the taskmanager. Look for "java" or "javaw".
Don't hold these keys down too long or press them together more than once, since this will restart your computer!