Re: [Savannah-help-public] Re: firewalls blocking CVS

[Sylvain Beucler]

On Tue, Jul 10, 2007 at 11:33:44AM +0530, dhruva wrote:
> Hi,
> I went through the complete document and suggested methods (tor did
> not work either). For port 443 approach, the catch is here.
> 
> -- Part of the document from the link you had sent ----
> Note: we implemented that method, without warranty, for project member
> SSH access only - not anonymous access. Anonymous access is available
> via pserver which ought to be available to you, just like HTTP.
> -- Part of the document from the link you had sent ----
> 
> The have enabled 443 as an alternative to 22. Port 22 is used only by
> project members with commit access. It does not really help people
> like me (involved in the emacs project but not part of the core).
> 
> On 7/6/07, Richard Stallman <address@hidden> wrote:
> >Savannah CVS on port 443 was moved to download.savannah.gnu.org,
> >but this wasn't documented.  It is now documented in
> >http://savannah.gnu.org/maintenance/CvsFromBehindFirewall.
> >
> >If this doesn't work for you, please write to address@hidden
> >If they can't or don't help you, please write to me personally.
> 
> Thank you for taking this up seriously. Since it is a policy issue, I
> decided to mail it to this list too.
> 
> -dhruva

Hi Dhruva,


Exactly, why is your access to port 2401 blocked?


We'll need all information leading to such restrictions before to make
a decision.

If your admin also blocked Tor nodes, which is usually the simplest
way to bypass outgoing traffic restrictions, I think (s)he is serious
about not allowing you to use our CVS service, and will probably use
any mean to continue blocking you (IP-based restrictions, checking
that traffic is TLS/SSL traffic and not pserver traffic, rejecting
outgoing traffic on port 443, delegating https encryption to the proxy
etc.), unless (s)he can be convinced that CVS access is an acceptable
use of the network.


RMS wrote:
> Maybe we need to make pserver available on port 443 on some IP.
> Savannah people, is that feasible?

Providing each and every Savannah service on port 443 on a different
IP adress doesn't scale, because:
- we offer many services,
- we don't have that many IP adresses,
- port 443 is usually already taken by https; there can be only one
  https website per IP, which makes that port even more precious,
- additional IP adresses cost money.

One may point that not all services would require such a trick;
services like GNU Arch or Git provide read-only access or fall-back
read-only access via HTTP, so maybe we can make exceptions for
CVS. But write access always require port 22, and yet another IP if we
want access to port 443. So any new service will usually require 1 IP
address for normal access, and 1 or 2 additional IP adresses for
"firewall bypassing" access.

Note that ultimately, nothing forbids you from using a dedicated
virtual server (9USD/mo) or any external machine you control (eg your
computer at home), and perform the redirection from port 443 to
Savannah yourself. Check the documentation again, a spam bot recently
reverted the documentation on that topic, and I also completed it
today. This means you are not dependent on us for bypassing the proxy.



So, once we know why your outgoing traffic to CVS is blocked, we'll
either order a new IP on which we can bind cvs-pserver on port 443, or
find a better way for you to access CVS.

Again, if everything passes through port 443, network admins will
implement other ways to restrict outgoing traffic, if that's what they
want, so in the long run this doesn't sound like a good solution.

We're also open to alternatives :)

-- 
Sylvain