-
Notifications
You must be signed in to change notification settings - Fork 4
pingtunnel
PTunnel erlaubt das verlässliche Tunneln von TCP Verbindungen über ICMP Echo-Requests, was auch als ICMP Tunnel bekannt ist. Das mag zwar auf den ersten Blick recht nutzlos aussehen - dafür erweist es sich in manchen Situationen als recht hilfreich. Wenn nämlich nichts anderes weiterhilft, weil eine restriktive Firewall im Wege steht…
Folgendes bei forwardrules der ar7.cfg eintragen um Pings aus dem
Internet zuzulassen:
"icmp 0.0.0.0 0.0.0.0 0 # PTunnel"
Or use AVM-Firewall from revision 6794 to do the same from a web interface.
Capturing packets (libpcap) from interface dsl doesn't work (packets are fragmented), but from interface lan does:
ptunnel -c lan
(Error message if using dsl: "Received fragmented packet - unable to reconstruct! This error usually occurs because pcap is used on devices that are not wlan or ethernet.")
The web interface of pingtunnel (from revision 6792) uses the following options if you don't specify extra options:
-c lan -syslog -x <password>
For maximum flexibility -c lan -syslog is omitted if you specify extra
options.
Be sure to specify enough tunnels when tunneling http traffic with the
-m option.
Pingtunnel is not very secure, because it possible to choose random tunnel endpoints from the client. The best thing that can be done, is using a strong password.
Be sure to use client version 0.71 or higher and the patched 0.71 server version when using passwords!
Also realize that ICMP traffic makes it to the internal net of the box if you configure ICMP forwarding.
It is easily overlooked, but you can tighten security with these option:
-da: Set remote proxy destination address if client
Restrict to only this destination address if server
-dp: Set remote proxy destionation port if client
Restrict to only this destination port if server
You can restrict access to for example [Polipo?] like this:
-da localhost -dp 8123
- Homepage (Englisch)
- Freshmeat Projektseite
- Breaking through firewalls with a ping tunnel (Blog Artikel)