[mythtv-users] Accessing MythWeb through firewall
Stephen Boddy
stephen.boddy at btinternet.com
Mon Oct 30 11:31:40 UTC 2006
On Monday 30 October 2006 06:41, Phill Edwards wrote:
> I have MythWeb installed and running on a server which sits behind my
> firewall at home. There is no direct access to it from the internet
> except through my linux gateway which sits between it and the
> internet. The gateway box is another linux server which is running an
> IP Tables firewall and has a port forwarding rule to direct traffic on
> a particular port (12000) to port 80 on my MythWeb box. This works a
> treat.
>
> But...where I'm working now has most outgoing ports blocked except for
> 80, 443 etc, which means I can't access port 12000 on my gateway
> machine so it can't forward that to my MythWeb machine.
>
> I was wondering what suggestions people had for resolving this. I was
> thinking that I could use a mod_rewrite rule on my gateway machine's
> Apache config - eg if URL=http://<gateway.on.internet>/mythtv then
> redirect to real MythWeb box. But when I had a quick look at this I
> got the impression it wouldn't work because it sends a redirect
> command back to the client.
>
> Any suggestions, anyone (apart from getting a hole punched in my
> company's firewall!)

Because your company limits outbound ports and your ISP limits 80 (+others?)
inbound, the simplest way to do this is set up an ssh tunnel. Your ISP is
very unlikely to block port 22 (the ssh service), and there's a very good
chance that your company allows 22 outbound. It's a huge hole that a lot of
companies don't bother closing, probably because the managers don't
understand the power, and the techs like the convenience :-) There is a
possibility though that they tie it down using a "gateway" system and
restrict outbound ssh to that machine only, and you're unlikely to get an
account for this without a good justification. Even then, port forwarding can
be blocked in the config.

If not, set up ssh server on your firewall and/or mythweb box and just do:

    ssh -L8080:<localhost|mythweb server>:80 <user>@<your home IP>

from work. This has the added benefit that if you slip up with the password
access, Google don't come along and kindly delete all your recordings :-) It
is also good practice to use pub/priv keys which helps prevent dictionary
attacks from skript kiddies.

Then just point your work browser to http://localhost:8080/mythweb

Finally, a word to the wise. Doing this kind of stuff may be possible. What is
also possible is that your company will consider it as circumvention of
security measures, and will take a very dim view of these kinds of
activities.

--
Steve Boddy
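
The two server-side settings the reply touches on, key-only login and blocking port forwarding, both live in sshd_config. The script below is an added example, not part of the original post, that reads them from a config file. The function names and both sample configs are constructed here, and it reads only the global section without following Include files.

```shell
#!/bin/sh
# Added example: report the two sshd_config settings the reply mentions.

# effective_sshd_option FILE KEYWORD DEFAULT
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and lines after the first "Match" are conditional.
effective_sshd_option() {
    awk -v want="$2" -v def="$3" '
        BEGIN { FS = "[ \t=]+"; want = tolower(want) }
        { sub(/^[ \t]+/, "") }                 # drop indentation, re-split
        /^(#|$)/ { next }                      # comments and blank lines
        tolower($1) == "match" { exit }        # stop at conditional blocks
        tolower($1) == want { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# True when "ssh -L" style (local) forwarding is permitted.
allows_local_forward() {
    case "$(effective_sshd_option "$1" AllowTcpForwarding yes)" in
        yes|all|local) return 0 ;;
        *) return 1 ;;
    esac
}

# True when password logins are still accepted (dictionary-attack surface).
allows_passwords() {
    [ "$(effective_sshd_option "$1" PasswordAuthentication yes)" = "yes" ]
}

# Constructed samples: a key-only home server and a locked-down gateway.
home_cfg=$(mktemp); gw_cfg=$(mktemp)
trap 'rm -f "$home_cfg" "$gw_cfg"' EXIT
cat > "$home_cfg" <<'EOF'
# key-only login, forwarding left at the default
passwordauthentication no
PubkeyAuthentication yes
EOF
cat > "$gw_cfg" <<'EOF'
AllowTcpForwarding no
Match User admin
    AllowTcpForwarding yes
EOF

for f in "$home_cfg" "$gw_cfg"; do
    if allows_passwords "$f"; then pw=enabled; else pw=disabled; fi
    if allows_local_forward "$f"; then fw=allowed; else fw=blocked; fi
    echo "$f: passwords $pw, local forwarding $fw"
done
```

On a live host, `sshd -T` prints the effective configuration including Include files and is the authoritative check.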