BenV's notes

Especially force, that’s what we need.
Because somehow Opera still hasn’t bothered to implement SOCKS proxy support. And if you would like to use… oh I don’t know… tor… or maybe simple ssh proxying support to test stuff from an external IP instead of from inside your local network, or for whatever your reason might be (working around your corperate firewall? ;))…. you have to use Firefox. Because they DO have SOCKS support. Strange. A case to bash Opera 🙂 (continue reading…)

So yesterday at work I ran into the famous ssh MAC failure like this:

wouter@wouter-laptop:~:0> rsync -varP ./vmware/ wouter@192.168.1.2:/archive/archive2/programs/vmware/
Password:
sending incremental file list
./
Keys
116 100% 0.00kB/s 0:00:00 (xfer#1, to-check=8/10)
linux/
linux/VMware-server-2.0.1-156745.i386.tar.gz
32768 0% 800.00kB/s 0:10:11 Received disconnect from 192.168.1.2: 2: Corrupted MAC on input.

rsync: writefd_unbuffered failed to write 4 bytes to socket [sender]: Broken pipe (32)
rsync: connection unexpectedly closed (53 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(600) [sender=3.0.6]


No, that has nothing to do with Apple/Mac computers or Media Access Control, it’s
part of the SSH protocol (and others) called Messenge Authentication Code. This blog has a nice explanation: Jan Pechanec on SSH messages.

Funny thing, my brother also had this exact issue with the same kind of laptop. Well…. in his case it was putty failing his connection from a windows machine to this laptop.
The reason? Same as ever, checksum offloading.
You can check if your card does this with the ethtool program:

wouter@wouter-laptop:~:0> sudo ethtool -k eth0
Offload parameters for eth0:
Cannot get device flags: Operation not supported
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: off
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: off
large-receive-offload: off


And the fix for this:

wouter@wouter-laptop:~:85> sudo ethtool -K eth0 tx off

Fixed.

” Wait, what does Pokemon OS have to do with this?”
Well, isn’t that obvious? It’s supposed to magically work, and it doesn’t! 😉
Probably more a kernel thing though… oh well.

This is trivial stuff, but nice to know.

Do they have a cute little firewall at your work that only allows outgoing traffic on a certain port? Does some site have retarded IP restrictions? Does the piratebay block you from home?
Have no fear, ssh is slow as a bear. (huh?)

Anyway, you could use an anonymous proxy to get around all of this, but they are often slow and hard to find. Not only that, they often require you to use a specific port.
So the simple solution for all this: use ssh. Of course this requires you to have ssh access on a machine outside of the network that you’re trying to get out of.
But if you don’t even have that, you probably suck anyway. (get lost with your micro~s fail piece of cardboard).

Solution #1, for simple TCP port forwards. For instance when you’re trying to access a remote snmp server that has the irc port (6667 by default) firewalled:

idiot@yourmachine$ ssh -L 1234:127.0.0.1:6667 ip.of.irc.machine
*username and password stuff*

After a successful login you can now connect an IRC program to localhost on port 1234 and it will act as if you were connecting to the remote machine directly. (bypassing the firewall).
Woei. Too bad this fails for UDP though. You also need to keep the ssh connection open, but that’s pretty obvious.

Solution #2, for a real proxy solution. When you’re trying to access a remote web server it becomes more annoying to use a simple port forward, since your browser will not pass the correct
information to the remote server. (It will say Host: 127.0.0.1 for where it was supposed to be Host: www.piratebay.org for example).
To make this work we simply turn ssh into a socks proxy like this:

moron@yourmom$ ssh -D 1234 ip.remote.shell.machine
*username and password stuff*

Now you can enter localhost and port 1234 in your browser’s proxy configuration in the SOCKS proxy section. Magic, you can now go to any site and it will be tunneled through the nicely encrypted ssh session. (although it might be a bit slower).

Well, so much for the obvious stuff today.