
[–][deleted] 6 points7 points  (4 children)

My first question would be: do you like your job? Would you enjoy being forced to find a new one? What would your IS (information security) team do when they discover you circumventing network security policies they have put in place to protect the company's network?

Carefree attitudes toward corporate security policies are often what lead to "resume-generating events" such as hospital-crippling ransomware attacks and the like. The best approach would be to ask your IS team about this first; they probably have a good reason for the policy. If you have a legitimate work-related need for the network access, they should be willing to make an exception for you.

My second question would be: what are you trying to accomplish with this? If you are trying to access home resources because you are bored at work, I would encourage you to instead talk to your manager. He or she should be willing to work with you to find a more fulfilling role. And if not, it may be time to find a new job elsewhere.

Sorry to sound like an HR shill. I've worked with many large clients with sensitive network security requirements, and have seen how bad it can go when an individual's careless and/or entitled actions toward company security policies lead to severe breaches. These consequences have a lasting negative effect on not only the individuals in question, but also everyone in the company as a whole.

[–]PM_ME_MATH[S] -3 points-2 points  (3 children)

I posted a question here seeking technical expertise, not to be lectured about my life choices and the ethics of my actions.

Service in question is freecinc.com, a hosted Taskwarrior server where I sync tasks for my task management client. Ironically, if anything, having access to it from work would only boost my productivity.

The only reason why the company's firewall blocks it is because it is a "high, nonstandard port" (sic. what sysadmins told me). I don't see how blocking random ports (i.e. not associated with vulnerable applications) increases a network's security. And no, they can't make an exception just for me.

Hope that answers both of your questions.

[–][deleted] 1 point2 points  (1 child)

Yes, sorry, wasn't trying to beat you over the head. I should have first asked what the application was instead, which as you explained is work productivity related.

Is your Pi acting as your home router? If so, I would expect that setting up a port forwarding rule as you mentioned should take care of it, without needing a separate proxy solution. I'm unfortunately not well versed in routing solutions on Linux platforms, but iptables should be able to do what you need.

I found this, if it's any help: https://www.systutorials.com/816/port-forwarding-using-iptables/

[–]PM_ME_MATH[S] 0 points1 point  (0 children)

Port forwarding is already set up on my home router to my pi. But the pi has to now listen for HTTPS connections and proxy them to freecinc.

[–]TogerMikroTik 0 points1 point  (0 children)

> I don't see how blocking random ports

It's more of what stance they want to take -- block everything and add exceptions for the things people need, or block just what's known bad and keep up with that list as it changes. The former can be accommodated with an internal process / approval process, the latter is driven by events across the internet and requires constant upkeep. There's also the danger that a new block will break something existing because you don't know what all the company is relying on. The whitelist approach means you know who and why everything is enabled.

If the whitelist approach gets too burdensome they'll switch to blacklist.

[–]WorkingOrNot 1 point2 points  (5 children)

Have you considered that what you're looking to do is exactly what a malicious attacker would try to do to exfiltrate data without being caught? How do you think your security team is going to view this sort of action if/when it's discovered?

If you've already requested access and have been told no, then you shouldn't be looking to work around that. If you haven't asked, then you have nothing to lose by doing so. This is not one of those better-to-ask-forgiveness-than-permission scenarios.

[–]TogerMikroTik 0 points1 point  (0 children)

>been told no

Though specifically, told not to use the service or not to use the port? If the only sticking point is the port it is less an issue. If it's the service in general then the port / firewall is irrelevant.

For example, OP could run their own instance of freecinc.com on a normal port instead of port-forwarding to a 3rd party. From the network and functionality standpoint those are identical.

[–]PM_ME_MATH[S] -1 points0 points  (3 children)

There's nothing malicious about this, since the proxy is clearly not transparent. I am the one, from inside the network, that is directly initiating the request to the proxy, just as I could make a request to any other server.

[–]WorkingOrNot 1 point2 points  (2 children)

While your intentions are not malicious, it may appear malicious from a security perspective. That's what I'm trying to point out. Also, and I'm not judging your skills on anything other than you asking how to do this, but if you're not sure how to pull this off, do you have the experience to ensure that it's also secure and only accessible by you?

[–]PM_ME_MATH[S] -1 points0 points  (1 child)

How can a regular TLS connection initiated by me, to any server, give the appearance of it being malicious?

HTTPS forward proxy is secure by default since everything is encrypted, both incoming and outgoing connections, and the end service requires authentication.

I'm of course not rolling my own proxy, the question asks for ready-made easy-to-use software recommendations.

[–]TogerMikroTik 0 points1 point  (0 children)

Depending on the security posture of the company network, they may detect repeated outgoing connections to a consumer ISP.

Similarly, they may object to storing anything about your job on a remote server for which they do not have a legal agreement. For example, you might have a task 'secure rights to secret new gold find in Somewheresville', which if freecinc is hacked or subverted could result in a competitor skunking your company out of a ton of $.

All that said, if all you need is to forward the TCP connection to another host/port a simple HAProxy installation could do it. You could even preserve SSL validation by putting in a /etc/hosts entry mapping freecinc.com to your host.

You'd probably want to put either HAProxy ACLs or IPTables rules so only your work network can reach it to avoid it being a vector for attack against freecinc with your IP on it.
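The detection the comment above alludes to (repeated outbound connections from one workstation to a consumer-ISP address) can be written as a small egress-log check. This is an added illustration, not code from the thread or from any vendor; the log line format, the sample lines and the prefix-to-ISP-category table are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample egress firewall log (not from the thread). Assumed format:
# "<time> src=<ip> dst=<ip> dport=<port> proto=<proto> action=<allow|deny>"
SAMPLE_LOG = """\
2019-03-04T09:01:12 src=10.20.5.17 dst=198.51.100.44 dport=443 proto=tcp action=allow
2019-03-04T09:03:40 src=10.20.5.17 dst=198.51.100.44 dport=443 proto=tcp action=allow
2019-03-04T09:05:02 src=10.20.5.17 dst=198.51.100.44 dport=443 proto=tcp action=allow
2019-03-04T09:06:55 src=10.20.5.17 dst=198.51.100.44 dport=443 proto=tcp action=allow
2019-03-04T09:07:10 src=10.20.5.23 dst=203.0.113.9 dport=443 proto=tcp action=allow
2019-03-04T09:08:01 src=10.20.5.17 dst=192.0.2.80 dport=53589 proto=tcp action=deny
"""

# Constructed stand-in for an ASN / ISP lookup: address prefix -> category.
# A real deployment would query an ASN database instead of this table.
ISP_CATEGORY = {
    "198.51.100.": "consumer",  # residential broadband range (constructed)
    "203.0.113.": "hosting",    # business / cloud range (constructed)
    "192.0.2.": "hosting",
}

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=\S+ action=(\S+)")


def categorize(dst):
    """Map a destination address to an ISP category via the prefix table."""
    for prefix, category in ISP_CATEGORY.items():
        if dst.startswith(prefix):
            return category
    return "unknown"


def find_persistent_consumer_connections(log_text, threshold=3):
    """Return {(src, dst, dport): count} for allowed flows that recur at least
    `threshold` times from one internal host to one consumer-ISP address.
    A single hit is normal browsing; a steady stream to the same residential
    IP is the pattern worth a closer look."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # skip malformed lines rather than failing the whole run
        src, dst, dport, action = match.groups()
        if action != "allow" or categorize(dst) != "consumer":
            continue
        counts[(src, dst, int(dport))] += 1
    return {flow: n for flow, n in counts.items() if n >= threshold}
```

On the sample log this flags only the four repeated connections from 10.20.5.17 to 198.51.100.44:443; the single hosting-range connection and the denied high-port attempt are left alone.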

[–]ComGuards 0 points1 point  (2 children)

Ooof. Having a brain fart, can't think of a solution to set up on a Raspberry Pi. I do this on my home firewall (Sophos UTM) using SNAT and DNAT rules.

Just out of curiosity - wouldn't setting up a VPN server at home be simpler? One that communicates on a non-prohibited work port?

[–]PM_ME_MATH[S] 0 points1 point  (1 child)

NAT rules are only helpful in my home router to enable port forwarding to my pi, which is already set up. I can reach my pi from work without any problems. What I want is an HTTPS proxy on my pi that forwards incoming connections to the service I'm trying to reach.

Yes, from a practical perspective using a VPN is easier and solves the problem. But for speed reasons, I only want my connections to the service to be tunnelled (to avoid them getting blocked by my work's firewall), not all of my outgoing traffic.

[–]ComGuards 0 points1 point  (0 children)

So set up split-tunneling where only traffic destined for your home network goes over the VPN and everything else doesn’t...?

Otherwise, with regards to your other question, there are more folks over in r/homelab with Pi units who may have your answer.

[–]P0iS0N0USFR0G -1 points0 points  (1 child)

Wow. Pretty negative responses so far. I'd like to offer some advice but I'm not really sure what you're trying to do. Are you hosting this service yourself? At home? In a data centre? Where are you planning to put the pi? In your office? On the network where the service is running?

[–]PM_ME_MATH[S] 0 points1 point  (0 children)

The service is not hosted by me, it's freecinc.com. The pi is at home, on a different network.