The Boston Diaries

The ongoing saga of a programmer who doesn't live in Boston, nor does he even like Boston, but yet named his weblog/journal “The Boston Diaries.”

Go figure.

Tuesday, June 24, 2008

Dodging black ICE to do a job …

Yet anther data point for the NAT is eeeeeeeevil meme

Smirk called up and asked if I could set up Cacti for one of our customers. They were having an issue with their local network (broadcast storms) and with Cacti monitoring the network, it would be easy to see the problem box. We already manage their firewall, which is a Linux system using iptables, so it can be easily installed there.

Only in the process of setting up Cacti (not difficult, just tedious as there's several pieces of software that have to be compiled and installed manually) I realized that the firewall wasn't handing the NAT for the customer's network—that was another device behind the firewall. And that means Cacti, running on the firewall, had no way of contacting an individual system on the private network.

Sure, there's port forwarding, but that's one port per box that needs to be configured on the NAT device, and while possible, there's usually a limit to the number of port forwards allowed by such a device.

“Sorry, no can do,” I told Smirk.

About an hour later, he calls back. “They have a Linux server on their network. You can install Cacti there,” he said. “They're port forwarding ssh to their Linux system.”

Okay, so to get to the internal Linux system of our customer, I first have to ssh to my virtual workstation at The Data Center (since The Office no longer exists—we all telecommute), then ssh to their firewall (since the firewall only allows connections from known hosts), then ssh to the NAT system, which forwards the traffic to their Linux system.


So I'm in the process of installing Cacti on this system when I realize that to finish up the install, I have to access a webpage on said Linux server.

Which I can't do, because port 80 isn't being forwarded to said Linux server.


I bring this up to The Weekly Meeting, and the solution is to use ssh to build a rather crazy SOCKS tunnel between my workstation and the Linux server on the customer site, using several intermediary systems to bounce the packets around.


I'm trying to configure a software package, not hack into NORAD or steal confidential corporate material. But, because of NATing, I have to employ some pretty heavy networking to do what should be a simple job.

Obligatory Picture

[“I am NOT a number, I am … a Q-CODE!”]

Obligatory Contact Info

Obligatory Feeds

Obligatory Links

Obligatory Miscellaneous

You have my permission to link freely to any entry here. Go ahead, I won't bite. I promise.

The dates are the permanent links to that day's entries (or entry, if there is only one entry). The titles are the permanent links to that entry only. The format for the links are simple: Start with the base link for this site:, then add the date you are interested in, say 2000/08/01, so that would make the final URL:

You can also specify the entire month by leaving off the day portion. You can even select an arbitrary portion of time.

You may also note subtle shading of the links and that's intentional: the “closer” the link is (relative to the page) the “brighter” it appears. It's an experiment in using color shading to denote the distance a link is from here. If you don't notice it, don't worry; it's not all that important.

It is assumed that every brand name, slogan, corporate name, symbol, design element, et cetera mentioned in these pages is a protected and/or trademarked entity, the sole property of its owner(s), and acknowledgement of this status is implied.

Copyright © 1999-2024 by Sean Conner. All Rights Reserved.