Geophysical Fluid Dynamics Laboratory


Connecting to GFDL from outside the firewall.

You may find many pages linked from my homepage that point to GFDL internal pages, that are held on the cobweb server within the GFDL firewall. (If you cannot get to the cobweb link above, you don't have access).

If you do have access permissions (via a GFDL-issued cryptocard), here's how to set up your home machine for access to internal webpages on a browser. This also works for shell access to internal workstations, provided you're on a unix-like environment at home.

You must have an ssh client available. These instructions are for openssh on a unix-like OS, where its config file is stored in ~/.ssh/config. Configure your ssh client to tunnel through the GFDL firewall machine daisy. The tunnel as shown provides shell access to an internal machine of your choice ( in the example) and also to the web proxy. The web proxy gives you access to cobweb, as well as to any paid-for journals and sites to which GFDL has a site subscription.


Here are the lines in ~/.ssh/config:

Host daisy
  User vb
  LocalForward 1322
# web proxy: use automatic
  LocalForward 3128
Host public
# requires daisy to be forwarding a local port
  Hostname localhost
  Port 1322
  User vb
  StrictHostKeyChecking no
Host *
  ForwardX11 yes

Change vb to your userID.

Login to daisy

With these lines, you can open a new shell and type ssh daisy (see? no need to type your username or the full hostname...) to get a window where you can type in your cryptocard password to be authenticated on the GFDL firewall. What those lines say is that the host alias daisy will connect to using username vb. The "local ports" 1322 and 3128 are forwarded to the respective "remote ports". The remote machines are "listening" on those ports for incoming traffic of a specific type: e.g. public will accept ssh traffic on its port 22.

Shell access

Don't use the daisy shell prompt to get to an internal machine! That one session will allow you to pop open as many internal tunnels as you wish. Open another shell and type ssh public. That will log you in to public. You won't even get prompted for a password if you've set up ssh keypairs correctly.

For keypair-based access, generate a key with ssh-keygen -t dsa, copy the public key (usually ~/.ssh/, by default) over to your target machine (e.g. public) and append it to the file ~/.ssh/authorized_keys.

You will find you can open as many windows as you want, and the whole thing goes much faster than VNC, which appears to be GFDL's recommended solution for home access to machines behind the firewall.

The port number (1322) for the shell in the example is any number you like... though of course it must match what you define for public below. If you want to open up ports to different machines inside the firewall, pick a different number for each. I usually pick xx22, since 22 is the standard ssh port.
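As an added check, and not a tool from this page or from GFDL, here is a small Python script that parses an ssh config laid out like the one above and reports an alias whose Hostname localhost / Port hop has no LocalForward feeding that port (the mismatch described in the paragraph above), along with any alias that sets StrictHostKeyChecking no, which is worth knowing about since it accepts whatever host key is presented. The sample config is constructed; its forward targets public:22 and mayflower:3128 are assumptions drawn from the prose, not copied from the page.

```python
# Constructed sample in the layout of the page's ~/.ssh/config; the forward
# targets (public:22, mayflower:3128) are assumed from the prose, not copied.
SAMPLE_CONFIG = """
Host daisy
  User vb
  LocalForward 1322 public:22
  LocalForward 3128 mayflower:3128   # web proxy
Host public
  Hostname localhost
  Port 1322
  User vb
  StrictHostKeyChecking no
Host *
  ForwardX11 yes
"""

def parse_ssh_config(text):
    """Return {alias: [(keyword, value), ...]} with keywords lower-cased."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = value
            hosts.setdefault(current, [])
        elif current is not None:
            hosts[current].append((key, value))
    return hosts

def check_tunnels(text):
    """Report a localhost hop whose Port has no LocalForward feeding it, and
    any alias that switches off host-key verification."""
    hosts = parse_ssh_config(text)
    forwarded = {int(v.split()[0]) for entries in hosts.values()
                 for k, v in entries if k == "localforward"}
    problems = []
    for alias, entries in hosts.items():
        opts = dict(entries)                     # later keywords override
        if opts.get("hostname", "").lower() == "localhost":
            port = int(opts.get("port", 22))
            if port not in forwarded:
                problems.append(f"{alias}: no LocalForward opens local port {port}")
        if opts.get("stricthostkeychecking", "").lower() == "no":
            problems.append(f"{alias}: StrictHostKeyChecking no skips host-key checks")
    return problems
```

Run check_tunnels on the contents of your own ~/.ssh/config; an empty list means every localhost hop has a matching forward.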

Browser access

Configure your browser to use the automatic proxy. Unlike the shell access port, which you set to whatever you like, this number must be set to 3128... that's where mayflower is listening.

Emacs over the tunnel

You can edit files in emacs over the tunnel as well, if the emacs package tramp is present. With tramp loaded, you can M-x find-file /public:/home/vb/.emacs, and you'll find yourself editing my file /home/vb/.emacs in your emacs window at home. More on emacs here.

Mirroring your home directories between home machine and GFDL

I essentially maintain a mirror of my /home/vb directory on my home machine. rsync is a very useful tool for maintaining mirrors across two systems, and will also work over the ssh tunnel (rsync -e ssh). It has a bewildering array of options, and I've written a small wrapper called ssync for doing the most obvious things in maintaining a home machine in sync with your /home directory. Ask me for a copy of ssync.

Getting on the GFDL guest wireless network

The GFDL guest wireless network is secured using WPA, or Wi-Fi Protected Access. The encryption used is WPA-PSK/TKIP, whatever that may mean.

To connect, you need the ID of the access point (the SSID) and a passphrase.

The GFDL wireless access point SSID is GFDL Secure WLAN and the passphrase is 50 years and counting!.

To use WPA on the GNU/linux platform, you need a tool called wpa_supplicant. Most GNU/linux distributions either bundle it nowadays, or make it easy to find in a yum or apt repository. Here are the relevant lines in the config file wpa_supplicant.conf:


	network={
		ssid="GFDL Secure WLAN"
		psk="50 years and counting!"
	}

Typically, you load up all the networks you might possibly connect to in your wpa_supplicant.conf file, and run it as a daemon, using a command line something like:

wpa_supplicant -i eth1 -D wext -B -c /etc/wpa/wpa_supplicant.conf

wpa_supplicant will connect to any SSID that is matched in this file, using the specified authentication.

Once your connection is established (run iwconfig to make sure you are on the right wireless network, and ifconfig to see if you've been assigned an IP address), you need to bring up a browser and log into the network. This automatically brings up the GFDL wireless guest network login page. Here you use your NEMS ID if you have a GFDL account; otherwise you need to get a guest account from Ops.

created by v. balaji in emacs using the emacs-muse mode.
last modified: 18 January 2010