Setting Up Perforce Using Firewalls

How can I access the Perforce server through a firewall?

Article #: 22
Created: 03/13/07
Modified: 04/08/08

Links

  1. Configuring SSH on Mac OS X (external site)
  2. Cygwin Web Site (external site)
  3. OpenSSH for Windows (external site)
  4. Sun Article on SSH Tunnelling (external site; has a good example using Perforce)


SUMMARY

Instructions on setting up your client machine to connect to the Perforce server through a firewall.

DETAILS

Perforce clients communicate with a Perforce Server using TCP/IP. The server listens for connections at a specific port on the machine it is running on, and clients make connections to that port.

The port number the server listens on is specified when the server is started; in this example we'll pick port 3710. The number is arbitrary, except that it must not conflict with any other networking service on that machine. The port number used on the client machine is dynamically allocated.

[Figure 1: The network without a firewall]

A firewall is a network element which prevents any packets from outside the local, trusted network from reaching the local network. This is done at a low level in the network protocol - specifically, any packets not coming from a trusted IP address are simply ignored.

In this scenario, the Perforce client is unable to connect to the server since it is from an untrusted part of the network and none of its connection requests reach the machine the server is running on.

[Figure 2: The network blocking Perforce with a firewall]

The only solution is to establish a connection to the Perforce Server from the untrusted network by way of a machine on the trusted network. This can be done securely using a secure shell (ssh). Many secure shell implementations exist (but they are not distributed with or by Perforce). Mac OS X and most current Unix distributions have some form of SSH. Windows users might consider installing Cygwin and OpenSSH.

ssh is meant to be a replacement for rsh (remote shell), which means it allows you to log into a remote system and execute commands as if you were locally controlling the machine. The connection is encrypted, so none of the data is visible to the Big, Bad, Untrusted Network. With simple utilities such as rsh, even your password as you type it is visible; not so with ssh.

So, one solution is to use ssh to log into the firewall machine and run the Perforce client there. That is not the optimal solution, however; typically you want your client files right on your local machine.

The best solution takes advantage of ssh's ability to forward arbitrary TCP/IP connections. The Perforce client can appear to be connecting from the firewall machine over the local, trusted network; the link between the firewall machine and the machine running the client is passed through the secure channel set up by ssh.

[Figure 3: The network with Perforce tunneled through the firewall]

Suppose the Perforce Server is on the machine "perforce.bigco.com" and the firewall machine is called "gateway.bigco.com". We'll choose 4242 for the local port, and note that the Perforce server is listening on port 3710. The ssh invocation to forward the TCP/IP connection is:

ssh -L 4242:perforce.bigco.com:3710 gateway.bigco.com

You will probably need to provide a password to log into "gateway.bigco.com". Once the connection is established, ssh listens at port 4242 on the local machine and forwards each connection to "gateway.bigco.com", and from there, by way of the internal, secure network, to port 3710 on "perforce.bigco.com".

Now configure the Perforce client to use port 4242 by setting the environment variable P4PORT to 4242. This would normally mean we are trying to connect to a server running on the same machine and listening at port 4242, but now it's not a Perforce Server listening there, it's ssh -- data sent over this port is transparently forwarded to the Perforce Server at "perforce.bigco.com".

To keep the forwarding without holding an interactive login session open, run instead:

ssh -n -L 4242:perforce.bigco.com:3710 gateway.bigco.com sleep 9999999 &

This instructs ssh to run the sleep command on the remote system, which keeps the session (and its forwarded port) alive instead of letting it time out. The "-n" flag tells ssh not to read from stdin, and the "&" puts the process in the background.

Note: with a port (4242 in this example) on the local machine now forwarded to a secure server, it is prudent to be certain the local machine is secure! To do this, check your ssh client documentation to determine whether it accepts only local connections, or if it can be configured to prevent remote connections that can compromise your security.
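The following is an added example, not part of the original article or distributed by Perforce. It builds the forwarding command from the values used above, derives the matching P4PORT, and checks whether a local listener (as shown by a tool such as "ss -ltn" or "netstat -an") is bound to the loopback address only, which is the concern raised in the note. It assumes an OpenSSH client: the "-N" flag (run no remote command) stands in for the "sleep 9999999" trick, and the optional bind address in "-L" pins the listener to 127.0.0.1. The hostnames are the article's example names, and the listener lines are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original article). Builds the ssh forward
# used in the text and checks that the local end is bound to loopback only.
# Hostnames are the article's example values, not real servers.

# Print the ssh command for the tunnel. Pinning the bind address to
# 127.0.0.1 keeps other hosts from using the forwarded port; -N asks
# ssh to run no remote command, so no "sleep" is needed to hold it open.
build_tunnel_cmd() {
    local_port=$1; p4host=$2; p4port=$3; gateway=$4
    printf 'ssh -n -N -L 127.0.0.1:%s:%s:%s %s\n' \
        "$local_port" "$p4host" "$p4port" "$gateway"
}

# P4PORT value the Perforce client should use for the forwarded port.
p4port_for_tunnel() {
    printf 'localhost:%s\n' "$1"
}

# Given one listener address as shown in the "Local Address:Port" column
# of "ss -ltn" / "netstat -an", return 0 when it is bound to loopback
# only and 1 when it is reachable from other hosts (0.0.0.0 or :: bind).
listener_is_local_only() {
    case "$1" in
        127.0.0.1:*|"[::1]:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample listener addresses for a tunnel on port 4242.
SAFE_LISTENER='127.0.0.1:4242'
EXPOSED_LISTENER='0.0.0.0:4242'

# Usage demonstration: show the command, the P4PORT, and classify samples.
build_tunnel_cmd 4242 perforce.bigco.com 3710 gateway.bigco.com
p4port_for_tunnel 4242
for l in "$SAFE_LISTENER" "$EXPOSED_LISTENER"; do
    if listener_is_local_only "$l"; then
        echo "$l: bound to loopback only"
    else
        echo "$l: WARNING, reachable from other hosts; rebind with -L 127.0.0.1:PORT:..."
    fi
done
```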