4. Detailed Directions

First, from a machine inside the firewall, telnet to a target machine outside the firewall and log in.

Unless you are under linux and will be using the proc filesystem (see below) make sure your shell is an sh style shell. Ie if your default shell is a csh variant, invoke telnet by:

setenv SHELL /bin/sh; telnet machine.outside

After logging in, on the remote (outside) machine invoke the command:

term -r -n off telnet

Now break back to the telnet prompt on the local (inside) machine, using ^] or whatever, and use the telnet shell escape command ! to invoke term:

telnet> ! term -n on telnet >&3 <&3

That's it!

If you have a variant telnet, you might have to use some other file descriptor than 3; easy to check using strace. But three seems to work on all bsd descendent telnet clients I've tried, under both SunOS 4.x and the usual linux distributions.

Some telnet clients do not have the ! shell escape command. Eg the telnet client distributed with Slackware 3.0 is one such client. The sources that the Slackware telnet client is supposedly built from

ftp://ftp.cdrom.com:/pub/linux/slackware-3.0/source/n/tcpip/NetKit-B-0.05.tar.gz

A simple solution is therefore to obtain these sources and recompile them. This unfortunately is a task I have had no luck with. Plus, if you are running from inside a SOCKS firewall, you will need a SOCKSified telnet client anyway. To that end, I was able to compile a SOCKSified telnet client from:

ftp://ftp.nec.com/pub/security/socks.cstc/socks.cstc.4.2.tar.gz

or, if you're outside the USA,

ftp://ftp.nec.com/pub/security/socks.cstc/export.socks.cstc.4.2.tar.gz

Alternatively, under linux kernels up to 1.2.13, you can pause the telnet with ^]^z, figure out its pid, and invoke:

term -n on -v /proc/&,t;telnetpid>/fd/3 telnet

This doesn't work with kernels after 1.3.x, which closed some mysterious security hole by preventing access to these fd's by processes other than the owner process and its children.