Date: Wed, 28 Jul 1999 22:20:05 -0400 From: "James C. Durham" <durham@w2xo.pgh.pa.us> To: pram512@antisocial.com, freebsd-security@freebsd.org Subject: Re: ssh2 tunneling through firewall Message-ID: <379FBA55.61104FEF@w2xo.pgh.pa.us> References: <19990728210350.22272.rocketmail@web1004.mail.yahoo.com>
ME wrote:
> I'm having similar problems, with much the same
> progress as you. If you do get it figured out, would
> you please make sure to post your solution to the
> list, so the rest of us can benefit? (of course, if I
> happen to find a solution, I'll do the same)
> Thanks
> -miak.

Well.. I feel like a real dunce. I usually find out that my problems are something stupid I have overlooked, and this was no exception.

Somehow, there were processes listening on the ports involved. I had the services commented out in inetd.conf, and I thought I had done a kill -1 on inetd, but maybe not. Anyhow, there was a storm today and the remote server rebooted, and now it works just fine.

I had thought, incorrectly, that it wouldn't forward any port, then I discovered that I could forward ports 8888 and 1558. I then jumped to the conclusion that it was only privileged ports that wouldn't forward, ...you see... I kept getting deeper... 8-). Anyhow, it turns out that I must not have done an HUP on inetd and there were listeners on those ports. That was the whole problem. It works fine now. I have successfully forwarded web service and telnet through the firewall.

The only thing I can say in my defense is that the error message said "permission denied by server". It should have been "listener already listening on port" or something of that sort. I know that FreeBSD will do that if you start a service twice, so the error code exists. Oh well, that's the story.

I did some experimenting with various arguments to the "-R" option in ssh2. I found that "localhost" works just fine. The idea is that you can forward a port anywhere that the local system can connect. You can use any valid address. I guess you could forward your http port to any site on the web!

A nice feature of this is that you can assign a machine on your LAN as the "local server" and have it nail up an ssh connection to your "remote server" off-site, then forward the various ports on the remote server to various machines on your LAN. This will work even if they have no public IP addresses because your local server should have their "phoney" IP addresses in its /etc/hosts file. I tried this by forwarding from my remote server through my local server to "shazam.internal", which is my workstation and not known to the net at all. It worked fine. I'm very pleased at this point.

Forwarding the telnet port to a system with tcpwrappers causes an immediate disconnect. I'm not sure why, but I guess it detects the relay.

So, what you need to do is:

1. Set up sshd2 on your remote server.
2. Make sure you have all the services listening on any port you want to forward killed dead!
3. Set up ssh2 on your local server.
4. Nail up an ssh connection with:

       ssh2 -R 23:localhost:23 remote.server.xx

   (you must be root to forward ports < 1024).

Now, when you telnet to remote.server.xx you get the local server's telnet login. If you use

    ssh2 -R 23:lanmachine1:23 remote.server.xx

then you will see the telnet login of a machine on your LAN.

I've certainly got a bloody spot on the wall from banging my head, but I finally got it! Duhhhh...

Thanks to all for the input!

--
Jim Durham
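An added example, not part of the thread: the failure Jim describes is a listener already bound on the remote port, so a small sh check against `netstat -an` style output (the sample below is constructed, not captured from his server) before building the `ssh2 -R` command makes that conflict visible instead of surfacing as "permission denied by server".

```shell
#!/bin/sh
# Constructed sample of what `netstat -an` might show on the remote server:
# telnet (23) and sshd (22) still listening, one established connection on 8888.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.23                   *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  192.0.2.10.8888        192.0.2.20.41022       ESTABLISHED'

# listening_on PORT LISTING
# Prints every LISTEN line whose local port is PORT; exit 0 if any, 1 otherwise.
# BSD netstat writes the local address as host.port, so the port is the last
# dot-separated field of column 4.
listening_on() {
    port=$1
    listing=$2
    printf '%s\n' "$listing" | awk -v p="$port" '
        $NF == "LISTEN" {
            n = split($4, a, ".")
            if (a[n] == p) { print; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# forward_cmd RPORT TARGET_HOST TARGET_PORT REMOTE LISTING
# Prints the ssh2 -R command (hypothetical helper, mirrors the thread's
# "ssh2 -R 23:localhost:23 remote.server.xx" form) unless RPORT already has a
# listener on REMOTE, in which case it reports the conflict and returns 1.
forward_cmd() {
    rport=$1; thost=$2; tport=$3; remote=$4; listing=$5
    if conflict=$(listening_on "$rport" "$listing"); then
        printf 'port %s already has a listener on %s:\n%s\n' \
            "$rport" "$remote" "$conflict"
        return 1
    fi
    printf 'ssh2 -R %s:%s:%s %s\n' "$rport" "$thost" "$tport" "$remote"
}

# Usage: port 23 is taken in the sample, port 1558 is free.
forward_cmd 23 localhost 23 remote.server.xx "$SAMPLE_NETSTAT" || :
forward_cmd 1558 shazam.internal 23 remote.server.xx "$SAMPLE_NETSTAT"
```

On the real server you would feed it `"$(netstat -an)"` (or `sockstat -l` output with the awk column adjusted) instead of the constructed sample.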