Date: Wed, 03 Jun 2009 09:19:25 +0200
From: "Sajó Zsolt Attila" <sajozsattila@citromail.hu>
To: <freebsd-questions@freebsd.org>
Subject: sshd in jail
Message-ID: <20090603071925.22294.qmail@server14.citromail.hu>
Hi!

I would like to use sshd in a jail, but the port forwarding doesn't work in the pf firewall. My jail IP: 10.0.0.40. If I use the "ssh -l user 10.0.0.40" command it works, but when I use the "ssh -p 5859 -vv -l user luk1814.no-ip.org" command I get this error:

OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to luk1814.no-ip.org [84.3.27.205] port 5859.
debug1: connect to address 84.3.27.205 port 5859: Connection refused
ssh: connect to host luk1814.no-ip.org port 5859: Connection refused

The "pfctl -sn" command output:

nat on vr0 inet from 10.0.0.20 to any -> (vr0) round-robin
nat on vr0 inet from 10.0.0.40 to any -> (vr0) round-robin
rdr on vr0 inet proto tcp from any to any port = 5859 -> 10.0.0.40 port 22

My pf.conf:

Ext = "vr0" # output interface
Loop = "lo0" # Loopback interface
IntNet1="10.0.0.20" # Jail 1
IntNet2="10.0.0.40" # Jail 2 this is running the sshd
NoRoute = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
InServicesTCP = "{ ssh, http, https }"
OutServicesTCP = "{ http, https, whois, domain, ssh, ftp, ftp-data, nntp, 1863, 8880 }"
OutServicesUDP = "{ ntp, domain }"
NowDeny = "{ 445, 67, 68 }"
X11 = "{ 6010, 5900}"
Timeserver = "{ 148.6.0.1 }"
CVSupServers = "{ 212.19.57.134 }"
CVSupPorts = "{ 5999 }"
DynDNSServer = "{ 63.208.196.94 }"
DynDNSPorts = "{ 8245 }"

scrub in on $Ext all

altq on $Ext priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

nat on $Ext from $IntNet1 to any -> ($Ext)
nat on $Ext from $IntNet2 to any -> ($Ext)
rdr on $Ext proto tcp from any to any port 5859 -> $IntNet2 port 22

block in quick on $Ext proto { tcp, udp} from any to any port $NowDeny
block out log on $Ext all
block in log on $Ext all
block return-rst out log on $Ext proto tcp all
block return-rst in log on $Ext proto tcp all
block return-icmp out log on $Ext proto udp all
block return-icmp in log on $Ext proto udp all
block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $Ext inet proto tcp from any to any flags /SFRA
block in log quick on $Ext from $NoRoute to any
block out log quick on $Ext from any to $NoRoute
block in quick on $Ext from any to 255.255.255.255

pass in quick on $Ext proto tcp from any to $IntNet2 port 8022 keep state
pass in quick on $Loop all
pass out quick on $Loop all
pass out quick on $Ext inet proto tcp from any to any port > 1024 flags S/SA keep state
pass out quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
pass in log quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SA keep state
pass out quick on $Ext inet proto udp from any to any port $OutServicesUDP keep state
pass out quick on $Ext inet proto tcp from any to any port $OutServicesTCP flags S/SA modulate state
pass out quick on $Ext inet proto tcp from any to $CVSupServers port $CVSupPorts flags S/SA modulate state
pass out quick on $Ext inet proto tcp from any to $Timeserver port time flags S/SA modulate state
pass out quick on $Ext inet proto tcp from any to any port { 6880><6889, 6969 } flags S/SAFR keep state
pass in quick on $Ext inet proto tcp from any to any port 6880><6889 flags S/SAFR keep state

anchor passin

Does somebody know why the rdr doesn't work?
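The likely cause and a corrected rule, as an added example that is not part of the original post or a reply to it: pf applies rdr before the filter rules, so by the time the filter evaluates the packet its destination is already $IntNet2 port 22, not port 5859. The only rule that passes inbound traffic to $IntNet2 matches port 8022, which nothing is redirected to, so the SYN falls through to "block return-rst in log on $Ext proto tcp all", and the RST pf sends back is exactly what the client reports as "Connection refused". The fragment below reuses the poster's macros and rdr unchanged and replaces only the pass rule; the overload table name is an assumption.

```pf
# Added example, not the poster's config. Macros and rdr are taken from the post.
Ext = "vr0"
IntNet2 = "10.0.0.40"   # jail running sshd

# Redirect external port 5859 to the jail's sshd. Translation happens before
# filtering, so filter rules must match the translated destination (port 22).
rdr on $Ext proto tcp from any to any port 5859 -> $IntNet2 port 22

# Original pass rule: never matches, because nothing is redirected to port 8022,
# so the connection hits the "block return-rst in" rule and the client sees RST.
# pass in quick on $Ext proto tcp from any to $IntNet2 port 8022 keep state

# Corrected pass rule: match the post-rdr destination, accept only new
# connections (SYN without ACK, as the other pass rules in the post do) and
# keep state so the rest of the session is allowed through.
pass in quick on $Ext inet proto tcp from any to $IntNet2 port 22 flags S/SA keep state

# Optional hardening for an sshd exposed on the Internet: rate-limit new
# connections per source and drop repeat offenders into a table. Table name
# <ssh_abusers> is an assumption; use it instead of the plain rule above.
# table <ssh_abusers> persist
# block in quick on $Ext proto tcp from <ssh_abusers> to $IntNet2 port 22
# pass in quick on $Ext inet proto tcp from any to $IntNet2 port 22 flags S/SA \
#     keep state (max-src-conn-rate 5/30, overload <ssh_abusers> flush)
```

Reload with "pfctl -f /etc/pf.conf" and confirm with "pfctl -sn" (translation) and "pfctl -sr" (filter rules). If the connection is still refused, the ruleset already logs its block rules, so "tcpdump -n -e -ttt -i pflog0 port 22" shows which rule number is rejecting the redirected SYN. Note that "rdr on $Ext" only applies to packets arriving on vr0: a test from the host itself or from a machine behind the same box never enters vr0 and will not be redirected without separate reflection rules, so verify from an outside address.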