Site Navigation

Date:      Wed, 3 Jun 2009 10:32:02 +0300
From:      Valentin Bud <valentin.bud@gmail.com>
To:        =?ISO-8859-1?Q?Saj=F3_Zsolt_Attila?= <sajozsattila@citromail.hu>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: sshd in jail
Message-ID:  <139b44430906030032o7bb798e1rcbcf80fc9b26e46@mail.gmail.com>
In-Reply-To: <20090603071925.22294.qmail@server14.citromail.hu>
References:  <20090603071925.22294.qmail@server14.citromail.hu>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

2009/6/3 Saj=F3 Zsolt Attila <sajozsattila@citromail.hu>

> Hi!
>
> I would like use the sshd in jail, but the port forwarding doesn't work i=
n
> the pf firewall. My jail ip: 10.0.0.40. If I use the ssh -l user 10.0.0.4=
0
> command it's well, but when I use the "ssh -p 5859 -vv -l user
> luk1814.no-ip.org" command I get this error:
> OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to luk1814.no-ip.org [84.3.27.205] port 5859.
> debug1: connect to address 84.3.27.205 port 5859: Connection refused
> ssh: connect to host luk1814.no-ip.org port 5859: Connection refused
>
>
> The "pfctr -sn" command output's:
> nat on vr0 inet from 10.0.0.20 to any -&gt; (vr0) round-robin
> nat on vr0 inet from 10.0.0.40 to any -&gt; (vr0) round-robin
> rdr on vr0 inet proto tcp from any to any port =3D 5859 -&gt; 10.0.0.40 p=
ort
> 22
>
>
> My pf.conf:
> Ext =3D "vr0" # output interface
> Loop =3D "lo0" # Loopback interface
> IntNet1=3D"10.0.0.20" # Jail 1
> IntNet2=3D"10.0.0.40" # Jail 2 this is running the sshd
> NoRoute =3D "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8,
> 255.255.255.255/32 }"
> InServicesTCP =3D "{ ssh, http, https }"
> OutServicesTCP =3D "{ http, https, whois, domain, ssh, ftp, ftp-data, nnt=
p,
> 1863, 8880 }"
> OutServicesUDP =3D "{ ntp, domain }"
> NowDeny =3D "{ 445, 67, 68 }"
> X11 =3D "{ 6010, 5900}"
> Timeserver =3D "{ 148.6.0.1 }"
> CVSupServers =3D "{ 212.19.57.134 }"
> CVSupPorts =3D "{ 5999 }"
> DynDNSServer =3D "{ 63.208.196.94 }"
> DynDNSPorts =3D "{ 8245 }"
> scrub in on $Ext all
> altq on $Ext priq bandwidth 100Kb queue { q_pri, q_def }
> queue q_pri priority 7
> queue q_def priority 1 priq(default)
> nat on $Ext from $IntNet1 to any -&gt; ($Ext)
> nat on $Ext from $IntNet2 to any -&gt; ($Ext)
> rdr on $Ext proto tcp from any to any port 5859 -&gt; $IntNet2 port 22
> block in quick on $Ext proto { tcp, udp} from any to any port $NowDeny
> block out log on $Ext all
> block in log on $Ext all
> block return-rst out log on $Ext proto tcp all
> block return-rst in log on $Ext proto tcp all
> block return-icmp out log on $Ext proto udp all
> block return-icmp in log on $Ext proto udp all
> block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
> block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
> block in log quick on $Ext inet proto tcp from any to any flags /SFRA
> block in log quick on $Ext from $NoRoute to any
> block out log quick on $Ext from any to $NoRoute
> block in quick on $Ext from any to 255.255.255.255
> pass in quick on $Ext proto tcp from any to $IntNet2 port 8022 keep state



>
> pass in quick on $Loop all
> pass out quick on $Loop all

This two could be changed to
'set skip on lo0' in the pf OPTIONS section.

>
> pass out quick on $Ext inet proto tcp from any to any port &gt; 1024 flag=
s
> S/SA keep state
> pass out quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
> pass in log quick on $Ext inet proto icmp all icmp-type 8 code 0 keep sta=
te
> pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP
> flags S/SA keep state
> pass out quick on $Ext inet proto udp from any to any port $OutServicesUD=
P
> keep state
> pass out quick on $Ext inet proto tcp from any to any port $OutServicesTC=
P
> flags S/SA modulate state
> pass out quick on $Ext inet proto tcp from any to $CVSupServers port
> $CVSupPorts flags S/SA modulate state
> pass out quick on $Ext inet proto tcp from any to $Timeserver port time
> flags S/SA modulate state
> pass out quick on $Ext inet proto tcp from any to any port {
> 6880&gt;&lt;6889, 6969 } flags S/SAFR keep state
> pass in quick on $Ext inet proto tcp from any to any port 6880&gt;&lt;688=
9
> flags S/SAFR keep state
> anchor passin
>
>
> Somebody knows why doesn't work the rdr?
>

You don't have a pass rule for the 5859 port. You can, however, accomplish
what you want in a couple of ways.

1. use the pass keyword in rdr
rdr *pass* on vr0 inet proto tcp from any to any port =3D 5859 -&gt; 10.0.0=
.40
port 22

2. a separate pass in rule
pass in quick on $Ext inet proto tcp from any to any port 5859 flags S/SA
keep state.

3. simply add 5859 port to $InServicesTCP macro.

a great day,
v

>
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe@freebsd.org"
>



--=20
network warrior since 2005

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?139b44430906030032o7bb798e1rcbcf80fc9b26e46>

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact