From: Grzegorz Junka
To: Doug Hardie
Cc: freebsd-net@freebsd.org
Subject: Re: sshd on two fibs
Date: Mon, 21 Sep 2020 06:40:53 +0000
Message-ID: <4cdc586c-2fc7-e1e2-8b9d-d9ded7e6a417@gjunka.com>
In-Reply-To: <4D284B7B-F894-46EF-997E-2446117585B7@mail.sermon-archive.info>
List-Id: Networking and TCP/IP with FreeBSD

On 21/09/2020 00:35, Doug Hardie wrote:
>> On 20 September 2020, at 16:20, Grzegorz Junka wrote:
>>
>> I have two WANs and a server with two interfaces, each interface reaching a different WAN. The server is configured with two routing tables, fib0 and fib1, one per the corresponding interface.
>>
>> I would like sshd to listen on both interfaces but on different fibs, so that returning packets are sent to the proper gateway. Can I do it with one sshd? Do I need to run two separate sshd's? Can I run two separate sshd's on the same box?
>
> I have sshd running on two interfaces by using pf to handle the situation. /etc/rc.conf contains
> sshd_enable="YES"
>
> pf.conf contains
> ext_if = "em0"
> back_if = "em1"
> set skip on lo0
> SSH = "nn"
> pass in all
> pass out all
> pass in log on $back_if proto tcp from any to any port $SSH
> pass in log on $back_if reply-to ($back_if 192.168.1.254) proto tcp from any to any port $SSH keep state
>
> where:
> nn is the non-standard port I use for ssh
> 192.168.1.254 is the router for the second interface.
>
> I don't use fibs at all for this, although I do have them set up for when I want to check out the second port connections.
Thanks for your response. I don't use fibs to handle this. I have fibs configured for jails, and because of that I already have the proper gateways configured there, so I thought I could reuse them. The pf solution is of course good, but this is not a public-facing server and I don't have pf set up on it. That is not a big problem; I am just wondering whether pf is the right solution to handle this?
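The "two separate sshd's" route the thread asks about, as an added example that is not code from either poster: one sshd instance per FIB, each started under setfib(1) and bound only to the address that lives in that FIB, so replies leave through that interface's gateway. Interface names, addresses, ports and file paths are constructed assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): one sshd instance per FIB on
# FreeBSD, so a session accepted on an interface replies through that
# interface's own default gateway instead of fib 0's.
# Constructed assumptions: em0 10.0.0.2 lives in fib 0, em1 192.168.1.2 in
# fib 1, both FIBs already carry a default route, and the configs are written
# under $TMPDIR so this runs anywhere without touching /etc/ssh.

# Write a per-FIB sshd_config that binds only the address living in that FIB.
# Binding a single address matters: an instance listening on 0.0.0.0 would
# also accept connections arriving on the other interface and answer them
# from the wrong routing table.
#   $1 = fib number, $2 = listen address, $3 = port, $4 = output file
gen_sshd_config() {
    fib=$1; addr=$2; port=$3; out=$4
    cat > "$out" <<EOF
# sshd instance bound to fib $fib (constructed example, not a real host config)
ListenAddress $addr:$port
PidFile /var/run/sshd.fib$fib.pid
PermitRootLogin no
PasswordAuthentication no
EOF
}

# Command line that starts an instance inside its FIB: setfib(1) makes the
# daemon, and every socket it creates, use routing table $1.
#   $1 = fib number, $2 = config file
sshd_cmd() {
    echo "setfib $1 /usr/sbin/sshd -f $2"
}

# Guard against the overlap described above: the two configs must each bind
# exactly one address, and not the same one.
check_no_overlap() {
    a=$(awk '/^ListenAddress/ { print $2 }' "$1")
    b=$(awk '/^ListenAddress/ { print $2 }' "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]
}

tmp=${TMPDIR:-/tmp}/sshd-fib-example.$$
mkdir -p "$tmp"
gen_sshd_config 0 10.0.0.2 22 "$tmp/sshd_config.fib0"
gen_sshd_config 1 192.168.1.2 22 "$tmp/sshd_config.fib1"
check_no_overlap "$tmp/sshd_config.fib0" "$tmp/sshd_config.fib1" || exit 1
# Print the two launch lines; run them as root on the real host.
sshd_cmd 0 "$tmp/sshd_config.fib0"
sshd_cmd 1 "$tmp/sshd_config.fib1"
```

If only the stock single instance needs to move into one FIB, rc.subr(8)'s ${name}_fib variable (sshd_fib="1" in rc.conf) applies the same setfib wrapping; a second instance still needs its own config file and PidFile as above.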