From owner-freebsd-questions Mon Mar 10 21:32: 5 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9CAFA37B404 for ; Mon, 10 Mar 2003 21:32:03 -0800 (PST)
Received: from ren.sasknow.com (ren.sasknow.com [207.195.92.131]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0D0B243F85 for ; Mon, 10 Mar 2003 21:32:02 -0800 (PST) (envelope-from ryan@sasknow.com)
Received: from earl.sasknow.net (earl.sasknow.net [207.195.92.130]) by ren.sasknow.com (8.12.3/8.12.6) with ESMTP id h2B5W1p4072043 for ; Mon, 10 Mar 2003 23:32:01 -0600 (CST) (envelope-from ryan@sasknow.com)
Received: from ren (ren.sasknow.com [207.195.92.131]) by earl.sasknow.net (8.12.3/8.12.6) with ESMTP id h2B5W17D093749 for ; Mon, 10 Mar 2003 23:32:01 -0600 (CST) (envelope-from ryan@sasknow.com)
Date: Mon, 10 Mar 2003 23:32:00 -0600 (CST)
From: Ryan Thompson
To: freebsd-questions@freebsd.org
Subject: SSH to a box behind NAT
Message-ID: <20030310224025.L34446-100000@ren.sasknow.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Audit: Email processed by earl.sasknow.com filter
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi all,

I have a FreeBSD server behind NAT (on an RFC1918 address). The NAT machine is actually an NT box on a network we don't have access to. (So, it is not possible, for instance, to set up port-based NAT for inbound SSH, which is one of two things I'd normally do.) The server can, however, initiate arbitrary outbound connections. So, I'm fishing for a tech workaround to this management problem. :-)

I need to be able to have an interactive SSH session on the server (Server) from another host (Manager) on the Internet (for remote management). That is, I need to connect to Server to do remote management.
                 <--- NAT --->
  [ Server ] --- [ NT Gateway ] --- { Internet } --- [ Manager ]
  192.168.0.2      192.168.0.1        207.1.1.1         24.1.1.1

Manager is a highly available FreeBSD server (i.e., static public IP).

The first thing that comes to mind is some kind of "pull" technique to have *Server* initiate the connection. Server already initiates cron'd SSH connections to Manager to do automated backup/rsync tasks, but I can't think of a way to actually start an interactive login in that manner.

So far the best I've come up with is to configure a secure known path on Manager for batch scripts (so, not really interactive, but close enough for 90% of tasks) and have Server simply attempt to scp (pull) the file at regular intervals, and execute its contents. Server can capture the output and scp (push) that back to Manager. Manager never actually initiates anything. Obviously, this will be a leading cause of ass pain in troubleshooting scenarios, and will be a *real* pain for anything that actually requires an interactive session.

Unfortunately, that idea has, so far, been the *last* thing to come to mind. Any *other* ideas? :-)

Thanks,
- Ryan

--
  Ryan Thompson
  SaskNow Technologies - http://www.sasknow.com
  901-1st Avenue North - Saskatoon, SK - S7K 1Y4

        Tel: 306-664-3600   Fax: 306-244-7037   Saskatoon
  Toll-Free: 877-727-5669     (877-SASKNOW)     North America

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
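The pull scheme Ryan sketches (Server fetches a batch file from a known path on Manager by scp, runs it, and pushes the captured output back) as an added shell example; this is not code from the original post. The Manager hostname, the dedicated account and key, and the spool paths are assumed names; the script records a job's checksum before running it so a stale or re-fetched file is never executed twice, and pins the host key so only the real Manager can hand Server a job.

```shell
#!/bin/sh
# Pull-based remote management loop for a host that can only dial out.
# Added example; assumed names: $MANAGER, the srvpull account, the key path.
MANAGER="${MANAGER:-manager.example.net}"               # assumed Manager hostname
MGR_USER="${MGR_USER:-srvpull}"                         # assumed dedicated account on Manager
JOB_PATH="${JOB_PATH:-/home/srvpull/jobs/pending.sh}"   # assumed "secure known path"
KEY="${KEY:-/root/.ssh/id_mgmt_pull}"                   # assumed key used for this job only
SPOOL="${SPOOL:-/var/spool/mgmtpull}"
# Host key pinned (StrictHostKeyChecking=yes) and batch mode (-B) so a cron run
# never prompts; SCP is a variable so the job logic can be exercised offline.
SCP="${SCP:-scp -q -B -o StrictHostKeyChecking=yes -i $KEY}"

checksum() { cksum "$1" | cut -d' ' -f1; }

# Copy Manager's pending job into the spool. Returns non-zero when nothing was fetched.
fetch_job() {
    mkdir -p "$SPOOL"
    $SCP "$MGR_USER@$MANAGER:$JOB_PATH" "$SPOOL/job.sh" 2>/dev/null
}

# Run job $1 unless its checksum equals the one recorded in stamp file $2.
# Output and exit status are written to $3. Returns 2 when the job was already run.
run_job() {
    job="$1"; stamp="$2"; out="$3"
    sum=$(checksum "$job")
    [ -f "$stamp" ] && [ "$(cat "$stamp")" = "$sum" ] && return 2
    echo "$sum" > "$stamp"          # record first: a job runs at most once, even if we crash
    {
        echo "### job cksum=$sum start=$(date)"
        rc=0; sh "$job" 2>&1 || rc=$?
        echo "### exit=$rc end=$(date)"
    } > "$out"
    return 0
}

# Push the captured output back next to the job file on Manager.
push_result() {
    $SCP "$1" "$MGR_USER@$MANAGER:$(dirname "$JOB_PATH")/result.$(date +%s).txt"
}

# Installed as mgmtpull.sh and run from Server's cron, e.g.:
#   */5 * * * * /usr/local/sbin/mgmtpull.sh
main() {
    fetch_job || exit 0
    run_job "$SPOOL/job.sh" "$SPOOL/last.cksum" "$SPOOL/out.txt" || exit 0
    push_result "$SPOOL/out.txt"
}
case "$(basename "$0")" in mgmtpull.sh) main "$@" ;; esac
```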