Date: Mon, 10 Mar 2003 22:37:37 -0800
From: Nathan Kinkade
To: Ryan Thompson
Cc: freebsd-questions@freebsd.org
Subject: Re: SSH to a box behind NAT
Message-ID: <20030311063737.GC17359@sub21-156.member.dsl-only.net>
In-Reply-To: <20030310224025.L34446-100000@ren.sasknow.com>

On Mon, Mar 10, 2003 at 11:32:00PM -0600, Ryan Thompson wrote:
>
> Hi all,
>
> I have a FreeBSD server behind NAT (on an RFC1918 address). The NAT
> machine is actually an NT box on a network we don't have access to.
> (So, it is not possible, for instance, to set up port based NAT for
> inbound SSH, which is one of two things I'd normally do). The server
> can, however, initiate arbitrary outbound connections.
>
> So, I'm fishing for a tech workaround to this management problem. :-)
>
> I need to be able to have an interactive SSH session on the server
> (Server) from another host (Manager) on the Internet (for remote
> management). That is, I need to connect to Server to do remote
> management.
>
>                <--- NAT --->
> [ Server ] --- [ NT Gateway ] --- { Internet } --- [ Manager ]
> 192.168.0.2    192.168.0.1                         207.1.1.1
>                24.1.1.1
>
> Manager is a highly available FreeBSD server (i.e., static public IP).
>
> The first thing that comes to mind is some kind of "pull" technique to
> have *Server* initiate the connection. Server already initiates cron'd
> SSH connections to Manager to do automated backup/rsync tasks, but I
> can't think of a way to actually start an interactive login in that
> manner.
>
> So far the best I've come up with is to configure a secure known path
> on Manager for batch scripts (so, not really interactive, but close
> enough for 90% of tasks) and have Server simply attempt to scp (pull)
> the file at regular intervals, and execute its contents. Server can
> capture the output and scp (push) that back to Manager. Manager never
> actually initiates anything. Obviously, this will be a leading cause
> of ass pain in troubleshooting scenarios, and will be a *real* pain
> for anything that actually requires an interactive session.
>
> Unfortunately, that idea has, so far, been the *last* thing to come to
> mind. Any *other* ideas? :-)
>
> Thanks,
> - Ryan

Could you have Server start an xterm, or similar, and have it send the
display to Manager - with something like 'xterm -display Manager:0' from
Server? This is assuming that you are running X on Manager.

Nathan

-- 
GPG Public Key ID: 0x4250A04C
gpg --keyserver pgp.mit.edu --recv-keys 4250A04C
http://63.105.21.156/gpg_nkinkade_4250A04C.asc