From owner-freebsd-questions Mon Mar 10 23:09:29 2003
Date: Mon, 10 Mar 2003 23:09:14 -0800
From: James Long
To: Ryan Thompson
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: SSH to a box behind NAT
Message-ID: <20030310230914.A53656@ns.museum.rain.com>
Reply-To: james_mapson@museum.rain.com
References: <20030310224025.L34446-100000@ren.sasknow.com>
In-Reply-To: <20030310224025.L34446-100000@ren.sasknow.com>; from ryan@sasknow.com on Mon, Mar 10, 2003 at 11:32:00PM -0600
User-Agent: Mutt/1.2.5i

On Mon, Mar 10, 2003 at 11:32:00PM -0600, Ryan Thompson wrote:
>
> (So, it is not possible, for instance, to set up port based NAT for
> inbound SSH, which is one of two things I'd normally do). The server
> can, however, initiate arbitrary outbound connections.
Then I'd suggest creating a ppp-over-ssh tunnel à la Greg Bond's
http://www.itga.com.au/~gnb/vpn/

Have (Server) initiate the tunnel, and let the other end of the tunnel
terminate at (Manager). You can then use the tunnel to effectively bypass
the NT NAT box.

>                      <--- NAT --->
> [ Server ] --- [ NT Gateway ] --- { Internet } --- [ Manager ]
>  192.168.0.2      192.168.0.1                       207.1.1.1
>                   24.1.1.1
     tun0                                               tun0
  172.16.16.1 <------------------------------------> 172.16.16.2

Once the tunnel comes up, (Manager) should be able to ssh at will into
172.16.16.1 interactively.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
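An added sketch of the setup suggested above, not taken from James Long's message or from Greg Bond's page: a FreeBSD user-ppp configuration for the Server end, plus the matching authorized_keys entry and ppp.conf label on Manager. The label name `tunnel`, the `tunnel` account on Manager and the key path are assumptions, and the ppp.conf directives are written from memory of ppp(8), so check them against the version on your system. The forced command on Manager is the defender's point: the key the NATted Server holds can only start the ppp peer, never a shell.

```conf
# --- On Server (192.168.0.2, behind the NAT): /etc/ppp/ppp.conf ---
# Server dials OUT over ssh, so nothing is opened on the NT gateway.
default:
 set log Phase Chat LCP IPCP CCP tun command

tunnel:
 # A leading "!" makes ppp talk to a program's stdin/stdout instead of
 # a serial device. No -t: a raw (pty-less) channel is binary-safe.
 # Key path and "tunnel" account on Manager (207.1.1.1) are assumed.
 set device "!ssh -i /root/.ssh/tunnel_key tunnel@207.1.1.1"
 # No modem, no login prompt: clear the chat scripts.
 set dial ""
 set login ""
 # Local tun0 address, then the peer's, as in the diagram above.
 set ifaddr 172.16.16.1 172.16.16.2
 # Link-quality reports let ppp notice and tear down a dead tunnel.
 enable lqr

# --- On Manager (207.1.1.1): ~tunnel/.ssh/authorized_keys ---
# Forced command: this key may only run "ppp -direct tunnel" (ppp on
# stdin/stdout); no shell, no forwarding, no pty. The tunnel account
# must itself be allowed to run ppp (assumed: member of group network).
command="/usr/sbin/ppp -direct tunnel",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...SERVER-PUBLIC-KEY-PLACEHOLDER...

# --- On Manager: /etc/ppp/ppp.conf ---
# Mirror image of the Server label: Manager is 172.16.16.2.
tunnel:
 set ifaddr 172.16.16.2 172.16.16.1
 enable lqr
```

Start it on Server with `ppp -background tunnel` (or `-ddial` to re-dial when the ssh session drops); once tun0 is up on both sides, Manager reaches the Server with `ssh 172.16.16.1`, and a packet filter on Manager's tun0 can restrict that path to ssh alone.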