From: Steve Bertrand
To: Doug Hardie
Cc: freebsd-questions
Date: Wed, 21 May 2008 20:59:47 -0400
Message-ID: <4834C583.7050606@ibctech.ca>
Subject: Re: Unusual use of ssh

> Sure enough, ssh packets are
> received by the host. The problem is that it does not respond on the
> right interface. The routing table uses a default route through the
> T1. That's where the sshd responses are being sent.

If I understand correctly, this is only one box you need a correction for. Read on.
> Since I have no a priori knowledge what IPs I would have available when
> I need to use this back door, I can't pre-setup the routing table.

Fair enough.

> I need sshd to respond on the same interface it receives the packets
> from. I don't believe that is possible using IPv4 routing.

Not at the layer-3 level directly. To do this dynamically you will need to perform some sort of "policy based routing".

> I think that it is using IPv6 but none of the networks involved support that
> yet.

Well, that's a topic up for review. Technically, in IPv6, there is no correlation between how a host selects its source address for an IP packet based on its destination address. I've been trying to understand and follow the consequences of this for some time:

http://www.ietf.org/internet-drafts/draft-ietf-v6ops-addr-select-ps-06.txt

...or:

http://tinyurl.com/64l9pn

> I don't find any option in sshd to force it to respond on the
> right interface either. Is there something I have missed?

Most likely, if this is a single machine you are speaking of, a script that will check for connectivity to a remote address periodically (e.g. every five minutes) and then dynamically change its default gateway at kernel level (not userland level) prior to SSH incoming may fix your problem.

This is a little difficult to do without dynamic routing, but relatively simple if you can put up with manually changing back the route once the T1 comes back up.

A script that does:

- ping remote addr
- if fail, route delete default, route add default (ADSL gw)

There was a very good discussion on fbsd-net@ last week regarding progress with multiple routing tables. I didn't get right into it so I don't know if it will help, but your true three options are:

- dynamic routing (co-operation with ISPs)
- IPFW (or equivalent) policy based routing (source routing)
- periodic check via a script

Regards,

Steve
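The following is an added example of the "periodic check via a script" option sketched in the message above; it is not code from the message, from Doug's setup, or from FreeBSD. It goes one step beyond the sketch: besides falling over to the ADSL gateway when the T1 probe fails, it moves the default route back to the T1 gateway once the probe answers again, so the manual "change back" step is not needed. The gateway and probe addresses (192.0.2.1, 198.51.100.1, 192.0.2.254) are constructed placeholders, and the decision logic is split into small functions so it can be checked against captured `netstat -rn` output without touching the live routing table.

```shell
#!/bin/sh
# gwcheck.sh: added example of a cron-driven default-route failover check.
# Not from the original message. Addresses below are constructed placeholders.
# Run from cron, e.g. every five minutes:  */5 * * * * /usr/local/sbin/gwcheck.sh
# Usage: gwcheck.sh [-n]   (-n prints the route(8) commands instead of running them)

T1_GW="192.0.2.1"          # placeholder: T1 provider's gateway
ADSL_GW="198.51.100.1"     # placeholder: ADSL provider's gateway
PROBE="192.0.2.254"        # placeholder: an address that is only reachable via the T1
LOG_TAG="gwcheck"

# Extract the IPv4 default gateway from `netstat -rn` output read on stdin.
default_gw() {
    awk '$1 == "default" { print $2; exit }'
}

# Decide what to do. Arguments: probe result (0 = reachable), current gateway.
# Prints one of: keep, failover, restore.
decide() {
    probe_ok="$1"
    cur_gw="$2"
    if [ "$probe_ok" -eq 0 ]; then
        # T1 path answers: make sure the default route points at it again.
        if [ "$cur_gw" = "$T1_GW" ]; then echo keep; else echo restore; fi
    else
        # T1 path dead: move to the ADSL gateway unless already there.
        if [ "$cur_gw" = "$ADSL_GW" ]; then echo keep; else echo failover; fi
    fi
}

# Print the route(8) commands for an action, one per line, so they can be
# reviewed with -n or piped to sh.
route_cmds() {
    case "$1" in
        failover) printf 'route delete default\nroute add default %s\n' "$ADSL_GW" ;;
        restore)  printf 'route delete default\nroute add default %s\n' "$T1_GW" ;;
        keep)     : ;;
    esac
}

main() {
    dry_run=0
    [ "$1" = "-n" ] && dry_run=1
    cur_gw=$(netstat -rn -f inet | default_gw)
    # One echo request with a two-second wait (FreeBSD ping -t is the timeout).
    if ping -c 1 -t 2 "$PROBE" >/dev/null 2>&1; then probe=0; else probe=1; fi
    action=$(decide "$probe" "$cur_gw")
    [ "$action" = keep ] && return 0
    logger -t "$LOG_TAG" "probe to $PROBE -> $action (current default gw $cur_gw)"
    if [ "$dry_run" -eq 1 ]; then
        route_cmds "$action"
    else
        route_cmds "$action" | sh
    fi
}

# Only run main when invoked as gwcheck.sh, not when sourced for testing.
case "$0" in
    */gwcheck.sh|gwcheck.sh) main "$@" ;;
esac
```

Start with `gwcheck.sh -n` to see which `route` commands a run would issue before letting cron run it unattended. The probe address must be something that is reachable only through the T1 (a provider-side router, say), otherwise a dead T1 with a working ADSL path would still answer the ping and the default route would never move.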