Site Navigation

Date:      Wed, 03 Jun 2009 10:13:04 +0200
From:      "=?ISO-8859-2?Q?Saj=F3_Zsolt_Attila?=" <sajozsattila@citromail.hu>
To:        FreeBSD questions <freebsd-questions@freebsd.org>
Subject:   Re: sshd in jail
Message-ID:  <20090603081304.28276.qmail@server14.citromail.hu>
In-Reply-To: <139b44430906030032o7bb798e1rcbcf80fc9b26e46@mail.gmail.com>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

Thank you the help, but it doesn't work yet.
I prefer the "rdr pass on $Ext inet proto tcp from any to any port 5859 -&g=
t; 10.0.0.40 port 22", but I tried all ways, but absolutely nothing's chang=
ed.=20

-- Eredeti =FCzenet --
Felad=F3: Valentin Bud <valentin.bud@gmail.com>
C=EDmzett: Saj=F3 Zsolt Attila<sajozsattila@citromail.hu>
Elk=FCldve: 09:33
T=E9ma: Re: sshd in jail

2009/6/3 Saj=F3 Zsolt Attila  luk1814.no-ip.org" command I get this error:

> OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007

> debug1: Reading configuration data /etc/ssh/ssh_config

> debug2: ssh_connect: needpriv 0

> debug1: Connecting to luk1814.no-ip.org [84.3.27.205] port 5859.

> debug1: connect to address 84.3.27.205 port 5859: Connection refused

> ssh: connect to host luk1814.no-ip.org port 5859: Connection refused

>

>

> The "pfctr -sn" command output's:

> nat on vr0 inet from 10.0.0.20 to any -> (vr0) round-robin

> nat on vr0 inet from 10.0.0.40 to any -> (vr0) round-robin

> rdr on vr0 inet proto tcp from any to any port =3D 5859 -> 10.0.0.4=
0 port

> 22

>

>

> My pf.conf:

> Ext =3D "vr0" # output interface

> Loop =3D "lo0" # Loopback interface

> IntNet1=3D"10.0.0.20" # Jail 1

> IntNet2=3D"10.0.0.40" # Jail 2 this is running the sshd

> NoRoute =3D "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8,

> 255.255.255.255/32 }"

> InServicesTCP =3D "{ ssh, http, https }"

> OutServicesTCP =3D "{ http, https, whois, domain, ssh, ftp, ftp-data, =
nntp,

> 1863, 8880 }"

> OutServicesUDP =3D "{ ntp, domain }"

> NowDeny =3D "{ 445, 67, 68 }"

> X11 =3D "{ 6010, 5900}"

> Timeserver =3D "{ 148.6.0.1 }"

> CVSupServers =3D "{ 212.19.57.134 }"

> CVSupPorts =3D "{ 5999 }"

> DynDNSServer =3D "{ 63.208.196.94 }"

> DynDNSPorts =3D "{ 8245 }"

> scrub in on $Ext all

> altq on $Ext priq bandwidth 100Kb queue { q_pri, q_def }

> queue q_pri priority 7

> queue q_def priority 1 priq(default)

> nat on $Ext from $IntNet1 to any -> ($Ext)

> nat on $Ext from $IntNet2 to any -> ($Ext)

> rdr on $Ext proto tcp from any to any port 5859 -> $IntNet2 port 22

> block in quick on $Ext proto { tcp, udp} from any to any port $NowDeny

> block out log on $Ext all

> block in log on $Ext all

> block return-rst out log on $Ext proto tcp all

> block return-rst in log on $Ext proto tcp all

> block return-icmp out log on $Ext proto udp all

> block return-icmp in log on $Ext proto udp all

> block in log quick on $Ext inet proto tcp from any to any flags FUP/FU=
P

> block in log quick on $Ext inet proto tcp from any to any flags SF/SFR=
A

> block in log quick on $Ext inet proto tcp from any to any flags /SFRA

> block in log quick on $Ext from $NoRoute to any

> block out log quick on $Ext from any to $NoRoute

> block in quick on $Ext from any to 255.255.255.255

> pass in quick on $Ext proto tcp from any to $IntNet2 port 8022 keep st=
ate







>

> pass in quick on $Loop all

> pass out quick on $Loop all



This two could be changed to

'set skip on lo0' in the pf OPTIONS section.



>

> pass out quick on $Ext inet proto tcp from any to any port > 1024 f=
lags

> S/SA keep state

> pass out quick on $Ext inet proto icmp all icmp-type 8 code 0 keep sta=
te

> pass in log quick on $Ext inet proto icmp all icmp-type 8 code 0 keep =
state

> pass in quick on $Ext inet proto tcp from any to any port $InServicesT=
CP

> flags S/SA keep state

> pass out quick on $Ext inet proto udp from any to any port $OutService=
sUDP

> keep state

> pass out quick on $Ext inet proto tcp from any to any port $OutService=
sTCP

> flags S/SA modulate state

> pass out quick on $Ext inet proto tcp from any to $CVSupServers port

> $CVSupPorts flags S/SA modulate state

> pass out quick on $Ext inet proto tcp from any to $Timeserver port tim=
e

> flags S/SA modulate state

> pass out quick on $Ext inet proto tcp from any to any port {

> 6880> pass in quick on $Ext inet proto tcp from any to any port 688=
0> flags S/SAFR keep state

> anchor passin

>

>

> Somebody knows why doesn't work the rdr?

>



You don't have a pass rule for the 5859 port. You can, however, accomplish

what you want in a couple of ways.



1. use the pass keyword in rdr

rdr *pass* on vr0 inet proto tcp from any to any port =3D 5859 -> 10.0.0=
 .40

port 22



2. a separate pass in rule

pass in quick on $Ext inet proto tcp from any to any port 5859 flags S/SA

keep state.



3. simply add 5859 port to $InServicesTCP macro.



a great day,

v



>

>

> _______________________________________________

> freebsd-questions@freebsd.org mailing list

> http://lists.freebsd.org/mailman/listinfo/freebsd-questions

> To unsubscribe, send any mail to "

> freebsd-questions-unsubscribe@freebsd.org"

>







--=20

network warrior since 2005

_______________________________________________

freebsd-questions@freebsd.org mailing list

http://lists.freebsd.org/mailman/listinfo/freebsd-questions

To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org=
"

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090603081304.28276.qmail>

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact