Sure enough, ssh packets are received by the host. The problem is that it does not respond on the right interface. The routing table uses a default route through the T1. Thats where the sshd responses are being sent.

If I understand correctly, this is only one box you need a correction for. Read on.

Since I have no a priori knowledge what IPs I would have available when I need to use this back door, I can't pre-setup the routing table.

Fair enough.

I need sshd to respond on the same interface it receives the packets from. I don't believe that is possible using IPv4 routing.

Not at the layer-3 level directly. To do this dynamically you will need to perform some sort of "policy based routing".

I think that it is using IPv6 but none of the networks involved support that yet.

Well, that's a topic up for review. Technically, in IPv6, there is no correlation between how a host selects it's source address for an IP packet based on it's destination address. I've been trying to understand and follow the consequences of this for some time:


I don't find any option in sshd to force it to respond on the right interface either. Is there something I have missed?

Most likely, if this is a single machine you are speaking of, a script that will check for connectivity to a remote address periodically (eg every five minutes) and then dynamically change it's default gateway at kernel level (not userland level) prior to SSH incoming may fix your problem.

This is a little difficult to do without dynamic routing, but relatively simple if you can put up with manually changing back the route once the T1 comes back up.

A script that does:

- ping remote addr
- if fail, route delete default, route add default (ADSL gw)

There was a very good discussion on fbsd-net@ last week regarding progress with multiple routing tables. I didn't get right into it so I don't know if it will help, but your true three options are:

- dynamic routing (co-operation with ISP's)
- IPFW (or equivalent) policy based routing (source routing)
- periodic check via a script


_______________________________________________ mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to