> Sure enough, ssh packets are received by the host. The problem is that
> it does not respond on the right interface. The routing table uses a
> default route through the T1. That's where the sshd responses are being
> sent.

If I understand correctly, this is only one box you need a correction
for. Read on.

> Since I have no a priori knowledge what IPs I would have available when
> I need to use this back door, I can't pre-setup the routing table. I
> need sshd to respond on the same interface it receives the packets
> from. I don't believe that is possible using IPv4 routing.

Not at the layer-3 level directly. To do this dynamically you will need
to perform some sort of "policy based routing".

> that it is using IPv6 but none of the networks involved support that

Well, that's a topic up for review. Technically, in IPv6, there is no
correlation between how a host selects its source address for an IP
packet based on its destination address. I've been trying to understand
and follow the consequences of this for some time:

> I don't find any option in sshd to force it to respond on the
> right interface either. Is there something I have missed?

Most likely, if this is a single machine you are speaking of, a script
that will check for connectivity to a remote address periodically (e.g.
every five minutes) and then dynamically change its default gateway at
kernel level (not userland level) prior to SSH incoming may fix your
This is a little difficult to do without dynamic routing, but relatively
simple if you can put up with manually changing back the route once the
T1 comes back up.

A script that does:
- ping remote addr
- if fail, route delete default, route add default (ADSL gw)
There was a very good discussion on fbsd-net@ last week regarding
progress with multiple routing tables. I didn't get right into it so I
don't know if it will help, but your true three options are:
- dynamic routing (co-operation with ISP's)
- IPFW (or equivalent) policy based routing (source routing)
- periodic check via a script
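The "ping, then swap the default route" script sketched above, written out as an added example that is not from the thread. It assumes FreeBSD route(8) and ping(8), constructed gateway and probe addresses, and goes one step beyond the reply by pinning the probe host to the T1 with a host route so the box can also switch back on its own once the T1 returns.

```shell
#!/bin/sh
# Added example (not the thread's own script): periodic ping check that
# swaps the default route to the ADSL gateway when the T1 path fails.
# Constructed addresses: T1 gw 192.0.2.1, ADSL gw 198.51.100.1, probe
# host 203.0.113.10. Cron it every five minutes as root: failover.sh check

T1_GW="${T1_GW:-192.0.2.1}"
ADSL_GW="${ADSL_GW:-198.51.100.1}"
PROBE="${PROBE:-203.0.113.10}"
ROUTE="${ROUTE:-route}"                 # set ROUTE=echo for a dry run
LOG="${LOG:-logger -t failover}"
STATE="${STATE:-/var/run/failover.gw}"  # remembers the gateway in use

# Host route pins the probe to the T1 so it keeps testing the T1 path even
# while the default points at the ADSL; otherwise the box never fails back.
pin_probe() {
    $ROUTE -n get "$PROBE" 2>/dev/null | grep -q "gateway: $T1_GW" ||
        $ROUTE add -host "$PROBE" "$T1_GW" >/dev/null 2>&1
}

# Exit 0 when the probe host answers over the T1 path (-t: FreeBSD timeout).
probe_t1() {
    ping -c 3 -t 5 "$PROBE" >/dev/null 2>&1
}

# Map the probe result (0 = ok) to the gateway that should be default.
choose_gw() {
    if [ "$1" -eq 0 ]; then echo "$T1_GW"; else echo "$ADSL_GW"; fi
}

# Replace the default route only when it differs from the recorded one,
# so a healthy link never churns the kernel routing table.
set_default() {
    want="$1"; have=""
    [ -r "$STATE" ] && have=$(cat "$STATE")
    [ "$want" = "$have" ] && return 0
    $ROUTE delete default >/dev/null 2>&1
    $ROUTE add default "$want" && {
        echo "$want" > "$STATE"
        $LOG "default route switched to $want"
    }
}

main() {
    pin_probe
    probe_t1; rc=$?
    set_default "$(choose_gw "$rc")"
}
case "${1:-}" in check) main ;; esac
```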