Well, let me first tell you that you can indeed run both SSHd servers,
both on the FW, and the internal machine.

Here is how I've got mine configured, and I admit that it might not be
the most efficient, but it works and I haven't had a problem:

/etc/network.conf:
EXTERN_TCP_PORTS="ip.add.re.ss_ssh"
EXTERN_PROTO0="24 ip.add.re.ss/32"

INTERN_SSH_SERVER=192.168.3.204 # Internal SSH server to make available
EXTERN_SSH_PORT=24              # External port to use for internal SSH access

That's it...

Make sure that you configure your internal SSHd server to run on the
alternate port, in my case 24. Then you can either connect directly to
the firewall IP on port 24, which will forward it to the internal box,
or you can connect directly to the firewall IP on port 22 (default) and
get only to the firewall, and you could still run ssh as a client into
the internal box.

Telnet is DEFINITELY not something you want to put onto your FW box.

That's about it, let me know if you have any problems.
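As an added example (not code from this thread or from the LEAF/Dachstein project), here is a small POSIX sh lint for the /etc/network.conf variables described above. It evaluates a constructed config fragment in a subshell and reports the two things the thread stumbled over: the external SSH port not being listed in EXTERN_TCP_PORTS (the 0/0_22-vs-0/0_24 point raised further down the thread), and port 22 for the firewall's own sshd being left out. It assumes the srcip/mask_dstport entry format shown in the quoted file, treats the service name ssh as port 22, and flags 0/0 entries as reachable from any source so you can compare them with the single-address form used above; the addresses 203.0.113.5 and 192.168.x.x are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the LEAF/Dachstein project.
# Lints the /etc/network.conf variables discussed above and reports the
# mistakes the thread ran into.  Assumptions (mine, not confirmed on-list):
#  - EXTERN_TCP_PORTS entries are "srcip/mask_dstport"; dstport may be a
#    number or the service name "ssh" (taken as 22);
#  - EXTERN_SSH_PORT must itself be listed in EXTERN_TCP_PORTS, otherwise
#    packets to it are dropped before the forward to INTERN_SSH_SERVER applies.

# Destination-port part of an entry, mapping the service name "ssh" to 22.
entry_port() {
    p=${1##*_}
    case "$p" in
        ssh) echo 22 ;;
        *)   echo "$p" ;;
    esac
}

# Source-address part of an entry (e.g. 0/0 or 203.0.113.5/32).
entry_src() {
    echo "${1%_*}"
}

# lint_conf CONF_TEXT: evaluate the shell-style variables in a subshell and
# print one finding per line.  Returns 1 if an ERROR was raised, else 0.
lint_conf() {
    (
        EXTERN_TCP_PORTS=""; INTERN_SSH_SERVER=""; EXTERN_SSH_PORT=""
        eval "$1"
        rc=0
        fw_ssh_open=0    # is port 22 (the firewall's own sshd) listed?
        ext_ssh_open=0   # is EXTERN_SSH_PORT (the forwarded port) listed?
        for e in $EXTERN_TCP_PORTS; do
            port=$(entry_port "$e")
            src=$(entry_src "$e")
            [ "$src" = "0/0" ] && echo "NOTE: $e is open to 0/0 (any source address)"
            [ "$port" = 22 ] && fw_ssh_open=1
            [ -n "$EXTERN_SSH_PORT" ] && [ "$port" = "$EXTERN_SSH_PORT" ] && ext_ssh_open=1
        done
        if [ -n "$INTERN_SSH_SERVER" ] && [ -n "$EXTERN_SSH_PORT" ] && [ "$ext_ssh_open" = 0 ]; then
            echo "ERROR: EXTERN_SSH_PORT=$EXTERN_SSH_PORT is not listed in EXTERN_TCP_PORTS; the forward to $INTERN_SSH_SERVER is unreachable"
            rc=1
        fi
        if [ "$fw_ssh_open" = 0 ]; then
            echo "WARN: port 22 is not listed; the firewall's own sshd cannot be reached from outside"
        fi
        exit $rc
    )
}

# Constructed sample: the original configuration from the thread (0/0_22 only,
# while the forward uses external port 24).
SAMPLE_BAD='EXTERN_TCP_PORTS="0/0_21 0/0_80 0/0_22"
INTERN_SSH_SERVER=192.168.1.200
EXTERN_SSH_PORT=24'

# Constructed sample: both ports listed, restricted to one admin address.
SAMPLE_GOOD='EXTERN_TCP_PORTS="203.0.113.5/32_ssh 203.0.113.5/32_24"
INTERN_SSH_SERVER=192.168.3.204
EXTERN_SSH_PORT=24'

echo "== constructed config with the thread's original mistake =="
lint_conf "$SAMPLE_BAD" || echo "(lint reported errors, as expected)"
echo "== constructed config restricted to one admin address =="
lint_conf "$SAMPLE_GOOD" && echo "(clean)"
```

To use it on a real box, pass the file contents instead of a sample: `lint_conf "$(cat /etc/network.conf)"`. The NOTE lines are not errors; they only make the difference between a 0/0 entry and a /32 entry visible before the rule set is loaded.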

----- Original Message -----
From: Earl Wilson <[EMAIL PROTECTED]>
Date: Friday, August 19, 2005 8:43 am
Subject: Re: [leaf-user] Port-forwarding ssh thru Dachstein

> After reading this, I felt the need to explain further; the WinXP box
> that I use to remotely manage both the RH machine carrying the
> webserver and the fw itself, is located INSIDE my network. What I'm
> now trying to accomplish is the ability to remotely manage both from
> both INSIDE and OUTSIDE my internal network....
> 
> and also, BTW, I'm using a floppy distro, so space is limited. Though
> I'd rather not, it would be nice to add Telnet in place of ssh on the
> fw, ssh to it, and then piggyback via telnet to the rh machine, if
> what I'm trying to do is not possible...
> 
> Earl
> ----- Original Message ----- 
> From: "Earl Wilson" <[EMAIL PROTECTED]>
> To: <leaf-user@lists.sourceforge.net>
> Sent: Friday, August 19, 2005 9:27 AM
> Subject: Re: [leaf-user] Port-forwarding ssh thru Dachstein
> 
> 
> > Thanks to both of you for your help; well, I did add the "0/0_24"
> > comment as suggested, but no luck, HOWEVER, I then REMOVED the
> > sshd.lrp package, and was able to access the inside web server
> > running on the redhat machine via ssh.
> >
> > Now the problem becomes how I manage my fw. Because of a lack of
> > monitors, I remotely manage both the fw and the rh web server via
> > ssh thru a WinXP box, so removal of the sshd.lrp package makes
> > managing the fw without accessing it locally impossible. On the
> > other hand, when I shut down the port forwarding of ssh traffic:
> >
> > #INTERN_SSH_SERVER=192.168.1.200 # Internal SSH server to make available
> > #EXTERN_SSH_PORT=24              # External port to use for internal SSH access
> >
> > I still am unable to ssh directly into the fw; instead, I'm
> > getting a connection time-out message. In an ideal world, I'd like to:
> >
> > 1. ssh into either the fw or the rh machine remotely;
> > 2. ssh into the fw, and "piggyback" -ssh from the fw into the rh machine
> >
> > Can anyone at least show me what I'm doing incorrectly to not be
> > able to remotely ssh into the fw?
> >
> > BTW, I didn't change the "0/0_22" or "0/0_24" comments from the
> > "EXTERN_TCP_PORTS=" line
> >
> > Earl
> >
> > ----- Original Message ----- 
> > From: <[EMAIL PROTECTED]>
> > To: "M Lu" <[EMAIL PROTECTED]>
> > Cc: "Earl Wilson" <[EMAIL PROTECTED]>;
> > <leaf-user@lists.sourceforge.net>
> > Sent: Tuesday, August 16, 2005 11:22 AM
> > Subject: Re: [leaf-user] Port-forwarding ssh thru Dachstein
> >
> >
> > > I think you are correct on the EXTERN_TCP_PORTS line, in fact I'm
> > > quite sure you are correct, however, instead of replacing the 0/0_22
> > > line, it might be best to add 0/0_24, unless ssh directly to the box
> > > is not needed, again Earl will need to answer that.
> > >
> > > Joey
> > >
> > > ----- Original Message -----
> > > From: M Lu <[EMAIL PROTECTED]>
> > > Date: Tuesday, August 16, 2005 8:16 am
> > > Subject: Re: [leaf-user] Port-forwarding ssh thru Dachstein
> > >
> > > > If Earl wants to use external port 24, then may be he should use
> > > >
> > > > EXTERN_TCP_PORTS="0/0_21 0/0_80 0/0_24"
> > > >
> > > > instead of
> > > >
> > > > >> >> EXTERN_TCP_PORTS="0/0_21 0/0_80 0/0_22"
> > > >
> > > > Anyway, Earl will figure the port usage.
> > > >
> > > >
> > > >
> > > > ----- Original Message ----- 
> > > > From: <[EMAIL PROTECTED]>
> > > > To: "M Lu" <[EMAIL PROTECTED]>
> > > > Cc: "Earl Wilson" <[EMAIL PROTECTED]>;
> > > > <leaf-user@lists.sourceforge.net>
> > > > Sent: Tuesday, August 16, 2005 9:04 AM
> > > > Subject: Re: [leaf-user] Port-forwarding ssh thru Dachstein
> > > >
> > > >
> > > > > This allows an individual to SSH directly to the external IP
> > > > > address, using port 24, and Dachstein has an explicit rule to
> > > > > forward port 24 (ssh traffic only) to the internal_ssh_server ...
> > > > > actually works quite nicely, and is essentially the same thing as
> > > > > the DNAT under Shorewall, except that you don't have to change the
> > > > > SSHd server on the internal box to 24, you leave it as 22 (if I
> > > > > recall correctly).
> > > > >
> > > > > Sorry to throw in my 2 cents into the thread...
> > > > >
> > > > > joey
> > > > >
> > > > > ----- Original Message -----
> > > > > From: M Lu <[EMAIL PROTECTED]>
> > > > > Date: Tuesday, August 16, 2005 7:30 am
> > > > > Subject: Re: [leaf-user] Port-forwarding ssh thru Dachstein
> > > > >
> > > > >> I do not remember Dachstein very well but just wonder why you
> > > > >> have
> > > > >>
> > > > >> >> EXTERN_SSH_PORT=24?
> > > > >>
> > > > >> Also I have seen some ISPs rejecting SSH traffic so consider
> > > > >> that possibility too. You can test that by temporarily
> > > > >> port-forwarding some other port (e.g. 80 as you know for sure
> > > > >> 80 is allowed) to 22 and test SSH client with port 80.
> > > > >>
> > > > >>
> > > > >>
> > > > >> ----- Original Message ----- 
> > > > >> From: "Earl Wilson" <[EMAIL PROTECTED]>
> > > > >> To: <leaf-user@lists.sourceforge.net>
> > > > >> Sent: Monday, August 15, 2005 11:04 PM
> > > > >> Subject: Fw: [leaf-user] Port-forwarding ssh thru Dachstein
> > > > >>
> > > > >>
> > > > >> ..
> > > > >> >>  TCP services open to outside world
> > > > >> >> # Space seperated list: srcip/mask_dstport
> > > > >> >> EXTERN_TCP_PORTS="0/0_21 0/0_80 0/0_22"
> > > > >> >>
> > > > >> >>
> > > > >> >> (next 2 lines show open ports that are working w/no issues)
> > > > >> >>
> > > > >> >> INTERN_FTP_SERVER=192.168.1.4   # Internal FTP server to make available
> > > > >> >> INTERN_WWW_SERVER=192.168.1.200 # Internal WWW server to make available
> > > > >> >>
> > > > >> >>
> > > > >> >> INTERN_SSH_SERVER=192.168.1.200 # Internal SSH server to make available
> > > > >> >> EXTERN_SSH_PORT=24              # External port to use for internal SSH access
> > > > >> >>
> > > >
> > >
> > >
> > > -------------------------------------------------------
> > > SF.Net email is Sponsored by the Better Software Conference & EXPO
> > > September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
> > > Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
> > > Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> > > ------------------------------------------------------------------------
> > > leaf-user mailing list: leaf-user@lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/leaf-user
> > > Support Request -- http://leaf-project.org/
> > >