Re: IPv6in4 tunnel with only one /64 prefix
Following up on myself... Of course Steve's suggestion was not what I wanted to hear, as I wanted to do stuff myself :) The take-away is that my plan works. I have a full write-up in French at http://tar-jx.bz/notes/tunnels-ipv6.html ; I can translate it into English if people are interested.

Basically, you need to tell the external interface that it is not in a /64 address, then you can add the routes you need. There is nothing special to do on the router at the other end of the tunnel, except turning on the DHCPv6 server. I did have to set up an NDP proxy; the (quite trivial) code is at https://gitweb.fperrin.net/?p=ndp6.git.

I did hit a bug in ISC dhclient. There is a fix in the Debian bug tracker, http://bugs.debian.org/684009 (a similar fix in Network Manager for desktop systems already made it into their git).

On Wednesday the 7th at 22:21, Frédéric Perrin wrote:
> Hello list,
>
> I have a FreeBSD server with native IPv6 connectivity. At home, my ISP provides me with only IPv4 connectivity. In order to get IPv6 to the home, I had the idea of creating a 6in4 tunnel between my home gateway and my FreeBSD server. The part about creating the tunnel, routing between the home and the server, works using private addresses (fc00::/8 over gif0).
>
> However, I only have one global /64 on the FreeBSD box. What can I do? I have the idea of subnetting the /64 into e.g. /80, route a couple of /80s through gif to the home and use another /80 for the FreeBSD server. However, as the router into which my FreeBSD server is connected will expect the entire /64 to be directly connected, I will have to set up some kind of NDP proxy for the /80 to the home. I will also lose autoconf, but I can live with that.
>
> Comments, either on the plan above, or something else I haven't thought of?
>
> -- Fred

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
IPv6in4 tunnel with only one /64 prefix
Hello list,

I have a FreeBSD server with native IPv6 connectivity. At home, my ISP provides me with only IPv4 connectivity. In order to get IPv6 to the home, I had the idea of creating a 6in4 tunnel between my home gateway and my FreeBSD server. The part about creating the tunnel, routing between the home and the server, works using private addresses (fc00::/8 over gif0).

However, I only have one global /64 on the FreeBSD box. What can I do? I have the idea of subnetting the /64 into e.g. /80, route a couple of /80s through gif to the home and use another /80 for the FreeBSD server. However, as the router into which my FreeBSD server is connected will expect the entire /64 to be directly connected, I will have to set up some kind of NDP proxy for the /80 to the home. I will also lose autoconf, but I can live with that.

Comments, either on the plan above, or something else I haven't thought of?

-- Fred
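The plan in Fred's two messages (carve the /64 into /80s, route one /80 through gif0 to the home LAN, give the external interface a prefix length shorter than the /64 so that /80 is no longer on-link, and proxy NDP for it), written out as an /etc/rc.conf fragment for the FreeBSD end. This is an added example, not Fred's configuration or the ndp6 project's code: the IPv4 endpoints, the 2001:db8::/64 prefix, the fc00:db8:: tunnel addresses, the interface name em0, the choice of 2001:db8:0:0:2::/80 for the home and the MAC address are all placeholders from documentation ranges.

```shell
# /etc/rc.conf fragment for the FreeBSD server side of the 6in4 tunnel
# (constructed example; every address and the interface name em0 are assumed).

# 6in4 tunnel: server's public IPv4 192.0.2.1, home gateway's IPv4 198.51.100.1.
gif_interfaces="gif0"
gifconfig_gif0="192.0.2.1 198.51.100.1"
# Private point-to-point addresses inside the tunnel (fc00::/8, as in the thread).
ifconfig_gif0_ipv6="inet6 fc00:db8::1 fc00:db8::2 prefixlen 128"

# The single global /64 is 2001:db8::/64. Keep 2001:db8:0:0:0::/80 for the
# server itself and hand 2001:db8:0:0:2::/80 to the home LAN. The external
# interface gets prefixlen 80, not 64, so the home /80 is NOT considered
# on-link here and the static route below is used instead.
ifconfig_em0_ipv6="inet6 2001:db8::1 prefixlen 80"
ipv6_gateway_enable="YES"
ipv6_static_routes="home"
ipv6_route_home="2001:db8:0:0:2::/80 -interface gif0"

# The upstream router still believes the whole /64 is directly connected and
# will send Neighbor Solicitations for home addresses to em0. Something must
# answer them on the home LAN's behalf: Fred's ndp6 daemon for the whole /80,
# or one static proxy entry per host added after boot (e.g. from /etc/rc.local;
# the MAC is em0's own, shown here as a documentation placeholder):
#   ndp -s 2001:db8:0:0:2::10 00:00:5e:00:53:01 proxy
```

The home router only needs a default route pointing into the tunnel and a DHCPv6 server for the /80, since a prefix longer than /64 cannot be handed out with SLAAC (the "lose autoconf" point in the original message).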
Re: IPv6in4 tunnel with only one /64 prefix
On Wed, 07 Nov 2012 22:21:30 +0100 Frédéric Perrin f...@fperrin.net wrote:
> I have a FreeBSD server with native IPv6 connectivity. At home, my ISP provides me with only IPv4 connectivity. In order to get IPv6 to the home, I had the idea of creating a 6in4 tunnel between my home gateway and my FreeBSD server. The part about creating the tunnel, routing between the home and the server, works using private addresses (fc00::/8 over gif0).

Why not just get a tunnel from one of the tunnel brokers? At least he.net and gogo6.com are still running free tunnels.

-- Steve O'Hara-Smith at...@sohara.org
Re: FW: 5.2.11. Tunnel Mode Fragmentation.zip
On 16/05/2012 07:53, Agarwal Rohit-B39617 wrote:
> Trying to execute IPv6 Ready Logo Phase-2 Interoperability Test Scenario IPsec test case 5.2.11.
> Issue: FreeBSD 7.4 not sending ICMPv6 Too Big message.
> Please check the updated setup pcap.

Your attachments aren't making it through to the list -- the vast majority of non-text attachments are stripped by mailman. Best thing to do is stick your debug output on a site like pastebin and post a link.

Cheers,
Matthew

-- Dr Matthew J Seaman MA, D.Phil. PGP: http://www.infracaninophile.co.uk/pgpkey
FW: 5.2.11. Tunnel Mode Fragmentation.zip
Hi,

Trying to execute IPv6 Ready Logo Phase-2 Interoperability Test Scenario IPsec test case 5.2.11.
Issue: FreeBSD 7.4 not sending ICMPv6 Too Big message.
Please check the updated setup pcap.

Regards,
Rohit
FW: Interoperability:-Tunnel mode between two SGWs, ESP=3DES-CBC HMAC-SHA-256
Hi,

The following interoperability is failing: IPv6 Ready Logo, Phase-2 Interoperability Test Scenario IPsec, test case 5.2.12 is failing with FreeBSD.

Observation: FreeBSD 7.4 uses the HMAC-SHA-256-96 algorithm and SGW1 uses the HMAC-SHA-256-128 algorithm; due to this, interoperability is failing. Does FreeBSD 7.4 support HMAC-SHA-256-128?

Purpose: Interoperability: Tunnel mode between two SGWs, ESP=3DES-CBC HMAC-SHA-256

Setup:

    H1---net0---SGW1---net1---Router---net2---SGW2(freebsd)---net3---H2

    Net0 (2001::/64)
    Net1 (2004::/64)
    Net2 (2002::/64)
    Net3 (2003::/64)

Please find the attached zip folder.

Regards,
Rohit
Can I tunnel TCP over SNMP?
In my hotel, WiFi is supposed to work, but something is broken, and only SNMP can pass through. I have my host outside that replies to SNMP (pings). Maybe this is a crazy question, but is it possible to tunnel TCP over SNMP? I know SNMP ping can carry payload back and forth. I could set up the squid under the tunnel on my outside host and HTTP forwarding here on my laptop. So is such tunneling possible?

Yuri
Re: Can I tunnel TCP over SNMP?
I've heard of data leaks from bad dudes tunnelling data in DNS-type traffic, so I'm sure it can be done. The level of effort is the question...

----- Original Message -----
From: owner-freebsd-questi...@freebsd.org
To: freebsd-questions@freebsd.org
Sent: Sat May 15 15:26:36 2010
Subject: Can I tunnel TCP over SNMP?

> In my hotel, WiFi is supposed to work, but something is broken, and only SNMP can pass through. I have my host outside that replies to SNMP (pings). Maybe this is a crazy question, but is it possible to tunnel TCP over SNMP? I know SNMP ping can carry payload back and forth. I could set up the squid under the tunnel on my outside host and HTTP forwarding here on my laptop. So is such tunneling possible?
>
> Yuri
Re: Can I tunnel TCP over SNMP?
>>>>> "Yuri" == Yuri y...@rawbw.com writes:

Yuri> In my hotel WiFi is supposed to work, but something is broken, and
Yuri> only SNMP can pass through. I have my host outside, that replies
Yuri> to SNMP (pings).

Are you confusing ICMP (ping) with SNMP (monitoring)? Your last statement makes no sense.

Also, are you sure the ping is going all the way to your machine, and not just being reflected far earlier?

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
mer...@stonehenge.com URL:http://www.stonehenge.com/merlyn/
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion
Re: Can I tunnel TCP over SNMP?
On Sat, May 15, 2010 at 1:26 PM, Yuri y...@rawbw.com wrote:
> In my hotel WiFi is supposed to work, but something is broken, and only SNMP can pass through. I have my host outside, that replies to SNMP (pings).
>
> Yuri

If it's a semi-reputable hotel then they should fix it. I know some hotels' systems are set up so that you have to authenticate through HTTP before you get access out of the firewall. Perhaps SNMP is managing to get through before you authenticate?

Mark
gif ip4 to ip4 tunnel with Dynamic IP
hello list,

I have a FreeBSD 8.x setup and I am using the gif device to set up an IPv4-to-IPv4 tunnel (not IPsec). I have searched Google and I am having trouble finding a recipe for /etc/rc.conf that will allow one side of my tunnel to be dynamic.

The client, if you will, is a FreeBSD machine running FreeBSD 8.0 connecting via DSL with a dynamic IP (using mpd5 to dial); the server is FreeBSD 8.0 and always has a static IP.

I would have thought this setup would be easy to find an answer to, but I haven't found it.

Thank you for any help.

Sam Fourman Jr.
Fourman Networks
Re: Remote ssh tunnel in background or script?
2009/11/9 Kevin Kinsey k...@daleco.biz
> Svante Kvarnstrom wrote:
>> Hello
>>
>> Have you tried -f (for background) and -N for "Do not execute a remote command"? See man 1 ssh for more details.
>>
>> Svante
>
> Cheers for you! It was -f without -N that produced the error. I'm guessing I got down the manpage about as far as -f and didn't go any further. *beats head on desk* Thanks, Svante!
>
> For the archives: SMTP OVER SSH TUNNEL FREEBSD
>
>     sudo ssh -f -N -L localname:24:remotename:52525 m...@remotename
>
> When SMTP is listening on remotename port 52525. sudo is needed to open the tunnel on the localname side on port 24 (a privileged port). You could do this as root on the local side, but shouldn't connect *to* root on the remote computer.
>
>> On Nov 9, 2009, at 7:30 PM, Kevin Kinsey wrote:
>>> Greetings!
>>>
>>>     sudo ssh -L thisbox:24:remotebox:52525 m...@remotebox
>>>
>>> I've got Sendmail listening there on 52525, and it works fine; the local clients are told to connect to thisbox port 24. The only issue is that I have to run it from a terminal session. When I tried to bg the process (cmdstring &) it doesn't work, exactly. I've gotten an error message at times*, and at other times I apparently get thisbox listening on port 24 but it's not an SMTP daemon that's listening. I have a feeling it's cause I'm in csh, which is notorious for backgrounding issues. ?
>>>
>>> At any rate, what I'd like to do is have a script set up the connection, or write some daemon that would monitor the connection and fix it if it gets reset. At any rate, if I could get this SSH process to detach from a terminal, it'd be great. Any suggestions?
>>>
>>> Kevin Kinsey
>
> Kevin Kinsey

If you put it on a port > 1024 instead of 24 you won't need to run it as root, so you can drop the sudo bit.
Re: Remote ssh tunnel in background or script?
Kevin Kinsey k...@daleco.biz wrote:
> Greetings!
>
> In order to continue to allow them to connect to an outbound SMTP box on the LAN, I've done this on their server:
>
>     sudo ssh -L thisbox:24:remotebox:52525 m...@remotebox

I wrote a script to get around my home firewall. It doesn't do exactly what you want, but that only requires changing the ssh bit. I call it from cron so it stays alive: if it dies it will re-connect, otherwise it just checks a lock file.

It may be of use,

David

#!/usr/bin/perl
##
## PURPOSE:
##   run reverse ssh to work
##
## designed to be run from crontab. creates a lock file so that
## not more than one instance of the process is started
##
use strict;
use warnings;

## user crontab doesn't have permission in /var for lock file
## or for ports below 1024
my $username = 'username';
my $hostname = `hostname`;
chomp $hostname;                     # `hostname` output ends with a newline
my $address  = "$hostname.somewhere.com";
my $port     = $ARGV[0];             # e.g. 2022
die "usage: $0 port\n" unless defined $port;
my $lckfile  = "/tmp/revssh.${hostname}.pid";

sub start_ssh {
    ## fork process to start ssh
    defined( my $pid = fork ) or die "cannot fork process: $!";
    if ($pid) {
        ## parent - open lock file with child pid
        print "Starting process: $pid\n";
        open(LOCKFILE, ">", $lckfile) or die "Cannot create lock file: $!";
        print LOCKFILE $pid;
        close(LOCKFILE);
    } else {
        ## child - start ssh process (reverse forward of local sshd to $port on work host)
        exec("ssh -qnNCX -R ${port}:localhost:22 " . "${username}\@${address}")
            or die "cannot exec process\n";
    }
}

## main
if (! -e $lckfile) {
    start_ssh();
} else {
    ## get running(?) pid from pid file
    @ARGV = ($lckfile);
    my $old_pid = <ARGV>;
    my $running = kill 0, $old_pid;
    ## lock file exists - is process still running?
    if ($running == 1) {
        die "Process running: $old_pid\n";
    } else {
        ## check lockfile was deleted!
        if (! unlink $lckfile) {
            die "Lockfile not deleted\n";
        }
        print "Orphan lock file - Lock file deleted\n\t";
        start_ssh();
    }
}
Remote ssh tunnel in background or script?
Greetings!

I have a client who recently dropped static IP service in favor of a cheaper solution, so they're now on a DHCP network blocking port 25, etc. In order to continue to allow them to connect to an outbound SMTP box on the LAN, I've done this on their server:

    sudo ssh -L thisbox:24:remotebox:52525 m...@remotebox

I've got Sendmail listening there on 52525, and it works fine; the local clients are told to connect to thisbox port 24. The only issue is that I have to run it from a terminal session. When I tried to bg the process (cmdstring &) it doesn't work, exactly. I've gotten an error message at times*, and at other times I apparently get thisbox listening on port 24 but it's not an SMTP daemon that's listening. I have a feeling it's cause I'm in csh, which is notorious for backgrounding issues. ?

At any rate, what I'd like to do is have a script set up the connection, or write some daemon that would monitor the connection and fix it if it gets reset. At any rate, if I could get this SSH process to detach from a terminal, it'd be great. Any suggestions?

Kevin Kinsey

* I'm sorry, but I can't reproduce the error message this morning. IIRC, something to the effect of "I can't do nothing, give me a command please?"
Re: Remote ssh tunnel in background or script?
Kevin Kinsey wrote:
> Greetings!
>
> I have a client who recently dropped static IP service in favor of a cheaper solution, so they're now on a DHCP network blocking port 25, etc. In order to continue to allow them to connect to an outbound SMTP box on the LAN, I've done this on their server:
>
>     sudo ssh -L thisbox:24:remotebox:52525 m...@remotebox
>
> I've got Sendmail listening there on 52525, and it works fine; the local clients are told to connect to thisbox port 24. The only issue is that I have to run it from a terminal session. When I tried to bg the process (cmdstring &) it doesn't work, exactly. I've gotten an error message at times*, and at other times I apparently get thisbox listening on port 24 but it's not an SMTP daemon that's listening. I have a feeling it's cause I'm in csh, which is notorious for backgrounding issues. ?
>
> At any rate, what I'd like to do is have a script set up the connection, or write some daemon that would monitor the connection and fix it if it gets reset. At any rate, if I could get this SSH process to detach from a terminal, it'd be great. Any suggestions?
>
> Kevin Kinsey
>
> * I'm sorry, but I can't reproduce the error message this morning. IIRC, something to the effect of "I can't do nothing, give me a command please?"

Try screen ( /usr/ports/sysutils/screen ):

    screen -S session_name command     to run the session
    Ctrl-a Ctrl-z                      to get out of this session and let it run in background
    screen -r session_name             to return to this session.
Re: Remote ssh tunnel in background or script?
Check out /usr/ports/security/autossh:

autossh is a program to start a copy of ssh and monitor it, restarting it as necessary should it die or stop passing traffic. The original idea and the mechanism were from rstunnel (Reliable SSH Tunnel). With this version the method changes: autossh uses ssh to construct a loop of ssh forwardings (one from local to remote, one from remote to local), and then sends test data that it expects to get back. (The idea is thanks to Terrence Martin.)

WWW: http://www.harding.motd.ca/autossh/

Patrick

On Mon, Nov 9, 2009 at 10:30 AM, Kevin Kinsey k...@daleco.biz wrote:
> Greetings!
>
> I have a client who recently dropped static IP service in favor of a cheaper solution, so they're now on a DHCP network blocking port 25, etc. In order to continue to allow them to connect to an outbound SMTP box on the LAN, I've done this on their server:
>
>     sudo ssh -L thisbox:24:remotebox:52525 m...@remotebox
>
> I've got Sendmail listening there on 52525, and it works fine; the local clients are told to connect to thisbox port 24. The only issue is that I have to run it from a terminal session. When I tried to bg the process (cmdstring &) it doesn't work, exactly. I've gotten an error message at times*, and at other times I apparently get thisbox listening on port 24 but it's not an SMTP daemon that's listening. I have a feeling it's cause I'm in csh, which is notorious for backgrounding issues. ?
>
> At any rate, what I'd like to do is have a script set up the connection, or write some daemon that would monitor the connection and fix it if it gets reset. At any rate, if I could get this SSH process to detach from a terminal, it'd be great. Any suggestions?
>
> Kevin Kinsey
>
> * I'm sorry, but I can't reproduce the error message this morning. IIRC, something to the effect of "I can't do nothing, give me a command please?"
Re: Remote ssh tunnel in background or script?
On 9 Nov 2009, at 20:36, patrick wrote:
> Check out /usr/ports/security/autossh:
>
> autossh is a program to start a copy of ssh and monitor it, restarting it as necessary should it die or stop passing traffic. The original idea and the mechanism were from rstunnel (Reliable SSH Tunnel). With this version the method changes: autossh uses ssh to construct a loop of ssh forwardings (one from local to remote, one from remote to local), and then sends test data that it expects to get back. (The idea is thanks to Terrence Martin.)
>
> WWW: http://www.harding.motd.ca/autossh/

You don't need additional software for that: you can easily spawn an ssh session from ttys, which re-establishes itself when it fails: http://old.nabble.com/Re%3A-mysql-connection-through-ssl-tunnel-p20077382.html

-- http://www.boosten.org
Re: Remote ssh tunnel in background or script?
Hello

Have you tried -f (for background) and -N for "Do not execute a remote command"? See man 1 ssh for more details.

Svante

On Nov 9, 2009, at 7:30 PM, Kevin Kinsey wrote:
> Greetings!
>
> I have a client who recently dropped static IP service in favor of a cheaper solution, so they're now on a DHCP network blocking port 25, etc. In order to continue to allow them to connect to an outbound SMTP box on the LAN, I've done this on their server:
>
>     sudo ssh -L thisbox:24:remotebox:52525 m...@remotebox
>
> I've got Sendmail listening there on 52525, and it works fine; the local clients are told to connect to thisbox port 24. The only issue is that I have to run it from a terminal session. When I tried to bg the process (cmdstring &) it doesn't work, exactly. I've gotten an error message at times*, and at other times I apparently get thisbox listening on port 24 but it's not an SMTP daemon that's listening. I have a feeling it's cause I'm in csh, which is notorious for backgrounding issues. ?
>
> At any rate, what I'd like to do is have a script set up the connection, or write some daemon that would monitor the connection and fix it if it gets reset. At any rate, if I could get this SSH process to detach from a terminal, it'd be great. Any suggestions?
>
> Kevin Kinsey
>
> * I'm sorry, but I can't reproduce the error message this morning. IIRC, something to the effect of "I can't do nothing, give me a command please?"

Best wishes,
Svante J. Kvarnström
http://sjk.ankeborg.nu/
Mob.: +46 702 38 34 00
Re: Remote ssh tunnel in background or script?
Svante Kvarnstrom wrote:
> Hello
>
> Have you tried -f (for background) and -N for "Do not execute a remote command"? See man 1 ssh for more details.
>
> Svante

Cheers for you! It was -f without -N that produced the error. I'm guessing I got down the manpage about as far as -f and didn't go any further. *beats head on desk* Thanks, Svante!

For the archives: SMTP OVER SSH TUNNEL FREEBSD

    sudo ssh -f -N -L localname:24:remotename:52525 m...@remotename

When SMTP is listening on remotename port 52525. sudo is needed to open the tunnel on the localname side on port 24 (a privileged port). You could do this as root on the local side, but shouldn't connect *to* root on the remote computer.

> On Nov 9, 2009, at 7:30 PM, Kevin Kinsey wrote:
>> Greetings!
>>
>>     sudo ssh -L thisbox:24:remotebox:52525 m...@remotebox
>>
>> I've got Sendmail listening there on 52525, and it works fine; the local clients are told to connect to thisbox port 24. The only issue is that I have to run it from a terminal session. When I tried to bg the process (cmdstring &) it doesn't work, exactly. I've gotten an error message at times*, and at other times I apparently get thisbox listening on port 24 but it's not an SMTP daemon that's listening. I have a feeling it's cause I'm in csh, which is notorious for backgrounding issues. ?
>>
>> At any rate, what I'd like to do is have a script set up the connection, or write some daemon that would monitor the connection and fix it if it gets reset. At any rate, if I could get this SSH process to detach from a terminal, it'd be great. Any suggestions?
>>
>> Kevin Kinsey
Re: running shell command through ssh tunnel
Noah adm...@enabled.com writes:
> I am trying to run a shell command to the host at the far end of an ssh tunnel. Here is how I structured access. Is there any way to do this more compactly on one line?
>
>     ssh -L 12345:192.168.1.20:22 n...@domain.com
>     ssh -p 12345 localhost 'chown -R noah:noah /shares/internal/Music/'

Put something like the following in your ~/.ssh/config:

    Host otherhost
        HostKeyAlias otherhost
        ProxyCommand ssh n...@domain.com nc 192.168.1.20 22

Then you can simply run:

    ssh otherhost 'chown -R noah:noah /shares/internal/Music/'

Reading the ssh_config man page might reveal a number of other nice features ssh has to offer.

-- Christian Laursen
Re: running shell command through ssh tunnel
Noah adm...@enabled.com writes:
> I am trying to run a shell command to the host at the far end of an ssh tunnel. Here is how I structured access. Is there any way to do this more compactly on one line?
>
>     ssh -L 12345:192.168.1.20:22 n...@domain.com
>     ssh -p 12345 localhost 'chown -R noah:noah /shares/internal/Music/'

Maybe I haven't had enough coffee yet, but wouldn't that just be

    ssh n...@192.168.1.20 'chown -R noah:noah /shares/internal/Music/'

? You might even want to use '-n' as an option to the ssh command.

-- Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
Re: running shell command through ssh tunnel
Lowell Gilbert wrote:
> Noah adm...@enabled.com writes:
>> I am trying to run a shell command to the host at the far end of an ssh tunnel. Here is how I structured access. Is there any way to do this more compactly on one line?
>>
>>     ssh -L 12345:192.168.1.20:22 n...@domain.com
>>     ssh -p 12345 localhost 'chown -R noah:noah /shares/internal/Music/'
>
> Maybe I haven't had enough coffee yet, but wouldn't that just be
>
>     ssh n...@192.168.1.20 'chown -R noah:noah /shares/internal/Music/'
>
> ? You might even want to use '-n' as an option to the ssh command.

ENOCOFFEE. Your equivalence is only the case if you're already logged into 'domain.com'.

This is a fairly standard idiom for tunnelling a network connection in through a NAT gateway or a firewall from an external Internet site to a protected RFC 1918 internal back-end, although the forwarded protocol is usually other than SSH.

Given that the OP is wanting to tunnel SSH through SSH, a one-liner to achieve his desired effect might be something like:

    ssh n...@domain.com ssh n...@192.168.1.20 chown -R noah:noah /shares/internal/Music/

Cheers,
Matthew

-- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
Re: running shell command through ssh tunnel
Christian Laursen wrote:
> Noah adm...@enabled.com writes:
>> I am trying to run a shell command to the host at the far end of an ssh tunnel. Here is how I structured access. Is there any way to do this more compactly on one line?
>>
>>     ssh -L 12345:192.168.1.20:22 n...@domain.com
>>     ssh -p 12345 localhost 'chown -R noah:noah /shares/internal/Music/'
>
> Put something like the following in your ~/.ssh/config:
>
>     Host otherhost
>         HostKeyAlias otherhost
>         ProxyCommand ssh n...@domain.com nc 192.168.1.20 22
>
> Then you can simply run:
>
>     ssh otherhost 'chown -R noah:noah /shares/internal/Music/'

I can't do this since I need to reach a publicly addressable host before reaching the server at 192.168.1.20.

> Reading the ssh_config man page might reveal a number of other nice features ssh has to offer.
Re: running shell command through ssh tunnel
Lowell Gilbert wrote:
> Noah adm...@enabled.com writes:
>> I am trying to run a shell command to the host at the far end of an ssh tunnel. Here is how I structured access. Is there any way to do this more compactly on one line?
>>
>>     ssh -L 12345:192.168.1.20:22 n...@domain.com
>>     ssh -p 12345 localhost 'chown -R noah:noah /shares/internal/Music/'
>
> Maybe I haven't had enough coffee yet, but wouldn't that just be
>
>     ssh n...@192.168.1.20 'chown -R noah:noah /shares/internal/Music/'
>
> ? You might even want to use '-n' as an option to the ssh command.

I can't do this since I need to reach a publicly addressable host before reaching the server at 192.168.1.20. Therefore I am under the impression I need to tunnel through the publicly addressed host first, then I can ssh to 192.168.1.20.
Re: running shell command through ssh tunnel
Matthew Seaman wrote:
> Lowell Gilbert wrote:
>> Noah adm...@enabled.com writes:
>>> I am trying to run a shell command to the host at the far end of an ssh tunnel. Here is how I structured access. Is there any way to do this more compactly on one line?
>>>
>>>     ssh -L 12345:192.168.1.20:22 n...@domain.com
>>>     ssh -p 12345 localhost 'chown -R noah:noah /shares/internal/Music/'
>>
>> Maybe I haven't had enough coffee yet, but wouldn't that just be
>>
>>     ssh n...@192.168.1.20 'chown -R noah:noah /shares/internal/Music/'
>>
>> ? You might even want to use '-n' as an option to the ssh command.
>
> ENOCOFFEE. Your equivalence is only the case if you're already logged into 'domain.com'.
>
> This is a fairly standard idiom for tunnelling a network connection in through a NAT gateway or a firewall from an external Internet site to a protected RFC 1918 internal back-end, although the forwarded protocol is usually other than SSH.
>
> Given that the OP is wanting to tunnel SSH through SSH, a one-liner to achieve his desired effect might be something like:
>
>     ssh n...@domain.com ssh n...@192.168.1.20 chown -R noah:noah /shares/internal/Music/

you will the prize. please retrieve it on the way out. :)

> Cheers,
> Matthew
Re: running shell command through ssh tunnel
Noah adm...@enabled.com writes:
> Christian Laursen wrote:
>> Noah adm...@enabled.com writes:
>>> I am trying to run a shell command to the host at the far end of an ssh tunnel. Here is how I structured access. Is there any way to do this more compactly on one line?
>>>
>>>     ssh -L 12345:192.168.1.20:22 n...@domain.com
>>>     ssh -p 12345 localhost 'chown -R noah:noah /shares/internal/Music/'
>>
>> Put something like the following in your ~/.ssh/config:
>>
>>     Host otherhost
>>         HostKeyAlias otherhost
>>         ProxyCommand ssh n...@domain.com nc 192.168.1.20 22
>>
>> Then you can simply run:
>>
>>     ssh otherhost 'chown -R noah:noah /shares/internal/Music/'
>
> I can't do this since I need to reach a publicly addressable host before reaching the server at 192.168.1.20.

Yes, that's exactly what it does. Try reading the mail one more time and look up how ProxyCommand works...

-- Christian Laursen
running shell command through ssh tunnel
Hi there,

I am trying to run a shell command to the host at the far end of an ssh tunnel. Here is how I structured access. Is there any way to do this more compactly on one line?

    ssh -L 12345:192.168.1.20:22 n...@domain.com
    ssh -p 12345 localhost 'chown -R noah:noah /shares/internal/Music/'

Cheers,
Noah
Unix domain socket tunnel to TCP on other machine
For mimedefang/clamav purposes, I'm trying to set up a Unix domain socket that tunnels to a TCP port on another machine. For example, if I telnet -u /var/spool/mysock on machine X, I want it to be just like doing telnet Y 25.

I've poked around with stunnel and ssh's port forwarding/ControlMaster stuff, but I can't quite get this working.

-- 
We're just a Bunch Of Regular Guys, a collective group that's trying to understand and assimilate technology. We feel that resistance to new ideas and technology is unwise and ultimately futile.
ipsec tunnel with racoon / phase1 failure with invalid length of payload
Hello, I wonder if people could shed some light on how to debug further when configuring an ipsec tunnel with racoon: it seems to fail on the phase1 negotiation, with the racoon log info listed in the following. I tried aes as the encryption algorithm, but it failed the same way. Not sure what the invalid length of payload is caused by.

    2008-11-26 09:22:05: DEBUG: encryption(3des)
    2008-11-26 09:22:05: DEBUG: with key:
    2008-11-26 09:22:05: DEBUG: 1239dfa9 caa1798f 212cd994 7802292b 3ef473f3 3188868a
    2008-11-26 09:22:05: DEBUG: decrypted payload by IV:
    2008-11-26 09:22:05: DEBUG: bbd836ac 319a1ebe
    2008-11-26 09:22:05: DEBUG: decrypted payload, but not trimed.
    2008-11-26 09:22:05: DEBUG: 8450f134 99116727 73c7f68c 3f0a65c2 68a9afe6 2c0a6ce1 41708fbb 3f0c7511 c5fdeaad 804a2277
    2008-11-26 09:22:05: DEBUG: padding len=119
    2008-11-26 09:22:05: DEBUG: skip to trim padding.
    2008-11-26 09:22:05: DEBUG: decrypted.
    2008-11-26 09:22:05: DEBUG: d1d9962c 6004bf7b 0c317531 9c85bb06 05100201 0044 8450f134 99116727 73c7f68c 3f0a65c2 68a9afe6 2c0a6ce1 41708fbb 3f0c7511 c5fdeaad 804a2277
    2008-11-26 09:22:05: DEBUG: begin.
    2008-11-26 09:22:05: DEBUG: seen nptype=5(id)
    2008-11-26 09:22:05: DEBUG: invalid length of payload

racoon.conf:

    path include "/usr/local/etc/racoon";
    path pre_shared_key "/usr/local/etc/racoon/psk.txt";
    log notify;

    padding {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
    }

    listen {
        #isakmp ::1 [7000];
        #isakmp 202.249.11.124 [500];
        #admin [7002];          # administrative port for racoonctl.
        #strict_address;        # requires that all addresses must be bound.
    }

    timer {
        # These values can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per send.

        # maximum time to wait for completing each phase.
        phase1 30 sec;
        phase2 15 sec;
    }

    remote 192.168.0.101 {
        exchange_mode main,aggressive;
        nonce_size 16;
        initial_contact on;
        proposal_check strict;  # obey, strict, or claim
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2;
        }
    }

    sainfo anonymous {
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }
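As an added example (not part of this thread), the following Python walks the ISAKMP payload chain of the "decrypted." dump above the way racoon's parser does before it reports "invalid length of payload", and contrasts it with a constructed well-formed message. The message ID (taken as zero) and the constructed well-formed message are assumptions.

```python
import struct

ISAKMP_HDR_LEN = 28       # fixed ISAKMP header, RFC 2408 section 3.1
GENERIC_HDR_LEN = 4       # generic payload header: next, reserved, length
NEXT_NONE = 0
# Phase 1 payload types from RFC 2408; 5 is the ID payload racoon logged.
PAYLOAD_NAMES = {1: "sa", 2: "prop", 3: "trans", 4: "ke", 5: "id", 6: "cert",
                 7: "cr", 8: "hash", 9: "sig", 10: "nonce", 11: "notify",
                 12: "delete", 13: "vid"}


class IsakmpError(ValueError):
    """Raised where racoon would log an error and drop the message."""


def parse_header(msg):
    """Unpack the 28-byte ISAKMP header and check its length field."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise IsakmpError("message shorter than ISAKMP header")
    (icookie, rcookie, nptype, version, exchange,
     flags, msgid, length) = struct.unpack("!8s8sBBBBII", msg[:ISAKMP_HDR_LEN])
    if length != len(msg):
        raise IsakmpError("header length %d != %d bytes received"
                          % (length, len(msg)))
    return {"icookie": icookie.hex(), "rcookie": rcookie.hex(), "next": nptype,
            "version": version, "exchange": exchange, "flags": flags,
            "msgid": msgid, "length": length}


def walk_payloads(body, first_type):
    """Follow the next-payload chain: every generic header must fit in the
    buffer, and its length must cover the header without overrunning."""
    payloads, nptype, off = [], first_type, 0
    while nptype != NEXT_NONE:
        if off + GENERIC_HDR_LEN > len(body):
            raise IsakmpError("payload header for type %d runs past end" % nptype)
        next_type, _reserved, plen = struct.unpack(
            "!BBH", body[off:off + GENERIC_HDR_LEN])
        if plen < GENERIC_HDR_LEN or off + plen > len(body):
            raise IsakmpError("invalid length of payload: type=%d(%s) len=%d, "
                              "%d bytes left" % (nptype, PAYLOAD_NAMES.get(nptype, "?"),
                                                 plen, len(body) - off))
        payloads.append((nptype, body[off + GENERIC_HDR_LEN:off + plen]))
        off += plen
        nptype = next_type
    if off != len(body):
        raise IsakmpError("%d trailing bytes after last payload" % (len(body) - off))
    return payloads


def check_message(msg):
    hdr = parse_header(msg)
    return hdr, walk_payloads(msg[ISAKMP_HDR_LEN:], hdr["next"])


def diagnose(msg):
    """'ok' for a well-formed message, otherwise the racoon-style error text."""
    try:
        check_message(msg)
        return "ok"
    except IsakmpError as exc:
        return str(exc)


def build_message(icookie, rcookie, payloads, exchange=2, flags=1, msgid=0):
    """Assemble a message from (type, body) pairs, chaining next-payload fields."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else NEXT_NONE
        body += struct.pack("!BBH", next_type, 0, GENERIC_HDR_LEN + len(pbody)) + pbody
    first = payloads[0][0] if payloads else NEXT_NONE
    hdr = struct.pack("!8s8sBBBBII", icookie, rcookie, first, 0x10, exchange,
                      flags, msgid, ISAKMP_HDR_LEN + len(body))
    return hdr + body


# The "decrypted." dump from the log above. Its header shows only "0044" after
# the flags; the message ID is assumed zero (main-mode phase 1 uses ID 0).
ICOOKIE = bytes.fromhex("d1d9962c6004bf7b")
RCOOKIE = bytes.fromhex("0c3175319c85bb06")
LOG_MESSAGE = (ICOOKIE + RCOOKIE
               + bytes.fromhex("05100201" "00000000" "00000044")
               + bytes.fromhex("8450f134" "99116727" "73c7f68c" "3f0a65c2" "68a9afe6"
                               "2c0a6ce1" "41708fbb" "3f0c7511" "c5fdeaad" "804a2277"))

# Constructed counterpart: what a decrypted 5th main-mode message should look
# like, an ID payload (ID_IPV4_ADDR for 192.168.0.101, udp/500) then a HASH.
GOOD_MESSAGE = build_message(ICOOKIE, RCOOKIE, [
    (5, struct.pack("!BBH", 1, 17, 500) + bytes([192, 168, 0, 101])),
    (8, bytes(range(20))),     # placeholder for a 20-byte SHA-1 sized HASH_I
])

if __name__ == "__main__":
    print("log message :", diagnose(LOG_MESSAGE))
    print("well-formed :", diagnose(GOOD_MESSAGE))
```

The dump's first payload header parses as next=0x84 with a length of 61748 bytes inside a 40-byte body, i.e. the decryption produced garbage rather than an ID payload. Messages 5 and 6 of main mode are the first encrypted ones, so this is the usual symptom of the two peers deriving different phase 1 keys, for example from a pre-shared key that does not match on both sides.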
Re: mysql connection through ssl tunnel
Now I just need to figure out how to start it on reboot, but that is something I've been meaning to learn, anyway, so I don't mind.

I hope you guys will bear with me just a little more... I have spent the day trying to figure out how to create an rc script for autossh. Very cool, and not as hard as I'd anticipated. It is attached below.

The script works perfectly *iff* I run it from the command line as a non-root user, like so:

    /usr/local/etc/rc.d/autossh start

However, it does NOT work when executed by root. Instead, I get the following error message in /var/log/messages

    messages:Oct 21 19:01:38 on autossh[89267]: ssh exited prematurely with status 255; autossh exiting

So (my understanding), autossh is starting, and tries to create the tunnel, but the tunnel creation fails with the unhelpful 255 error message. But only when executed by root. That's the puzzling part. I don't allow root logins on this server, but don't see how that could cause this problem. I'm stumped.

Any hints, much appreciated.

-- John

--
    #!/bin/sh

    # PROVIDE: autossh
    # REQUIRE: LOGIN
    # KEYWORD: shutdown

    . /etc/rc.subr

    name=autossh
    rcvar=`set_rcvar`
    start_cmd=${name}_start
    stop_cmd=:

    load_rc_config $name
    eval ${rcvar}=\${${rcvar}:='NO'}

    command=/usr/local/bin/autossh
    command_args="-M 2 -fNg -L 33006:127.0.0.1:3306 [EMAIL PROTECTED]"
    #pidfile=/var/run/autossh.pid
    #AUTOSSH_PIDFILE=$pidfile; export AUTOSSH_PIDFILE

    autossh_start()
    {
        ${command} ${command_args}
        echo started autossh
    }

    run_rc_command $1

Answering my own question (probably the best way)...

I solved this problem by figuring out how to execute the command inside the rc script as a non-root user. Like so:

    autossh_start()
    {
        echo ${command} ${command_args}
        su admin -c "${command} ${command_args}"
        echo started autossh
    }

This works beautifully, so I almost hesitate to ask, but is there anything wrong with this approach?

-- John
Re: mysql connection through ssl tunnel
John Almberg wrote:

Now I just need to figure out how to start it on reboot, but that is something I've been meaning to learn, anyway, so I don't mind.

I hope you guys will bear with me just a little more... I have spent the day trying to figure out how to create an rc script for autossh. Very cool, and not as hard as I'd anticipated. It is attached below.

The script works perfectly *iff* I run it from the command line as a non-root user, like so:

    /usr/local/etc/rc.d/autossh start

However, it does NOT work when executed by root. Instead, I get the following error message in /var/log/messages

    messages:Oct 21 19:01:38 on autossh[89267]: ssh exited prematurely with status 255; autossh exiting

So (my understanding), autossh is starting, and tries to create the tunnel, but the tunnel creation fails with the unhelpful 255 error message. But only when executed by root. That's the puzzling part. I don't allow root logins on this server, but don't see how that could cause this problem. I'm stumped.

Any hints, much appreciated.

-- John

--
    #!/bin/sh

    # PROVIDE: autossh
    # REQUIRE: LOGIN
    # KEYWORD: shutdown

    . /etc/rc.subr

    name=autossh
    rcvar=`set_rcvar`
    start_cmd=${name}_start
    stop_cmd=:

    load_rc_config $name
    eval ${rcvar}=\${${rcvar}:='NO'}

    command=/usr/local/bin/autossh
    command_args="-M 2 -fNg -L 33006:127.0.0.1:3306 [EMAIL PROTECTED]"
    #pidfile=/var/run/autossh.pid
    #AUTOSSH_PIDFILE=$pidfile; export AUTOSSH_PIDFILE

    autossh_start()
    {
        ${command} ${command_args}
        echo started autossh
    }

    run_rc_command $1

Answering my own question (probably the best way)...

I solved this problem by figuring out how to execute the command inside the rc script as a non-root user. Like so:

    autossh_start()
    {
        echo ${command} ${command_args}
        su admin -c "${command} ${command_args}"
        echo started autossh
    }

This works beautifully, so I almost hesitate to ask, but is there anything wrong with this approach?

Nothing, except you're re-inventing the wheel. rc.subr already has a mechanism for running commands as another user. Instead of defining a new start() function, simply add something like:

    : ${autossh_user:='admin'}

towards the top of the script. (This also means you can override the setting by defining 'autossh_user=someoneelse' in /etc/rc.conf in the usual way)

Cheers,
Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
Re: mysql connection through ssl tunnel
Answering my own question (probably the best way)...

I solved this problem by figuring out how to execute the command inside the rc script as a non-root user. Like so:

    autossh_start()
    {
        echo ${command} ${command_args}
        su admin -c "${command} ${command_args}"
        echo started autossh
    }

This works beautifully, so I almost hesitate to ask, but is there anything wrong with this approach?

Nothing, except you're re-inventing the wheel. rc.subr already has a mechanism for running commands as another user. Instead of defining a new start() function, simply add something like:

    : ${autossh_user:='admin'}

towards the top of the script. (This also means you can override the setting by defining 'autossh_user=someoneelse' in /etc/rc.conf in the usual way)

Ah, fascinating. Now that I know what I'm looking for, I can see that in the rc.subr man page.

Thanks!
Re: mysql connection through ssl tunnel
John Almberg wrote:

I do know that Mysql supports SSL... somehow this got discounted early in the discussion, perhaps mistakenly?

I believe the thinking was that although MySQL claims to support SSL, it does in fact make a pretty bodge of it, and a more effective approach is to pipe MySQL traffic through an encrypted tunnel. Personally I just use IPSec for this, but people might also like to consider stunnel (http://www.stunnel.org/) or OpenVPN (http://openvpn.net/)

Cheers,
Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
Re: mysql connection through ssl tunnel
On Oct 20, 2008, at 11:09 PM, Peter Boosten wrote:

John Almberg wrote:

I tried this, and not surprisingly, it didn't work. Now I'm trying to debug it...

Maybe some mixup in the keys? In my example ssh tries to read the private key of root on the connecting server, so the server where the database is located, because init is run as root. If you need another key, then you need to specify this with the -i parameter.

Ah... that makes sense. I had set up the keys for 'admin', but of course init is run by root. Duh.

That raises another issue... I don't allow root logins on either server, for security reasons...

Peter, I appreciate your ideas and help, but I think I will stick with autossh, probably by finally learning how to create an rc.d script (not sure the actual name for these, but you know what I mean.) I've actually got autossh working, and think it's a simpler solution for me.

Thanks.

Brgds: John
Re: mysql connection through ssl tunnel
On Oct 21, 2008, at 3:44 AM, Matthew Seaman wrote:

John Almberg wrote:

I do know that Mysql supports SSL... somehow this got discounted early in the discussion, perhaps mistakenly?

I believe the thinking was that although MySQL claims to support SSL, it does in fact make a pretty bodge of it, and a more effective approach is to pipe MySQL traffic through an encrypted tunnel. Personally I just use IPSec for this, but people might also like to consider stunnel (http://www.stunnel.org/) or OpenVPN (http://openvpn.net/)

Stunnel and OpenVPN are on my list, in case autossh has unexpected problems, but I figured I'd try the simplest approach first. Other than figuring out what holes to poke in the firewalls, autossh was pretty simple to set up.

Now I just need to figure out how to start it on reboot, but that is something I've been meaning to learn, anyway, so I don't mind.

I appreciate your help.

-- John
Re: mysql connection through ssl tunnel
Now I just need to figure out how to start it on reboot, but that is something I've been meaning to learn, anyway, so I don't mind.

I hope you guys will bear with me just a little more... I have spent the day trying to figure out how to create an rc script for autossh. Very cool, and not as hard as I'd anticipated. It is attached below.

The script works perfectly *iff* I run it from the command line as a non-root user, like so:

    /usr/local/etc/rc.d/autossh start

However, it does NOT work when executed by root. Instead, I get the following error message in /var/log/messages

    messages:Oct 21 19:01:38 on autossh[89267]: ssh exited prematurely with status 255; autossh exiting

So (my understanding), autossh is starting, and tries to create the tunnel, but the tunnel creation fails with the unhelpful 255 error message. But only when executed by root. That's the puzzling part. I don't allow root logins on this server, but don't see how that could cause this problem. I'm stumped.

Any hints, much appreciated.

-- John

--
    #!/bin/sh

    # PROVIDE: autossh
    # REQUIRE: LOGIN
    # KEYWORD: shutdown

    . /etc/rc.subr

    name=autossh
    rcvar=`set_rcvar`
    start_cmd=${name}_start
    stop_cmd=:

    load_rc_config $name
    eval ${rcvar}=\${${rcvar}:='NO'}

    command=/usr/local/bin/autossh
    command_args="-M 2 -fNg -L 33006:127.0.0.1:3306 [EMAIL PROTECTED]"
    #pidfile=/var/run/autossh.pid
    #AUTOSSH_PIDFILE=$pidfile; export AUTOSSH_PIDFILE

    autossh_start()
    {
        ${command} ${command_args}
        echo started autossh
    }

    run_rc_command $1
Re: mysql connection through ssl tunnel
John Almberg said the following on 2008-09-23 15:54:

I have two FreeBSD machines. One is an application server, the other a database server running mysql. These machines are in two different locations. I'd like to allow the application server to access mysql through an SSH tunnel.

Being a newbie admin, I've never set up an SSH tunnel. I've been reading about them all morning and (as always) there seems to be more than one way to skin this cat.

I'm looking for ease of set up and maintenance, as well as security (which I assume is a given.) I'd prefer NOT to have to recompile the kernels (pure cowardice... the application server is a production server that I don't want to experiment with.) Both servers have OpenSSL.

Any recommendations, much appreciated.

Maybe this can be of interest.

http://www.stunnel.org/examples/mysql.html
Re: mysql connection through ssl tunnel
On Sep 23, 2008, at 10:09 AM, Vincent Hoffman wrote:

John Almberg wrote:

I have two FreeBSD machines. One is an application server, the other a database server running mysql. These machines are in two different locations. I'd like to allow the application server to access mysql through an SSH tunnel.

Being a newbie admin, I've never set up an SSH tunnel. I've been reading about them all morning and (as always) there seems to be more than one way to skin this cat.

I'm looking for ease of set up and maintenance, as well as security (which I assume is a given.) I'd prefer NOT to have to recompile the kernels (pure cowardice... the application server is a production server that I don't want to experiment with.) Both servers have OpenSSL.

Any recommendations, much appreciated.

Thanks: John

A very basic ssh tunnel is as simple as

    ssh -L3306:127.0.0.1:3306 [EMAIL PROTECTED]

This will forward any connections to localhost on port 3306 through the ssh connection to remote.host then on to localhost at that end on port 3306. If you have mysql running on the app server as well then change -L3306:127.0.0.1:3306 to -L33006:127.0.0.1:3306 where 33006 is an unused tcp port on the application server.

If you do use an ssh tunnel you may want to use security/autossh which will monitor the tunnel and re-establish it if it loses connection for some reason.

After a few hours of work today, I have all this working perfectly. I'm using autossh to automatically create and monitor the ssh tunnel, and I can make mysql connections through the tunnel with no problems. Very cool. And that's through PF firewalls on both machines, which added flavor to the exercise ;-)

One question... and maybe this is a general, philosophical question... If autossh watches over my ssh tunnel, who or what watches over autossh? As a related question, how can I make autossh start automatically after a reboot?

At the moment, I start autossh from the command line, like so:

    autossh -M 2 -fNg -L 33006:127.0.0.1:3306 [EMAIL PROTECTED]

There doesn't seem to be an rc.d file for autossh... Do I have to figure out how to make one?

Not that this machine gets rebooted more than once a year, but so far, everything running on this machine starts automatically, and I'd like to keep it that way.

Any tips much appreciated.

Thanks: John
Re: mysql connection through ssl tunnel
John Almberg wrote:

On Sep 23, 2008, at 10:09 AM, Vincent Hoffman wrote:

John Almberg wrote:

I have two FreeBSD machines. One is an application server, the other a database server running mysql. These machines are in two different locations. I'd like to allow the application server to access mysql through an SSH tunnel.

Being a newbie admin, I've never set up an SSH tunnel. I've been reading about them all morning and (as always) there seems to be more than one way to skin this cat.

I'm looking for ease of set up and maintenance, as well as security (which I assume is a given.) I'd prefer NOT to have to recompile the kernels (pure cowardice... the application server is a production server that I don't want to experiment with.) Both servers have OpenSSL.

Any recommendations, much appreciated.

Thanks: John

A very basic ssh tunnel is as simple as

    ssh -L3306:127.0.0.1:3306 [EMAIL PROTECTED]

This will forward any connections to localhost on port 3306 through the ssh connection to remote.host then on to localhost at that end on port 3306. If you have mysql running on the app server as well then change -L3306:127.0.0.1:3306 to -L33006:127.0.0.1:3306 where 33006 is an unused tcp port on the application server.

If you do use an ssh tunnel you may want to use security/autossh which will monitor the tunnel and re-establish it if it loses connection for some reason.

After a few hours of work today, I have all this working perfectly. I'm using autossh to automatically create and monitor the ssh tunnel, and I can make mysql connections through the tunnel with no problems. Very cool. And that's through PF firewalls on both machines, which added flavor to the exercise ;-)

One question... and maybe this is a general, philosophical question... If autossh watches over my ssh tunnel, who or what watches over autossh? As a related question, how can I make autossh start automatically after a reboot?

At the moment, I start autossh from the command line, like so:

    autossh -M 2 -fNg -L 33006:127.0.0.1:3306 [EMAIL PROTECTED]

There doesn't seem to be an rc.d file for autossh... Do I have to figure out how to make one?

You can do this all by not using autossh at all: let init watch and re-establish your ssh tunnel. This is in my /etc/ttys (wrapped for readability):

    ttyv8 "/usr/bin/ssh -l syslogng -nNTx -R 3306:local.domain.tld:3306 remote.domain.tld > /dev/null 2>&1" unknown on

I let my central machine control the tunnel, not the sending one.

Peter

-- 
http://www.boosten.org
Fwd: mysql connection through ssl tunnel
After a few hours of work today, I have all this working perfectly. I'm using autossh to automatically create and monitor the ssh tunnel, and I can make mysql connections through the tunnel with no problems. Very cool. And that's through PF firewalls on both machines, which added flavor to the exercise ;-)

One question... and maybe this is a general, philosophical question... If autossh watches over my ssh tunnel, who or what watches over autossh? As a related question, how can I make autossh start automatically after a reboot?

At the moment, I start autossh from the command line, like so:

    autossh -M 2 -fNg -L 33006:127.0.0.1:3306 [EMAIL PROTECTED]

There doesn't seem to be an rc.d file for autossh... Do I have to figure out how to make one?

You can do this all by not using autossh at all: let init watch and re-establish your ssh tunnel. This is in my /etc/ttys (wrapped for readability):

    ttyv8 "/usr/bin/ssh -l syslogng -nNTx -R 3306:local.domain.tld:3306 remote.domain.tld > /dev/null 2>&1" unknown on

I let my central machine control the tunnel, not the sending one.

H'mmm... This is new territory for me. I've just read some of the man pages and a few pages in Absolute BSD, and I guess I sort of understand what this does. I'm trying to grasp the connection between virtual terminals and this SSH tunnel...

I guess my main question is, if I start the tunnel with this method, will I be able to access mysql in 'the usual way'? The following works with my autossh tunnel:

    mysql -h127.0.0.1 -P33006 -uuser -ppassword db

So, if using the /etc/ttys file is equivalent, and I make the connection on the database server, rather than the client server, then I guess my ttys file should look like this (my ttyv8 is already used... I am guessing I should use the next one down):

    ttyv7 "/usr/bin/ssh -l admin -nNTx -R 3306:127.0.0.1:33006 example.com > /dev/null 2>&1" unknown on

Where 'admin' is the user I am logging into on the remote machine, and 'example.com' is the hostname of the remote machine.

I guess equivalent to the following?

    ttyv7 "/usr/bin/ssh -nNTx -R 3306:127.0.0.1:33006 [EMAIL PROTECTED] > /dev/null 2>&1" unknown on

Port 33006 is not a typo. There are databases running on both machines, so I need to use a different port for the tunnel.

And as far as I can tell, I reload /etc/ttys with 'kill -1 1'. This looks dangerous...

-- John

Websites and Marketing for On-line Collectible Dealers
Identry, LLC
John Almberg
(631) 546-5079
[EMAIL PROTECTED]
www.identry.com
Re: mysql connection through ssl tunnel
On Oct 20, 2008, at 4:50 PM, John Almberg wrote:

After a few hours of work today, I have all this working perfectly. I'm using autossh to automatically create and monitor the ssh tunnel, and I can make mysql connections through the tunnel with no problems. Very cool. And that's through PF firewalls on both machines, which added flavor to the exercise ;-)

One question... and maybe this is a general, philosophical question... If autossh watches over my ssh tunnel, who or what watches over autossh? As a related question, how can I make autossh start automatically after a reboot?

At the moment, I start autossh from the command line, like so:

    autossh -M 2 -fNg -L 33006:127.0.0.1:3306 [EMAIL PROTECTED]

There doesn't seem to be an rc.d file for autossh... Do I have to figure out how to make one?

You can do this all by not using autossh at all: let init watch and re-establish your ssh tunnel. This is in my /etc/ttys (wrapped for readability):

    ttyv8 "/usr/bin/ssh -l syslogng -nNTx -R 3306:local.domain.tld:3306 remote.domain.tld > /dev/null 2>&1" unknown on

I let my central machine control the tunnel, not the sending one.

H'mmm... This is new territory for me. I've just read some of the man pages and a few pages in Absolute BSD, and I guess I sort of understand what this does. I'm trying to grasp the connection between virtual terminals and this SSH tunnel...

I guess my main question is, if I start the tunnel with this method, will I be able to access mysql in 'the usual way'? The following works with my autossh tunnel:

    mysql -h127.0.0.1 -P33006 -uuser -ppassword db

So, if using the /etc/ttys file is equivalent, and I make the connection on the database server, rather than the client server, then I guess my ttys file should look like this (my ttyv8 is already used... I am guessing I should use the next one down):

    ttyv7 "/usr/bin/ssh -l admin -nNTx -R 3306:127.0.0.1:33006 example.com > /dev/null 2>&1" unknown on

Where 'admin' is the user I am logging into on the remote machine, and 'example.com' is the hostname of the remote machine.

I guess equivalent to the following?

    ttyv7 "/usr/bin/ssh -nNTx -R 3306:127.0.0.1:33006 [EMAIL PROTECTED] > /dev/null 2>&1" unknown on

Port 33006 is not a typo. There are databases running on both machines, so I need to use a different port for the tunnel.

And as far as I can tell, I reload /etc/ttys with 'kill -1 1'. This looks dangerous...

-- John

I tried this, and not surprisingly, it didn't work. Now I'm trying to debug it...

Question... if I want to ssh from the database server to the application server (in the direction shown by -R), I need to use port 48444 (not the actual port, but something high). In other words, I need to do something like:

    ssh [EMAIL PROTECTED] -p 48444

Does this ssh port have anything to do with trying to start this ssh tunnel? In other words, do I need to add a '-p 48420' to the ttyv7 command?

-- John
Re: mysql connection through ssl tunnel
On Mon, Oct 20, 2008 at 03:25:23PM -0400, John Almberg wrote:

On Sep 23, 2008, at 10:09 AM, Vincent Hoffman wrote:

John Almberg wrote:

I have two FreeBSD machines. One is an application server, the other a database server running mysql. These machines are in two different locations. I'd like to allow the application server to access mysql through an SSH tunnel.

I'm somewhat amazed at the fact that everyone so far has gone completely wild with SSH to solve this problem. Has anyone made the OP aware that MySQL *does* in fact support SSL natively, and that it can be used between client and server, as well as between master and slave (for replication)?

The SSH tunnelling idea is fine if you want to access a MySQL server behind a firewall or on a private network, but I'm a bit confused as to why everyone's going to great lengths to use SSH to accomplish something MySQL has support for natively.

Please clue me in. :-)

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
Re: mysql connection through ssl tunnel
On Oct 20, 2008, at 5:21 PM, Jeremy Chadwick wrote:

On Mon, Oct 20, 2008 at 03:25:23PM -0400, John Almberg wrote:

On Sep 23, 2008, at 10:09 AM, Vincent Hoffman wrote:

John Almberg wrote:

I have two FreeBSD machines. One is an application server, the other a database server running mysql. These machines are in two different locations. I'd like to allow the application server to access mysql through an SSH tunnel.

I'm somewhat amazed at the fact that everyone so far has gone completely wild with SSH to solve this problem. Has anyone made the OP aware that MySQL *does* in fact support SSL natively, and that it can be used between client and server, as well as between master and slave (for replication)?

The SSH tunnelling idea is fine if you want to access a MySQL server behind a firewall or on a private network, but I'm a bit confused as to why everyone's going to great lengths to use SSH to accomplish something MySQL has support for natively.

Please clue me in. :-)

Hi Jeremy,

There are two PF firewalls in the mix, one at each end. The two machines are in different data centers. Actually, that is the motivation behind this exercise. The client wants the database in his own data center, since it contains information he needs to have physical control over.

I do know that Mysql supports SSL... somehow this got discounted early in the discussion, perhaps mistakenly?

Anyway, the autossh option works perfectly, so I think I will stick with that unless there's a good reason not to. I have Monit running on the remote server, so I can probably monitor/restart autossh with that (with another few hours reading, of course :-)

-- John
Re: mysql connection through ssl tunnel
John Almberg wrote:

I tried this, and not surprisingly, it didn't work. Now I'm trying to debug it...

Maybe some mixup in the keys? In my example ssh tries to read the private key of root on the connecting server, so the server where the database is located, because init is run as root. If you need another key, then you need to specify this with the -i parameter.

Question... if I want to ssh from the database server to the application server (in the direction shown by -R), I need to use port 48444 (not the actual port, but something high). In other words, I need to do something like:

    ssh [EMAIL PROTECTED] -p 48444

Does this ssh port have anything to do with trying to start this ssh tunnel? In other words, do I need to add a '-p 48420' to the ttyv7 command?

The command given shows a connection between the two ports (in my case 3306). One of them would then be 48420 (the first one). Thus:

    ttyv7 "/usr/bin/ssh -l admin -nNTx -R 48420:local.domain.tld:3306 remote.domain.tld > /dev/null 2>&1" unknown on

This works by allocating a socket to listen to 48420 on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to local.domain.tld port 3306 from the local machine.

Obviously you would have to replace local.domain.tld and remote.domain.tld with actual FQDNs or IP addresses.

Furthermore, since this connection is being made by root (which normally isn't) you need to verify the host key of the remote server (by either putting it in known_hosts of root by hand, or making the connection once from the prompt and answering 'y', or putting the key in /etc/ssh/ssh_known_hosts).

The connection on the remote host indeed is made with

    mysql -h 127.0.0.1 -P 48420 -u user -ppassword db

regards

Peter

-- 
http://www.boosten.org
Re: mysql connection through ssl tunnel
Peter Boosten wrote:

John Almberg wrote:

I tried this, and not surprisingly, it didn't work. Now I'm trying to debug it...

Maybe some mixup in the keys? In my example ssh tries to read the private key of root on the connecting server, so the server where the database is located, because init is run as root. If you need another key, then you need to specify this with the -i parameter.

Question... if I want to ssh from the database server to the application server (in the direction shown by -R), I need to use port 48444 (not the actual port, but something high). In other words, I need to do something like:

    ssh [EMAIL PROTECTED] -p 48444

Does this ssh port have anything to do with trying to start this ssh tunnel? In other words, do I need to add a '-p 48420' to the ttyv7 command?

I now see where you're going: you would have, in case you ran sshd on another port than 22.

regards

Peter

-- 
http://www.boosten.org
Re: Fwd: mysql connection through ssl tunnel
John Almberg wrote:
> Where 'admin' is the user I am logging into on the remote machine, and 'example.com' is the hostname of the remote machine. I guess equivalent to the following?
>
>     ttyv7 "/usr/bin/ssh -nNTx -R 3306:127.0.0.1:33006 [EMAIL PROTECTED] > /dev/null 2>&1" unknown on
>
> Port 33006 is not a typo. There are databases running on both machines, so I need to use a different port for the tunnel.

I don't think this will work because of 127.0.0.1 not being a FQDN, but I could be mistaken.

> And as far as I can tell, I reload /etc/ttys with 'kill -1 1'. This looks dangerous...

You can safely HUP it...

Peter
-- 
http://www.boosten.org
Re: mysql connection through ssl tunnel
On Sep 23, 2008, at 1:16 PM, Mel wrote:
> On Tuesday 23 September 2008 15:54:10 John Almberg wrote:
>> I have two FreeBSD machines. One is an application server, the other a database server running mysql. These machines are in two different locations. I'd like to allow the application server to access mysql through an SSH tunnel. Any recommendations, much appreciated.
>
> You can use Vince's suggestion, or simply use SSL connections to the mysql server. Each has its own pros and cons.

Thanks Vince & Mel for your responses. I guess I will try the simple SSL approach first and see if that does the trick. I appreciate the advice!

Brgds: John
mysql connection through ssl tunnel
I have two FreeBSD machines. One is an application server, the other a database server running mysql. These machines are in two different locations. I'd like to allow the application server to access mysql through an SSH tunnel.

Being a newbie admin, I've never set up an SSH tunnel. I've been reading about them all morning and (as always) there seems to be more than one way to skin this cat. I'm looking for ease of set up and maintenance, as well as security (which I assume is a given.) I'd prefer NOT to have to recompile the kernels (pure cowardice... the application server is a production server that I don't want to experiment with.) Both servers have OpenSSL.

Any recommendations, much appreciated.

Thanks: John
Re: mysql connection through ssl tunnel
John Almberg wrote:
> I have two FreeBSD machines. One is an application server, the other a database server running mysql. These machines are in two different locations. I'd like to allow the application server to access mysql through an SSH tunnel.
>
> Being a newbie admin, I've never set up an SSH tunnel. I've been reading about them all morning and (as always) there seems to be more than one way to skin this cat. I'm looking for ease of set up and maintenance, as well as security (which I assume is a given.) I'd prefer NOT to have to recompile the kernels (pure cowardice... the application server is a production server that I don't want to experiment with.) Both servers have OpenSSL.
>
> Any recommendations, much appreciated.
>
> Thanks: John

A very basic ssh tunnel is as simple as

    ssh -L3306:127.0.0.1:3306 [EMAIL PROTECTED]

This will forward any connections to localhost on port 3306 through the ssh connection to remote.host, then on to localhost at that end on port 3306. If you have mysql running on the app server as well, then change -L3306:127.0.0.1:3306 to -L33006:127.0.0.1:3306, where 33006 is an unused tcp port on the application server.

If you do use an ssh tunnel you may want to use security/autossh, which will monitor the tunnel and re-establish it if it loses the connection for some reason.

You could also look at using stunnel to use an ssl tunnel rather than an ssh tunnel (see http://www.stunnel.org/examples/mysql.html for a basic example). I haven't used this on FreeBSD (never needed it), so the port may install an easier way of setting up persistent tunnels.

Vince
Re: mysql connection through ssl tunnel
On Tuesday 23 September 2008 15:54:10 John Almberg wrote:
> I have two FreeBSD machines. One is an application server, the other a database server running mysql. These machines are in two different locations. I'd like to allow the application server to access mysql through an SSH tunnel. Any recommendations, much appreciated.

You can use Vince's suggestion, or simply use SSL connections to the mysql server. Each has its own pros and cons.

-- 
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
Re: X11 tunnel over ssh and then rsh
Hello Nikos. Thank you for your reply. See my comments below.

Nikos Vassiliadis wrote:
> On Thursday 21 August 2008 09:54:29 Roberto Nunnari wrote:
>> Anybody on this, please?
>>
>> Roberto Nunnari wrote:
>>> Hello list.
>>>
>>> I have this scenario
>>> 1) host A with X server
>>> 2) host B with ssh server but without X server
>>> 3) host C with rsh server and X client programs but without X server
>>> (on host C there's also an ssh server, but in our case, users have to use rsh)
>
> Why rsh? Isn't ssh a drop-in replacement for rsh?

The reason for using rsh instead of ssh is that it's a computing cluster. Host B is the master node and access point to the cluster, and host C is any one of the computing nodes. The cluster resources are managed by the Sun Grid Engine (SGE), and so users obtain the computing resources using the SGE interface. SGE under the cover uses rsh. I could search and see if it would be possible to configure SGE so that it uses ssh instead of rsh, but then you should take into account the cpu overhead of using ssh (encryption/decryption), so unnecessarily using cpu time, as the cluster is all in a private network.

>>> now, I need to connect from host A to host B with:
>>> A$ ssh -Y B
>>> (-Y or -X, to create an X tunnel)
>>> and then from host B to host C with:
>>> B$ rsh C
>>> and on host C I need to run an X client like:
>>> C$ xterm
>>>
>>> Now, I would like the users not to have to set the DISPLAY env var on host C, as they tend to forget and also some users' X servers don't accept plain X connections..
>>>
>>> Is there a way that I could configure host B to somehow expose to host C the X tunnel to host A?
>
> Automatically? No. You can however use ssh to create generic TCP tunnels, using -R and -L. But this is much more complicated than remembering a DISPLAY variable.

Right. Also, it requires users to specify a port on host B, and then the chosen port could already be taken, so returning an error.. Too much hassle..

>>> From host B I have access to the users' homes on host C and I could place there some script to set the DISPLAY env var on user login.
>>>
>>> B$ echo $DISPLAY
>>> on host B gives back something like localhost:16.0, but if on host C I enter:
>>> C$ export DISPLAY=B:16.0
>>> C$ xterm
>>> it doesn't work.. probably host C doesn't expose a network socket but maybe a unix socket for the X tunnel..
>
> This is probably because the listener (which proxies X11 to host A) is bound to localhost (127.0.0.1) and not B (12.23.34.45). You can overcome this, using manual forwarding (-R -L).
>
>     HOST_A# ssh -R '*:6010:127.0.0.1:6000' HOST_B
>     # create a listener on HOST_B listening on all interfaces and TCP port 6010
>     # and tunnel everything from there to HOST_A's 127.0.0.1 6000

This is a possible solution, but as stated above, it requires the user to specify the port number (6010 in the example above).. Also, it requires GatewayPorts = yes in sshd_config..

Humm.. it's a pity that ssh -Y or -X will only listen on the loopback interface, but for sure there are good reasons it is done that way.

Thank you again and best regards.
Robi

> Then every host which can connect to HOST_B can connect to HOST_A's X11 server.
>
> Using generic TCP port forwarding through ssh to forward X11 has another minus. You have to handle the X11 authorization yourself (xauth, XAUTHORITY and friends).
>
> You can of course use a second ssh session from HOST_B to HOST_C to expose HOST_B's 127.0.0.1:6010 to HOST_C's 127.0.0.1:6010. So, connecting from HOST_C to 127.0.0.1:6010 will be tunneled to HOST_B's 127.0.0.1:6010, which will be tunneled to HOST_A's 127.0.0.1:6000 where your X11 display lives. It's rather complicated, though...
Re: X11 tunnel over ssh and then rsh
Roberto Nunnari wrote:
> Hello Nikos. Thank you for your reply. See my comments below.
>
> Nikos Vassiliadis wrote:
>> On Thursday 21 August 2008 09:54:29 Roberto Nunnari wrote:
>>> Anybody on this, please?
>>>
>>> Roberto Nunnari wrote:
>>>> Hello list.
>>>>
>>>> I have this scenario
>>>> 1) host A with X server
>>>> 2) host B with ssh server but without X server
>>>> 3) host C with rsh server and X client programs but without X server
>>>> (on host C there's also an ssh server, but in our case, users have to use rsh)
>>
>> Why rsh? Isn't ssh a drop-in replacement for rsh?
>
> The reason for using rsh instead of ssh is that it's a computing cluster. Host B is the master node and access point to the cluster, and host C is any one of the computing nodes. The cluster resources are managed by the Sun Grid Engine (SGE), and so users obtain the computing resources using the SGE interface. SGE under the cover uses rsh. I could search and see if it would be possible to configure SGE so that it uses ssh instead of rsh, but then you should take into account the cpu overhead of using ssh (encryption/decryption), so unnecessarily using cpu time, as the cluster is all in a private network.
>
>>>> now, I need to connect from host A to host B with:
>>>> A$ ssh -Y B
>>>> (-Y or -X, to create an X tunnel)
>>>> and then from host B to host C with:
>>>> B$ rsh C
>>>> and on host C I need to run an X client like:
>>>> C$ xterm
>>>>
>>>> Now, I would like the users not to have to set the DISPLAY env var on host C, as they tend to forget and also some users' X servers don't accept plain X connections..
>>>>
>>>> Is there a way that I could configure host B to somehow expose to host C the X tunnel to host A?
>>
>> Automatically? No. You can however use ssh to create generic TCP tunnels, using -R and -L. But this is much more complicated than remembering a DISPLAY variable.

Wait! I found a possible workaround.. it seems that setting X11UseLocalhost = no in sshd_config tells sshd to bind the X11 forwarding server to the wildcard address..

> Right. Also, it requires users to specify a port on host B, and then the chosen port could already be taken, so returning an error.. Too much hassle..
>
>>>> From host B I have access to the users' homes on host C and I could place there some script to set the DISPLAY env var on user login.
>>>>
>>>> B$ echo $DISPLAY
>>>> on host B gives back something like localhost:16.0, but if on host C I enter:
>>>> C$ export DISPLAY=B:16.0
>>>> C$ xterm
>>>> it doesn't work.. probably host C doesn't expose a network socket but maybe a unix socket for the X tunnel..
>>
>> This is probably because the listener (which proxies X11 to host A) is bound to localhost (127.0.0.1) and not B (12.23.34.45). You can overcome this, using manual forwarding (-R -L).
>>
>>     HOST_A# ssh -R '*:6010:127.0.0.1:6000' HOST_B
>>     # create a listener on HOST_B listening on all interfaces and TCP port 6010
>>     # and tunnel everything from there to HOST_A's 127.0.0.1 6000
>
> This is a possible solution, but as stated above, it requires the user to specify the port number (6010 in the example above).. Also, it requires GatewayPorts = yes in sshd_config..
>
> Humm.. it's a pity that ssh -Y or -X will only listen on the loopback interface, but for sure there are good reasons it is done that way.
>
> Thank you again and best regards.
> Robi
>
>> Then every host which can connect to HOST_B can connect to HOST_A's X11 server.
>>
>> Using generic TCP port forwarding through ssh to forward X11 has another minus. You have to handle the X11 authorization yourself (xauth, XAUTHORITY and friends).
>>
>> You can of course use a second ssh session from HOST_B to HOST_C to expose HOST_B's 127.0.0.1:6010 to HOST_C's 127.0.0.1:6010. So, connecting from HOST_C to 127.0.0.1:6010 will be tunneled to HOST_B's 127.0.0.1:6010, which will be tunneled to HOST_A's 127.0.0.1:6000 where your X11 display lives. It's rather complicated, though...
Re: X11 tunnel over ssh and then rsh
On Friday 22 August 2008 12:58:24 Roberto Nunnari wrote:
> Humm.. it's a pity that ssh -Y or -X will only listen on the loopback interface, but for sure there are good reasons it is done that way.

I guess -X achieves a particular goal, that is being able to log in to a remote box, run X11 apps and make them use your local X11 display. Everything else is beyond its scope...

You can however use your favorite NAT to translate requests for, let's say, 192.168.0.1:6000 to 127.0.0.1:6000 and have the 127.0.0.1-bound socket exposed to the network...

Nikos
Re: X11 tunnel over ssh and then rsh
On Friday 22 August 2008 13:10:29 Roberto Nunnari wrote:
>> Automatically? No. You can however use ssh to create generic TCP tunnels, using -R and -L. But this is much more complicated than remembering a DISPLAY variable.
>
> Wait! I found a possible workaround.. it seems that setting X11UseLocalhost = no in sshd_config tells sshd to bind the X11 forwarding server to the wildcard address..

Aha, that seems to do the job. Oddly enough OpenSSH supports self-foot-shooting :) Didn't expect it to...

Cheers,
Nikos
Re: X11 tunnel over ssh and then rsh
Roberto Nunnari wrote:
> Wait! I found a possible workaround.. it seems that setting X11UseLocalhost = no in sshd_config tells sshd to bind the X11 forwarding server to the wildcard address..

You will still have to forward the X11 authentication to the client machine with xauth(1) or xhost(1), I think. Using xhost(1) is much easier, but it's insecure. On the other hand you're using rsh and a public network socket to connect to, so everything you do is insecure anyway. I hope you're going to make your users aware of that.

Best regards
Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung: secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht München, HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd

"If Java had true garbage collection, most programs would delete themselves upon execution." -- Robert Sewell
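The two server-side settings this sub-thread turns on, X11UseLocalhost (Roberto's workaround) and GatewayPorts (what Nikos's -R '*:6010:...' bind depends on), are the ones an administrator would want to spot in an sshd_config review. The script below is an added example, not code from the thread, and the configurations it reads are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread: report the sshd_config settings
# that widen the reach of forwarded listeners. X11UseLocalhost no makes
# every forwarded X11 display listen on the wildcard address, and an
# -R '*:port:...' request only binds a non-loopback address when the
# server has GatewayPorts yes. The defaults used below are OpenSSH's
# compiled-in ones.

# sshd_setting FILE KEYWORD DEFAULT
# Prints the effective value of KEYWORD, lowercased: in sshd_config the
# first uncommented occurrence wins, so the first match is returned. The
# "Keyword=value" spelling is accepted. Keywords inside a Match block only
# apply to matching sessions, so the scan stops at the first Match line.
sshd_setting() {
    val=$(awk -v key="$2" '
        { gsub(/=/, " ") }                         # re-split "Keyword=value"
        tolower($1) == "match" { exit }
        NF >= 2 && $1 !~ /^#/ && tolower($1) == tolower(key) {
            print tolower($2); exit
        }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# audit_sshd FILE
# One line per finding on stdout; returns 1 if anything was found.
audit_sshd() {
    f=$1; rc=0
    if [ "$(sshd_setting "$f" X11UseLocalhost yes)" = no ]; then
        echo "X11UseLocalhost no: forwarded X11 displays listen on all interfaces; any host that can reach this machine can reach the user's X server"
        rc=1
    fi
    gp=$(sshd_setting "$f" GatewayPorts no)
    case $gp in
        yes|clientspecified)
            echo "GatewayPorts $gp: -R listeners may bind non-loopback addresses and expose the forwarded service to the network"
            rc=1 ;;
    esac
    return $rc
}

# Demo on a constructed configuration (not a real server's): the Match
# block's GatewayPorts no does not rescue the global setting.
demo=$(mktemp) || exit 1
cat > "$demo" <<'EOF'
Port 22
X11Forwarding yes
X11UseLocalhost = no
GatewayPorts yes
Match User batch
    GatewayPorts no
EOF
audit_sshd "$demo" || echo "(fix: X11UseLocalhost yes, GatewayPorts no)"
rm -f "$demo"
```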
Re: X11 tunnel over ssh and then rsh
Anybody on this, please?

Roberto Nunnari wrote:
> Hello list.
>
> I have this scenario
> 1) host A with X server
> 2) host B with ssh server but without X server
> 3) host C with rsh server and X client programs but without X server
> (on host C there's also an ssh server, but in our case, users have to use rsh)
>
> now, I need to connect from host A to host B with:
> A$ ssh -Y B
> (-Y or -X, to create an X tunnel)
> and then from host B to host C with:
> B$ rsh C
> and on host C I need to run an X client like:
> C$ xterm
>
> Now, I would like the users not to have to set the DISPLAY env var on host C, as they tend to forget and also some users' X servers don't accept plain X connections..
>
> Is there a way that I could configure host B to somehow expose to host C the X tunnel to host A?
>
> From host B I have access to the users' homes on host C and I could place there some script to set the DISPLAY env var on user login.
>
> B$ echo $DISPLAY
> on host B gives back something like localhost:16.0, but if on host C I enter:
> C$ export DISPLAY=B:16.0
> C$ xterm
> it doesn't work.. probably host C doesn't expose a network socket but maybe a unix socket for the X tunnel..
>
> Any help/hint greatly appreciated.
>
> Best regards.
> Robi
Re: X11 tunnel over ssh and then rsh
Roberto Nunnari wrote:
> 1) host A with X server
> 2) host B with ssh server but without X server
> 3) host C with rsh server and X client programs but without X server
> (on host C there's also an ssh server, but in our case, users have to use rsh)
>
> now, I need to connect from host A to host B with:
> A$ ssh -Y B
> (-Y or -X, to create an X tunnel)
> and then from host B to host C with:
> B$ rsh C
> and on host C I need to run an X client like:
> C$ xterm
>
> Now, I would like the users not to have to set the DISPLAY env var on host C, as they tend to forget and also some users' X servers don't accept plain X connections..
>
> Is there a way that I could configure host B to somehow expose to host C the X tunnel to host A?
>
> From host B I have access to the users' homes on host C and I could place there some script to set the DISPLAY env var on user login.
>
> B$ echo $DISPLAY
> on host B gives back something like localhost:16.0, but if on host C I enter:
> C$ export DISPLAY=B:16.0
> C$ xterm
> it doesn't work.. probably host C doesn't expose a network socket but maybe a unix socket for the X tunnel..

There are several problems. First, rsh does not support connection forwarding. Second, for security reasons, the X forwarding feature of ssh binds only to localhost on the client side (B), so you can't use it from C.

The easiest solution would be to allow users to use ssh to connect to C (what's the reason for not allowing it?). Then you can use the X forwarding feature of ssh.

Other solutions require much more work. For example, you can use ssh's generic connection forwarding feature which allows using a remote network socket (not just localhost). That is, on host A type something like this:

    ssh -R 6001:localhost:6000 B

then on host B simply type rsh C, and on host C you have to set the DISPLAY environment variable to B:1.0.

You also have to use xauth(1) or xhost(1) to allow X clients to access the server (ssh's X forwarding feature does that automatically, but when using the generic connection forwarding you have to do it yourself).

WARNING: The X connection between hosts B and C will be unencrypted. Everybody who has access to the network will be able to sniff the connection and be able to watch everything you do, including every character you type (passwords etc.), and even intercept, modify and take over the connection. Furthermore, since the X connection socket on host B listens on the network (not just localhost), everybody can connect to it from other machines and access your X server, provided it can authenticate with it (which is trivial, especially if you use xhost(1)).

I'm curious, why can't you use ssh between hosts B and C? Using ssh would solve all of the problems at once.

Best regards
Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, http://www.secnetix.de/bsd

"Python tricks is a tough one, cuz the language is so clean. E.g., C makes an art of confusing pointers with arrays and strings, which leads to lotsa neat pointer tricks; APL mistakes everything for an array, leading to neat one-liners; and Perl confuses everything period, making each line a joyous adventure *wink*." -- Tim Peters
Re: X11 tunnel over ssh and then rsh
On Thursday 21 August 2008 09:54:29 Roberto Nunnari wrote:
> Anybody on this, please?
>
> Roberto Nunnari wrote:
>> Hello list.
>>
>> I have this scenario
>> 1) host A with X server
>> 2) host B with ssh server but without X server
>> 3) host C with rsh server and X client programs but without X server
>> (on host C there's also an ssh server, but in our case, users have to use rsh)

Why rsh? Isn't ssh a drop-in replacement for rsh?

>> now, I need to connect from host A to host B with:
>> A$ ssh -Y B
>> (-Y or -X, to create an X tunnel)
>> and then from host B to host C with:
>> B$ rsh C
>> and on host C I need to run an X client like:
>> C$ xterm
>>
>> Now, I would like the users not to have to set the DISPLAY env var on host C, as they tend to forget and also some users' X servers don't accept plain X connections..
>>
>> Is there a way that I could configure host B to somehow expose to host C the X tunnel to host A?

Automatically? No. You can however use ssh to create generic TCP tunnels, using -R and -L. But this is much more complicated than remembering a DISPLAY variable.

>> From host B I have access to the users' homes on host C and I could place there some script to set the DISPLAY env var on user login.
>>
>> B$ echo $DISPLAY
>> on host B gives back something like localhost:16.0, but if on host C I enter:
>> C$ export DISPLAY=B:16.0
>> C$ xterm
>> it doesn't work.. probably host C doesn't expose a network socket but maybe a unix socket for the X tunnel..

This is probably because the listener (which proxies X11 to host A) is bound to localhost (127.0.0.1) and not B (12.23.34.45). You can overcome this, using manual forwarding (-R -L).

    HOST_A# ssh -R '*:6010:127.0.0.1:6000' HOST_B
    # create a listener on HOST_B listening on all interfaces and TCP port 6010
    # and tunnel everything from there to HOST_A's 127.0.0.1 6000

Then every host which can connect to HOST_B can connect to HOST_A's X11 server.

Using generic TCP port forwarding through ssh to forward X11 has another minus. You have to handle the X11 authorization yourself (xauth, XAUTHORITY and friends).

You can of course use a second ssh session from HOST_B to HOST_C to expose HOST_B's 127.0.0.1:6010 to HOST_C's 127.0.0.1:6010. So, connecting from HOST_C to 127.0.0.1:6010 will be tunneled to HOST_B's 127.0.0.1:6010, which will be tunneled to HOST_A's 127.0.0.1:6000 where your X11 display lives. It's rather complicated, though...
Re: X11 tunnel over ssh and then rsh
Hi Oliver.

The reason for using rsh instead of ssh is that it's a computing cluster. Host B is the master node and access point to the cluster, and host C is any one of the computing nodes. The cluster resources are managed by the Sun Grid Engine (SGE), and so users obtain the computing resources using the SGE interface. SGE under the cover uses rsh. I could search and see if it would be possible to configure SGE so that it uses ssh instead of rsh, but then you should take into account the cpu overhead of using ssh (encryption/decryption), so unnecessarily using cpu time, as the cluster is all in a private network.

Thanks for the suggestion. I'll try that right away.

Robi

Oliver Fromme wrote:
> Roberto Nunnari wrote:
>> 1) host A with X server
>> 2) host B with ssh server but without X server
>> 3) host C with rsh server and X client programs but without X server
>> (on host C there's also an ssh server, but in our case, users have to use rsh)
>>
>> now, I need to connect from host A to host B with:
>> A$ ssh -Y B
>> (-Y or -X, to create an X tunnel)
>> and then from host B to host C with:
>> B$ rsh C
>> and on host C I need to run an X client like:
>> C$ xterm
>>
>> Now, I would like the users not to have to set the DISPLAY env var on host C, as they tend to forget and also some users' X servers don't accept plain X connections..
>>
>> Is there a way that I could configure host B to somehow expose to host C the X tunnel to host A?
>>
>> From host B I have access to the users' homes on host C and I could place there some script to set the DISPLAY env var on user login.
>>
>> B$ echo $DISPLAY
>> on host B gives back something like localhost:16.0, but if on host C I enter:
>> C$ export DISPLAY=B:16.0
>> C$ xterm
>> it doesn't work.. probably host C doesn't expose a network socket but maybe a unix socket for the X tunnel..
>
> There are several problems. First, rsh does not support connection forwarding. Second, for security reasons, the X forwarding feature of ssh binds only to localhost on the client side (B), so you can't use it from C.
>
> The easiest solution would be to allow users to use ssh to connect to C (what's the reason for not allowing it?). Then you can use the X forwarding feature of ssh.
>
> Other solutions require much more work. For example, you can use ssh's generic connection forwarding feature which allows using a remote network socket (not just localhost). That is, on host A type something like this:
>
>     ssh -R 6001:localhost:6000 B
>
> then on host B simply type rsh C, and on host C you have to set the DISPLAY environment variable to B:1.0.
>
> You also have to use xauth(1) or xhost(1) to allow X clients to access the server (ssh's X forwarding feature does that automatically, but when using the generic connection forwarding you have to do it yourself).
>
> WARNING: The X connection between hosts B and C will be unencrypted. Everybody who has access to the network will be able to sniff the connection and be able to watch everything you do, including every character you type (passwords etc.), and even intercept, modify and take over the connection. Furthermore, since the X connection socket on host B listens on the network (not just localhost), everybody can connect to it from other machines and access your X server, provided it can authenticate with it (which is trivial, especially if you use xhost(1)).
>
> I'm curious, why can't you use ssh between hosts B and C? Using ssh would solve all of the problems at once.
>
> Best regards
> Oliver

-- 
Roberto Nunnari
Servizi Informatici SUPSI-DTI
SUPSI-DTI - Via Cantonale - 6928 Manno - Switzerland
email: mailto:[EMAIL PROTECTED]
tel: +41-58-561
X11 tunnel over ssh and then rsh
Hello list.

I have this scenario
1) host A with X server
2) host B with ssh server but without X server
3) host C with rsh server and X client programs but without X server
(on host C there's also an ssh server, but in our case, users have to use rsh)

now, I need to connect from host A to host B with:
A$ ssh -Y B
(-Y or -X, to create an X tunnel)
and then from host B to host C with:
B$ rsh C
and on host C I need to run an X client like:
C$ xterm

Now, I would like the users not to have to set the DISPLAY env var on host C, as they tend to forget and also some users' X servers don't accept plain X connections..

Is there a way that I could configure host B to somehow expose to host C the X tunnel to host A?

From host B I have access to the users' homes on host C and I could place there some script to set the DISPLAY env var on user login.

B$ echo $DISPLAY
on host B gives back something like localhost:16.0, but if on host C I enter:
C$ export DISPLAY=B:16.0
C$ xterm
it doesn't work.. probably host C doesn't expose a network socket but maybe a unix socket for the X tunnel..

Any help/hint greatly appreciated.

Best regards.
Robi
config as an exit of IPv6 over IPv4 tunnel
Can I configure FreeBSD as the exit of an IPv6 over IPv4 tunnel?

Let me explain it in detail. Both hostA and hostB have global IPv4 addresses, and hostA has a global IPv6 address. I have installed FreeBSD 7.0 on both hostA and hostB. Then, I want to configure an IPv6 over IPv4 tunnel from hostB to hostA. Is it possible?

-- 
Hashimoto Kouki [EMAIL PROTECTED]
Re: config as an exit of IPv6 over IPv4 tunnel
> Let me explain it in detail. Both hostA and hostB have global IPv4 addresses, and hostA has a global IPv6 address. I have installed FreeBSD 7.0 on both hostA and hostB. Then, I want to configure an IPv6 over IPv4 tunnel from hostB to hostA. Is it possible?

I don't understand why you need a single-directional tunnel. You need bidirectional transmission of IP packets.

man gif
Re: config as an exit of IPv6 over IPv4 tunnel
Hashimoto wrote:
> Can I configure FreeBSD as the exit of an IPv6 over IPv4 tunnel?
>
> Let me explain it in detail. Both hostA and hostB have global IPv4 addresses, and hostA has a global IPv6 address. I have installed FreeBSD 7.0 on both hostA and hostB. Then, I want to configure an IPv6 over IPv4 tunnel from hostB to hostA. Is it possible?

Yes, absolutely. I have a similar configuration for my IPv6 connectivity. There are some alternatives (stf(4), faith(4)), but this is based on what I have.

This is mostly in terms of what you'd add to /etc/rc.conf on HostB -- HostA will be similar, but addresses will be reversed in the obvious places.

i) Create a gif(4) interface and configure the endpoints:

    gif_interfaces="gif0"
    gifconfig_gif0="hostB-ipv4-number hostA-ipv4-number"

ii) Enable IPv6 on HostB -- I'm assuming you've assigned a /64 net block to HostB (perhaps a tad excessive, but pretty much the default for an allocation of a chunk of IPv6 address space.) Adjust the prefixlen to suit.

    ipv6_enable="YES"
    ipv6_defaultrouter="-interface gif0"
    ipv6_default_interface="gif0"
    ipv6_ifconfig_gif0="1234:5678:9abc:def0::1 prefixlen 64"

iii) Settings on HostA are slightly different -- HostA has to be a router, and it only wants to route the HostB block via the gif(4) tunnel:

    ipv6_enable="YES"
    ipv6_defaultrouter="hostA-ipv6-gateway-address"
    ipv6_gateway_enable="YES"
    ipv6_static_routes="hostB"
    ipv6_route_hostB="1234:5678:9abc:def0:: -prefixlen 64 -interface gif0"

iv) That should be everything you need to get point-to-point connectivity working.

Note: it's pretty easy now to make HostB an IPv6 router and assign IPv6 addresses to anything on the same local subnet as HostB. In fact, you can use rtadvd(8) on HostB to make that automatic:

    ipv6_network_interfaces="auto"
    ipv6_prefix_em0="1234:5678:9acb:def0"
    rtadvd_enable="YES"
    rtadvd_interfaces="em0"

Then just run rtsol(8) on all the other machines that will use HostB as their IPv6 gateway.

Cheers,
Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
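Matthew's two rc.conf halves have to agree with each other in three places (mirrored gif endpoints, HostA forwarding and routing the block into gif0, and the prefix HostB advertises on its LAN being that same block), and a slip in any of them produces a tunnel that comes up but carries nothing. The following consistency check is an added example, not code from the thread; it assumes /64 prefixes written out as four leading groups, as in Matthew's message, and uses placeholder addresses.

```shell
#!/bin/sh
# Added example, not code from the thread: a consistency check for the two
# /etc/rc.conf halves of the gif(4) tunnel above. It catches the quiet
# failures: endpoints not mirrored between the hosts, HostA not forwarding
# or not routing the block into gif0, and a LAN prefix on HostB that is not
# the block HostA routes. All addresses are placeholders.

# rc_var FILE NAME: value of the last NAME="..." assignment, quotes stripped
# (rc.conf is sourced by sh, so the last assignment wins). Assumes plain
# assignments with no "=" inside the value.
rc_var() {
    awk -v name="$2" -F= '
        $1 == name { v = $2; sub(/^"/, "", v); sub(/"$/, "", v); val = v }
        END { print val }' "$1"
}

# prefix64 ADDR: the /64 prefix of ADDR as its first four groups, lowercased.
# Assumes those groups are written out (1234:5678:9abc:def0::1); fails on a
# compressed form such as 2001:db8::1 rather than guessing.
prefix64() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "" || $2 == "" || $3 == "" || $4 == "" { exit 1 }
        { print tolower($1 ":" $2 ":" $3 ":" $4) }'
}

# check_tunnel RC_CONF_A RC_CONF_B: one line per problem; returns 1 if any.
check_tunnel() {
    a=$1; b=$2; rc=0
    # (1) Each side lists "own-ipv4 peer-ipv4"; the pairs must mirror.
    set -- $(rc_var "$a" gifconfig_gif0); a_own=$1; a_peer=$2
    set -- $(rc_var "$b" gifconfig_gif0); b_own=$1; b_peer=$2
    if [ -z "$a_own" ] || [ "$a_own" != "$b_peer" ] || [ "$a_peer" != "$b_own" ]; then
        echo "gifconfig_gif0 endpoints not mirrored (A: '$a_own $a_peer', B: '$b_own $b_peer')"
        rc=1
    fi
    # (2) HostA must forward and must route HostB's block into gif0.
    if [ "$(rc_var "$a" ipv6_gateway_enable | tr '[:upper:]' '[:lower:]')" != yes ]; then
        echo "HostA: ipv6_gateway_enable is not YES, so HostA will not forward for HostB"
        rc=1
    fi
    set -- $(rc_var "$a" "ipv6_route_$(rc_var "$a" ipv6_static_routes)")
    route_pfx=$(prefix64 "$1") || route_pfx=
    if [ -z "$route_pfx" ] || [ "$5" != gif0 ]; then
        echo "HostA: no static route for HostB's /64 via -interface gif0"
        rc=1
    fi
    # (3) HostB's gif0 address must lie inside that routed block.
    set -- $(rc_var "$b" ipv6_ifconfig_gif0)
    gif_pfx=$(prefix64 "$1") || gif_pfx=
    if [ -z "$gif_pfx" ] || [ "$gif_pfx" != "$route_pfx" ]; then
        echo "HostB: gif0 prefix '$gif_pfx' is not the block HostA routes ('$route_pfx')"
        rc=1
    fi
    # (4) A prefix advertised by rtadvd on the LAN must be that block too,
    #     or LAN hosts autoconfigure addresses nobody routes back to them.
    lan_if=$(rc_var "$b" rtadvd_interfaces)
    if [ -n "$lan_if" ]; then
        lan_pfx=$(prefix64 "$(rc_var "$b" "ipv6_prefix_$lan_if")") || lan_pfx=
        if [ "$lan_pfx" != "$route_pfx" ]; then
            echo "HostB: ipv6_prefix_$lan_if '$lan_pfx' is not the routed block '$route_pfx'"
            rc=1
        fi
    fi
    return $rc
}

# write_demo_confs DIR: constructed rc.conf fragments following the thread's
# template, with placeholder IPv4 addresses from the documentation ranges.
# hostB-typo transposes two hex digits in the advertised LAN prefix.
write_demo_confs() {
    cat > "$1/hostA" <<'EOF'
ipv6_enable="YES"
gif_interfaces="gif0"
gifconfig_gif0="198.51.100.1 192.0.2.1"
ipv6_gateway_enable="YES"
ipv6_static_routes="hostB"
ipv6_route_hostB="1234:5678:9abc:def0:: -prefixlen 64 -interface gif0"
EOF
    cat > "$1/hostB" <<'EOF'
gif_interfaces="gif0"
gifconfig_gif0="192.0.2.1 198.51.100.1"
ipv6_enable="YES"
ipv6_defaultrouter="-interface gif0"
ipv6_ifconfig_gif0="1234:5678:9abc:def0::1 prefixlen 64"
rtadvd_enable="YES"
rtadvd_interfaces="em0"
ipv6_prefix_em0="1234:5678:9abc:def0"
EOF
    sed 's/^ipv6_prefix_em0=.*/ipv6_prefix_em0="1234:5678:9acb:def0"/' \
        "$1/hostB" > "$1/hostB-typo"
}

d=$(mktemp -d) || exit 1
write_demo_confs "$d"
check_tunnel "$d/hostA" "$d/hostB" && echo "hostA/hostB: consistent"
check_tunnel "$d/hostA" "$d/hostB-typo" || echo "(hostB-typo: caught as expected)"
rm -rf "$d"
```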
Re: config as an exit of IPv6 over IPv4 tunnel
Thanks, Matthew! I will try it, and report again.

2008/7/21 Matthew Seaman [EMAIL PROTECTED]:

--
Hashimoto Kouki [EMAIL PROTECTED]

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
PF firewall NAT and Windows IPSEC tunnel
Howdy folks.

I have several computers behind a FreeBSD router (NAT 192.168.0.x using OpenBSD's PF). One of those computers is a Windows machine which is using software called Cisco Systems VPN Client to connect to some other computers outside of our internal network. Our connection to the outside world is DHCP via cable modem.

I can connect the Windows machine directly to the cable modem, bypassing the FreeBSD router entirely; the VPN works fine in this case. However, when I try going through the FreeBSD router I get dropped VPN connections after four to eight minutes; the VPN works fine only when it first connects and for five minutes thereafter.

    Secure VPN Connection terminated locally by the client.
    Reason 412: The remote peer is no longer responding.

We contacted the administrator on the other side and he said to do the following:

    The following ports should be allowed through the local firewall:
    UDP port 500, port 1
    ESP all ports
    AH all ports

My original /etc/pf.conf:

    ext_if=fxp0
    int_if=fxp3
    internal_net=192.168.0.0/24
    nat on $ext_if from $internal_net to any -> ($ext_if)

and I added these three lines (the Windows machine is 192.168.0.3):

    rdr on $ext_if proto udp from any to ($ext_if) port {500,1} -> 192.168.0.3
    rdr on $ext_if proto esp from any to ($ext_if) -> 192.168.0.3
    rdr on $ext_if proto ah from any to ($ext_if) -> 192.168.0.3

But the VPN connections still get dropped after five minutes. Any ideas?

I'm also running a bridge between several network interfaces. My /etc/sysctl.conf looks like this:

    net.link.ether.bridge.enable=1
    net.link.ether.bridge.config=em0,em1,fxp1,fxp2,fxp3

The interesting lines from /etc/rc.conf are:

    ifconfig_fxp0="DHCP"
    ifconfig_fxp3="inet 192.168.0.254 netmask 255.255.255.0"
ssh tunnel question
Hi,

I installed FreeBSD 6.3RC2 on my computer. The SSH daemon is installed and working. On my Linux computer I can connect easily with

    ssh -D 8080 myserver.com

and use it as a SOCKS proxy server for Firefox. But on Windows I can't using PuTTY: I can make it local like -L in Linux, but I can't make it dynamic. I tried it but all I get is "the proxy server is refusing connections" in Firefox. It works on all Linux PCs but not Windows, same error message. I disabled the firewall and it's still not working. What's wrong with it?

[EMAIL PROTECTED]
SDF Public Access UNIX System - http://sdf.lonestar.org
Re: ssh tunnel question
On Friday 18 January 2008 04:52:44 Juan Ortega wrote:

> I installed FreeBSD 6.3RC2 on my computer. The SSH daemon is installed and working. On my Linux computer I can connect easily with ssh -D 8080 myserver.com and use it as a SOCKS proxy server for Firefox. But on Windows I can't using PuTTY: I can make it local like -L in Linux, but I can't make it dynamic. I tried it but all I get is "the proxy server is refusing connections" in Firefox. It works on all Linux PCs but not Windows, same error message. I disabled the firewall and it's still not working. What's wrong with it?

In Firefox, are you using SOCKS4 when connecting? Try SOCKS4.
Re: Difficulties establishing VPN tunnel with IPNAT
On 27/11/2007, at 5:49 PM, Ted Mittelstaedt wrote:

> What you SHOULD be using is a set of commands such as:
>
>     ipfw add divert natd ip from any to [outside IP address] in recv [outside interface]
>     ipfw add divert natd ip from not [outside IP address] to any out recv [inside interface] xmit [outside interface]

That does make a lot of sense! However, the 2nd rule is slightly confusing me.. Shouldn't it be something like:

    divert natd ip from [internal net range] to any out via [outside if]

?

Cheers,
J.
RE: Difficulties establishing VPN tunnel with IPNAT
> -----Original Message-----
> From: Jerahmy Pocott [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 27, 2007 7:07 AM
> To: Ted Mittelstaedt
> Cc: FreeBSD Questions
> Subject: Re: Difficulties establishing VPN tunnel with IPNAT
>
> That does make a lot of sense! However, the 2nd rule is slightly confusing me.. Shouldn't it be something like:
>
>     divert natd ip from [internal net range] to any out via [outside if]
>
> ?

As I recall the via keyword was a later addition to ipfw; the way you wrote it is the same thing - the earlier form I used works on both old and new ipfw (not that it probably matters much nowadays). Use whichever is more clear to you - the gist of it is to use the ipfw rulesets to keep the traffic that doesn't need the attention of natd out of userland.

Ted
RE: Difficulties establishing VPN tunnel with IPNAT
> -----Original Message-----
> From: Jerahmy Pocott [mailto:[EMAIL PROTECTED]
> Sent: Sunday, November 25, 2007 4:48 AM
> To: Ted Mittelstaedt
> Cc: FreeBSD Questions
> Subject: Re: Difficulties establishing VPN tunnel with IPNAT
>
> Perhaps, but I've heard a lot of good things about IPF and IPNAT, especially since the nat is all in kernel whereas natd is userland, so there is a slight performance boost possibly there as well..

I will address this one point here since it's enough to make someone scream, it's such an old chestnut.

natd is always criticized because going to userland is slow. So, people who have slowness problems think that is the issue. In reality, the problem is that the DEFAULT setup and man page examples for natd use the following ipfw divert rule:

    /sbin/ipfw -f flush
    /sbin/ipfw add divert natd all from any to any via ed0
    /sbin/ipfw add pass all from any to any

This produces a rule such as the following:

    00050 divert 8668 ip from any to any via de0

The problem though, is this is wrong. What it is doing is that ALL traffic that comes into and out of the box - no matter what the source and destination is - will be passed to the natd translator. What you SHOULD be using is a set of commands such as:

    ipfw add divert natd ip from any to [outside IP address] in recv [outside interface]
    ipfw add divert natd ip from not [outside IP address] to any out recv [inside interface] xmit [outside interface]

What these rules do is ONLY pass traffic to natd that needs natting - that is, traffic that is passing through the FreeBSD box onward to the Internet. Traffic that is broadcast, or traffic that is a destination of the nat box itself (such as if the nat box is also running a proxy server, mailserver, fileserver, etc.) or sourced from the nat box, is NOT passed to natd.

There are some pretty fast Internet connection circuits out there these days - DSL and Cable can both offer up to 10Mbit of bandwidth. But these are nothing compared to the bandwidth of a 100BaseT ethernet card, or the PCI bus of a computer. If someone is saturating their natd with filesharing traffic to the nat box, why then no wonder they are seeing things run slow.

Ted
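Added example, not Ted's code: a Python model of the two divert rulesets run over a constructed traffic mix, showing which packets each one hands to natd, including what the targeted pair still must divert (inbound packets to the public address, which natd has to match against its translation table) and what it keeps out of userland (traffic the box itself originates, LAN traffic to the box). The interface names, the public address 203.0.113.5 and the LAN 192.168.1.0/24 are assumptions, and the matcher is a simplified model of ipfw's in/out, recv/xmit and via qualifiers rather than ipfw itself.

```python
"""Which packets reach natd under the default 'divert natd all from any
to any via ed0' rule versus the two targeted divert rules.  Added
example, not from the list post; addresses come from documentation
ranges and the matcher only models the ipfw qualifiers it names."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

OUTSIDE_IF, INSIDE_IF = "ed0", "ed1"                 # assumption: ed1 is the LAN side
OUTSIDE_IP = ipaddress.ip_address("203.0.113.5")     # assumption: the box's public address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str          # "in" (arriving) or "out" (leaving), as ipfw sees it
    recv: Optional[str]     # interface the packet arrived on, if any
    xmit: Optional[str]     # interface the packet is leaving on, if any


def default_rule(pkt: Packet) -> bool:
    """'divert natd all from any to any via ed0': anything crossing ed0 at all."""
    return OUTSIDE_IF in (pkt.recv, pkt.xmit)


def targeted_rules(pkt: Packet) -> bool:
    """Ted's pair: (1) inbound to the outside IP, received on the outside
    interface; (2) outbound from anything but the outside IP that came in on
    the inside interface and leaves on the outside one."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    rule1 = pkt.direction == "in" and dst == OUTSIDE_IP and pkt.recv == OUTSIDE_IF
    rule2 = (pkt.direction == "out" and src != OUTSIDE_IP
             and pkt.recv == INSIDE_IF and pkt.xmit == OUTSIDE_IF)
    return rule1 or rule2


# Constructed traffic mix.  LAN is 192.168.1.0/24 with the box at 192.168.1.1
# (assumption); 198.51.100.x are remote Internet hosts.
SAMPLE = {
    "lan host browsing out":     Packet("192.168.1.10", "198.51.100.7", "out", INSIDE_IF, OUTSIDE_IF),
    "reply back to lan host":    Packet("198.51.100.7", "203.0.113.5", "in", OUTSIDE_IF, None),
    "inbound mail to the box":   Packet("198.51.100.25", "203.0.113.5", "in", OUTSIDE_IF, None),
    "box's own mail delivery":   Packet("203.0.113.5", "198.51.100.25", "out", None, OUTSIDE_IF),
    "lan host to box fileshare": Packet("192.168.1.10", "192.168.1.1", "in", INSIDE_IF, None),
}


def diverted(rule) -> list:
    """Sorted names of the sample packets the given rule hands to natd."""
    return sorted(name for name, pkt in SAMPLE.items() if rule(pkt))


if __name__ == "__main__":
    print("default rule diverts:  ", diverted(default_rule))
    print("targeted rules divert: ", diverted(targeted_rules))
```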
RE: Difficulties establishing VPN tunnel with IPNAT
The other thing you can do is simply switch back to natd. You didn't say why you decided to switch in the first place. A lot of times people switch because they are having problems with natd. Are you? If not, you should be aware that natd does support more kinds of protocol translations.

Ted

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Olofsson
> Sent: Saturday, November 24, 2007 2:09 PM
> To: Jerahmy Pocott
> Cc: FreeBSD Questions
> Subject: Re: Difficulties establishing VPN tunnel with IPNAT
>
> Hello again Jerahmy,
>
> I would suggest that you verify what port(s) and protocol(s) 'Sonic Wall Global VPN Client' needs to work. I would also suggest that you look in the logfile from ipf to see what it's blocking and when.
>
> My guess is that the VPN client is using a protocol like IPSEC (IP protocol 50) and possibly port 500 (IKE), for which you will have to activate the ipnat proxy.
>
>     map WAN internal_ip/24 -> 0.0.0.0/32 proxy port 500 ipsec/udp
>
> You might also try to disable the blocking of fragged packets. For some VPN clients this can cause problems.
>
> Good luck!
>
> /Roger
>
> Jerahmy Pocott wrote:
>> Sorry let me clarify..
>>
>> There are two issues, one is connecting to any external VPN, with no filter I can establish a connection to PPTP VPN, but the 'Sonic Wall Global VPN Client' still fails to connect even with no filter rules.
>>
>> The redirect for the CVS server has an ipf rule to allow traffic on that port, but users are getting connection refused messages.
>>
>> I will include my ipf rules, I clearly need some sort of rule to allow inbound for the VPN to work, though I think the ipnat is breaking the Sonic Wall client. Which is strange because everything worked fine with ipfw/natd.
>>
>> Here are my ipf rules:
>>
>>     # Allow all in/out on internal interface
>>     pass in quick on fxp0 all
>>     pass out quick on fxp0 all
>>
>>     # Allow all in/out on loopback interface
>>     pass in quick on lo0 all
>>     pass out quick on lo0 all
>>
>>     # Allow all out-going on public interface and keep state
>>     pass out quick on fxp1 proto tcp from any to any flags S keep state
>>     pass out quick on fxp1 proto udp from any to any keep state
>>     pass out quick on fxp1 proto icmp from any to any keep state
>>
>>     # Block all inbound traffic from non-routable or reserved address spaces
>>     block in quick on fxp1 from 192.168.0.0/16 to any    # RFC 1918 private IP
>>     block in quick on fxp1 from 172.16.0.0/12 to any     # RFC 1918 private IP
>>     block in quick on fxp1 from 10.0.0.0/8 to any        # RFC 1918 private IP
>>     block in quick on fxp1 from 127.0.0.0/8 to any       # loopback
>>     block in quick on fxp1 from 0.0.0.0/8 to any         # loopback
>>     block in quick on fxp1 from 169.254.0.0/16 to any    # DHCP auto-config
>>     block in quick on fxp1 from 192.0.2.0/24 to any      # reserved for docs
>>     block in quick on fxp1 from 204.152.64.0/23 to any   # Sun cluster interconnect
>>     block in quick on fxp1 from 224.0.0.0/3 to any       # Class D & E multicast
>>
>>     # Block frags
>>     block in quick on fxp1 all with frags
>>
>>     # Block short tcp packets
>>     block in quick on fxp1 proto tcp all with short
>>
>>     # Block source routed packets
>>     block in quick on fxp1 all with opt lsrr
>>     block in quick on fxp1 all with opt ssrr
>>
>>     # Block anything with special options
>>     block in quick on fxp1 all with ipopts
>>
>>     # Block public pings
>>     block in quick on fxp1 proto icmp all icmp-type 8
>>
>>     # Block ident
>>     block in quick on fxp1 proto tcp from any to any port = 113
>>
>>     # Block all Netbios service. 137=name, 138=datagram, 139=session
>>     # Block MS/Windows hosts2 name server requests 81
>>     block in quick on fxp1 proto tcp/udp from any to any port = 137
>>     block in quick on fxp1 proto tcp/udp from any to any port = 138
>>     block in quick on fxp1 proto tcp/udp from any to any port = 139
>>     block in quick on fxp1 proto tcp/udp from any to any port = 81
>>
>>     # Allow CVS access
>>     pass in quick on fxp1 proto tcp/udp from any to any port = 2401
>>
>>     # Logged Blocking Rules
>>     #
>>     # Block nmap OS fingerprint attempts
>>     block in log first quick on fxp1 proto tcp from any to any flags FUP
>>
>>     # Block all other incoming traffic
>>     block in log first quick on fxp1 all
>>
>> Thanks for the help!
>> J.
>>
>> On 25/11/2007, at 12:50 AM, Roger Olofsson wrote:
>>> Hello Jerahmy,
>>>
>>> Assuming you want to connect from the outside to your VPN. Have you made sure that port 2401 is open for inbound traffic in your ipf.rules? You might also want to do 'ipnat -C -f path to ipnat.rules'. Man ipnat ;^)
>>>
>>> Greeting from Sweden
>>> /Roger
>>>
>>> Jerahmy Pocott wrote:
>>>> Hello,
>>>>
>>>> I recently decided to give ipf and ipnat a try, previously I had always been using ipfw and natd. Since switching over I can no longer establish a VPN tunnel from any system behind the gateway. I did 'ipf -F a' to flush all rules but I was still unable to connect so I think it's a problem with ipnat? Also my redirect from ipnat doesn't seem to work either
Re: Difficulties establishing VPN tunnel with IPNAT
Well the main reason is that it was part of IPF, and IPF seemed to be better than IPFW? So when trying out IPF I also used IPNAT.. I had no problems with natd but it seemed I should use the IPNAT if I was using IPF?

On 25/11/2007, at 8:00 PM, Ted Mittelstaedt wrote:

> The other thing you can do is simply switch back to natd. You didn't say why you decided to switch in the first place. A lot of times people switch because they are having problems with natd. Are you? If not, you should be aware that natd does support more kinds of protocol translations.
>
> Ted
Re: Difficulties establishing VPN tunnel with IPNAT
The Sonic Wall client doesn't trigger ANY firewall rules, which is why I thought there must be something going wrong with the NAT. It actually establishes the tunnel okay but never gets an IP address; from my understanding this client uses some sort of dhcp over ipsec to provision the client address..

What I am getting using the standard PPTP method are a bunch of hits:

    fxp1 @0:25 b x.x.x.x -> 10.0.0.3 PR gre len 20 (93) IN NAT

(rule @0:25 is the final 'block all' rule)

What is protocol 'gre'? Why is a NAT'd packet getting blocked?!

Thanks!
J.

On 25/11/2007, at 9:09 AM, Roger Olofsson wrote:

> Hello again Jerahmy,
>
> I would suggest that you verify what port(s) and protocol(s) 'Sonic Wall Global VPN Client' needs to work. I would also suggest that you look in the logfile from ipf to see what it's blocking and when.
>
> My guess is that the VPN client is using a protocol like IPSEC (IP protocol 50) and possibly port 500 (IKE), for which you will have to activate the ipnat proxy.
>
>     map WAN internal_ip/24 -> 0.0.0.0/32 proxy port 500 ipsec/udp
>
> You might also try to disable the blocking of fragged packets. For some VPN clients this can cause problems.
>
> Good luck!
>
> /Roger
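Added example, not from the thread: a Python parser for ipmon(8) block lines in the format Jerahmy posted, checked against the outbound keep-state rules from his ruleset. On the inbound path IPFilter applies ipnat before the filter, which is why the logged destination is already the private 10.0.0.3 and the line carries the NAT flag; the ruleset only keeps state for tcp, udp and icmp, so a GRE (IP protocol 47) packet has no state entry to match and falls through to the final block rule, and the checker reports exactly that. The x.x.x.x source is replaced with a documentation address, and the extra log lines are constructed (assumptions).

```python
"""Parse ipmon(8) block lines and match them against a ruleset's outbound
keep-state rules.  Added example, not from the list; log lines and the
ruleset excerpt are constructed from the post (x.x.x.x replaced by a
documentation address, assumption)."""
import re

# IP protocol numbers for the names ipmon prints (subset of /etc/protocols).
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}

# ipmon line: iface @group:rule action src[,port] -> dst[,port] PR proto
#             len hdrlen (total) [...] IN|OUT [NAT]
LOG_RE = re.compile(
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) "
    r"(?P<src>[\w.:]+?)(?:,(?P<sport>\d+))? -> (?P<dst>[\w.:]+?)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) \((?P<tlen>\d+)\)(?P<tail>.*)$"
)
RULE_RE = re.compile(r"pass out quick on (?P<iface>\S+) proto (?P<proto>\S+) .*keep state")

SAMPLE_LOG = [
    # The GRE hit from the post, with the source replaced by a documentation address.
    "fxp1 @0:25 b 198.51.100.7 -> 10.0.0.3 PR gre len 20 (93) IN NAT",
    # Constructed: an unsolicited UDP probe that ipnat did not translate.
    "fxp1 @0:25 b 198.51.100.7,4444 -> 203.0.113.9,500 PR udp len 20 (120) IN",
    # Constructed: a passed outbound packet, which the checker ignores.
    "fxp1 @0:9 p 10.0.0.3,51000 -> 198.51.100.7,80 PR tcp len 20 (60) OUT NAT",
]

# The three stateful outbound rules from Jerahmy's ruleset.
RULESET = """
pass out quick on fxp1 proto tcp from any to any flags S keep state
pass out quick on fxp1 proto udp from any to any keep state
pass out quick on fxp1 proto icmp from any to any keep state
"""


def parse_log(line):
    """Return a dict of fields for one ipmon line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    tail = rec.pop("tail").split()
    rec["direction"] = "IN" if "IN" in tail else "OUT"
    rec["natted"] = "NAT" in tail                 # ipnat translated this packet
    rec["proto"] = rec["proto"].lower()
    rec["proto_number"] = PROTO_NUMBERS.get(rec["proto"])
    return rec


def stateful_protos(ruleset, iface):
    """Protocols for which an outbound keep-state rule exists on iface."""
    protos = set()
    for line in ruleset.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group("iface") == iface:
            protos.update(m.group("proto").split("/"))   # "tcp/udp" covers both
    return protos


def explain_blocks(log_lines, ruleset):
    """For every blocked inbound packet, report whether any outbound
    keep-state rule could have created the state entry it needed."""
    findings = []
    for line in log_lines:
        rec = parse_log(line)
        if rec is None or rec["action"] != "b" or rec["direction"] != "IN":
            continue
        findings.append({
            "rule": f'{rec["group"]}:{rec["rule"]}',
            "proto": rec["proto"],
            "proto_number": rec["proto_number"],
            "natted": rec["natted"],
            "stateful_pass": rec["proto"] in stateful_protos(ruleset, rec["iface"]),
        })
    return findings


if __name__ == "__main__":
    for f in explain_blocks(SAMPLE_LOG, RULESET):
        why = ("no outbound keep-state rule for this protocol" if not f["stateful_pass"]
               else "a stateful rule exists; the packet was unsolicited")
        print(f'rule {f["rule"]} blocked {f["proto"]} (protocol {f["proto_number"]}), '
              f'natted={f["natted"]}: {why}')
```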
RE: Difficulties establishing VPN tunnel with IPNAT
That's an absolutely terrible reason. On FreeBSD and the other open source operating systems there are always multiple ways to solve a problem. While in a few situations it can definitively be stated that one program is better (for example, sendmail is obviously superior to qmail), in most situations the different programs are merely different. The better one is the one that works for YOUR problem the best. Not the one that works for someone else's problem.

ipf is no better than ipfw for most purposes, it's just different. In this case, you had a working solution and now you don't. So, clearly, in your case, it's WORSE.

Ted

> -----Original Message-----
> From: Jerahmy Pocott [mailto:[EMAIL PROTECTED]
> Sent: Sunday, November 25, 2007 2:12 AM
> To: Ted Mittelstaedt
> Cc: Roger Olofsson; FreeBSD Questions
> Subject: Re: Difficulties establishing VPN tunnel with IPNAT
>
> Well the main reason is that it was part of IPF, and IPF seemed to be better than IPFW? So when trying out IPF I also used IPNAT.. I had no problems with natd but it seemed I should use the IPNAT if I was using IPF?
Re: Difficulties establishing VPN tunnel with IPNAT
Perhaps, but I've heard a lot of good things about IPF and IPNAT, especially since the NAT is all in kernel whereas natd is userland, so there is a slight performance boost possibly there as well.. It is not difficult to switch back to my old setup, but I thought I would give it a chance, since I've not used IPF before I figured it was likely something I've done wrong rather than something wrong with the program! I like the rule format in ipf and how simple it is to change ipnat rules on the fly without dumping current mappings. And it SHOULD work just as well as natd?

On 25/11/2007, at 10:42 PM, Ted Mittelstaedt wrote:

That's an absolutely terrible reason. On FreeBSD and the other open source operating systems there are always multiple ways to solve a problem. While in a few situations it can definitively be stated that one program is better (for example, sendmail is obviously superior to qmail) in most situations the different programs are merely different. The better one is the one that works for YOUR problem the best. Not the one that works for someone else's problem. ipf is no better than ipfw for most purposes, it's just different. In this case, you had a working solution and now you don't. So, clearly, in your case, it's WORSE.

Ted

-Original Message-
From: Jerahmy Pocott [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 25, 2007 2:12 AM
To: Ted Mittelstaedt
Cc: Roger Olofsson; FreeBSD Questions
Subject: Re: Difficulties establishing VPN tunnel with IPNAT

Well the main reason is that it was part of IPF, and IPF seemed to be better than IPFW? So when trying out IPF I also used IPNAT.. I had no problems with natd but it seemed I should use the IPNAT if I was using IPF?

On 25/11/2007, at 8:00 PM, Ted Mittelstaedt wrote:

The other thing you can do is simply switch back to natd. You didn't say why you decided to switch in the first place. A lot of times people switch because they are having problems with natd. Are you? If not, you should be aware that natd does support more kinds of protocol translations.

Ted

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Roger Olofsson
Sent: Saturday, November 24, 2007 2:09 PM
To: Jerahmy Pocott
Cc: FreeBSD Questions
Subject: Re: Difficulties establishing VPN tunnel with IPNAT

Hello again Jerahmy, I would suggest that you verify what port(s) and protocol(s) 'Sonic Wall Global VPN Client' needs to work. I would also suggest that you look in the logfile from ipf to see what it's blocking and when. My guess is that the VPN client is using a protocol like IPSEC (IP protocol 50) and possibly port 500 (IKE) for which you will have to activate the ipnat proxy.

map WAN internal_ip/24 -> 0.0.0.0/32 proxy port 500 ipsec/udp

You might also try to disable the blocking of fragged packets. For some VPN clients this can cause problems. Good luck!

/Roger

Jerahmy Pocott wrote:

Sorry let me clarify.. There are two issues, one is connecting to any external VPN, with no filter I can establish a connection to PPTP VPN, but the 'Sonic Wall Global VPN Client' still fails to connect even with no filter rules. The redirect for the CVS server has an ipf rule to allow traffic on that port, but users are getting connection refused messages. I will include my ipf rules, I clearly need some sort of rule to allow inbound for the VPN to work, though I think the ipnat is breaking the Sonic Wall client. Which is strange because everything worked fine with ipfw/natd.

Here are my ipf rules:

# Allow all in/out on internal interface
pass in quick on fxp0 all
pass out quick on fxp0 all
# Allow all in/out on loopback interface
pass in quick on lo0 all
pass out quick on lo0 all
# Allow all out-going on public interface and keep state
pass out quick on fxp1 proto tcp from any to any flags S keep state
pass out quick on fxp1 proto udp from any to any keep state
pass out quick on fxp1 proto icmp from any to any keep state
# Block all inbound traffic from non-routable or reserved address spaces
block in quick on fxp1 from 192.168.0.0/16 to any    # RFC 1918 private IP
block in quick on fxp1 from 172.16.0.0/12 to any     # RFC 1918 private IP
block in quick on fxp1 from 10.0.0.0/8 to any        # RFC 1918 private IP
block in quick on fxp1 from 127.0.0.0/8 to any       # loopback
block in quick on fxp1 from 0.0.0.0/8 to any         # loopback
block in quick on fxp1 from 169.254.0.0/16 to any    # DHCP auto-config
block in quick on fxp1 from 192.0.2.0/24 to any      # reserved for docs
block in quick on fxp1 from 204.152.64.0/23 to any   # Sun cluster interconnect
block in quick on fxp1 from 224.0.0.0/3 to any       # Class D E multicast
# Block frags
block in quick on fxp1 all with frags
# Block short tcp packets
block in quick on fxp1 proto tcp all with short
# block source routed packets
block in quick on fxp1 all with opt lsrr
block in quick on fxp1 all with opt ssrr
# Block anything with special
Re: Difficulties establishing VPN tunnel with IPNAT
Jerahmy Pocott wrote:

The Sonic Wall client doesn't trigger ANY firewall rules, which is why I thought there must be something going wrong with the NAT. It actually establishes the tunnel okay but never gets an IP address, from my understanding this client uses some sort of dhcp over ipsec to provision the client address.. What I am getting using the standard PPTP method are a bunch of hits:

fxp1 @0:25 b x.x.x.x -> 10.0.0.3 PR gre len 20 (93) IN NAT

(rule @0:25 is the final 'block all' rule) What is protocol 'gre'? Why is a NAT'd packet getting blocked?! Thanks! J.

On 25/11/2007, at 9:09 AM, Roger Olofsson wrote:

Hello again Jerahmy, I would suggest that you verify what port(s) and protocol(s) 'Sonic Wall Global VPN Client' needs to work. I would also suggest that you look in the logfile from ipf to see what it's blocking and when. My guess is that the VPN client is using a protocol like IPSEC (IP protocol 50) and possibly port 500 (IKE) for which you will have to activate the ipnat proxy.

map WAN internal_ip/24 -> 0.0.0.0/32 proxy port 500 ipsec/udp

You might also try to disable the blocking of fragged packets. For some VPN clients this can cause problems. Good luck!

/Roger

Jerahmy Pocott wrote:

Sorry let me clarify.. There are two issues, one is connecting to any external VPN, with no filter I can establish a connection to PPTP VPN, but the 'Sonic Wall Global VPN Client' still fails to connect even with no filter rules. The redirect for the CVS server has an ipf rule to allow traffic on that port, but users are getting connection refused messages. I will include my ipf rules, I clearly need some sort of rule to allow inbound for the VPN to work, though I think the ipnat is breaking the Sonic Wall client. Which is strange because everything worked fine with ipfw/natd.

Here are my ipf rules:

# Allow all in/out on internal interface
pass in quick on fxp0 all
pass out quick on fxp0 all
# Allow all in/out on loopback interface
pass in quick on lo0 all
pass out quick on lo0 all
# Allow all out-going on public interface and keep state
pass out quick on fxp1 proto tcp from any to any flags S keep state
pass out quick on fxp1 proto udp from any to any keep state
pass out quick on fxp1 proto icmp from any to any keep state
# Block all inbound traffic from non-routable or reserved address spaces
block in quick on fxp1 from 192.168.0.0/16 to any    # RFC 1918 private IP
block in quick on fxp1 from 172.16.0.0/12 to any     # RFC 1918 private IP
block in quick on fxp1 from 10.0.0.0/8 to any        # RFC 1918 private IP
block in quick on fxp1 from 127.0.0.0/8 to any       # loopback
block in quick on fxp1 from 0.0.0.0/8 to any         # loopback
block in quick on fxp1 from 169.254.0.0/16 to any    # DHCP auto-config
block in quick on fxp1 from 192.0.2.0/24 to any      # reserved for docs
block in quick on fxp1 from 204.152.64.0/23 to any   # Sun cluster interconnect
block in quick on fxp1 from 224.0.0.0/3 to any       # Class D E multicast
# Block frags
block in quick on fxp1 all with frags
# Block short tcp packets
block in quick on fxp1 proto tcp all with short
# block source routed packets
block in quick on fxp1 all with opt lsrr
block in quick on fxp1 all with opt ssrr
# Block anything with special options
block in quick on fxp1 all with ipopts
# Block public pings
block in quick on fxp1 proto icmp all icmp-type 8
# Block ident
block in quick on fxp1 proto tcp from any to any port = 113
# Block all Netbios service. 137=name, 138=datagram, 139=session
# Block MS/Windows hosts2 name server requests 81
block in quick on fxp1 proto tcp/udp from any to any port = 137
block in quick on fxp1 proto tcp/udp from any to any port = 138
block in quick on fxp1 proto tcp/udp from any to any port = 139
block in quick on fxp1 proto tcp/udp from any to any port = 81
# Allow CVS access
pass in quick on fxp1 proto tcp/udp from any to any port = 2401
# Logged Blocking Rules
#
# Block nmap OS fingerprint attempts
block in log first quick on fxp1 proto tcp from any to any flags FUP
# Block all other incoming traffic
block in log first quick on fxp1 all

Thanks for the help! J.

On 25/11/2007, at 12:50 AM, Roger Olofsson wrote:

Hello Jerahmy, Assuming you want to connect from the outside to your VPN. Have you made sure that port 2401 is open for inbound traffic in your ipf.rules? You might also want to do 'ipnat -C -f path to ipnat.rules'. Man ipnat ;^) Greetings from Sweden

/Roger

Jerahmy Pocott wrote:

Hello, I recently decided to give ipf and ipnat a try, previously I had always been using ipfw and natd. Since switching over I can no longer establish a VPN tunnel from any system behind the gateway. I did 'ipf -F a' to flush all rules but I was still unable to connect so I think it's a problem with ipnat? Also my redirect from ipnat doesn't seem to work either. These are the only ipnat rules I have: (fxp1 is the external interface)

# ipnat built in ftp proxy rules
map fxp1
Re: Difficulties establishing VPN tunnel with IPNAT
On 26/11/2007, at 1:00 AM, Roger Olofsson wrote:

Hello Jerahmy, (sorry for top-posting, btw). Gre is protocol 47. In your firewall rules you only allow/block protocols tcp/udp/icmp. If you want to use PPTP you will need to allow both the port and the protocol for it.

I put:

pass out quick on fxp1 proto gre from any to any keep state

This allowed the PPTP connection to establish, however trying to use apps over that connection resulted in:

fxp1 (block all rule) b x.x.x.x -> 10.0.0.3 PR gre len 20 (53) (frag 57516:[EMAIL PROTECTED]) IN bad NAT

By placing the rule:

pass in quick on fxp1 proto gre from any to any

and allowing frags everything started working properly, but allowing all gre traffic in doesn't seem like a good idea.. Is there any way to make this work without putting static ip address rules or allowing all traffic?

In your original question you mentioned having problems with CVS. From the looks of it, you redirect CVS to 10.0.0.2, meaning that all users on that machine can use CVS.

The redirect rule is supposed to redirect connections to CVS on the external interface to 10.0.0.2 on the internal lan, where the CVS server is actually running.

Cheers, J.

___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
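The log lines quoted in this thread are in the ipmon short format, and the point Roger makes is that the posted ruleset only ever names tcp, udp and icmp, so gre (and esp, for IPsec) falls through to the final catch-all block. As an added example, not code from any post in the thread, here is a small Python parser that reads such lines, flags blocked packets whose protocol the ruleset never names, and echoes Roger's "allow gre from the VPN server only" advice as a rule string for review; the sample lines are constructed, the 192.0.2.x / 198.51.100.x addresses are documentation-range placeholders, and suggested_rule is a hypothetical helper.

```python
"""Parse ipmon-style ipf log lines and flag blocks the ruleset never addresses.

Added example for this thread, not code from any of the posts. The log
format follows the lines quoted above ("fxp1 @0:25 b x.x.x.x -> 10.0.0.3 PR
gre len 20 (93) IN NAT"); the sample lines below are constructed and use
documentation-range addresses for the remote VPN server.
"""
import re
from collections import Counter

# Protocols the posted ruleset names in its pass/block rules. Anything else
# (gre for PPTP, esp for IPsec) only ever matches the catch-all
# "block in log first quick on fxp1 all" and shows up in the log as a block.
RULESET_PROTOS = {"tcp", "udp", "icmp"}

# ipmon short format: iface, rule id (or a note in parentheses, as in the
# hand-edited line in the thread), action letter, src -> dst, protocol,
# header length, packet length, then trailing flags such as "(frag ...)",
# IN/OUT, NAT or "bad NAT". The arrow is matched loosely because the
# archived copy of the thread flattened "->" to "-".
LOG_RE = re.compile(
    r"(?P<iface>\S+)\s+(?P<rule>@\d+:\d+|\([^)]*\))\s+(?P<action>[bpSL])\s+"
    r"(?P<src>\S+)\s+-+>?\s+(?P<dst>\S+)\s+PR\s+(?P<proto>\S+)\s+"
    r"len\s+(?P<hlen>\d+)\s+\(?(?P<plen>\d+)\)?(?P<rest>.*)$"
)


def _split_port(endpoint):
    """Split 'host,port' (tcp/udp entries) into (host, port); port is None otherwise."""
    host, sep, port = endpoint.rpartition(",")
    return (host, port) if sep else (endpoint, None)


def parse_line(line):
    """Return a dict describing one log line, or None if it is not an ipmon record."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    src, sport = _split_port(m.group("src"))
    dst, dport = _split_port(m.group("dst"))
    direction = None
    if re.search(r"\bIN\b", rest):
        direction = "IN"
    elif re.search(r"\bOUT\b", rest):
        direction = "OUT"
    return {
        "iface": m.group("iface"),
        "rule": m.group("rule"),
        "action": m.group("action"),
        "src": src, "sport": sport,
        "dst": dst, "dport": dport,
        "proto": m.group("proto").lower(),
        "hlen": int(m.group("hlen")),
        "plen": int(m.group("plen")),
        "direction": direction,
        "frag": "(frag" in rest,
        "nat": re.search(r"\bNAT\b", rest) is not None,
        "bad_nat": "bad NAT" in rest,
    }


def unhandled_blocks(lines):
    """Blocked packets whose protocol has no rule of its own in the ruleset.

    Returns (proto, src, dst, rule, fragmented) tuples: the hits the thread
    traces back to the final catch-all rule.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "b" and rec["proto"] not in RULESET_PROTOS:
            hits.append((rec["proto"], rec["src"], rec["dst"], rec["rule"], rec["frag"]))
    return hits


def summarize(lines):
    """Count (action, proto) pairs so a pattern of drops is visible at a glance."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["action"], rec["proto"])] += 1
    return counts


def suggested_rule(rec):
    """ipf rule admitting that protocol from the one peer seen in the log.

    Hypothetical helper following Roger's advice: allow gre from the VPN
    server's address rather than from any. Returned for review, never applied.
    """
    rule = "pass in quick on {iface} proto {proto} from {src} to {dst}".format(
        iface=rec["iface"], proto=rec["proto"], src=rec["src"], dst=rec["dst"])
    if rec["frag"]:
        # The posted "block in quick on fxp1 all with frags" rule sits earlier
        # in the file and would still drop fragments of this flow.
        rule += "   # note: fragments also hit the 'with frags' block rule"
    return rule


# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = [
    "fxp1 @0:25 b 192.0.2.10 -> 10.0.0.3 PR gre len 20 (93) IN NAT",
    "fxp1 (block all rule) b 192.0.2.10 -> 10.0.0.3 PR gre len 20 (53) (frag 57516:33@1480) IN bad NAT",
    "fxp1 @0:24 b 192.0.2.77,4242 -> 10.0.0.3,113 PR tcp len 20 60 -S IN",
    "fxp1 @0:25 b 192.0.2.55 -> 10.0.0.3 PR esp len 20 (120) IN",
    "fxp1 @0:16 p 198.51.100.3,50123 -> 10.0.0.2,2401 PR tcp len 20 60 -S IN NAT",
    "Nov 25 21:03:12 gw ipmon[123]: not a packet record",
]

if __name__ == "__main__":
    for hit in unhandled_blocks(SAMPLE_LOG):
        print(hit)
    print(summarize(SAMPLE_LOG))
```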
Re: Difficulties establishing VPN tunnel with IPNAT
Jerahmy Pocott wrote:

On 26/11/2007, at 1:00 AM, Roger Olofsson wrote:

Hello Jerahmy, (sorry for top-posting, btw). Gre is protocol 47. In your firewall rules you only allow/block protocols tcp/udp/icmp. If you want to use PPTP you will need to allow both the port and the protocol for it.

I put:

pass out quick on fxp1 proto gre from any to any keep state

This allowed the PPTP connection to establish, however trying to use apps over that connection resulted in:

fxp1 (block all rule) b x.x.x.x -> 10.0.0.3 PR gre len 20 (53) (frag 57516:[EMAIL PROTECTED]) IN bad NAT

By placing the rule:

pass in quick on fxp1 proto gre from any to any

and allowing frags everything started working properly, but allowing all gre traffic in doesn't seem like a good idea.. Is there any way to make this work without putting static ip address rules or allowing all traffic?

In your original question you mentioned having problems with CVS. From the looks of it, you redirect CVS to 10.0.0.2, meaning that all users on that machine can use CVS.

The redirect rule is supposed to redirect connections to CVS on the external interface to 10.0.0.2 on the internal lan, where the CVS server is actually running.

Cheers, J.

Hello Jerahmy, Some progress it seems? Why not set it to allow gre from VPN server only? Ie

pass in quick on fxp1 proto gre from vpn server ip to any?

The way you ask your question, 'make it work without static ip or allowing all traffic', isn't that contradictory? As for the frag part, I'd say that if gre needs frag, then you will have to enable it. About the CVS, I seem to have misunderstood your question. I assumed 10.0.0.2 wanted to receive CVS inbound and not serve it outbound, or am I mistaken again?

/Roger
Re: Difficulties establishing VPN tunnel with IPNAT
On 26/11/2007, at 4:47 AM, Roger Olofsson wrote:

Hello Jerahmy, Some progress it seems? Why not set it to allow gre from VPN server only? Ie

pass in quick on fxp1 proto gre from vpn server ip to any?

The way you ask your question, 'make it work without static ip or allowing all traffic', isn't that contradictory? As for the frag part, I'd say that if gre needs frag, then you will have to enable it. About the CVS, I seem to have misunderstood your question. I assumed 10.0.0.2 wanted to receive CVS inbound and not serve it outbound, or am I mistaken again?

/Roger

Yes, that is what I meant by 'static ip' I could allow all gre from the specific ip address but I would prefer that gre traffic be allowed from a host only when an existing connection has been opened to it.. 10.0.0.2 is a CVS server. It seems to me that natd works better with ipsec
Re: Difficulties establishing VPN tunnel with IPNAT
Jerahmy Pocott wrote:

On 26/11/2007, at 4:47 AM, Roger Olofsson wrote:

Hello Jerahmy, Some progress it seems? Why not set it to allow gre from VPN server only? Ie

pass in quick on fxp1 proto gre from vpn server ip to any?

The way you ask your question, 'make it work without static ip or allowing all traffic', isn't that contradictory? As for the frag part, I'd say that if gre needs frag, then you will have to enable it. About the CVS, I seem to have misunderstood your question. I assumed 10.0.0.2 wanted to receive CVS inbound and not serve it outbound, or am I mistaken again?

/Roger

Yes, that is what I meant by 'static ip' I could allow all gre from the specific ip address but I would prefer that gre traffic be allowed from a host only when an existing connection has been opened to it.. 10.0.0.2 is a CVS server. It seems to me that natd works better with ipsec

Hello again Jerahmy, It would seem that there is a PPTP proxy in ipf that you might want to try as well. The syntax would be:

map fxp1 10.0.0.0/0 -> 0/32 proxy port 1723 pptp/tcp

Good luck!

/Roger
Difficulties establishing VPN tunnel with IPNAT
Hello, I recently decided to give ipf and ipnat a try, previously I had always been using ipfw and natd. Since switching over I can no longer establish a VPN tunnel from any system behind the gateway. I did 'ipf -F a' to flush all rules but I was still unable to connect so I think it's a problem with ipnat? Also my redirect from ipnat doesn't seem to work either. These are the only ipnat rules I have: (fxp1 is the external interface)

# ipnat built in ftp proxy rules
map fxp1 10.0.0.0/24 -> 0/32 proxy port 21 ftp/tcp
map fxp1 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
# CVS Server on Fileserv
rdr fxp1 0/32 port 2401 -> 10.0.0.2 port 2401 tcp/udp
# nat all out going traffic on fxp1 from internal lan
map fxp1 10.0.0.0/24 -> 0/32

I can post my firewall rules too if that would help, however with NO rules set it still didn't work so I don't think that would help.. (I'm using the klm which is default to accept?)

Thanks! J.
Re: Difficulties establishing VPN tunnel with IPNAT
Hello Jerahmy, Assuming you want to connect from the outside to your VPN. Have you made sure that port 2401 is open for inbound traffic in your ipf.rules? You might also want to do 'ipnat -C -f path to ipnat.rules'. Man ipnat ;^) Greetings from Sweden

/Roger

Jerahmy Pocott wrote:

Hello, I recently decided to give ipf and ipnat a try, previously I had always been using ipfw and natd. Since switching over I can no longer establish a VPN tunnel from any system behind the gateway. I did 'ipf -F a' to flush all rules but I was still unable to connect so I think it's a problem with ipnat? Also my redirect from ipnat doesn't seem to work either. These are the only ipnat rules I have: (fxp1 is the external interface)

# ipnat built in ftp proxy rules
map fxp1 10.0.0.0/24 -> 0/32 proxy port 21 ftp/tcp
map fxp1 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
# CVS Server on Fileserv
rdr fxp1 0/32 port 2401 -> 10.0.0.2 port 2401 tcp/udp
# nat all out going traffic on fxp1 from internal lan
map fxp1 10.0.0.0/24 -> 0/32

I can post my firewall rules too if that would help, however with NO rules set it still didn't work so I don't think that would help.. (I'm using the klm which is default to accept?)

Thanks! J.
Re: Difficulties establishing VPN tunnel with IPNAT
Sorry, the issue is connecting TO any outside VPN, not connecting from outside. I tested with ipf set to accept all and it still failed, so I figured it must be ipnat.. I had no issues when using ipfw/natd.

On 25/11/2007, at 12:50 AM, Roger Olofsson wrote:

Hello Jerahmy, Assuming you want to connect from the outside to your VPN. Have you made sure that port 2401 is open for inbound traffic in your ipf.rules? You might also want to do 'ipnat -C -f path to ipnat.rules'. Man ipnat ;^) Greetings from Sweden

/Roger

Jerahmy Pocott wrote:

Hello, I recently decided to give ipf and ipnat a try, previously I had always been using ipfw and natd. Since switching over I can no longer establish a VPN tunnel from any system behind the gateway. I did 'ipf -F a' to flush all rules but I was still unable to connect so I think it's a problem with ipnat? Also my redirect from ipnat doesn't seem to work either. These are the only ipnat rules I have: (fxp1 is the external interface)

# ipnat built in ftp proxy rules
map fxp1 10.0.0.0/24 -> 0/32 proxy port 21 ftp/tcp
map fxp1 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
# CVS Server on Fileserv
rdr fxp1 0/32 port 2401 -> 10.0.0.2 port 2401 tcp/udp
# nat all out going traffic on fxp1 from internal lan
map fxp1 10.0.0.0/24 -> 0/32

I can post my firewall rules too if that would help, however with NO rules set it still didn't work so I don't think that would help.. (I'm using the klm which is default to accept?)

Thanks! J.
Re: Difficulties establishing VPN tunnel with IPNAT
Sorry let me clarify.. There are two issues, one is connecting to any external VPN, with no filter I can establish a connection to PPTP VPN, but the 'Sonic Wall Global VPN Client' still fails to connect even with no filter rules. The redirect for the CVS server has an ipf rule to allow traffic on that port, but users are getting connection refused messages. I will include my ipf rules, I clearly need some sort of rule to allow inbound for the VPN to work, though I think the ipnat is breaking the Sonic Wall client. Which is strange because everything worked fine with ipfw/natd.

Here are my ipf rules:

# Allow all in/out on internal interface
pass in quick on fxp0 all
pass out quick on fxp0 all
# Allow all in/out on loopback interface
pass in quick on lo0 all
pass out quick on lo0 all
# Allow all out-going on public interface and keep state
pass out quick on fxp1 proto tcp from any to any flags S keep state
pass out quick on fxp1 proto udp from any to any keep state
pass out quick on fxp1 proto icmp from any to any keep state
# Block all inbound traffic from non-routable or reserved address spaces
block in quick on fxp1 from 192.168.0.0/16 to any    # RFC 1918 private IP
block in quick on fxp1 from 172.16.0.0/12 to any     # RFC 1918 private IP
block in quick on fxp1 from 10.0.0.0/8 to any        # RFC 1918 private IP
block in quick on fxp1 from 127.0.0.0/8 to any       # loopback
block in quick on fxp1 from 0.0.0.0/8 to any         # loopback
block in quick on fxp1 from 169.254.0.0/16 to any    # DHCP auto-config
block in quick on fxp1 from 192.0.2.0/24 to any      # reserved for docs
block in quick on fxp1 from 204.152.64.0/23 to any   # Sun cluster interconnect
block in quick on fxp1 from 224.0.0.0/3 to any       # Class D E multicast
# Block frags
block in quick on fxp1 all with frags
# Block short tcp packets
block in quick on fxp1 proto tcp all with short
# block source routed packets
block in quick on fxp1 all with opt lsrr
block in quick on fxp1 all with opt ssrr
# Block anything with special options
block in quick on fxp1 all with ipopts
# Block public pings
block in quick on fxp1 proto icmp all icmp-type 8
# Block ident
block in quick on fxp1 proto tcp from any to any port = 113
# Block all Netbios service. 137=name, 138=datagram, 139=session
# Block MS/Windows hosts2 name server requests 81
block in quick on fxp1 proto tcp/udp from any to any port = 137
block in quick on fxp1 proto tcp/udp from any to any port = 138
block in quick on fxp1 proto tcp/udp from any to any port = 139
block in quick on fxp1 proto tcp/udp from any to any port = 81
# Allow CVS access
pass in quick on fxp1 proto tcp/udp from any to any port = 2401
# Logged Blocking Rules
#
# Block nmap OS fingerprint attempts
block in log first quick on fxp1 proto tcp from any to any flags FUP
# Block all other incoming traffic
block in log first quick on fxp1 all

Thanks for the help! J.

On 25/11/2007, at 12:50 AM, Roger Olofsson wrote:

Hello Jerahmy, Assuming you want to connect from the outside to your VPN. Have you made sure that port 2401 is open for inbound traffic in your ipf.rules? You might also want to do 'ipnat -C -f path to ipnat.rules'. Man ipnat ;^) Greetings from Sweden

/Roger

Jerahmy Pocott wrote:

Hello, I recently decided to give ipf and ipnat a try, previously I had always been using ipfw and natd. Since switching over I can no longer establish a VPN tunnel from any system behind the gateway. I did 'ipf -F a' to flush all rules but I was still unable to connect so I think it's a problem with ipnat? Also my redirect from ipnat doesn't seem to work either. These are the only ipnat rules I have: (fxp1 is the external interface)

# ipnat built in ftp proxy rules
map fxp1 10.0.0.0/24 -> 0/32 proxy port 21 ftp/tcp
map fxp1 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
# CVS Server on Fileserv
rdr fxp1 0/32 port 2401 -> 10.0.0.2 port 2401 tcp/udp
# nat all out going traffic on fxp1 from internal lan
map fxp1 10.0.0.0/24 -> 0/32

I can post my firewall rules too if that would help, however with NO rules set it still didn't work so I don't think that would help.. (I'm using the klm which is default to accept?)

Thanks! J.
Re: Difficulties establishing VPN tunnel with IPNAT
Hello again Jerahmy, I would suggest that you verify what port(s) and protocol(s) 'Sonic Wall Global VPN Client' needs to work. I would also suggest that you look in the logfile from ipf to see what it's blocking and when. My guess is that the VPN client is using a protocol like IPSEC (IP protocol 50) and possibly port 500 (IKE) for which you will have to activate the ipnat proxy.

map WAN internal_ip/24 -> 0.0.0.0/32 proxy port 500 ipsec/udp

You might also try to disable the blocking of fragged packets. For some VPN clients this can cause problems. Good luck!

/Roger

Jerahmy Pocott wrote:

Sorry let me clarify.. There are two issues, one is connecting to any external VPN, with no filter I can establish a connection to PPTP VPN, but the 'Sonic Wall Global VPN Client' still fails to connect even with no filter rules. The redirect for the CVS server has an ipf rule to allow traffic on that port, but users are getting connection refused messages. I will include my ipf rules, I clearly need some sort of rule to allow inbound for the VPN to work, though I think the ipnat is breaking the Sonic Wall client. Which is strange because everything worked fine with ipfw/natd.

Here are my ipf rules:

# Allow all in/out on internal interface
pass in quick on fxp0 all
pass out quick on fxp0 all
# Allow all in/out on loopback interface
pass in quick on lo0 all
pass out quick on lo0 all
# Allow all out-going on public interface and keep state
pass out quick on fxp1 proto tcp from any to any flags S keep state
pass out quick on fxp1 proto udp from any to any keep state
pass out quick on fxp1 proto icmp from any to any keep state
# Block all inbound traffic from non-routable or reserved address spaces
block in quick on fxp1 from 192.168.0.0/16 to any    # RFC 1918 private IP
block in quick on fxp1 from 172.16.0.0/12 to any     # RFC 1918 private IP
block in quick on fxp1 from 10.0.0.0/8 to any        # RFC 1918 private IP
block in quick on fxp1 from 127.0.0.0/8 to any       # loopback
block in quick on fxp1 from 0.0.0.0/8 to any         # loopback
block in quick on fxp1 from 169.254.0.0/16 to any    # DHCP auto-config
block in quick on fxp1 from 192.0.2.0/24 to any      # reserved for docs
block in quick on fxp1 from 204.152.64.0/23 to any   # Sun cluster interconnect
block in quick on fxp1 from 224.0.0.0/3 to any       # Class D E multicast
# Block frags
block in quick on fxp1 all with frags
# Block short tcp packets
block in quick on fxp1 proto tcp all with short
# block source routed packets
block in quick on fxp1 all with opt lsrr
block in quick on fxp1 all with opt ssrr
# Block anything with special options
block in quick on fxp1 all with ipopts
# Block public pings
block in quick on fxp1 proto icmp all icmp-type 8
# Block ident
block in quick on fxp1 proto tcp from any to any port = 113
# Block all Netbios service. 137=name, 138=datagram, 139=session
# Block MS/Windows hosts2 name server requests 81
block in quick on fxp1 proto tcp/udp from any to any port = 137
block in quick on fxp1 proto tcp/udp from any to any port = 138
block in quick on fxp1 proto tcp/udp from any to any port = 139
block in quick on fxp1 proto tcp/udp from any to any port = 81
# Allow CVS access
pass in quick on fxp1 proto tcp/udp from any to any port = 2401
# Logged Blocking Rules
#
# Block nmap OS fingerprint attempts
block in log first quick on fxp1 proto tcp from any to any flags FUP
# Block all other incoming traffic
block in log first quick on fxp1 all

Thanks for the help! J.

On 25/11/2007, at 12:50 AM, Roger Olofsson wrote:

Hello Jerahmy, Assuming you want to connect from the outside to your VPN. Have you made sure that port 2401 is open for inbound traffic in your ipf.rules? You might also want to do 'ipnat -C -f path to ipnat.rules'. Man ipnat ;^) Greetings from Sweden

/Roger

Jerahmy Pocott wrote:

Hello, I recently decided to give ipf and ipnat a try, previously I had always been using ipfw and natd. Since switching over I can no longer establish a VPN tunnel from any system behind the gateway. I did 'ipf -F a' to flush all rules but I was still unable to connect so I think it's a problem with ipnat? Also my redirect from ipnat doesn't seem to work either. These are the only ipnat rules I have: (fxp1 is the external interface)

# ipnat built in ftp proxy rules
map fxp1 10.0.0.0/24 -> 0/32 proxy port 21 ftp/tcp
map fxp1 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
# CVS Server on Fileserv
rdr fxp1 0/32 port 2401 -> 10.0.0.2 port 2401 tcp/udp
# nat all out going traffic on fxp1 from internal lan
map fxp1 10.0.0.0/24 -> 0/32

I can post my firewall rules too if that would help, however with NO rules set it still didn't work so I don't think that would help.. (I'm using the klm which is default to accept?)

Thanks! J.
Re: tunnel ipsec whith racoon2-20070720a
Thank you. The problem was with the gif interface. When I start iked, it tries to bind the IP address already allowed by the kernel for gif. Now, I'm looking for experience using racoon2-2006... or racoon2-2007... with (net|free)BSD

best regards

ckd

2007/9/19, Lowell Gilbert [EMAIL PROTECTED]:

ckd ckd [EMAIL PROTECTED] writes:

Hi, I'm looking for some experience using racoon2 to create an IPSEC tunnel between 2 FreeBSD 6.2 gateways. I followed the procedure described in the FreeBSD handbook, but when I start iked, I get the following message:

iked: [INTERNAL ERR]: isakmp.c:521:isakmp_open_address(): bind(10.0.2.254[500]): Address already in use.

There is no iked/racoon daemon started before. Thanks for your help

Use sockstat(1) to see what is holding the port?
Re: tunnel ipsec whith racoon2-20070720a
ckd ckd [EMAIL PROTECTED] writes:

Hi, I'm looking for some experience using racoon2 to create an IPSEC tunnel between 2 FreeBSD 6.2 gateways. I followed the procedure described in the FreeBSD handbook, but when I start iked, I get the following message:

iked: [INTERNAL ERR]: isakmp.c:521:isakmp_open_address(): bind(10.0.2.254[500]): Address already in use.

There is no iked/racoon daemon started before. Thanks for your help

Use sockstat(1) to see what is holding the port?
tunnel ipsec whith racoon2-20070720a
Hi, I'm looking for some experience using racoon2 to create an IPSEC tunnel between 2 FreeBSD 6.2 gateways. I followed the procedure described in the FreeBSD handbook, but when I start iked, I get the following message:

iked: [INTERNAL ERR]: isakmp.c:521:isakmp_open_address(): bind(10.0.2.254[500]): Address already in use.

There is no iked/racoon daemon started before. Thanks for your help

ckd
IPv6 Tunnel Brokers?
Hey list, While my ISP is rather geeky and more than willing to give me an IPv6 tunnel to the internet, there seems to be a large number of routing problems upstream from them that prevent us from accessing the majority of the IPv6 net. So, I ask two things really.

1) Does anyone know of an ISP that'll give me a /48 or /64 they'll route across a gif tunnel?

2) What could I do to help remedy this routing problem?

Thanks! Eric Crist
Re: IPv6 Tunnel Brokers?
Sure I was: [T]here seems to be a large number of routing problems upstream from them that prevent us from accessing the majority of the IPv6 net.

Eric

On Aug 1, 2007, at 10:06 AM, Tuc at T-B-O-H.NET wrote:

http://ipv6tb.he.net/index.php

You aren't clear on the problems at the ISP, so not sure what to tell you.

Tuc

Hey list, While my ISP is rather geeky and more than willing to give me an IPv6 tunnel to the internet, there seems to be a large number of routing problems upstream from them that prevent us from accessing the majority of the IPv6 net. So, I ask two things really.

1) Does anyone know of an ISP that'll give me a /48 or /64 they'll route across a gif tunnel?

2) What could I do to help remedy this routing problem?

Thanks! Eric Crist
Re: IPv6 Tunnel Brokers?
On Wed, 1 Aug 2007 09:52:45 -0500, Eric Crist wrote:

> Hey list,
>
> While my ISP is rather geeky and more than willing to give me an IPv6 tunnel to the internet, there seems to be a large number of routing problems upstream from them that prevent us from accessing the majority of the IPv6 net. So, I ask two things really.
>
> 1) Does anyone know of an ISP that'll give me a /48 or /64 they'll route across a gif tunnel?

http://www.tunnelbroker.net/

I use them and they seem to be quite good.

-jav
Re: IPv6 Tunnel Brokers?
Javier Henderson wrote:

> On Wed, 1 Aug 2007 09:52:45 -0500, Eric Crist wrote:
>
>> Hey list,
>>
>> While my ISP is rather geeky and more than willing to give me an IPv6 tunnel to the internet, there seems to be a large number of routing problems upstream from them that prevent us from accessing the majority of the IPv6 net. So, I ask two things really.
>>
>> 1) Does anyone know of an ISP that'll give me a /48 or /64 they'll route across a gif tunnel?
>
> http://www.tunnelbroker.net/
>
> I use them and they seem to be quite good.

I second that recommendation. The ISP in question is Hurricane Electric and the process is 100% web driven. It took me less than a day to get a gif tunnel up and an IPv6 /64 assignment.

-- 
Chris

"All I was doing was trying to get home from work." -Rosa Parks

Christopher Sean Hilton    chris | at | vindaloo.com
pgp key: D0957A2D/f5 30 0a e1 55 76 9b 1f 47 0b 07 e9 75 0e 14
Re: IPv6 Tunnel Brokers?
> I second that recommendation. The ISP in question is Hurricane Electric and the process is 100% web driven. It took me less than a day to get a gif tunnel up and an IPv6 /64 assignment.

They are FAIRLY responsive to service issues (I had problems getting to FTP1.FREEBSD.ORG for a bit, and within 8 hours of putting a ticket in it was resolved). They also show exact configuration for half a dozen different OSes/routers.

Tuc
Re: IPv6 Tunnel Brokers?
On Wed, August 1, 2007 16:12, Christopher Hilton wrote:

> Javier Henderson wrote:
>
>> On Wed, 1 Aug 2007 09:52:45 -0500, Eric Crist wrote:
>>
>>> Hey list,
>>>
>>> While my ISP is rather geeky and more than willing to give me an IPv6 tunnel to the internet, there seems to be a large number of routing problems upstream from them that prevent us from accessing the majority of the IPv6 net. So, I ask two things really.
>>>
>>> 1) Does anyone know of an ISP that'll give me a /48 or /64 they'll route across a gif tunnel?
>>
>> http://www.tunnelbroker.net/
>>
>> I use them and they seem to be quite good.
>
> I second that recommendation. The ISP in question is Hurricane Electric and the process is 100% web driven. It took me less than a day to get a gif tunnel up and an IPv6 /64 assignment.

I was up and running in a few hours! I'm using a Cisco router on my end; it was very easy to set up and get going.

-jav (disclaimer: I work at Cisco)
Re: IPv6 Tunnel Brokers?
On Aug 1, 2007, at 4:41 PM, Javier Henderson wrote:

> On Wed, August 1, 2007 16:12, Christopher Hilton wrote:
>
>> Javier Henderson wrote:
>>
>>> On Wed, 1 Aug 2007 09:52:45 -0500, Eric Crist wrote:
>>>
>>>> Hey list,
>>>>
>>>> While my ISP is rather geeky and more than willing to give me an IPv6 tunnel to the internet, there seems to be a large number of routing problems upstream from them that prevent us from accessing the majority of the IPv6 net. So, I ask two things really.
>>>>
>>>> 1) Does anyone know of an ISP that'll give me a /48 or /64 they'll route across a gif tunnel?
>>>
>>> http://www.tunnelbroker.net/
>>>
>>> I use them and they seem to be quite good.
>>
>> I second that recommendation. The ISP in question is Hurricane Electric and the process is 100% web driven. It took me less than a day to get a gif tunnel up and an IPv6 /64 assignment.
>
> I was up and running in a few hours! I'm using a Cisco router on my end; it was very easy to set up and get going.
>
> -jav (disclaimer: I work at Cisco)

Thanks for the pointer to he.net! I signed up, and my tunnel was approved within a half hour. I've already set up reverse DNS and the tunnel, and, 2 hours after signing up, I'm routed and operational!

What's weird is that from the he.net tunnel, I can ping6 www.kame.net, and I can ping6 my other IPv6 address (my other tunnel). But, from my old tunnel, I cannot ping6 www.kame.net. Must be a routing issue somewhere between...

Thanks for the pointer, guys!

Eric Crist
gre tunnel with key
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi guys,

I'm trying to establish a GRE tunnel between 2 offices in different cities. My problem is that, at the other end, they use a Linux router, and they specified a key on the GRE tunnel, as in:

ip tunnel add goofy mode gre remote x.x.x.x key 294

I used GRE before, but I have no idea how to set a key on FreeBSD. I've read http://www.freebsd.org/cgi/man.cgi?query=gre&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html and other man pages, googled around... but with no luck.

Can anyone help me on this? Thank you!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGriRm7nEMcIvWOSIRAiJkAJ45/LOMGDdKCjnfURSi3/Bv+Y7p1ACfdj39
lqW3DeUYEfaaXTu+MZVRqpQ=
=U9jy
-----END PGP SIGNATURE-----
Re: gre tunnel with key
Bazy wrote:

> Hi guys,
>
> I'm trying to establish a GRE tunnel between 2 offices in different cities. My problem is that, at the other end, they use a Linux router, and they specified a key on the GRE tunnel, as in:
>
> ip tunnel add goofy mode gre remote x.x.x.x key 294
>
> I used GRE before, but I have no idea how to set a key on FreeBSD. I've read http://www.freebsd.org/cgi/man.cgi?query=gre&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html and other man pages, googled around... but with no luck.
>
> Can anyone help me on this? Thank you!

Hello Bazy,

You could try the patch listed here and see if it works for you:
http://archive.netbsd.se/?ml=freebsd-net&a=2007-03&m=3388392
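What the Linux side's `key 294` puts on the wire is the optional Key field of RFC 2890: a 32-bit value carried after the 4-byte base GRE header whenever the K bit is set. A keyed endpoint uses that field to match incoming packets to the tunnel, so packets without it (or with a different value) are not delivered to the `goofy` tunnel. The block below is an added example for this thread, not code from FreeBSD, Linux or the patch linked above: it builds a GRE header with the Checksum and Key fields and parses one back the way a keyed receiver would. The key value 294 is the one from the thread; the 20-byte IPv4 payload and the `accepts()` helper are constructed for the example.

```python
"""GRE header with Checksum and Key fields (RFC 2784 / RFC 2890).
Added example for the 'gre tunnel with key' thread; not FreeBSD, Linux or
patch code. The key 294 is the value from the thread; the payload is a
constructed 20-byte IPv4 header."""
import struct

GRE_FLAG_CHECKSUM = 0x8000   # C bit: Checksum (and Reserved1) present
GRE_FLAG_KEY = 0x2000        # K bit: Key present
GRE_FLAG_SEQUENCE = 0x1000   # S bit: Sequence Number present
GRE_VERSION_MASK = 0x0007    # low three bits; must be 0 for RFC 2784 GRE
ETHERTYPE_IPV4 = 0x0800


def inet_checksum(data: bytes) -> int:
    """One's complement sum as used by IP and GRE. Returns 0 when the data
    already contains a correct checksum in its checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, key=None, seq=None, checksum=False,
              proto=ETHERTYPE_IPV4) -> bytes:
    """Encapsulate payload in a GRE header; key and seq are 32-bit values or None."""
    flags = 0
    if checksum:
        flags |= GRE_FLAG_CHECKSUM
    if key is not None:
        flags |= GRE_FLAG_KEY
    if seq is not None:
        flags |= GRE_FLAG_SEQUENCE
    hdr = struct.pack("!HH", flags, proto)
    if checksum:
        hdr += struct.pack("!HH", 0, 0)          # Checksum + Reserved1, filled below
    if key is not None:
        hdr += struct.pack("!I", key & 0xFFFFFFFF)
    if seq is not None:
        hdr += struct.pack("!I", seq & 0xFFFFFFFF)
    if checksum:
        # RFC 2890: the checksum covers the GRE header and the payload
        hdr = hdr[:4] + struct.pack("!H", inet_checksum(hdr + payload)) + hdr[6:]
    return hdr + payload


def parse_gre(packet: bytes, expected_key=None) -> dict:
    """Parse a GRE packet. With expected_key set, behave like a keyed tunnel
    endpoint: a packet without that exact key is rejected."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("unsupported GRE version %d" % (flags & GRE_VERSION_MASK))
    has_c = bool(flags & GRE_FLAG_CHECKSUM)
    has_k = bool(flags & GRE_FLAG_KEY)
    has_s = bool(flags & GRE_FLAG_SEQUENCE)
    hlen = 4 + 4 * (has_c + has_k + has_s)
    if len(packet) < hlen:
        raise ValueError("truncated GRE header")
    info = {"proto": proto, "checksum_ok": None, "key": None, "seq": None}
    off = 4
    if has_c:
        info["checksum_ok"] = inet_checksum(packet) == 0
        off += 4
    if has_k:
        info["key"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if has_s:
        info["seq"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if expected_key is not None and info["key"] != expected_key:
        raise ValueError("GRE key %r does not match tunnel key %d; packet dropped"
                         % (info["key"], expected_key))
    info["payload"] = packet[off:]
    return info


def accepts(packet: bytes, tunnel_key) -> bool:
    """True if an endpoint configured with tunnel_key (None = unkeyed) takes this packet."""
    try:
        parse_gre(packet, expected_key=tunnel_key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    inner = bytes([0x45]) + b"\x00" * 19              # constructed IPv4 header
    keyed = build_gre(inner, key=294, checksum=True)  # what 'key 294' sends
    plain = build_gre(inner)                          # unkeyed output, no K bit
    print(keyed.hex())
    print("keyed peer accepts keyed packet:", accepts(keyed, 294))
    print("keyed peer accepts unkeyed packet:", accepts(plain, 294))
```

The first two bytes of the keyed packet are `a000` (C and K bits set) followed by the `0800` protocol type; the unkeyed packet starts with `0000 0800` and is four bytes shorter, which is exactly the difference a capture on the Linux side would show between a peer that sends the key and one that does not.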
IPv6 Tunnel issues...
Hey all,

I've got a FreeBSD 6.2 system, compiled from source only two days ago, so it should have the routing patch applied. I'm trying to get a tunnel between my systems and my ISP. I'm performing the configuration as follows:

ifconfig gif0 create
ifconfig gif0 tunnel <my IPv4 address> <my ISP IPv4 address>
ifconfig gif0 inet6 alias ::a::a ::b::b prefixlen 126

When I execute the last command, I get:

ifconfig: ioctl (SIOCAIFADDR): Invalid argument

This works on a FreeBSD 4.11 system when my ISP tested on their end (slightly different syntax). What am I doing wrong?
Re: IPv6 Tunnel issues...
On 3/20/07, Eric F Crist <[EMAIL PROTECTED]> wrote:

> My ISP tells me it should be prefixlen 126, not 128
>
> On 3/20/07, Björn König <[EMAIL PROTECTED]> wrote:
>
>> Eric F Crist schrieb:
>>
>>> [...]
>>> I'm performing the configuration as follows:
>>>
>>> ifconfig gif0 create
>>> ifconfig gif0 tunnel <my IPv4 address> <my ISP IPv4 address>
>>> ifconfig gif0 inet6 alias ::a::a ::b::b prefixlen 126
>>>
>>> When I execute the last command, I get:
>>>
>>> ifconfig: ioctl (SIOCAIFADDR): Invalid argument
>>> [...]
>>
>> Use a prefix length of 128 instead of 126.
>>
>> Regards
>> Björn

Sorry for the top post earlier. I've eliminated the second IP address on the inet6 ifconfig command, and prefixlen 126 is accepted. Now I just get no ping replies across the gif0 interface. ifconfig shows all the correct information, and netstat -rn shows valid routes. What am I missing?

I *did* have this working at one time this morning, but I tried to get things into rc.conf and haven't been able to get it back up.

TIA
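When gif0 is configured but ping6 gets no replies, the next thing to look at is the wire. gif(4) carries each IPv6 packet as the payload of an IPv4 packet with protocol number 41 (6in4), so `tcpdump -ni <external interface> ip proto 41` on the outside interface shows whether echo requests actually leave and whether anything comes back from the ISP end. The block below is an added example for this thread, not FreeBSD code: it builds such a packet with an ICMPv6 echo request inside and decodes a captured one the way a tunnel endpoint does, checking the outer protocol number, the outer header checksum and the ICMPv6 checksum (which covers the IPv6 pseudo-header). It also checks that the two tunnel addresses share one /126, the prefix length the ISP in this thread hands out. The 192.0.2.10 / 198.51.100.7 endpoints and the 2001:db8:0:1::/126 pair are constructed documentation-range samples.

```python
"""6in4 (IP protocol 41) as carried by gif(4): an IPv6 packet inside IPv4.
Added example for the 'IPv6 Tunnel issues' thread; not FreeBSD code.
All addresses used here are constructed documentation-range samples."""
import ipaddress
import struct

IPPROTO_IPV6 = 41      # outer protocol number gif(4) uses for IPv6-in-IPv4
IPPROTO_ICMPV6 = 58
ICMP6_ECHO_REQUEST = 128
ICMP6_ECHO_REPLY = 129


def inet_checksum(data: bytes) -> int:
    """One's complement sum; returns 0 for data whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options, DF set) with header checksum, plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def _icmp6_pseudo(src: bytes, dst: bytes, length: int) -> bytes:
    """IPv6 pseudo-header: src, dst, upper-layer length, zeros, next header."""
    return src + dst + struct.pack("!IBBBB", length, 0, 0, 0, IPPROTO_ICMPV6)


def build_icmpv6_echo(src: str, dst: str, ident: int, seq: int,
                      data: bytes = b"", reply: bool = False) -> bytes:
    """IPv6 header plus ICMPv6 echo request/reply with a correct checksum."""
    s, d = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    body = struct.pack("!BBHHH", ICMP6_ECHO_REPLY if reply else ICMP6_ECHO_REQUEST,
                       0, 0, ident, seq) + data
    csum = inet_checksum(_icmp6_pseudo(s, d, len(body)) + body)
    body = body[:2] + struct.pack("!H", csum) + body[4:]
    return struct.pack("!IHBB", 0x60000000, len(body), IPPROTO_ICMPV6, 64) + s + d + body


def encapsulate_6in4(outer_src: str, outer_dst: str, inner_ipv6: bytes) -> bytes:
    """What gif(4) does on transmit: IPv4 header, protocol 41, IPv6 packet as payload."""
    return build_ipv4(outer_src, outer_dst, IPPROTO_IPV6, inner_ipv6)


def decode_6in4(packet: bytes) -> dict:
    """Decode a captured 6in4 packet; raises ValueError for anything a tunnel
    endpoint would not accept (bad outer checksum, wrong protocol, not IPv6 inside)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum failed")
    if packet[9] != IPPROTO_IPV6:
        raise ValueError("outer protocol %d is not 41; not a gif/6in4 packet" % packet[9])
    total_len = struct.unpack("!H", packet[2:4])[0]
    inner = packet[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    plen, nh = struct.unpack("!HB", inner[4:7])
    src, dst = ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40])
    info = {"outer_src": str(ipaddress.IPv4Address(packet[12:16])),
            "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
            "inner_src": str(src), "inner_dst": str(dst), "next_header": nh, "icmp6": None}
    if nh == IPPROTO_ICMPV6 and plen >= 8:
        body = inner[40:40 + plen]
        ident, seq = struct.unpack("!HH", body[4:8])
        ok = inet_checksum(_icmp6_pseudo(src.packed, dst.packed, len(body)) + body) == 0
        info["icmp6"] = {"type": body[0], "ident": ident, "seq": seq, "checksum_ok": ok}
    return info


def is_6in4(packet: bytes) -> bool:
    """True if decode_6in4 accepts the packet."""
    try:
        decode_6in4(packet)
        return True
    except ValueError:
        return False


def same_p2p_prefix(a: str, b: str, prefixlen: int = 126) -> bool:
    """Both tunnel ends must fall in the same prefix (the ISP in the thread uses /126)."""
    return (ipaddress.IPv6Network("%s/%d" % (a, prefixlen), strict=False)
            == ipaddress.IPv6Network("%s/%d" % (b, prefixlen), strict=False))


if __name__ == "__main__":
    echo = build_icmpv6_echo("2001:db8:0:1::1", "2001:db8:0:1::2", 0x1234, 1, b"ping")
    wire = encapsulate_6in4("192.0.2.10", "198.51.100.7", echo)
    print(wire.hex())
    print(decode_6in4(wire))
    print(same_p2p_prefix("2001:db8:0:1::1", "2001:db8:0:1::2"))
```

If requests show up on the outside interface with protocol 41 and the right outer addresses but nothing comes back, the problem is at the ISP end or in between; if nothing leaves at all, the local route for the far end of the /126 is not pointing at gif0.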