Re: Unusual use of ssh
On Wed, May 21, 2008 at 04:35:29PM -0700, Doug Hardie wrote:

> I have an unusual situation that I suspect is not practical, but just in case...
>
> I have a class C network with a T1 to the internet. There are a number of hosts on that network. Unfortunately the T1 line is just part of a path with several additional links before it gets to the upstream ISP. Some of those links are relatively prone to outages. In the same facility, I have a number of WiFi access points that are connected through a router to a DSL connection to the internet. That path is completely independent from the T1 and actually goes through a completely different set of central offices.
>
> What I have tried to do is to link the DSL router to one of my hosts via a separate NIC and address that is on the LAN of the WiFi router. So far all is good. I can ping any of the access points from that host just fine. I have established a pass through port in the DSL router for SSH that sends the packets to that host. Sure enough, ssh packets are received by the host. The problem is that it does not respond on the right interface. The routing table uses a default route through the T1. That's where the sshd responses are being sent.
>
> Since I have no a priori knowledge what IPs I would have available when I need to use this back door, I can't pre-setup the routing table. I need sshd to respond on the same interface it receives the packets from. I don't believe that is possible using IPv4 routing. I think that it is using IPv6 but none of the networks involved support that yet. I don't find any option in sshd to force it to respond on the right interface either. Is there something I have missed?
The easiest thing to do here will likely be setting up pf on the box with SSH with a pass rule and reply-to set to the correct interface to respond on.

--
# $dsl_if and $dsl_gw are placeholder macros for the DSL-side interface and its gateway
pass in on $dsl_if reply-to ($dsl_if $dsl_gw) proto tcp from any to port 22 keep state
--

-- 
David Michael Curry (Dave) <[EMAIL PROTECTED]>
() ASCII Ribbon Campaign | Against HTML e-mail
/\ www.asciiribbon.org   | Against proprietary extensions
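A fuller version of the pf approach Dave suggests, as an added example for this thread (not Dave's ruleset and not from the original posts): a small sh wrapper that emits a pf.conf fragment with a reply-to rule for SSH on the DSL-side NIC, parses it with pfctl -n before loading it, and prints it for review otherwise. The interface names em0/em1, the DSL gateway address 192.168.2.1 and the admin_net macro are assumptions; change them to match the host.

```shell
#!/bin/sh
# Added example for this thread, not Dave's own ruleset: a pf configuration
# that pins replies to SSH sessions arriving on the DSL-side NIC back out that
# NIC, regardless of the T1 default route. Interface names and the DSL
# gateway address are assumptions; set them to match the host.
DSL_IF="${DSL_IF:-em1}"            # assumed: NIC on the WiFi/DSL router's LAN
DSL_GW="${DSL_GW:-192.168.2.1}"    # assumed: DSL router's LAN address
T1_IF="${T1_IF:-em0}"              # assumed: NIC facing the class C / T1 side
ADMIN_NET="${ADMIN_NET:-any}"      # assumed: tighten to known admin sources if possible

# Print the ruleset so it can be reviewed or parsed with "pfctl -nf -".
gen_pf_rules() {
    cat <<EOF
# pf.conf fragment: out-of-band SSH via the DSL path (assumed interface names)
dsl_if = "$DSL_IF"
dsl_gw = "$DSL_GW"
t1_if  = "$T1_IF"
admin_net = "$ADMIN_NET"

set skip on lo0

# SSH forwarded by the DSL router. The state created here carries reply-to,
# so every reply in the session, starting with sshd's SYN-ACK, is handed to
# \$dsl_gw on \$dsl_if instead of following the default route over the T1.
pass in quick on \$dsl_if reply-to (\$dsl_if \$dsl_gw) proto tcp \\
    from \$admin_net to (\$dsl_if) port 22 flags S/SA keep state

# SSH on the T1 side keeps using the routing table as before.
pass in on \$t1_if proto tcp from any to (\$t1_if) port 22 flags S/SA keep state
pass out all keep state
EOF
}

# Dry-run parse (-n) before loading, so a typo cannot leave pf with no rules.
install_pf_rules() {
    tmp=/etc/pf.conf.ssh-replyto
    gen_pf_rules > "$tmp" || return 1
    pfctl -nf "$tmp" || return 1
    pfctl -f "$tmp"
}

case "${1:-print}" in
    install) install_pf_rules ;;
    *)       gen_pf_rules ;;
esac
```

Two things worth checking before relying on this. First, the port forward on the DSL router has to target the address configured on $dsl_if: sshd already replies from the address the SYN was sent to, so the source address is right and only the next hop is wrong, which is exactly what reply-to on a state-creating rule corrects (pf_enable="YES" in rc.conf is needed for the rules to survive a reboot). Second, this opens a second ingress path to sshd that bypasses whatever filtering sits upstream on the T1, so narrow admin_net to the sources you will actually connect from and keep sshd on key authentication only.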
Re: Unusual use of ssh
> Sure enough, ssh packets are received by the host. The problem is that it does not respond on the right interface. The routing table uses a default route through the T1. That's where the sshd responses are being sent.

If I understand correctly, this is only one box you need a correction for. Read on.

> Since I have no a priori knowledge what IPs I would have available when I need to use this back door, I can't pre-setup the routing table.

Fair enough.

> I need sshd to respond on the same interface it receives the packets from. I don't believe that is possible using IPv4 routing.

Not at the layer-3 level directly. To do this dynamically you will need to perform some sort of "policy based routing".

> I think that it is using IPv6 but none of the networks involved support that yet.

Well, that's a topic up for review. Technically, in IPv6, there is no correlation between how a host selects its source address for an IP packet based on its destination address. I've been trying to understand and follow the consequences of this for some time:

http://www.ietf.org/internet-drafts/draft-ietf-v6ops-addr-select-ps-06.txt

...or:

http://tinyurl.com/64l9pn

> I don't find any option in sshd to force it to respond on the right interface either. Is there something I have missed?

Most likely, if this is a single machine you are speaking of, a script that will check for connectivity to a remote address periodically (eg every five minutes) and then dynamically change its default gateway at kernel level (not userland level) prior to SSH incoming may fix your problem. This is a little difficult to do without dynamic routing, but relatively simple if you can put up with manually changing back the route once the T1 comes back up.

A script that does:

- ping remote addr
- if fail, route delete default, route add default (ADSL gw)

There was a very good discussion on fbsd-net@ last week regarding progress with multiple routing tables. I didn't get right into it so I don't know if it will help, but your true three options are:

- dynamic routing (co-operation with ISP's)
- IPFW (or equivalent) policy based routing (source routing)
- periodic check via a script

Regards,
Steve
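The periodic-check script Steve outlines, written out as an added example for this thread (not Steve's script and not from the original posts). It separates the decision from the side effects so the failover logic can be exercised without root or a network, requires several consecutive failed probes before swinging the default route, and moves the route back when the T1 answers again. The gateway addresses, the probe host, the state-file paths and the cron entry are all assumptions.

```shell
#!/bin/sh
# Added example for this thread, not Steve's own script: a cron-driven probe
# that moves the default route to the DSL gateway after the T1 path has failed
# several probes in a row, and moves it back once the T1 answers again. The
# addresses, probe host and state-file paths are assumptions.
T1_GW="${T1_GW:-203.0.113.1}"          # assumed: T1 next hop
DSL_GW="${DSL_GW:-192.168.2.1}"        # assumed: DSL router's LAN address
PROBE="${PROBE:-203.0.113.254}"        # assumed: host beyond the flaky links
FAIL_LIMIT="${FAIL_LIMIT:-3}"          # consecutive failures before failing over
STATE_FILE="${STATE_FILE:-/var/run/uplink.state}"   # holds "t1" or "dsl"
FAIL_FILE="${FAIL_FILE:-/var/run/uplink.fails}"     # holds the failure counter

# One-time setup: pin the probe host behind the T1 gateway with a host route,
# so the probe keeps testing the T1 path even while the default route points
# at the DSL router (otherwise the probe would succeed over DSL and flap back).
pin_probe() { route add -host "$PROBE" "$T1_GW"; }

# Probe the T1 path (FreeBSD ping: -c count, -t overall timeout in seconds).
probe_t1() { ping -c 2 -t 5 "$PROBE" >/dev/null 2>&1; }

# Pure decision logic, kept separate from side effects so it can be tested:
# prints "to_dsl", "to_t1" or "noop" for the active uplink, the number of
# consecutive failed probes and this probe's result ("ok" or "fail").
decide() {
    active=$1; fails=$2; result=$3
    if [ "$result" = ok ]; then
        if [ "$active" = dsl ]; then echo to_t1; else echo noop; fi
    elif [ "$active" = t1 ] && [ "$fails" -ge "$FAIL_LIMIT" ]; then
        echo to_dsl          # T1 dead long enough: swing the default route
    else
        echo noop            # still within the failure budget, or already on DSL
    fi
}

# Apply the decision with the route(8) sequence Steve describes.
apply_route() {
    case $1 in
        to_dsl) route delete default >/dev/null 2>&1; route add default "$DSL_GW" ;;
        to_t1)  route delete default >/dev/null 2>&1; route add default "$T1_GW" ;;
        noop)   : ;;
    esac
}

# One cron run: read state, probe, decide, act, persist, log.
run_check() {
    active=$(cat "$STATE_FILE" 2>/dev/null || echo t1)
    fails=$(cat "$FAIL_FILE" 2>/dev/null || echo 0)
    if probe_t1; then result=ok; fails=0; else result=fail; fails=$((fails + 1)); fi
    action=$(decide "$active" "$fails" "$result")
    apply_route "$action"
    case $action in to_dsl) active=dsl ;; to_t1) active=t1 ;; esac
    echo "$active" > "$STATE_FILE"
    echo "$fails"  > "$FAIL_FILE"
    logger -t uplink-check "probe=$result fails=$fails active=$active action=$action"
}

# Crontab entry (assumed path): */5 * * * * root /usr/local/sbin/uplink-check.sh run
case "${1:-}" in
    setup) pin_probe ;;
    run)   run_check ;;
esac
```

Run "setup" once after boot (or put the host route in rc.conf as a static route) and "run" from cron. Note what this does and does not cover: it only changes the box's own default route, so while the T1 is up, SSH arriving through the DSL port forward is still answered over the T1; for that case a pf reply-to rule as Dave suggested earlier in the thread is the fix, and the two approaches combine cleanly. Also keep FAIL_LIMIT above 1, otherwise one lost probe on a congested link swings the route and every established session that depended on the old path stalls.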
Re: Unusual use of ssh
At 06:35 PM 5/21/2008, Doug Hardie wrote:

> I have an unusual situation that I suspect is not practical, but just in case...
>
> I have a class C network with a T1 to the internet. There are a number of hosts on that network. Unfortunately the T1 line is just part of a path with several additional links before it gets to the upstream ISP. Some of those links are relatively prone to outages. In the same facility, I have a number of WiFi access points that are connected through a router to a DSL connection to the internet. That path is completely independent from the T1 and actually goes through a completely different set of central offices.
>
> What I have tried to do is to link the DSL router to one of my hosts via a separate NIC and address that is on the LAN of the WiFi router. So far all is good. I can ping any of the access points from that host just fine. I have established a pass through port in the DSL router for SSH that sends the packets to that host. Sure enough, ssh packets are received by the host. The problem is that it does not respond on the right interface. The routing table uses a default route through the T1. That's where the sshd responses are being sent.
>
> Since I have no a priori knowledge what IPs I would have available when I need to use this back door, I can't pre-setup the routing table. I need sshd to respond on the same interface it receives the packets from. I don't believe that is possible using IPv4 routing. I think that it is using IPv6 but none of the networks involved support that yet. I don't find any option in sshd to force it to respond on the right interface either. Is there something I have missed?

You need to set the correct listen address in /etc/sshd_config then restart sshd. Also you may need to provide a route for this interface if it cannot find its own route.

-Derek
Unusual use of ssh
I have an unusual situation that I suspect is not practical, but just in case...

I have a class C network with a T1 to the internet. There are a number of hosts on that network. Unfortunately the T1 line is just part of a path with several additional links before it gets to the upstream ISP. Some of those links are relatively prone to outages. In the same facility, I have a number of WiFi access points that are connected through a router to a DSL connection to the internet. That path is completely independent from the T1 and actually goes through a completely different set of central offices.

What I have tried to do is to link the DSL router to one of my hosts via a separate NIC and address that is on the LAN of the WiFi router. So far all is good. I can ping any of the access points from that host just fine. I have established a pass through port in the DSL router for SSH that sends the packets to that host. Sure enough, ssh packets are received by the host. The problem is that it does not respond on the right interface. The routing table uses a default route through the T1. That's where the sshd responses are being sent.

Since I have no a priori knowledge what IPs I would have available when I need to use this back door, I can't pre-setup the routing table. I need sshd to respond on the same interface it receives the packets from. I don't believe that is possible using IPv4 routing. I think that it is using IPv6 but none of the networks involved support that yet. I don't find any option in sshd to force it to respond on the right interface either. Is there something I have missed?