Apologies for the confusion.  Here's what I need to do:  I have client
applications that need to make a connection to an application server
(WebLogic) from anywhere on the Internet.

Problem is, my app server is behind two layers of firewalls.  The first
layer firewall permits traffic on the two ports I need, but only to hosts in
the first layer (i.e. my web servers).  Since there's no way to directly
reach the hosts running my app server, I have to redirect the traffic from
the first layer hosts to the second layer hosts.  This is where the port
forwarding comes in:  the second layer firewalls permit traffic on the two
ports I need, but _only_ with source IPs of the second layer hosts.  In
other words, I need to redirect incoming traffic through the second layer
firewall by mapping the source IP from anything (i.e. Internet addresses) to
the IPs of the second layer hosts -- kind of a reverse NAT.

That's it.  SSH port forwarding works because the second layer firewalls
also permit SSH traffic -- by establishing an SSH tunnel from the web
servers to the app servers, I can direct the Internet traffic through the
second layer firewall.  I _don't_ need the encryption that SSH provides, and
it certainly does slow us down a bit unnecessarily.  The reason I was
willing to accept the slowdown is that the SSH software is already installed
and supported on my Solaris hosts -- figured I'd take a small performance
hit in the interests of a simpler deployment.

Our environment is entirely Solaris 7 on Sparc.  We are currently using
FSecure's SSH daemon and client software supporting ssh2.  We either need a
way to keep an ssh tunnel active all the time, or some other port
forwarding/mapping daemon.   Suggestions?

Thanks for slogging through this!

- N.
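Added example (not part of this thread, and not the code of rinetd, redir or any of the tools named in it): a minimal plain-TCP relay of the kind a non-encrypting port forwarder performs, written in Python so it can be run locally. The listening and target addresses are loopback with port 0 (constructed, picked at bind time), and the echo server is a constructed stand-in for the app-server listener; the WebLogic ports and Solaris hosts from the message are not assumed. The point it demonstrates is the "reverse NAT" behaviour described above: the target only ever sees connections originating from the relay host, never from the Internet client. Nothing here encrypts, so it matches the case where the streams are already encrypted.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until EOF, then tear down both ends."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            s.close()


class Forwarder:
    """Accept TCP connections on listen_addr and relay each one to target_addr.

    The target only ever sees connections whose source address is this host,
    which is the 'reverse NAT' effect the poster describes.
    """

    def __init__(self, listen_addr, target_addr):
        self.target_addr = target_addr
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(listen_addr)
        self.listener.listen(16)
        self.listen_addr = self.listener.getsockname()  # port 0 resolved to the real port
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _peer = self.listener.accept()
            except OSError:          # listener closed by close()
                return
            try:
                upstream = socket.create_connection(self.target_addr, timeout=5)
            except OSError:          # target down: drop the client instead of hanging
                client.close()
                continue
            upstream.settimeout(None)
            # one thread per direction; EOF on either side closes the pair
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self):
        self.listener.close()


def start_echo_server():
    """Constructed stand-in for the app server: echoes bytes back and records the peer it saw."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    seen = {}

    def handle_one():
        conn, peer = srv.accept()
        seen["peer"] = peer          # the address the app server believes it is talking to
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)
        srv.close()

    threading.Thread(target=handle_one, daemon=True).start()
    return srv.getsockname(), seen


def demo(payload=b"hello through the relay\n"):
    """Send payload through the relay and report what each side saw."""
    server_addr, seen = start_echo_server()
    fwd = Forwarder(("127.0.0.1", 0), server_addr)
    with socket.create_connection(fwd.listen_addr, timeout=5) as c:
        client_local = c.getsockname()
        c.sendall(payload)
        got = b""
        while len(got) < len(payload):
            chunk = c.recv(4096)
            if not chunk:
                break
            got += chunk
    fwd.close()
    return {"echoed": got, "client_local": client_local, "upstream_peer": seen.get("peer")}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the payload arriving intact and the echo server reporting a peer port that belongs to the relay's outbound socket, not the client's. A deployed redirector (rinetd, redir or similar) should bind only the two required ports on the web-server side, since anything listening there is reachable from the Internet through the first firewall, and the second firewall's source-IP rule no longer distinguishes Internet clients from the web servers once traffic is relayed.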


----- Original Message -----
From: "Brian Hatch" <[EMAIL PROTECTED]>
To: "Neal Ruskin" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, November 21, 2000 1:47 AM
Subject: Re: FW: "permanent" tunnel ??


> You're correct, I'm simply looking for a single port (two, actually) to be
> forwarded, not all a la a VPN.  Specifically, I'm looking to leverage the
> port forwarding capabilities of ssh to map all incoming Internet traffic
> to a
> single "source" IP in order to tunnel through an intermediate layer
> firewall.  In fact, I don't even need the encryption, as the incoming
> streams are already encrypted...

Ok.  I for one am confused.  You started by talking about using
ssh portforwarding, and so we all thought you needed encryption.
If you don't, you may be able to use something as simple as
rinetd, redir, or plug-gw.

Why don't you explain what actual machines, ports, and traffic
is involved in your scenario so it's clearer?

> If this can't be done, can stunnel be used without the encryption
> capabilities?

Honestly, I don't know if OpenSSL supports 'none' encryption.

If you truly don't need encryption, using ssh, stunnel, or any
other encrypting software is only going to slow things down for
you.


--
Brian Hatch                Anything worth
   Systems and              fighting for is
   Security Engineer        worth fighting
http://www.ifokr.org/bri/   dirty for.

Every message PGP signed
