Unusual use of ssh

Steve Bertrand iaccounts at ibctech.ca
Thu May 22 01:01:46 UTC 2008

> Sure enough, ssh packets are 
> received by the host.  The problem is that it does not respond on the 
> right interface.  The routing table uses a default route through the 
> T1.  Thats where the sshd responses are being sent.

If I understand correctly, this is only one box you need a correction 
for. Read on.

> Since I have no a priori knowledge what IPs I would have available when 
> I need to use this back door, I can't pre-setup the routing table.  

Fair enough.

> I 
> need sshd to respond on the same interface it receives the packets 
> from.  I don't believe that is possible using IPv4 routing.  

Not at the layer-3 level directly. To do this dynamically you will need 
to perform some sort of "policy based routing".

> I think 
> that it is using IPv6 but none of the networks involved support that 
> yet.

Well, that's a topic up for review. Technically, in IPv6, there is no 
correlation between how a host selects it's source address for an IP 
packet based on it's destination address. I've been trying to understand 
and follow the consequences of this for some time:




>  I don't find any option in sshd to force it to respond on the 
> right interface either.  Is there something I have missed?

Most likely, if this is a single machine you are speaking of, a script 
that will check for connectivity to a remote address periodically (eg 
every five minutes) and then dynamically change it's default gateway at 
kernel level (not userland level) prior to SSH incoming may fix your 

This is a little difficult to do without dynamic routing, but relatively 
simple if you can put up with manually changing back the route once the 
T1 comes back up.

A script that does:

- ping remote addr
- if fail, route delete default, route add default (ADSL gw)

There was a very good discussion on fbsd-net@ last week regarding 
progress with multiple routing tables. I didn't get right into it so I 
don't know if it will help, but your true three options are:

- dynamic routing (co-operation with ISP's)
- IPFW (or equivalent) policy based routing (source routing)
- periodic check via a script



More information about the freebsd-questions mailing list