Unusual use of ssh
Steve Bertrand
iaccounts at ibctech.ca
Thu May 22 01:01:46 UTC 2008
> Sure enough, ssh packets are
> received by the host. The problem is that it does not respond on the
> right interface. The routing table uses a default route through the
> T1. That's where the sshd responses are being sent.
If I understand correctly, this is only one box you need a correction
for. Read on.
> Since I have no a priori knowledge what IPs I would have available when
> I need to use this back door, I can't pre-setup the routing table.
Fair enough.
> I
> need sshd to respond on the same interface it receives the packets
> from. I don't believe that is possible using IPv4 routing.
Not at the layer-3 level directly. To do this dynamically you will need
to perform some sort of "policy based routing".
> I think
> that it is using IPv6 but none of the networks involved support that
> yet.
Well, that's a topic up for review. Technically, in IPv6, there is no
correlation between how a host selects its source address for an IP
packet based on its destination address. I've been trying to understand
and follow the consequences of this for some time:
http://www.ietf.org/internet-drafts/draft-ietf-v6ops-addr-select-ps-06.txt
...or:
http://tinyurl.com/64l9pn
> I don't find any option in sshd to force it to respond on the
> right interface either. Is there something I have missed?
Most likely, if this is a single machine you are speaking of, a script
that will check for connectivity to a remote address periodically (e.g.
every five minutes) and then dynamically change its default gateway at
kernel level (not userland level) prior to SSH incoming may fix your
problem.
This is a little difficult to do without dynamic routing, but relatively
simple if you can put up with manually changing back the route once the
T1 comes back up.
A script that does:
- ping remote addr
- if fail, route delete default, route add default (ADSL gw)
There was a very good discussion on fbsd-net@ last week regarding
progress with multiple routing tables. I didn't get right into it so I
don't know if it will help, but your true three options are:
- dynamic routing (co-operation with ISPs)
- IPFW (or equivalent) policy based routing (source routing)
- periodic check via a script
Regards,
Steve
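The periodic-check script sketched above, written out as an added example that is not from the thread or from any FreeBSD tool. It assumes FreeBSD's ping(8), route(8) and netstat(8); the probe address, ADSL gateway and install path are placeholders to set for your site.

```sh
#!/bin/sh
# gw-failover.sh: run from cron every five minutes. If the probe address
# stops answering through the current default route (the T1), replace the
# kernel default route with the ADSL gateway so sshd replies leave on the
# link that is still up. Switching back to the T1 is manual, as discussed.
REMOTE_ADDR="${REMOTE_ADDR:-192.0.2.1}"     # placeholder: host reachable via the T1
ADSL_GW="${ADSL_GW:-198.51.100.1}"          # placeholder: ADSL next hop

# probe_host HOST -> 0 if HOST answers ICMP echo, non-zero otherwise
# (FreeBSD ping: -t is the overall timeout in seconds)
probe_host() {
    ping -c 3 -t 5 "$1" >/dev/null 2>&1
}

# current_default_gw -> prints the kernel's current IPv4 default gateway
current_default_gw() {
    netstat -rn -f inet | awk '$1 == "default" { print $2; exit }'
}

# set_default_route GW -> replace the kernel default route with GW
set_default_route() {
    route -q delete default >/dev/null 2>&1
    route -q add default "$1"
}

# failover_if_down REMOTE GW
# returns 0 if REMOTE answers (no change), 2 if the default route was
# switched to GW, 3 if REMOTE is down but GW is already the default,
# 1 if the route change itself failed.
failover_if_down() {
    remote="$1"; gw="$2"
    if probe_host "$remote"; then
        return 0
    fi
    if [ "$(current_default_gw)" = "$gw" ]; then
        return 3
    fi
    set_default_route "$gw" || return 1
    command -v logger >/dev/null 2>&1 &&
        logger -t gw-failover "probe of $remote failed; default route now $gw"
    return 2
}

# Example crontab entry (path is a placeholder):
# */5 * * * * root /usr/local/sbin/gw-failover.sh run
case "${1:-}" in
    run) failover_if_down "$REMOTE_ADDR" "$ADSL_GW" ;;
esac
```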