sshd in jail

Sajó Zsolt Attila sajozsattila at citromail.hu
Wed Jun 3 07:19:29 UTC 2009


Hi!

I would like to use sshd in a jail, but the port forwarding doesn't work in the pf firewall. My jail IP: 10.0.0.40. If I use the "ssh -l user 10.0.0.40" command it works well, but when I use the "ssh -p 5859 -vv -l user luk1814.no-ip.org" command I get this error:
OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to luk1814.no-ip.org [84.3.27.205] port 5859.
debug1: connect to address 84.3.27.205 port 5859: Connection refused
ssh: connect to host luk1814.no-ip.org port 5859: Connection refused


The "pfctl -sn" command output:
nat on vr0 inet from 10.0.0.20 to any -> (vr0) round-robin
nat on vr0 inet from 10.0.0.40 to any -> (vr0) round-robin
rdr on vr0 inet proto tcp from any to any port = 5859 -> 10.0.0.40 port 22


My pf.conf:
Ext = "vr0" # output interface
Loop = "lo0" # Loopback interface
IntNet1="10.0.0.20" # Jail 1
IntNet2="10.0.0.40" # Jail 2 this is running the sshd
NoRoute = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
InServicesTCP = "{ ssh, http, https }"
OutServicesTCP = "{ http, https, whois, domain, ssh, ftp, ftp-data, nntp, 1863, 8880 }"
OutServicesUDP = "{ ntp, domain }"
NowDeny = "{ 445, 67, 68 }"
X11 = "{ 6010, 5900}"
Timeserver = "{ 148.6.0.1 }"
CVSupServers = "{ 212.19.57.134 }"
CVSupPorts = "{ 5999 }"
DynDNSServer = "{ 63.208.196.94 }"
DynDNSPorts = "{ 8245 }"
scrub in on $Ext all
altq on $Ext priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
nat on $Ext from $IntNet1 to any -> ($Ext)
nat on $Ext from $IntNet2 to any -> ($Ext)
rdr on $Ext proto tcp from any to any port 5859 -> $IntNet2 port 22
block in quick on $Ext proto { tcp, udp} from any to any port $NowDeny
block out log on $Ext all
block in log on $Ext all
block return-rst out log on $Ext proto tcp all
block return-rst in log on $Ext proto tcp all
block return-icmp out log on $Ext proto udp all
block return-icmp in log on $Ext proto udp all
block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $Ext inet proto tcp from any to any flags /SFRA
block in log quick on $Ext from $NoRoute to any
block out log quick on $Ext from any to $NoRoute
block in quick on $Ext from any to 255.255.255.255
pass in quick on $Ext proto tcp from any to $IntNet2 port 8022 keep state
pass in quick on $Loop all
pass out quick on $Loop all
pass out quick on $Ext inet proto tcp from any to any port > 1024 flags S/SA keep state
pass out quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
pass in log quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SA keep state
pass out quick on $Ext inet proto udp from any to any port $OutServicesUDP keep state
pass out quick on $Ext inet proto tcp from any to any port $OutServicesTCP flags S/SA modulate state
pass out quick on $Ext inet proto tcp from any to $CVSupServers port $CVSupPorts flags S/SA modulate state
pass out quick on $Ext inet proto tcp from any to $Timeserver port time flags S/SA modulate state
pass out quick on $Ext inet proto tcp from any to any port { 6880><6889, 6969 } flags S/SAFR keep state
pass in quick on $Ext inet proto tcp from any to any port 6880><6889 flags S/SAFR keep state
anchor passin


Does somebody know why the rdr doesn't work?
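An added example, not part of the original post, of how a redirected sshd in a jail is usually expressed in pf with the FreeBSD 7-era syntax used above. The point it illustrates is that pf applies rdr before the filter rules, so a pass rule for the forwarded connection has to match the translated destination (the jail address and port 22), not the external port. The interface vr0, the jail address 10.0.0.40 and the external port 5859 are taken from the post; the variable names, the internal interface and the remaining rules are assumptions for illustration.

```pf
# Added example: rdr to a jailed sshd on FreeBSD pf (pre-OpenBSD-4.7 syntax, as in the post).
# vr0, 10.0.0.40 and port 5859 come from the post; everything else here is illustrative.
Ext = "vr0"
IntNet2 = "10.0.0.40"       # jail running sshd
SshdJailPort = "22"         # port sshd listens on inside the jail
SshdExtPort = "5859"        # port exposed on the external interface

# Translation runs before filtering: the rdr rewrites the destination to
# 10.0.0.40:22, and that is the packet the filter rules are evaluated against.
nat on $Ext from $IntNet2 to any -> ($Ext)
rdr on $Ext proto tcp from any to ($Ext) port $SshdExtPort -> $IntNet2 port $SshdJailPort

# Default deny on the external interface, logged so pflog0 shows what was dropped.
block in log on $Ext all
block out log on $Ext all

# Pass the redirected connection using the translated destination (port 22, not 5859).
pass in quick on $Ext inet proto tcp from any to $IntNet2 port $SshdJailPort flags S/SA keep state

# A host behind the same NAT that connects to the external address never enters on
# $Ext, so the rdr above does not apply to it. Reaching the jail that way needs a
# second rdr on the inside interface plus a nat so the replies return through the
# firewall. IntIf is an assumed name for the internal interface.
# IntIf = "vr1"
# rdr on $IntIf proto tcp from $IntIf:network to ($Ext) port $SshdExtPort -> $IntNet2 port $SshdJailPort
# nat on $IntIf proto tcp from $IntIf:network to $IntNet2 port $SshdJailPort -> ($IntIf)
```

Syntax-check a fragment like this with pfctl -nf before loading it, confirm with pfctl -sr that the pass rule is actually in the loaded rule set, and watch tcpdump -n -e -ttt -i pflog0 while connecting to see whether the translated SYN to 10.0.0.40 port 22 is being logged as blocked. Inside the jail, sockstat -4l shows whether sshd is bound to 10.0.0.40:22 at all; a "Connection refused" that appears only when connecting through the external address, while a direct connection to the jail works, points at the translation or at where the test is run from rather than at sshd.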
