sshd in jail

Valentin Bud valentin.bud at gmail.com
Wed Jun 3 07:32:25 UTC 2009 

2009/6/3 Sajó Zsolt Attila <sajozsattila at citromail.hu>

> Hi!
>
> I would like use the sshd in jail, but the port forwarding doesn't work in
> the pf firewall. My jail ip: 10.0.0.40. If I use the ssh -l user 10.0.0.40
> command it's well, but when I use the "ssh -p 5859 -vv -l user
> luk1814.no-ip.org" command I get this error:
> OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to luk1814.no-ip.org [84.3.27.205] port 5859.
> debug1: connect to address 84.3.27.205 port 5859: Connection refused
> ssh: connect to host luk1814.no-ip.org port 5859: Connection refused
>
>
> The "pfctr -sn" command output's:
> nat on vr0 inet from 10.0.0.20 to any -&gt; (vr0) round-robin
> nat on vr0 inet from 10.0.0.40 to any -&gt; (vr0) round-robin
> rdr on vr0 inet proto tcp from any to any port = 5859 -&gt; 10.0.0.40 port
> 22
>
>
> My pf.conf:
> Ext = "vr0" # output interface
> Loop = "lo0" # Loopback interface
> IntNet1="10.0.0.20" # Jail 1
> IntNet2="10.0.0.40" # Jail 2 this is running the sshd
> NoRoute = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8,
> 255.255.255.255/32 }"
> InServicesTCP = "{ ssh, http, https }"
> OutServicesTCP = "{ http, https, whois, domain, ssh, ftp, ftp-data, nntp,
> 1863, 8880 }"
> OutServicesUDP = "{ ntp, domain }"
> NowDeny = "{ 445, 67, 68 }"
> X11 = "{ 6010, 5900}"
> Timeserver = "{ 148.6.0.1 }"
> CVSupServers = "{ 212.19.57.134 }"
> CVSupPorts = "{ 5999 }"
> DynDNSServer = "{ 63.208.196.94 }"
> DynDNSPorts = "{ 8245 }"
> scrub in on $Ext all
> altq on $Ext priq bandwidth 100Kb queue { q_pri, q_def }
> queue q_pri priority 7
> queue q_def priority 1 priq(default)
> nat on $Ext from $IntNet1 to any -&gt; ($Ext)
> nat on $Ext from $IntNet2 to any -&gt; ($Ext)
> rdr on $Ext proto tcp from any to any port 5859 -&gt; $IntNet2 port 22
> block in quick on $Ext proto { tcp, udp} from any to any port $NowDeny
> block out log on $Ext all
> block in log on $Ext all
> block return-rst out log on $Ext proto tcp all
> block return-rst in log on $Ext proto tcp all
> block return-icmp out log on $Ext proto udp all
> block return-icmp in log on $Ext proto udp all
> block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
> block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
> block in log quick on $Ext inet proto tcp from any to any flags /SFRA
> block in log quick on $Ext from $NoRoute to any
> block out log quick on $Ext from any to $NoRoute
> block in quick on $Ext from any to 255.255.255.255
> pass in quick on $Ext proto tcp from any to $IntNet2 port 8022 keep state



>
> pass in quick on $Loop all
> pass out quick on $Loop all

This two could be changed to
'set skip on lo0' in the pf OPTIONS section.

>
> pass out quick on $Ext inet proto tcp from any to any port &gt; 1024 flags
> S/SA keep state
> pass out quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
> pass in log quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
> pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP
> flags S/SA keep state
> pass out quick on $Ext inet proto udp from any to any port $OutServicesUDP
> keep state
> pass out quick on $Ext inet proto tcp from any to any port $OutServicesTCP
> flags S/SA modulate state
> pass out quick on $Ext inet proto tcp from any to $CVSupServers port
> $CVSupPorts flags S/SA modulate state
> pass out quick on $Ext inet proto tcp from any to $Timeserver port time
> flags S/SA modulate state
> pass out quick on $Ext inet proto tcp from any to any port {
> 6880&gt;&lt;6889, 6969 } flags S/SAFR keep state
> pass in quick on $Ext inet proto tcp from any to any port 6880&gt;&lt;6889
> flags S/SAFR keep state
> anchor passin
>
>
> Somebody knows why doesn't work the rdr?
>

You don't have a pass rule for the 5859 port. You can, however, accomplish
what you want in a couple of ways.

1. use the pass keyword in rdr
rdr *pass* on vr0 inet proto tcp from any to any port = 5859 -&gt; 10.0.0.40
port 22

2. a separate pass in rule
pass in quick on $Ext inet proto tcp from any to any port 5859 flags S/SA
keep state.

3. simply add 5859 port to $InServicesTCP macro.

a great day,
v

>
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe at freebsd.org"
>



-- 
network warrior since 2005

More information about the freebsd-questions mailing list