Hello Michael!

On Thu, Aug 5, 2010 at 6:16 AM, Michael Rash <[email protected]> wrote:

>
> I'm not quite sure I understand the above.  It sounds like you want to
> first ssh directly to the firewall, and then you want to ssh again to an
> internal server.  Is that right?
>

Thanks for the prompt reply! Almost correct. First I want to do normal user
authentication (SPA), but after that the idea is to connect to the real
server, not to the firewall.


>
> But if you ssh to the firewall IP after fwknopd has built the NAT rules,
> your connection is sent right on through to the internal system without
> the user ever knowing it.  That is, the user will never talk directly to
> the sshd instance on the firewall itself because the NAT rule sends the
> connection to the internal system.  Either way, the IP packets coming from
> the user on the external side are going to hit the external interface of
> the firewall.
>

Yes, that is what I found.


> In your scenario above, it looks as though the user would put the
> destination IP of the internal system on the ssh command line, and if this
> worked anyone on the external network would be able to see the addressing
> information of your internal network.  Because any system that
> communicated out through the firewall (assuming a non-bridging firewall)
> is going to see the external IP of the firewall anyway, there is no added
> harm in making it look like an external client is connecting to the
> firewall via ssh.  Behind the scenes the connection is sent on through to
> the requested internal system, but anyone on the outside cannot see this.
>

Yes :) Just like you said, that is what I am trying to do: the user tries to
connect to the _real_ server, not to the firewall. I am not trying to hide the
real address of the client or the server. I am trying to do a setup where the
server can see the client address (in the real world the client address can be
NATted by the operator, but still) and the client tries to connect to the real
server.
No harm will happen even if the server address is shown; there can be an
IPSEC-VPN tunnel where all this traffic is flowing so no one can see the
server address (the user of course can see the server address).

My goal is to have this kind of rule in iptables after SPA:

iptables -A FWKNOP_FORWARD -p tcp -m tcp -s 192.168.171.1 -d 10.11.12.5 --dport 22 -m state --state NEW -j ACCEPT

Did this clarify my goal?

Best Regards,

Matti
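The rule above is deliberately narrow: one client host, one server host, one port, new connections only. As an added example that is not part of this thread or of the fwknop project, here is a small audit script that parses `iptables -S FWKNOP_FORWARD`-style output and flags ACCEPT rules that are broader than that shape. The sample chain contents are constructed for the example; only the chain name and the addresses come from the post.

```python
"""Audit the ACCEPT rules in an iptables chain for the per-client,
per-server, per-port, --state NEW shape discussed in the thread.

Added example, not the fwknop project's code.  Input is text in the
format `iptables -S <chain>` prints.
"""
import shlex

# Constructed sample output of `iptables -S FWKNOP_FORWARD` (hypothetical):
# the first rule is the narrow one from the post; the other two are broader.
SAMPLE_CHAIN = """\
-N FWKNOP_FORWARD
-A FWKNOP_FORWARD -s 192.168.171.1/32 -d 10.11.12.5/32 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A FWKNOP_FORWARD -d 10.11.12.5/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FWKNOP_FORWARD -s 192.168.171.1/32 -p tcp -m tcp --dport 1:65535 -m state --state NEW -j ACCEPT
"""


def parse_rule(line):
    """Turn one `-A` line into a dict of the match options we care about.

    Returns None for chain declarations (`-N`) and blank lines.
    """
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    rule = {"chain": tokens[1], "src": None, "dst": None, "proto": None,
            "dport": None, "state": None, "target": None}
    options = {"-s": "src", "-d": "dst", "-p": "proto",
               "--dport": "dport", "--state": "state", "-j": "target"}
    i = 2
    while i < len(tokens):
        key = options.get(tokens[i])
        if key is not None and i + 1 < len(tokens):
            rule[key] = tokens[i + 1]
            i += 2
        else:
            i += 1  # skip `-m tcp`, `-m state`, and anything else
    return rule


def is_single_host(cidr):
    """True for a bare address or a /32 prefix."""
    return cidr is not None and ("/" not in cidr or cidr.endswith("/32"))


def audit_rule(rule):
    """Return findings for an ACCEPT rule; an empty list means it is narrow."""
    findings = []
    if rule["target"] != "ACCEPT":
        return findings
    if not is_single_host(rule["src"]):
        findings.append("source not pinned to one client host")
    if not is_single_host(rule["dst"]):
        findings.append("destination not pinned to one server host")
    if rule["dport"] is None or not rule["dport"].isdigit():
        findings.append("destination port missing or a range")
    if rule["state"] != "NEW":
        findings.append("no --state NEW match")
    return findings


def audit_chain(text):
    """Audit every `-A` rule in the text; returns (line, findings) pairs."""
    results = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is not None:
            results.append((line, audit_rule(rule)))
    return results


if __name__ == "__main__":
    for line, findings in audit_chain(SAMPLE_CHAIN):
        status = "ok" if not findings else "; ".join(findings)
        print(f"{status}\n    {line}")
```

On a live firewall the same functions can be fed the output of `iptables -S FWKNOP_FORWARD` read from a subprocess; the parser only looks at the options that define how wide an ACCEPT rule is, so unrelated matches in the rule are ignored rather than rejected.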




> Not sure if this helped.
>
> --Mike
>
>
> > Any help would be appreciated!
> >
> > Cheers,
> >
> > Matti
> > --
> > palaste-at-gmail-com
>
> >
> ------------------------------------------------------------------------------
> > The Palm PDK Hot Apps Program offers developers who use the
> > Plug-In Development Kit to bring their C/C++ apps to Palm for a share.
> > of $1 Million in cash or HP Products. Visit us here for more details:
> > http://p.sf.net/sfu/dev2dev-palm
>
> > _______________________________________________
> > Fwknop-discuss mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/fwknop-discuss