On Aug 05, 2010, hutmat wrote:

> Hello Michael!
> 
> 
> On Thu, Aug 5, 2010 at 6:16 AM, Michael Rash <[email protected]> wrote:
> 
> >
> > I'm not quite sure I understand the above.  It sounds like you want to
> > first ssh directly to the firewall, and then you want to ssh again to an
> > internal server.  Is that right?
> >
> 
> Thanks for the prompt reply! Almost correct. First I want to do normal user
> authentication (SPA), but after that the idea is to connect to the real
> server, not to the firewall.

Ok, you want SPA access to the internal server without using ssh to access
the firewall first.  This is exactly what the NAT support in fwknop is
designed to do.

> > But if you ssh to the firewall IP after fwknopd has built the NAT rules,
> > your connection is sent right on through to the internal system without
> > the user ever knowing it.  That is, the user will never talk directly to
> > the sshd instance on the firewall itself because the NAT rule sends the
> > connection to the internal system.  Either way, the IP packets coming from
> > the user on the external side are going to hit the external interface of
> > the firewall.
> >
> 
> Yes, that is what I found.

Ok.

> > In your scenario above, it looks as though the user would put the
> > destination IP of the internal system on the ssh command line, and if this
> > worked anyone on the external network would be able to see the addressing
> > information of your internal network.  Because any system that
> > communicated out through the firewall (assuming a non-bridging firewall)
> > is going to see the external IP of the firewall anyway, there is no added
> > harm in making it look like an external client is connecting to the
> > firewall via ssh.  Behind the scenes the connection is sent on through to
> > the requested internal system, but anyone on the outside cannot see this.
> >
> 
> Yes :) Just like you said, I am trying to do this: the user tries to connect
> to the _real_ server, not to the firewall. I am not trying to hide the real
> address of the client or the server. I am trying to do a setup where the
> server can see the client address (in the real world the client address can
> be NATted by the operator, but still) and the client tries to connect to the
> real server.
> No harm will happen even if the server address is shown; there can be an
> IPSEC-VPN tunnel where all this traffic is flowing, so no one can see the
> server address (the user, of course, can see the server address).
> 
> My goal is to have this kind of rule in iptables after SPA:
> 
> iptables -A FWKNOP_FORWARD -p tcp -m tcp -s 192.168.171.1 -d 10.11.12.5
> --dport 22 -m state --state NEW -j ACCEPT
> 
> Did this clarify my goal?

If you use the NAT support in fwknop, send an SPA packet, and then on
the firewall do "fwknopd --fw-list", you should see a rule that is very
close to what you have above.  What is the output of the above command
after you send the SPA packet?

--Mike

> Best Regards,
> 
> Matti
> 
> 
> 
> 
> > Not sure if this helped.
> >
> > --Mike
> >
> >
> > > Any help would be appreciated!
> > >
> > > Cheers,
> > >
> > > Matti
> > > --
> > > palaste-at-gmail-com


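Added example, not part of the thread: a small POSIX shell check for the rule Matti wants, run on the firewall after sending the SPA packet. It assumes the chain name FWKNOP_FORWARD from the thread and the `iptables -S` listing format (host addresses printed with a /32 suffix); the sample listing below is constructed, not real output.

```shell
#!/bin/sh
# Constructed sample of what `iptables -S FWKNOP_FORWARD` could print on the
# firewall once fwknopd has added the forward rule for an accepted SPA packet.
SAMPLE_RULES='-N FWKNOP_FORWARD
-A FWKNOP_FORWARD -s 192.168.171.1/32 -d 10.11.12.5/32 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT'

# has_forward_rule SRC DST PORT [RULES]
# Returns 0 when an ACCEPT rule in FWKNOP_FORWARD matches NEW tcp connections
# from SRC to DST:PORT, 1 otherwise.  RULES defaults to the live chain listing
# (iptables -S FWKNOP_FORWARD), which needs root on the firewall.
has_forward_rule() {
    src=$1; dst=$2; port=$3
    rules=${4:-$(iptables -S FWKNOP_FORWARD 2>/dev/null)}
    printf '%s\n' "$rules" | awk -v src="$src/32" -v dst="$dst/32" -v port="$port" '
        $1 == "-A" && $2 == "FWKNOP_FORWARD" {
            ok_src = ok_dst = ok_port = ok_new = ok_acc = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-s"      && $(i+1) == src)      ok_src  = 1
                if ($i == "-d"      && $(i+1) == dst)      ok_dst  = 1
                if ($i == "--dport" && $(i+1) == port)     ok_port = 1
                if ($i == "--state" && $(i+1) == "NEW")    ok_new  = 1
                if ($i == "-j"      && $(i+1) == "ACCEPT") ok_acc  = 1
            }
            # every match element must be present on the same rule line
            if (ok_src && ok_dst && ok_port && ok_new && ok_acc) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Usage against the constructed sample (drop the last argument for the live chain):
if has_forward_rule 192.168.171.1 10.11.12.5 22 "$SAMPLE_RULES"; then
    echo "forward rule present: 192.168.171.1 -> 10.11.12.5:22"
else
    echo "no matching forward rule in FWKNOP_FORWARD"
fi
```

Because fwknopd removes the rule again after its timeout, run the check shortly after the SPA packet is sent.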
------------------------------------------------------------------------------
This SF.net email is sponsored by 

Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev 
_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss