After reading this, I felt the need to explain further; the WinXP box
that I use to remotely manage both the RH machine carrying the webserver
and the fw itself is located INSIDE my network. What I'm now trying to
accomplish is the ability to remotely manage both from both INSIDE and
OUTSIDE my internal network...

And also, BTW, I'm using a floppy distro, so space is limited. Though
I'd rather not, it would be nice to add Telnet in place of ssh on the
fw, ssh to it, and then piggyback via telnet to the rh machine, if what
I'm trying to do is not possible...

Earl
----- Original Message ----- 
From: "Earl Wilson" <[EMAIL PROTECTED]>
To: <leaf-user@lists.sourceforge.net>
Sent: Friday, August 19, 2005 9:27 AM
Subject: Re: [leaf-user] Port-forwarding ssh thru Dachstein


> Thanks to both of you for your help; well, I did add the "0/0_24"
> comment as suggested, but no luck, HOWEVER, I then REMOVED the sshd.lrp
> package, and was able to access the inside web server running on the
> redhat machine via ssh.
>
> Now the problem becomes how I manage my fw. Because of a lack of
> monitors, I remotely manage both the fw and the rh web server via ssh
> thru a WinXP box, so removal of the sshd.lrp package makes managing the
> fw without accessing it locally impossible. On the other hand, when I
> shut down the port forwarding of ssh traffic:
>
> #INTERN_SSH_SERVER=192.168.1.200 # Internal SSH server to make available
> #EXTERN_SSH_PORT=24              # External port to use for internal SSH access
>
> I still am unable to ssh directly into the fw; instead, I'm getting a
> connection time-out message. In an ideal world, I'd like to:
>
> 1. ssh into either the fw or the rh machine remotely;
> 2. ssh into the fw, and "piggyback" ssh from the fw into the rh machine
>
> Can anyone at least show me what I'm doing incorrectly to not be able to
> remotely ssh into the fw?
>
> BTW, I didn't change the "0/0_22" or "0/0_24" comments from the
> "EXTERN_TCP_PORTS=" line
>
> Earl
>
> ----- Original Message ----- 
> From: <[EMAIL PROTECTED]>
> To: "M Lu" <[EMAIL PROTECTED]>
> Cc: "Earl Wilson" <[EMAIL PROTECTED]>;
> <leaf-user@lists.sourceforge.net>
> Sent: Tuesday, August 16, 2005 11:22 AM
> Subject: Re: [leaf-user] Port-forwarding ssh thru Dachstein
>
>
> > I think you are correct on the EXTERN_TCP_PORTS line, in fact I'm quite
> > sure you are correct, however, instead of replacing the 0/0_22 line, it
> > might be best to add 0/0_24, unless ssh directly to the box is not needed,
> > again Earl will need to answer that.
> >
> > Joey
> >
> > ----- Original Message -----
> > From: M Lu <[EMAIL PROTECTED]>
> > Date: Tuesday, August 16, 2005 8:16 am
> > Subject: Re: [leaf-user] Port-forwarding ssh thru Dachstein
> >
> > > If Earl wants to use external port 24, then maybe he should use
> > >
> > > EXTERN_TCP_PORTS="0/0_21 0/0_80 0/0_24"
> > >
> > > instead of
> > >
> > > >> >> EXTERN_TCP_PORTS="0/0_21 0/0_80 0/0_22"
> > >
> > > Anyway, Earl will figure the port usage.
> > >
> > >
> > >
> > > ----- Original Message ----- 
> > > From: <[EMAIL PROTECTED]>
> > > To: "M Lu" <[EMAIL PROTECTED]>
> > > Cc: "Earl Wilson" <[EMAIL PROTECTED]>;
> > > <leaf-user@lists.sourceforge.net>
> > > Sent: Tuesday, August 16, 2005 9:04 AM
> > > Subject: Re: [leaf-user] Port-forwarding ssh thru Dachstein
> > >
> > >
> > > > This allows an individual to SSH directly to the external IP address,
> > > > using port 24, and Dachstein has an explicit rule to forward port 24
> > > > (ssh traffic only) to the internal_ssh_server ... actually works quite
> > > > nicely, and is essentially the same thing as the DNAT under Shorewall,
> > > > except that you don't have to change the SSHd server on the internal box
> > > > to 24, you leave it as 22 (if I recall correctly).
> > > >
> > > > Sorry to throw in my 2 cents into the thread...
> > > >
> > > > joey
> > > >
> > > > ----- Original Message -----
> > > > From: M Lu <[EMAIL PROTECTED]>
> > > > Date: Tuesday, August 16, 2005 7:30 am
> > > > Subject: Re: [leaf-user] Port-forwarding ssh thru Dachstein
> > > >
> > > > >> I do not remember Dachstein very well but just wonder why you have
> > > > >>
> > > > >> >> EXTERN_SSH_PORT=24?
> > > > >>
> > > > >> Also I have seen some ISPs rejecting SSH traffic so consider that
> > > > >> possibility too. You can test that by temporarily port-forwarding some
> > > > >> other port (e.g. 80 as you know for sure 80 is allowed) to 22 and test
> > > > >> SSH client with port 80.
> > > >>
> > > >>
> > > >>
> > > >> ----- Original Message ----- 
> > > >> From: "Earl Wilson" <[EMAIL PROTECTED]>
> > > >> To: <leaf-user@lists.sourceforge.net>
> > > >> Sent: Monday, August 15, 2005 11:04 PM
> > > >> Subject: Fw: [leaf-user] Port-forwarding ssh thru Dachstein
> > > >>
> > > >>
> > > >> ..
> > > >> >>  TCP services open to outside world
> > > >> >> # Space seperated list: srcip/mask_dstport
> > > >> >> EXTERN_TCP_PORTS="0/0_21 0/0_80 0/0_22"
> > > >> >>
> > > >> >>
> > > >> >> (next 2 lines show open ports that are working w/no issues)
> > > >> >>
> > > > >> >> INTERN_FTP_SERVER=192.168.1.4  # Internal FTP server to make available
> > > > >> >> INTERN_WWW_SERVER=192.168.1.200 # Internal WWW server to make available
> > > > >> >>
> > > > >> >>
> > > > >> >> INTERN_SSH_SERVER=192.168.1.200 # Internal SSH server to make available
> > > > >> >> EXTERN_SSH_PORT=24              # External port to use for internal SSH access
> > > >> >>
> > >
> >
> >




-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
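
An added example, not part of the original thread and not Dachstein's own code: a small audit of the settings quoted above that parses the `srcip/mask_dstport` entries, ignores commented-out lines, and reports SSH exposure. The `forward-port-not-opened` check encodes the suggestion made in the thread (that the forwarded port must also be listed in `EXTERN_TCP_PORTS`), which the thread does not confirm as Dachstein's actual behaviour; the function names and finding codes are hypothetical.

```python
import re

# Constructed inputs: settings as first posted, then the later state in the thread.
AS_POSTED = '''
EXTERN_TCP_PORTS="0/0_21 0/0_80 0/0_22"
INTERN_SSH_SERVER=192.168.1.200 # Internal SSH server to make available
EXTERN_SSH_PORT=24              # External port to use for internal SSH access
'''
LATER = '''
EXTERN_TCP_PORTS="0/0_21 0/0_80 0/0_22 0/0_24"
#INTERN_SSH_SERVER=192.168.1.200 # Internal SSH server to make available
#EXTERN_SSH_PORT=24              # External port to use for internal SSH access
'''

ASSIGN = re.compile(r'^([A-Z_]+)=("[^"]*"|\S*)')

def parse(text):
    """Return {name: value} for active (uncommented) assignments only."""
    settings = {}
    for line in text.splitlines():
        m = ASSIGN.match(line.strip())
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings

def open_ports(settings):
    """Split each srcip/mask_dstport entry into (source, port)."""
    pairs = []
    for entry in settings.get("EXTERN_TCP_PORTS", "").split():
        src, _, port = entry.rpartition("_")
        pairs.append((src, int(port)))
    return pairs

def audit(text):
    """Return findings as (code, port) tuples."""
    s = parse(text)
    ports = open_ports(s)
    findings, ssh_ports = [], {22}
    if "INTERN_SSH_SERVER" in s and "EXTERN_SSH_PORT" in s:
        fwd = int(s["EXTERN_SSH_PORT"])
        ssh_ports.add(fwd)
        # Assumption taken from the thread's suggestion, not confirmed there.
        if fwd not in {p for _, p in ports}:
            findings.append(("forward-port-not-opened", fwd))
    for src, port in ports:
        if port in ssh_ports and src == "0/0":  # 0/0 = any source address
            findings.append(("ssh-open-to-any-source", port))
    return findings

print(audit(AS_POSTED), audit(LATER))
```

If the `srcip/mask` field accepts a narrower source than `0/0`, as its comment implies, using one on the SSH entries limits who can reach the management ports from outside.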
