Re: combination of ssh port forwarding and pf redirection

2014-10-10 Thread stan
On Thu, Oct 09, 2014 at 07:27:37AM -0300, Giancarlo Razzolini wrote:
> On 08-10-2014 18:25, stan wrote:
> > Anyone have any suggestions as to how to make this work?
> Did you try the suggestion I gave you off list, of making two ssh
> connections? Also, you could provide more details of your setup? Both
> your e-mails trying to explain it, were confusing. I think I understood
> what you want, but I'm not sure.
> 
> Cheers
> 
> 
Thought I replied to this one, but I do not see it.

First, sorry I missed your offline reply; the account this is tied to gets a
lot of spam.

In any case, I wrote this up to try to clarify the issue.


I am having trouble establishing an ssh tunnel to an OpenBSD 5.5 machine. Here
is the command I am running on the remote machine:

ssh -v -v -v -g -f -L 6030:phfw1:5432 stan@phfw1 -N

The target OpenBSD machine is in the DNS and resolves correctly as phfw1.

Here is the /etc/ssh/sshd_config file from the OpenBSD machine:


#   $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile  .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
UseLogin no
UsePrivilegeSeparation sandbox  # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
PermitTunnel yes
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem   sftp    /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server


When I run the command I get the following output:


Script started on Thu 09 Oct 2014 01:58:55 PM EDT
stan@plabws1:~$ ./tst2
OpenSSH_5.9p1 Debian-5ubuntu1.4, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /home/stan/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to phfw1 [10.209.142.152] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/stan/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/stan/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/stan/.ssh/id_rsa-cert type -1
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/stan/.ssh/id_dsa" as a RSA1 public key
debug1: identity file /home/stan/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/stan/.ssh/id_dsa-c

Re: combination of ssh port forwarding and pf redirection

2014-10-09 Thread Giancarlo Razzolini
On 08-10-2014 18:25, stan wrote:
> Anyone have any suggestions as to how to make this work?
Did you try the suggestion I gave you off list, of making two ssh
connections? Also, you could provide more details of your setup? Both
your e-mails trying to explain it, were confusing. I think I understood
what you want, but I'm not sure.

Cheers




Re: combination of ssh port forwarding and pf redirection

2014-10-08 Thread stan
Anyone have any suggestions as to how to make this work?

On Tue, Oct 07, 2014 at 07:32:53PM -0400, stan wrote:
> Sorry that I did not make this clear.
> 
> Here is what I am trying to do. I have a DB server behind an OpenBSD firewall
> that we control. I have a non-routable network behind it that connects
> outbound doing NAT, and inbound using port forwarding. I have this working so
> that machines on the corporate network can connect to it by connecting to the
> appropriate port on the firewall.
> 
> We have a corporate VPN to access only certain machines on that network.
> The firewall happens to NOT be one of those, and I need access to this
> database while connected via the VPN.
> 
> So, what I need to do is set up an ssh tunnel through one of the machines
> that are accessible from the VPN. So what I am trying to do is set that
> tunnel up. But the OpenBSD machine is refusing the connection, as shown.
> 
> So, here is a diagram of what I am trying to do:
> 
> External machine -> VPN -> our machine - SSH tunnel -> FW -> DB machine
> 
> This works already:
> 
> our machine -> FW - DB machine
> 
> Does that make it clearer?
> 
> On Mon, Oct 06, 2014 at 09:22:52PM -0300, Giancarlo Razzolini wrote:
> > On 06-10-2014 20:59, stan wrote:
> > > I have a pf configuration which correctly forwards external connections to
> > > port 5432 on a machine on the inside. I am trying to set up a machine on
> > > the outside to use ssh port forwarding to send packets to port 5432 on the
> > > machine running pf (firewall). Here is my ssh command line:
> > >
> > > ssh -v -v -v -g -f -L 6030:phfw1:5432 stan@phfw1 -N
> > >
> > > I keep getting errors in auth.log about failure to connect on that port.
> > >
> > > Any idea what I am doing wrong?
> > >
> > >
> > >
> > Very confusing. But if I understood correctly, you are trying to make a
> > tcp port on a machine behind your firewall, available to others, in your
> > internal lan, to others, right? Well, for starters, I wouldn't use dns
> > names on the port forwarding part. It's prone to errors, not to mention
> > the fact that you'll get confused whether the name is resolved locally or
> > remote. But it's remote, IIRC. In your case, you need to add your ip
> > address to the forwarding. In your case, it would become:
> > 
> > -L :6030::5432
> > 
> > If it's not this that you want, please clarify.
> > 
> > Cheers,
> > 
> > 
> 

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?



Re: combination of ssh port forwarding and pf redirection

2014-10-07 Thread stan
Sorry that I did not make this clear.

Here is what I am trying to do. I have a DB server behind an OpenBSD firewall
that we control. I have a non-routable network behind it that connects
outbound doing NAT, and inbound using port forwarding. I have this working so
that machines on the corporate network can connect to it by connecting to the
appropriate port on the firewall.

We have a corporate VPN to access only certain machines on that network.
The firewall happens to NOT be one of those, and I need access to this
database while connected via the VPN.

So, what I need to do is set up an ssh tunnel through one of the machines
that are accessible from the VPN. So what I am trying to do is set that
tunnel up. But the OpenBSD machine is refusing the connection, as shown.

So, here is a diagram of what I am trying to do:

External machine -> VPN -> our machine - SSH tunnel -> FW -> DB machine

This works already:

our machine -> FW - DB machine

Does that make it clearer?

On Mon, Oct 06, 2014 at 09:22:52PM -0300, Giancarlo Razzolini wrote:
> On 06-10-2014 20:59, stan wrote:
> > I have a pf configuration which correctly forwards external connections to
> > port 5432 on a machine on the inside. I am trying to set up a machine on the
> > outside to use ssh port forwarding to send packets to port 5432 on the
> > machine running pf (firewall). Here is my ssh command line:
> >
> > ssh -v -v -v -g -f -L 6030:phfw1:5432 stan@phfw1 -N
> >
> > I keep getting errors in auth.log about failure to connect on that port.
> >
> > Any idea what I am doing wrong?
> >
> >
> >
> Very confusing. But if I understood correctly, you are trying to make a
> tcp port on a machine behind your firewall, available to others, in your
> internal lan, to others, right? Well, for starters, I wouldn't use dns
> names on the port forwarding part. It's prone to errors, not to mention
> the fact that you'll get confused whether the name is resolved locally or
> remote. But it's remote, IIRC. In your case, you need to add your ip
> address to the forwarding. In your case, it would become:
> 
> -L :6030::5432
> 
> If it's not this that you want, please clarify.
> 
> Cheers,
> 
> 

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?



Re: combination of ssh port forwarding and pf redirection

2014-10-06 Thread Giancarlo Razzolini
On 06-10-2014 20:59, stan wrote:
> I have a pf configuration which correctly forwards external connections to
> port 5432 on a machine on the inside. I am trying to set up a machine on the
> outside to use ssh port forwarding to send packets to port 5432 on the
> machine running pf (firewall). Here is my ssh command line:
>
> ssh -v -v -v -g -f -L 6030:phfw1:5432 stan@phfw1 -N
>
> I keep getting errors in auth.log about failure to connect on that port.
>
> Any idea what I am doing wrong?
>
>
>
Very confusing. But if I understood correctly, you are trying to make a
tcp port on a machine behind your firewall, available to others, in your
internal lan, to others, right? Well, for starters, I wouldn't use dns
names on the port forwarding part. It's prone to errors, not to mention
the fact that you'll get confused whether the name is resolved locally or
remote. But it's remote, IIRC. In your case, you need to add your ip
address to the forwarding. In your case, it would become:

-L :6030::5432

If it's not this that you want, please clarify.

Cheers,




Re: combination of ssh port forwarding and pf redirection

2014-10-06 Thread stan
BTW here is the error message from auth.log:

authlog:Oct  6 13:40:45 phfw1 sshd[13604]: error: connect to phfw1 port 5432 failed: Connection refused

On Mon, Oct 06, 2014 at 07:59:10PM -0400, stan wrote:
> I have a pf configuration which correctly forwards external connections to
> port 5432 on a machine on the inside. I am trying to set up a machine on the
> outside to use ssh port forwarding to send packets to port 5432 on the
> machine running pf (firewall). Here is my ssh command line:
> 
> ssh -v -v -v -g -f -L 6030:phfw1:5432 stan@phfw1 -N
> 
> I keep getting errors in auth.log about failure to connect on that port.
> 
> Any idea what I am doing wrong?
> 
> 
> 

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

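An added example, not code from any post in this thread: a small Python script that parses the `-L [bind_address:]port:host:hostport` spec from the command above and the sshd `connect to ... failed` line from auth.log, and correlates the two. It encodes the two facts from ssh(1) and sshd_config(5) that the thread turns on: the `host:hostport` part of `-L` is resolved and dialled from the ssh server (here phfw1), not from the client, so `6030:phfw1:5432` makes phfw1 connect to itself on 5432; and `-g` (or an empty or `*` bind address) puts the listener on every interface of the client, so any host that can reach the client's port 6030 reaches the target as the tunnel's user. The spec and log line are copied from the thread (the log line, wrapped in the mail, is rejoined); the address 192.0.2.10 standing in for the DB host is a constructed placeholder, not a value from the thread.

```python
"""Parse an OpenSSH -L forward and correlate it with sshd's forward-failure log line.

Added example for this thread, not code from any of the posts. THREAD_SPEC and
THREAD_AUTHLOG are copied from the thread (the log line was wrapped in the mail
and is rejoined here); 192.0.2.10 is a constructed placeholder for the DB host.
"""
import re
from dataclasses import dataclass
from typing import Optional

# ssh(1): -L [bind_address:]port:host:hostport, IPv6 literals in [ ]
FORWARD_RE = re.compile(
    r"^(?:(?P<bind>\[[^\]]*\]|[^:\[\]]*):)?(?P<lport>\d+):"
    r"(?P<host>\[[^\]]+\]|[^:\[\]]+):(?P<rport>\d+)$"
)

# sshd's error when the server cannot open the forwarded connection,
# with an optional "filename:" prefix as produced by grep
AUTHLOG_RE = re.compile(
    r"^(?:\w+:)?(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<server>\S+) "
    r"sshd\[(?P<pid>\d+)\]: error: connect to (?P<target>\S+) port (?P<port>\d+) "
    r"failed: (?P<reason>.+)$"
)


@dataclass
class LocalForward:
    bind_address: Optional[str]  # None when the spec has no bind part at all
    listen_port: int
    target_host: str  # resolved and dialled by the ssh *server*, not the client
    target_port: int

    def listens_on(self, gateway_ports: bool) -> str:
        """Where the client-side listener binds, per the ssh(1) bind_address rules."""
        if self.bind_address is None:
            return "*" if gateway_ports else "localhost"  # -g decides
        if self.bind_address in ("", "*"):
            return "*"  # empty or '*' means every interface, even without -g
        return self.bind_address.strip("[]")


def parse_local_forward(spec: str) -> LocalForward:
    m = FORWARD_RE.match(spec)
    if not m:
        raise ValueError(f"not a valid -L spec: {spec!r}")
    return LocalForward(m["bind"], int(m["lport"]),
                        m["host"].strip("[]"), int(m["rport"]))


def parse_authlog(line: str) -> Optional[dict]:
    """Return the fields of a 'connect to ... failed' line, or None for other lines."""
    m = AUTHLOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["port"] = int(entry["port"])
    return entry


def diagnose(fwd: LocalForward, entry: dict) -> str:
    """Explain a forward failure in terms of the -L spec that caused it."""
    if entry["target"] != fwd.target_host or entry["port"] != fwd.target_port:
        return "unrelated: log entry does not match this forward"
    if entry["target"] == entry["server"]:
        # The server dialled its own name: the host in -L is reached from the
        # server side, so a forward meant for the DB must name an address the
        # server routes to, not the server itself.
        return ("self-connect: sshd on %s dialled itself on port %d (%s)"
                % (entry["server"], fwd.target_port, entry["reason"]))
    return "target refused: %s:%d (%s)" % (entry["target"], entry["port"], entry["reason"])


def exposure(fwd: LocalForward, gateway_ports: bool) -> str:
    """Who can use the tunnel once it is up: the defender's question about -g."""
    bind = fwd.listens_on(gateway_ports)
    if bind in ("*", "0.0.0.0", "::"):
        return ("port %d on every interface of the client: any host that can reach "
                "the client reaches %s:%d as the tunnel's user"
                % (fwd.listen_port, fwd.target_host, fwd.target_port))
    return "port %d on %s only" % (fwd.listen_port, bind)


# Copied from the thread.
THREAD_SPEC = "6030:phfw1:5432"
THREAD_AUTHLOG = ("authlog:Oct  6 13:40:45 phfw1 sshd[13604]: error: connect to phfw1 "
                  "port 5432 failed: Connection refused")
# Constructed: the shape Giancarlo's advice points at, with a placeholder DB address.
FIXED_SPEC = ":6030:192.0.2.10:5432"

if __name__ == "__main__":
    fwd = parse_local_forward(THREAD_SPEC)
    entry = parse_authlog(THREAD_AUTHLOG)
    print("listener:", fwd.listens_on(gateway_ports=True))  # the -g in the command
    print("diagnosis:", diagnose(fwd, entry))
    print("exposure:", exposure(fwd, gateway_ports=True))
    print("fixed spec listens on:", parse_local_forward(FIXED_SPEC).listens_on(False))
```

Run against the thread's own line, `diagnose` reports the self-connect: phfw1 dialled phfw1:5432 and was refused, which is what a forward whose target is the ssh server itself produces when nothing on the server listens there. `exposure` is the part worth keeping in a log review: with `-g` the forwarded port is reachable from every host that can reach the client, so the tunnel, not the firewall, becomes the access control for the database.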


combination of ssh port forwarding and pf redirection

2014-10-06 Thread stan
I have a pf configuration which correctly forwards external connections to
port 5432 on a machine on the inside. I am trying to set up a machine on the
outside to use ssh port forwarding to send packets to port 5432 on the
machine running pf (firewall). Here is my ssh command line:

ssh -v -v -v -g -f -L 6030:phfw1:5432 stan@phfw1 -N

I keep getting errors in auth.log about failure to connect on that port.

Any idea what I am doing wrong?



-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?