Date: Thu, 24 Feb 2000 07:50:32 -0700
From: Damien Tougas <damien@tougas.net>
To: David Pick <D.M.Pick@qmw.ac.uk>
Cc: freebsd-security@freebsd.org
Subject: Re: SSH port forwarding
Message-ID: <20000224075032.A4699@tougas.net>
In-Reply-To: <E12NvWl-0005Dz-00@xi.css.qmw.ac.uk>; from D.M.Pick@qmw.ac.uk on Thu, Feb 24, 2000 at 10:29:47AM +0000
References: <20000223170457.A2185@tougas.net> <E12NvWl-0005Dz-00@xi.css.qmw.ac.uk>
Thanks for your detailed diagram, that is great. I realized a while after I sent the question that I was being brain dead, and did not fully grasp what was going on and was in fact not setting up my connection properly. Now that I have set it up correctly, it all makes sense to me now.

This seems like an easy way to set up a VPN. The box is both doing NAT and the VPN, and hence makes it easy to use it as both an internet gateway as well as a VPN. I have heard this method referred to as a poor man's VPN, why? Are there better/more preferred methods of setting up a VPN? SKIP or IPSEC? Why would I want to use one of those instead? Would I need two boxes to achieve the same functionality?

-- 
Damien Tougas, P.Eng.
Phone: (780)434-5889
Fax: (780)434-5889
E-mail: damien@tougas.net
http://www.tougas.net

On Thu, Feb 24, 2000 at 10:29:47AM +0000, David Pick wrote:
>
> > I am looking at setting up a VPN using the SSH port forwarding
> > features, but I have a question:
> >
> > I have inetd listening on port X for ppp connections. I set
> > up SSH on the client machine to pass all packets going from port X
> > on the client to port X on the server through the secure channel.
> >
> > After starting ppp, I do netstat -a and realize that the actual ppp
> > connection is taking place on random port Y. My question is, is SSH
> > smart enough to realize this has taken place and encrypt the session
> > on port Y as well? If not, how do I set it up so that the random
> > port picked during the negotiation process is also sent through
> > the secure channel?
>
> Ah, which ports are you talking about? A typical port-forwarding
> setup looks like this when in progress:
>
>      Client Machine                        Server Machine
> +----------------------+              +-----------------------+
> ! User process         !              !        Server process !
> ! +--------------+     !              !    +----------------+ !
> ! !              !     !              !    !                ! !
> ! !            --+--+  !  <- A  D ->  ! +--+--              ! !
> ! !              !  !  !              ! !  !                ! !
> ! +--------------+  !  !              ! !  +----------------+ !
> !                   !  !              ! !                     !
> ! SSH client        !  !              ! !  SSH server         !
> ! +--------------+  !  !              ! !  +----------------+ !
> ! !              !  !  !              ! !  !                ! !
> ! !           (--+--+  !  <- B  C ->  ! +--+--)             ! !
> ! !           (  !     !  SSH tunnel  !    !  )             ! !
> ! !           (==+=====+==============+====+==)             ! !
> ! !              !     !              !    !                ! !
> ! +--------------+     !              !    +----------------+ !
> !                      !              !                       !
> +----------------------+              +-----------------------+
>
> Your server process will be listening on its normal port number (D).
>
> The ssh client will often be listening on the same port number (B). It has
> to be told which port to listen on and what address and port the SSH server
> should be told to use at the other end.
>
> The user process will use an arbitrary port (A). It has to be told to contact
> the SSH client (on port (B)) instead of contacting the server process directly.
>
> The SSH server will use an arbitrary port when forwarding the connection
> from itself to the server process (C).
>
> So which ports do you think are wrong? And on which machine?
>
> --
> David Pick

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
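The four-port model in David's diagram, as an added example written for this archive page (not code from either poster): a plain TCP relay on the loopback interface stands in for the SSH client and server, so the B <-> C leg here is unencrypted, and the payload string is constructed. Running it shows that only B and D are configured ports, while A and C are handed out by the kernel, which is the "random port Y" that netstat -a reports.

```python
"""Four-port model of an SSH local forward (A, B, C, D as in the diagram).
Added example, not from the thread: a plain in-process relay stands in for the
SSH client + SSH server tunnel on leg B <-> C; real ssh encrypts that leg."""
import socket
import threading

HOST = "127.0.0.1"

def _listener(port: int) -> socket.socket:
    """Bind a listening TCP socket; port 0 lets the kernel pick a free port."""
    s = socket.socket()
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((HOST, port))
    s.listen(1)
    return s

def run_topology(server_port: int = 0, forward_port: int = 0) -> dict:
    """Stand up server process (D), forwarder (B) and user process (A); return observed ports."""
    srv = _listener(server_port)    # server process on its normal port D
    fwd = _listener(forward_port)   # "ssh client", told which port (B) to listen on
    seen = {"B_configured": fwd.getsockname()[1], "D_configured": srv.getsockname()[1]}

    def server_process() -> None:
        conn, (_, port_c) = srv.accept()           # C: arbitrary port of the "ssh server"
        with conn:
            seen["C"], seen["D"] = port_c, conn.getsockname()[1]
            conn.sendall(conn.recv(1024))          # echo one message back

    def forwarder() -> None:
        inbound, (_, port_a) = fwd.accept()        # A: arbitrary port of the user process
        with inbound, socket.create_connection((HOST, seen["D_configured"])) as outbound:
            seen["A"], seen["B"] = port_a, inbound.getsockname()[1]
            outbound.sendall(inbound.recv(1024))   # A -> B, across the "tunnel", C -> D
            inbound.sendall(outbound.recv(1024))   # and the reply back the same way

    threads = [threading.Thread(target=server_process), threading.Thread(target=forwarder)]
    for t in threads:
        t.start()
    # User process: pointed at the ssh client on B, never directly at D.
    with socket.create_connection((HOST, seen["B_configured"])) as user:
        user.sendall(b"LCP config-request (constructed payload)")
        seen["echo"] = user.recv(1024)
    for t in threads:
        t.join()
    srv.close()
    fwd.close()
    return seen
```

Only the connection into B is what ssh would carry; the A -> B hop stays on the client host and the C -> D hop on the server host, so the ephemeral ports A and C never need forwarding of their own.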