From owner-freebsd-questions Fri Jan 31 2:51:48 2003
Date: Fri, 31 Jan 2003 10:51:36 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-questions@FreeBSD.ORG
Subject: Re: ssh & ipfw
Message-ID: <20030131105136.GB68243@happy-idiot-talk.infracaninophi>
Mail-Followup-To: Matthew Seaman, freebsd-questions@FreeBSD.ORG
User-Agent: Mutt/1.5.3i

On Thu, Jan 30, 2003 at 10:06:45PM -0500, Pete C wrote:

> any quick pointers for how to go about setting up ssh though ipfw on a
> gateway/router running nat to one of the internal machines ? (FreeBSD
> on both the router and internal machine)

Let me guess.
You've set up natd(8) on your gateway machine to forward port 22 to your
internal machine --- something like:

    natd -redirect_port tcp internalhost:22 22

and when you connect from an external site to port 22 on the gateway,
ssh rejects the connection complaining that some impostor is trying to
pose as your intended target machine?

Supplying this level of detail will get you much more effective answers
than hinting vaguely about your problems.

Two thoughts:

i) If you want ssh access to your site to be redirected from the gateway
   to an internal machine as shown above, then you should realise that
   you can't mix that with direct ssh access to the gateway machine. You
   need to ensure that the same host key is presented to the client each
   time it attempts to connect to the same server name / IP number. You
   should set up the host keys in ~/.known_hosts or
   /etc/ssh/ssh_known_hosts accordingly.

ii) You might find this rather useful:

    http://www.oreilly.com/catalog/sshtdg/chapter/ch11.html

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
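As an added example (not part of Matthew's message and not FreeBSD or OpenSSH code), the following Python script emulates the known_hosts decision the ssh client makes when a gateway's port 22 is natd-redirected to an internal machine, reproduces the "impostor" refusal described above, and then applies the fix from point (i): pinning the gateway's name/IP to the internal machine's host key. All host names, addresses and key blobs are constructed; hashed (`|1|...`) and `@`-marker entries are skipped by the parser, which is an assumption of this example rather than a claim about ssh(1).

```python
"""Emulate the ssh(1) client's known_hosts check for a gateway whose port 22
is natd-redirected to an internal machine, and rewrite known_hosts so the
gateway's name/IP is pinned to the internal machine's host key.

Added example: every host name, address and key blob below is constructed.
"""
import base64
import hashlib

# Constructed 68-character base64 blobs standing in for ed25519 public keys.
GATEWAY_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "GatewayKeyPlaceholder" + "0" * 22
INTERNAL_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "InternalKeyPlaceholder" + "0" * 21

# Constructed known_hosts: the gateway was reached directly once, the
# internal host once from inside the LAN.
SAMPLE_KNOWN_HOSTS = (
    "# constructed sample, not a real known_hosts file\n"
    f"gateway.example.org,192.0.2.1 ssh-ed25519 {GATEWAY_KEY}\n"
    f"internal.example.org,10.0.0.5 ssh-ed25519 {INTERNAL_KEY}\n"
)


def parse_known_hosts(text):
    """Return (lineno, hosts, key_type, key_data) for each plain key line.
    Comment lines, @cert-authority/@revoked markers and hashed |1|... entries
    are skipped; [host]:port patterns are reduced to the host part."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
            continue
        hosts = []
        for pattern in fields[0].split(","):
            if pattern.startswith("[") and "]:" in pattern:
                pattern = pattern[1:pattern.index("]:")]
            hosts.append(pattern)
        entries.append((lineno, hosts, fields[1], fields[2]))
    return entries


def fingerprint(key_data):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (for display)."""
    digest = hashlib.sha256(base64.b64decode(key_data)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_presented_key(known_hosts, host, key_type, presented_key):
    """Decide as the ssh client does: 'ok' if a stored key of that type for
    the host matches, 'mismatch' if keys are stored but none match (this is
    the 'someone may be impersonating the host' refusal), 'unknown' if the
    host has no key of that type recorded yet."""
    stored_any = False
    for _, hosts, ktype, kdata in parse_known_hosts(known_hosts):
        if host in hosts and ktype == key_type:
            if kdata == presented_key:
                return "ok"
            stored_any = True
    return "mismatch" if stored_any else "unknown"


def pin_redirected_host(known_hosts, public_host, target_host):
    """Return a known_hosts text in which every line naming public_host
    carries target_host's key of the same type.  Use it when port 22 on
    public_host is redirected (natd -redirect_port) to target_host: the
    client must then expect target_host's key under public_host's name/IP,
    and a direct login to public_host itself will be flagged as a mismatch,
    which is why the two cannot be mixed."""
    target_keys = {ktype: kdata
                   for _, hosts, ktype, kdata in parse_known_hosts(known_hosts)
                   if target_host in hosts}
    if not target_keys:
        raise ValueError(f"no host key recorded for {target_host}")
    rewrite = {lineno for lineno, hosts, ktype, _ in parse_known_hosts(known_hosts)
               if public_host in hosts and ktype in target_keys}
    out = []
    for lineno, raw in enumerate(known_hosts.splitlines(), 1):
        if lineno in rewrite:
            fields = raw.split()
            fields[2] = target_keys[fields[1]]
            raw = " ".join(fields)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Through the redirection, 192.0.2.1:22 answers with the internal key.
    print("before:", check_presented_key(SAMPLE_KNOWN_HOSTS, "192.0.2.1",
                                         "ssh-ed25519", INTERNAL_KEY))
    fixed = pin_redirected_host(SAMPLE_KNOWN_HOSTS, "192.0.2.1",
                                "internal.example.org")
    print("after: ", check_presented_key(fixed, "192.0.2.1",
                                         "ssh-ed25519", INTERNAL_KEY))
    print("direct login to gateway now:",
          check_presented_key(fixed, "gateway.example.org",
                              "ssh-ed25519", GATEWAY_KEY))
    for _, hosts, ktype, kdata in parse_known_hosts(fixed):
        print(",".join(hosts), ktype, fingerprint(kdata))
```

Run as-is, the script reports "mismatch" for the redirected connection, "ok" once the gateway's name/IP is pinned to the internal host's key, and "mismatch" for a subsequent direct login to the gateway, which is exactly the trade-off point (i) describes. The same rewrite applied to /etc/ssh/ssh_known_hosts rather than ~/.ssh/known_hosts fixes it for every user on the client.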