Date:      Mon, 10 Mar 2003 22:37:37 -0800
From:      Nathan Kinkade <nkinkade@dsl-only.net>
To:        Ryan Thompson <ryan@sasknow.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: SSH to a box behind NAT
Message-ID:  <20030311063737.GC17359@sub21-156.member.dsl-only.net>
In-Reply-To: <20030310224025.L34446-100000@ren.sasknow.com>
References:  <20030310224025.L34446-100000@ren.sasknow.com>

On Mon, Mar 10, 2003 at 11:32:00PM -0600, Ryan Thompson wrote:
>
> Hi all,
>
> I have a FreeBSD server behind NAT (on an RFC1918 address). The NAT
> machine is actually an NT box on a network we don't have access to.
> (So, it is not possible, for instance, to set up port based NAT for
> inbound SSH, which is one of two things I'd normally do). The server
> can, however, initiate arbitrary outbound connections.
>
> So, I'm fishing for a tech workaround to this management problem. :-)
>
> I need to be able to have an interactive SSH session on the server
> (Server) from another host (Manager) on the Internet (for remote
> management). That is, I need to connect to Server to do remote
> management.
>
>                <--- NAT --->
> [ Server ] --- [ NT Gateway ] --- { Internet } --- [ Manager ]
> 192.168.0.2    192.168.0.1                         207.1.1.1
>                      24.1.1.1
>
> Manager is a highly available FreeBSD server (i.e., static public IP).
>
> The first thing that comes to mind is some kind of "pull" technique to
> have *Server* initiate the connection. Server already initiates cron'd
> SSH connections to Manager to do automated backup/rsync tasks, but I
> can't think of a way to actually start an interactive login in that
> manner.
>
> So far the best I've come up with is to configure a secure known path
> on Manager for batch scripts (so, not really interactive, but close
> enough for 90% of tasks) and have Server simply attempt to scp (pull)
> the file at regular intervals, and execute its contents. Server can
> capture the output and scp (push) that back to Manager. Manager never
> actually initiates anything. Obviously, this will be a leading cause
> of ass pain in troubleshooting scenarios, and will be a *real* pain
> for anything that actually requires an interactive session.
>
> Unfortunately, that idea has, so far, been the *last* thing to come to
> mind. Any *other* ideas? :-)
>
> Thanks,
> - Ryan

Could you have Server start an xterm, or similar, and have it send the
display to Manager - with something like 'xterm -display Manager:0' from
Server?  This is assuming that you are running X on Manager.

Nathan

-- 
GPG Public Key ID: 0x4250A04C
gpg --keyserver pgp.mit.edu --recv-keys 4250A04C
http://63.105.21.156/gpg_nkinkade_4250A04C.asc

