Date: Wed, 21 May 2008 20:59:47 -0400 From: Steve Bertrand <iaccounts@ibctech.ca> To: Doug Hardie <bc979@lafn.org> Cc: freebsd-questions <freebsd-questions@freebsd.org> Subject: Re: Unusual use of ssh Message-ID: <4834C583.7050606@ibctech.ca> In-Reply-To: <B46C3281-D7BF-489A-8439-921E511C327D@lafn.org> References: <B46C3281-D7BF-489A-8439-921E511C327D@lafn.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> Sure enough, ssh packets are > received by the host. The problem is that it does not respond on the > right interface. The routing table uses a default route through the > T1. Thats where the sshd responses are being sent. If I understand correctly, this is only one box you need a correction for. Read on. > Since I have no a priori knowledge what IPs I would have available when > I need to use this back door, I can't pre-setup the routing table. Fair enough. > I > need sshd to respond on the same interface it receives the packets > from. I don't believe that is possible using IPv4 routing. Not at the layer-3 level directly. To do this dynamically you will need to perform some sort of "policy based routing". > I think > that it is using IPv6 but none of the networks involved support that > yet. Well, that's a topic up for review. Technically, in IPv6, there is no correlation between how a host selects it's source address for an IP packet based on it's destination address. I've been trying to understand and follow the consequences of this for some time: http://www.ietf.org/internet-drafts/draft-ietf-v6ops-addr-select-ps-06.txt ...or: http://tinyurl.com/64l9pn > I don't find any option in sshd to force it to respond on the > right interface either. Is there something I have missed? Most likely, if this is a single machine you are speaking of, a script that will check for connectivity to a remote address periodically (eg every five minutes) and then dynamically change it's default gateway at kernel level (not userland level) prior to SSH incoming may fix your problem. This is a little difficult to do without dynamic routing, but relatively simple if you can put up with manually changing back the route once the T1 comes back up. A script that does: - ping remote addr - if fail, route delete default, route add default (ADSL gw) There was a very good discussion on fbsd-net@ last week regarding progress with multiple routing tables. I didn't get right into it so I don't know if it will help, but your true three options are: - dynamic routing (co-operation with ISP's) - IPFW (or equivalent) policy based routing (source routing) - periodic check via a script Regards, Steve
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4834C583.7050606>