sshd in jail

Sajó Zsolt Attila sajozsattila at citromail.hu
Wed Jun 3 08:13:07 UTC 2009


Thank you for the help, but it doesn't work yet.
I prefer the "rdr pass on $Ext inet proto tcp from any to any port 5859 -> 10.0.0.40 port 22", but I tried all the ways, and absolutely nothing changed.

-- Original message --
From: Valentin Bud <valentin.bud at gmail.com>
To: Sajó Zsolt Attila<sajozsattila at citromail.hu>
Sent: 09:33
Subject: Re: sshd in jail

2009/6/3 Sajó Zsolt Attila  luk1814.no-ip.org" command I get this error:

> OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to luk1814.no-ip.org [84.3.27.205] port 5859.
> debug1: connect to address 84.3.27.205 port 5859: Connection refused
> ssh: connect to host luk1814.no-ip.org port 5859: Connection refused
>
> The "pfctl -sn" command's output:
> nat on vr0 inet from 10.0.0.20 to any -> (vr0) round-robin
> nat on vr0 inet from 10.0.0.40 to any -> (vr0) round-robin
> rdr on vr0 inet proto tcp from any to any port = 5859 -> 10.0.0.40 port 22
>
> My pf.conf:
> Ext = "vr0" # output interface
> Loop = "lo0" # Loopback interface
> IntNet1="10.0.0.20" # Jail 1
> IntNet2="10.0.0.40" # Jail 2 this is running the sshd
> NoRoute = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
> InServicesTCP = "{ ssh, http, https }"
> OutServicesTCP = "{ http, https, whois, domain, ssh, ftp, ftp-data, nntp, 1863, 8880 }"
> OutServicesUDP = "{ ntp, domain }"
> NowDeny = "{ 445, 67, 68 }"
> X11 = "{ 6010, 5900}"
> Timeserver = "{ 148.6.0.1 }"
> CVSupServers = "{ 212.19.57.134 }"
> CVSupPorts = "{ 5999 }"
> DynDNSServer = "{ 63.208.196.94 }"
> DynDNSPorts = "{ 8245 }"
> scrub in on $Ext all
> altq on $Ext priq bandwidth 100Kb queue { q_pri, q_def }
> queue q_pri priority 7
> queue q_def priority 1 priq(default)
> nat on $Ext from $IntNet1 to any -> ($Ext)
> nat on $Ext from $IntNet2 to any -> ($Ext)
> rdr on $Ext proto tcp from any to any port 5859 -> $IntNet2 port 22
> block in quick on $Ext proto { tcp, udp} from any to any port $NowDeny
> block out log on $Ext all
> block in log on $Ext all
> block return-rst out log on $Ext proto tcp all
> block return-rst in log on $Ext proto tcp all
> block return-icmp out log on $Ext proto udp all
> block return-icmp in log on $Ext proto udp all
> block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
> block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
> block in log quick on $Ext inet proto tcp from any to any flags /SFRA
> block in log quick on $Ext from $NoRoute to any
> block out log quick on $Ext from any to $NoRoute
> block in quick on $Ext from any to 255.255.255.255
> pass in quick on $Ext proto tcp from any to $IntNet2 port 8022 keep state
>
> pass in quick on $Loop all
> pass out quick on $Loop all

These two could be changed to 'set skip on lo0' in the pf OPTIONS section.



>
> pass out quick on $Ext inet proto tcp from any to any port > 1024 flags S/SA keep state
> pass out quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
> pass in log quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
> pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SA keep state
> pass out quick on $Ext inet proto udp from any to any port $OutServicesUDP keep state
> pass out quick on $Ext inet proto tcp from any to any port $OutServicesTCP flags S/SA modulate state
> pass out quick on $Ext inet proto tcp from any to $CVSupServers port $CVSupPorts flags S/SA modulate state
> pass out quick on $Ext inet proto tcp from any to $Timeserver port time flags S/SA modulate state
> pass out quick on $Ext inet proto tcp from any to any port {
> 6880> pass in quick on $Ext inet proto tcp from any to any port 6880> flags S/SAFR keep state
> anchor passin
>

> Does somebody know why the rdr doesn't work?

>



You don't have a pass rule for the 5859 port. You can, however, accomplish
what you want in a couple of ways.

1. use the pass keyword in rdr

rdr *pass* on vr0 inet proto tcp from any to any port = 5859 -> 10.0.0.40 port 22

2. a separate pass in rule

pass in quick on $Ext inet proto tcp from any to any port 5859 flags S/SA keep state

3. simply add port 5859 to the $InServicesTCP macro.

a great day,
v










-- 
network warrior since 2005
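The reply's diagnosis, as an added example that is not code from the thread: a small Python lint that flags rdr rules whose redirected TCP port is admitted by no pass rule, recognising all three fixes above (an "rdr pass" rule, a separate "pass in" rule, or the port added to the macro the pass rule uses). It assumes one rule per line and simple quoted macro values; the sample ruleset is constructed to mirror the shape of the posted one.

```python
import re
# Matches "to <host> port <spec>" where spec is "= 5859", "{ a, b }" or "5859".
PORT_RE = re.compile(r'\bto\s+\S+\s+port\s+(=\s*\S+|\{[^}]*\}|\S+)')

def parse_macros(conf):
    """Collect Name = "value" macro definitions from a pf.conf."""
    return dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', conf, re.M))

def expand(text, macros):
    """Replace $Name references with macro values (repeat for nested refs)."""
    prev = None
    while prev != text:
        prev, text = text, re.sub(r'\$(\w+)',
                                  lambda m: macros.get(m.group(1), m.group(0)), text)
    return text

def port_set(spec):
    """'= 5859', '5859' or '{ ssh, http, 5859 }' -> set of port tokens."""
    spec = spec.strip().lstrip('=').strip().strip('{}')
    return {p.strip() for p in spec.split(',') if p.strip()}

def unpassed_redirects(conf):
    """Sorted list of rdr'd TCP ports that no 'rdr pass' or 'pass in' rule admits."""
    macros = parse_macros(conf)
    passed, redirected = set(), set()
    for raw in conf.splitlines():
        line = expand(raw.split('#', 1)[0].strip(), macros)
        m = PORT_RE.search(line)
        if not m or 'proto tcp' not in line:
            continue
        ports = port_set(m.group(1))
        if line.startswith('rdr pass') or line.startswith('pass in'):
            passed |= ports        # these ports are allowed through the filter
        elif line.startswith('rdr'):
            redirected |= ports    # rdr alone only rewrites; block rules still apply
    return sorted(redirected - passed)

# Constructed ruleset mirroring the shape of the one posted in the thread.
BROKEN = '''
Ext = "vr0"
IntNet2 = "10.0.0.40"
InServicesTCP = "{ ssh, http, https }"
rdr on $Ext proto tcp from any to any port 5859 -> $IntNet2 port 22
block in log on $Ext all
pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SA keep state
'''
# Fix 3 from the reply: add the port to the macro the pass rule already uses.
FIXED = BROKEN.replace('InServicesTCP = "{ ssh, http, https }"',
                       'InServicesTCP = "{ ssh, http, https, 5859 }"')
if __name__ == '__main__':
    print('rdr ports with no pass rule:', unpassed_redirects(BROKEN))  # ['5859']
    print('rdr ports with no pass rule:', unpassed_redirects(FIXED))   # []
```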

_______________________________________________
freebsd-questions at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"





