[lug] Tunneling TCP

Hugh Brown hugh at math.byu.edu
Sat Jan 22 12:48:46 MST 2005


Yes, allowing ssh through a firewall is the perfect way to make your
firewall completely useless for anyone that can establish a session.  I've
used what you describe to help support remote users (they do remote port
forwarding which I use to then log in to their machine and fix things).
I've also used it to connect to services that only exist behind the
firewall.

Hugh

On Fri, 21 Jan 2005, Daniel Webb wrote:

> Did you realize you can run servers on a machine behind a firewall with
> a single SSH command, changing nothing on the firewall?  Suppose host
> pib is behind a firewall and host fuzzy is a host you have an account
> on.
>
> pib$ ssh -n -N -R2222:localhost:22 some_fuzzy_user@fuzzy &
>
> will allow you to ssh in to pib by doing:
>
> $ ssh -p2222 -oStrictHostKeyChecking=no some_pib_user@fuzzy
>
> from any machine with internet access.
>
> The assumptions here are:
>   - all incoming ports on pib's firewall are blocked
>   - fuzzy doesn't firewall incoming port 2222
>   - pib's firewall doesn't block outgoing port 22
>
> This is important for me because I'm helping my sister (who's out of
> state) with her computer, and she's getting internet access by plugging
> in her wireless card and associating with an unknown access point in her
> apartment building.  I want to ssh in to her machine, but obviously all
> incoming ports are blocked and we don't have access to the firewall.
> She understands the potential ethical and privacy risks of doing this,
> by the way.
>
> SSH is a wicked tool.  If you need full IP forwarding, not just TCP
> forwarding, you can set up a PPP tunnel over a single SSH session that
> will do that too, but it's way more complicated.  If you're interested
> in that, check out the vpn-pppssh mini-howto.
>
> Sorry if all of you knew this already, but I thought it was too good to
> not share.  I have written a small script to keep a tunnel up all the
> time as well if anyone has a use for it.
>
> Daniel
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
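As an added illustration that is not part of either message: on the relay host (fuzzy in Daniel's example) a -R forward shows up as a listening socket owned by the sshd process serving that session, so an administrator can spot such tunnels in the output of iproute2's `ss -tlnp`. The script below assumes sshd listens on port 22 and runs over a constructed sample of that output.

```sh
#!/bin/sh
# Added example, not from the thread. On the relay host a
# "-R2222:localhost:22" forward appears as a listener owned by the sshd
# child for that session. find_reverse_forwards() reads `ss -tlnp` output
# on stdin and prints "port pid" for every sshd-owned listener other than
# the daemon's own port. Mitigation on a relay that should not offer this:
# "AllowTcpForwarding no" in sshd_config (GatewayPorts stays at its default).

SSHD_PORT="${SSHD_PORT:-22}"   # assumed daemon port

find_reverse_forwards() {
    awk -v daemon="$SSHD_PORT" '
        NR == 1 { next }                      # header line
        $6 !~ /"sshd"/ { next }               # keep only sshd-owned sockets
        {
            n = split($4, a, ":")             # "Local Address:Port" column
            if (a[n] == daemon) next          # the listening daemon itself
            pid = $6                          # users:(("sshd",pid=4321,fd=9))
            sub(/.*pid=/, "", pid); sub(/,.*/, "", pid)
            print a[n], pid
        }'
}

# Constructed sample resembling `ss -tlnp` on the relay: port 22 is sshd
# itself, 2222 (v4 and v6 loopback) is the reverse forward, 80 is nginx.
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:2222     0.0.0.0:*         users:(("sshd",pid=4321,fd=9))
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=600,fd=6))
LISTEN 0      128    [::1]:2222         [::]:*            users:(("sshd",pid=4321,fd=10))'

check_sample() {
    printf '%s\n' "$SAMPLE" | find_reverse_forwards
}

# Live use on a relay host: ss -tlnp | find_reverse_forwards
check_sample
```

sshd binds a -R listener to loopback unless GatewayPorts is enabled, which is why the sample shows 127.0.0.1:2222 rather than an external address.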