[svlug] Firewall Tunnel v0.2
J C Lawrence
claw at kanga.nu
Sun Jun 17 10:38:02 PDT 2001
On Sun, 17 Jun 2001 09:52:53 -0700 (PDT)
Kevin Kaichuan He <hek at cisco.com> wrote:
> Probably I got it wrong but my impression is when you use "ssh -R"
> to forward a remote port to a local port it won't work with a
> firewall which allows only outbound connection requests.
You got it wrong.
> I said it because I've done two experiments 1) use ssh -R to
> forward a remote port on "colo box" to a local port on "desktop",
> I can then connect to the remote port on the "colo box" and thus
> be forwarded to the local port on "desktop" without problem if
> there is no firewall between desktop and colo-box 2) repeat 1)
> except that there is a firewall between the desktop and colo-box,
> the connection request to the remote port on the colo-box will
> stall in this case.
I have exactly this sort of port forward going on now between the
machine I'm typing on out thru a Linux NAT box to my colo box, and
from my desktop at work out through a Cisco NAT to a colo box.
> I would be very glad to know if my experiment result is
> incorrect.
It is. Make sure to read the sshd man page and what interfaces it
listens on.
> My guess about the reason of such result is: "ssh" initiate a new
> connection from remote to local each time a connection request
> arrives at the remote box and thus the new connection will be
> blocked by the firewall.
Nope. It runs over the extant SSH connection, tunneled as it were.
--
J C Lawrence claw at kanga.nu
---------(*) http://www.kanga.nu/~claw/
The pressure to survive and rhetoric may make strange bedfellows
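An added illustration of the point made in this reply, not commands from either poster: the desktop opens the one SSH session outbound to the colo box, and every connection that arrives at the remote port is carried back inside that session, so nothing has to get through the firewall in the inbound direction. The hint about "what interfaces it listens on" is the usual catch: by default OpenSSH's sshd binds a `-R` forward on the colo box to loopback only, so a connection from any other host to that port never reaches the tunnel; binding it on all interfaces needs `GatewayPorts yes` (or `clientspecified`) in the colo box's sshd_config. The script below builds the two forms of the `ssh -R` command and classifies how the remote port is actually bound from the output of `ss -tln` (or `netstat -tln`) run on the colo box. The hostnames, user, port numbers and the listener table are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example for the svlug thread, not the posters' own commands.
# Hostnames, users and ports (claw@colo.example.net, 2222, 22) are assumptions.
#
# Reverse tunnel from an outbound-only network: the desktop opens the SSH
# session to the colo box; sshd there listens on the remote port and pushes
# each new connection back through that same session. Nothing is initiated
# from colo -> desktop, so an outbound-only firewall/NAT at the desktop end
# does not block it.

# Build the "ssh -R" invocation.
#   $1 = remote port on the colo box, $2 = local port on the desktop,
#   $3 = user@colo, $4 = "public" to bind on all interfaces, else loopback.
# The "public" form only takes effect with "GatewayPorts yes" (or
# "clientspecified") in the colo box's sshd_config; the default binds remote
# forwards to 127.0.0.1 only, so only the colo box itself can reach them.
reverse_tunnel_cmd() {
    if [ "$4" = "public" ]; then
        printf 'ssh -N -R 0.0.0.0:%s:localhost:%s %s\n' "$1" "$2" "$3"
    else
        printf 'ssh -N -R %s:localhost:%s %s\n' "$1" "$2" "$3"
    fi
}

# Classify how a port is bound on the colo box from "ss -tln" or
# "netstat -tln" output (run on the colo box) fed on stdin. Prints one of:
#   loopback  bound to 127.0.0.1 / [::1]: reachable only from the colo box
#   all       bound to 0.0.0.0 / [::] / *: reachable from other hosts
#   none      no listener on that port, so the forward never came up
check_listener() {
    awk -v port="$1" '
        $1 == "LISTEN" || $1 ~ /^tcp/ {
            # ss and netstat both put "local-address:port" in column 4
            addr = $4; sub(/:[0-9]+$/, "", addr)   # keep the address part
            p = $4;    sub(/^.*:/, "", p)          # port is after last colon
            if (p != port) next
            if (addr == "127.0.0.1" || addr == "[::1]") found = "loopback"
            else found = "all"
            exit
        }
        END { print (found == "" ? "none" : found) }'
}

# Constructed "ss -tln" samples from the colo box: the forward on 2222 bound
# to loopback (default), and bound on all interfaces (GatewayPorts yes).
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:2222     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

SAMPLE_ALL='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:2222       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Demo: the command to type on the desktop, then the check on the colo box.
reverse_tunnel_cmd 2222 22 claw@colo.example.net loopback
reverse_tunnel_cmd 2222 22 claw@colo.example.net public
printf 'loopback-only sample: %s\n' "$(printf '%s\n' "$SAMPLE_LOOPBACK" | check_listener 2222)"
printf 'GatewayPorts sample:  %s\n' "$(printf '%s\n' "$SAMPLE_ALL" | check_listener 2222)"
```

If `check_listener` reports `loopback`, a connection from the desktop's colleagues (or anyone outside the colo box) to port 2222 cannot reach the forward at all; that is an sshd binding question, not a firewall at the desktop end, and the fix is on the colo box side. The `-N` flag just suppresses a remote shell so the session exists only to carry the forward.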