PF and ssh problem is jails

fred974

fred974

Hello all,

My current pf.conf is as described bellow:
Code: 
ext_if="bge0"
IP_FREEBSD_HOST="192.168.0.xxx"
IP_WEB="192.168.0.xxx"

PORT_SSH="{22}"

pass in quick proto tcp from any to $IP_FREEBSD_HOST port $PORT_SSH
I addition to the rule above, my home router redirect port 22 to 192.168.0.xxx
This work fine to ssh to my FREEBSD_HOST main server. In order to access my jails i normally do
jexec 1 tcsh, jexec 2 tcsh ect..

What I would like to achive now is the ability to ssh to each jails without to go through the FREEBSD_HOST.

I have only 1 external static IP and not sure how to achieve that. Do I have to set a different ssh port for each jail?

Thank you
 
fred974 said:
I have only 1 external static IP and not sure how to achieve that. Do I have to set a different ssh port for each jail?
Click to expand...
Yes, you only have one IP address and a port can only be redirected to one IP address.
 
Hi @SirDice

will this do?
Code: 
ext_if="bge0"

#### SERVERS ####
IP_FREEBSD_HOST="192.168.0.198"
IP_WEB="192.168.0.115"
IP_SQL="192.168.0.120"
IP_MAIL="192.168.0.125"

SSH_HOSTS= "{" $IP_FREEBSD_HOST $IP_WEB $IP_SQL $IP_MAIL "}"
IP_SSH_ALLOWED="213.146.159.xxx,82.31.44.xxx,192.168.0.0/24"

# Allow ssh traffic from authorise hosts with synproxy handshaking
pass in quick proto tcp from $IP_SSH_ALLOWED to $SSH_HOSTS port $PORT_SSH flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)
 
Last edited by a moderator:
That should allow access to all the jail's sshd(8). If you want to access them from outside your network you have to add additional port forwarding rules in your router. But because you can redirect port 22 only once you're going to have to use other ports to forward them to a jail's sshd(8). The sshd(8) on the jails can be kept on port 22 but the router will need to forward 2222 to jail1 port 22, 2223 to jail2 port 22, etc. The ports 2222 and 2223 are just examples, pick some ports you like.
 
Hi,

I managed to get ssh access to the jail on port 22 but not on a custom port.
Could you please confirm that all I need to do is add
Code: 
Port 21913
in my /etc/ssh/sshd_config file and restart
 
Changing each jail's SSH port would be confusing. Leave each sshd_config as it is on port 22 and use that port while you are internal to your network.

To access it outside your network. You'll need redirection rules with one unique port for each jail.
Code: 
rdr pass on $ext_if proto tcp from any to any port 21913 -> 192.168.0.198 port 22
rdr pass on $ext_if proto tcp from any to any port 21914 -> 192.168.0.115 port 22
rdr pass on $ext_if proto tcp from any to any port 21915 -> 192.168.0.120 port 22
... continued ...
 
junovitch said:
Changing each jail's SSH port would be confusing. Leave each sshd_config as it is on port 22 and use that port while you are internal to your network.

To access it outside your network. You'll need redirection rules with one unique port for each jail.
Code: 
rdr pass on $ext_if proto tcp from any to any port 21913 -> 192.168.0.198 port 22
rdr pass on $ext_if proto tcp from any to any port 21914 -> 192.168.0.115 port 22
rdr pass on $ext_if proto tcp from any to any port 21915 -> 192.168.0.120 port 22
... continued ...
Click to expand...

Hi @junovitch

Sorry for the long reply.
So if I set the redirect rule like you said in Pf, do I need only one port forwarding on the router to redirect ssh to my IP_FREEBSD_HOST?
 
Last edited by a moderator:
No, you don't need the redirects with PF. You need to create all the redirects on your router. They can be created in a similar fashion though, but they're not needed on the FreeBSD side because your jails are all bound to the 192.168.0.0/24 network.
 
SirDice said:
No, you don't need the redirects with PF. You need to create all the redirects on your router. They can be created in a similar fashion though, but they're not needed on the FreeBSD side because your jails are all bound to the 192.168.0.0/24 network.
Click to expand...

Thank you.

My router will not allow me to do that (same port different IP), I'll see if I can hack the router or simply have different port for each jails.
 
fred974 said:
My router will not allow me to do that (same port different IP), I'll see if I can hack the router or simply have different port for each jails.
Click to expand...
There's no need to hack anything. You can only forward your external port 22 once, to one other IP address and port combination. You can however create multiple redirects but they have to redirect different ports. So this is possible:
Code: 
external -> internal
------------------------
 22       -> 192.168.0.1:22
 2222   -> 192.168.0.2:22
 2223   -> 192.168.0.3:22
 2224   -> 192.168.0.4:22
etc.

But maybe your router doesn't like that. Blame that on the crap firmware of your router because a normal NAT redirection shouldn't have a problem with it ;)
 
SirDice said:
But maybe your router doesn't like that. Blame that on the crap firmware of your router because a normal NAT redirection shouldn't have a problem with it ;)
Click to expand...

Yup, thank you virgin.. I'm about to change to a proper ISP.

Thank you guys
 
You must log in or register to reply here.
Back
Top