SSH port forwarding

Hello!

Trying to set up port forwarding of port 443 to the server on FreeBSD. What needs to be set up in sshd_config?
For now I have these troubles:


bind [127.0.0.1]:443: Permission denied
channel_setup_fwd_listener_tcpip: cannot listen to port: 443
Could not request local forwarding.


The command on the macOS client is:


ssh -L 443:1.1.1.1:443 user@1.1.1.1


SSH is working and I can log in by key.
 
You are trying to bind a port below 1024 as a user. That is - for good reason - not allowed by default and should be avoided. You can try a local port like 8443 which is the better practice. If you need ports below 1024 as a normal user, read about mac_portacl. Enable the mac_portacl in /boot/loader.conf by adding

Code:
mac_portacl_load="YES"

and add something like

Code:
# Rule format is idtype:id:protocol:port; 1001 is a placeholder for myuser's numeric uid
security.mac.portacl.rules="uid:1001:tcp:443"

to /etc/sysctl.conf

Please understand, this is a bad idea. It should only be used if the web application is really programmed so badly that it has hard-coded needs for port 443.
 
Trying to do SSH port forwarding. I need to use SSH like a proxy. Maybe my understanding of SSH port forwarding was wrong from the beginning.
I need to do something like this:

Client (MacOS/SSH) all TCP/UDP -> Server (SSH/FreeBSD) -> Internet
 
Need to use SSH like proxy.
Code:
     -D [bind_address:]port
             Specifies a local “dynamic” application-level port forwarding.
             This works by allocating a socket to listen to port on the local
             side, optionally bound to the specified bind_address.  Whenever a
             connection is made to this port, the connection is forwarded over
             the secure channel, and the application protocol is then used to
             determine where to connect to from the remote machine.  Currently
             the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
             as a SOCKS server.  Only root can forward privileged ports.
             Dynamic port forwardings can also be specified in the
             configuration file.

             IPv6 addresses can be specified by enclosing the address in
             square brackets.  Only the superuser can forward privileged
             ports.  By default, the local port is bound in accordance with
             the GatewayPorts setting.  However, an explicit bind_address may
             be used to bind the connection to a specific address.  The
             bind_address of “localhost” indicates that the listening port be
             bound for local use only, while an empty address or ‘*’ indicates
             that the port should be available from all interfaces.
ssh(1)
 
Do you know of any way to redirect UDP with SSH?
 
There is a feature in SSH that can do this. There is a way of tunneling layer 2 traffic:

Code:
ssh -o Tunnel=ethernet -w 5:5 -t root@REMOTE_HOST

I once did that for UDP traffic using this tutorial:

 