Hi,

What I want to accomplish is this: I want to connect with my laptop to my server SSH port 22. This rule is easy and is working very well. But when my laptop has an established connection with SSH, I want port 234 to open on my server.

So when I'm NOT connected to my SSH, TCP port 234 is closed. When I log in to my SSH port I want TCP port 234 to open (only to me if possible).

I looked for this but the only thing I can find is port knocking. Then I was thinking to use DynDNS so I can use a normal rule to accept 234 from my laptop's dynamic IP, but how do I use mylaptop.dyndns.org in my rules?

Sincerely,
Selvam Matthys

------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo
On 6/19/10 10:21 AM, Selvam Matthys wrote:
> Hi,
>
> What I want to accomplish is this: I want to connect with my laptop to
> my server SSH port 22. This rule is easy and is working very well. But
> when my laptop has an established connection with SSH, I want port 234
> to open on my server.
>
> So when I'm NOT connected to my SSH, TCP port 234 is closed. When
> I log in to my SSH port I want TCP port 234 to open (only to me if possible).

What you are trying to accomplish is not possible with Shorewall.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On 19/06/10 17:24, Tom Eastep wrote:
> What you are trying to accomplish is not possible with Shorewall.

And I hope it never will be ;-)

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On 6/19/10 3:16 PM, Cristian Rodríguez wrote:
> On 19/06/10 17:24, Tom Eastep wrote:
>
>> What you are trying to accomplish is not possible with Shorewall.
>>
>
> And I hope it never will be ;-)

I don't see how any packet filter could do this. All SSH traffic is encrypted, so an intermediate node (e.g., the Shorewall box) has no hope of understanding when a remote host has successfully authenticated on a local host. Then the intermediate node has to somehow remember that it opened another port as a result of this particular connection and must close that other port when this connection closes. But what if the remote host opens 2 SSH connections? Or 432 connections? Then closes the original connection?

The whole thing is fantasy...

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
You can't detect when SSH has been established from anywhere other than your endpoint, because of encryption. What you can detect is that someone tried to connect, which is not exactly what you want. Port knocking will not help you either; it also can't detect a connection. It can detect that someone tried to access some port(s), but not the result.

What you can do is add a script to your login script (e.g. .profile) that is called whenever you connect, and do some bash magic to detect your IP and insert a rule to open the port for your IP. Remember to have a .bash_logout or something similar to close the door at your exit.

May I suggest you alter your line of thinking and use FWKNOP (http://www.cipherdyne.org/fwknop/)? With it you can send a packet to open the port for you and specify a timeout, after which fwknop will close it, all automatically. It can open multiple ports, run a script, accept direct commands, etc. That way you can send a packet (called SPA, Single Packet Authorization) which is encrypted and can't be replayed like normal port knocking, and fwknop would open SSH and port 234 only for your IP, whatever your IP is at that moment; no need for DynDNS either.

Flavio Machado
Brazil

Selvam Matthys <selvam.matthys@gmail.com> wrote on 19 Jun 2010, 02:21 PM:
Subject: [Shorewall-users] open ports after established
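The login-hook approach Flavio describes, worked through as an added example (this is not code from the thread, from Shorewall, or from fwknop). It assumes a plain iptables ruleset on the server, IPv4 clients, and that sshd records client addresses rather than resolved names in utmp (UseDNS no), so that `who` shows the address in parentheses. Port 234 is the port from the original question; the sample `who` output and the addresses in it are constructed. The part worth showing is the policy that answers Tom's objection about multiple sessions: the port is opened only on the first session from an address and closed only when the last one ends.

```shell
#!/bin/sh
# Added example (not from the thread): the ".profile / .bash_logout"
# approach, written so the logout hook does not close the port while a
# second SSH session from the same laptop is still open.
# Assumptions: plain iptables on the server, IPv4 clients, and `who`
# output that carries the client address in parentheses (UseDNS no).

PORT=234
CHAIN=INPUT
# RUN=echo turns every firewall change into a dry run so this file can be
# executed by an ordinary user; set RUN= (empty) in the real hooks.
RUN=${RUN:-echo}

# Client address from sshd's SSH_CONNECTION ("cip cport sip sport").
# Prints nothing and fails on anything that is not a bare IPv4 address,
# so a hook never builds a rule from an unexpected string.
client_ip() {
    set -- $1
    [ $# -eq 4 ] || return 1
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    printf '%s\n' "$1"
}

# The iptables command as text; ACTION is -I (open) or -D (close).
# Only NEW connections are matched; flows already established on 234
# keep working through whatever stateful ESTABLISHED rule is in place.
rule_cmd() {
    printf 'iptables %s %s -p tcp -s %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$1" "$CHAIN" "$2" "$PORT"
}

# Number of live sessions from IP, given `who` output (one line each).
# -F keeps the dots literal; the parentheses stop 10.0.0.1 from
# matching 10.0.0.10.  `|| true` keeps a zero count from being an error.
sessions_from() {
    printf '%s\n' "$2" | grep -cF "($1)" || true
}

# Policy: sshd has already written the utmp entry when .profile runs, so
# the first login from an address sees a count of 1; .bash_logout runs
# before the shell exits, so the last session also sees 1.  Open on the
# first session only, close on the last only.  Each prints the command
# to run, or nothing.
login_action()  { [ "$2" -le 1 ] && rule_cmd -I "$1"; return 0; }
logout_action() { [ "$2" -le 1 ] && rule_cmd -D "$1"; return 0; }

# Hooks: ~/.profile gets `. /path/to/this.sh; on_login` and
# ~/.bash_logout gets `. /path/to/this.sh; on_logout`.
on_login() {
    ip=$(client_ip "${SSH_CONNECTION:-}") || return 0   # not an SSH session
    cmd=$(login_action "$ip" "$(sessions_from "$ip" "$(who)")")
    [ -n "$cmd" ] && $RUN $cmd
    return 0
}
on_logout() {
    ip=$(client_ip "${SSH_CONNECTION:-}") || return 0
    cmd=$(logout_action "$ip" "$(sessions_from "$ip" "$(who)")")
    [ -n "$cmd" ] && $RUN $cmd
    return 0
}

# Constructed `who` output for a dry run: two sessions from the laptop
# (203.0.113.7) and one from somewhere else.
SAMPLE_WHO='selvam   pts/0        2010-06-19 10:21 (203.0.113.7)
selvam   pts/1        2010-06-19 10:40 (203.0.113.7)
root     pts/2        2010-06-19 10:50 (198.51.100.9)'

demo() {
    ip=203.0.113.7
    n=$(sessions_from "$ip" "$SAMPLE_WHO")
    echo "sessions from $ip: $n"
    echo "logout with $n up  -> '$(logout_action "$ip" "$n")'"   # empty: stays open
    echo "logout of the last -> '$(logout_action "$ip" 1)'"
    echo "first login        -> '$(login_action "$ip" 1)'"
}
demo
```

Two caveats a practitioner would add. First, a session that dies without a clean logout (network drop, killed shell) may never run .bash_logout, so the rule needs a second cleanup path, such as a periodic job that deletes rules for addresses with no sessions left; fwknop's access timeout gives you that for free, which is the point of Flavio's SPA suggestion. Second, on a Shorewall box a `shorewall restart` rebuilds the ruleset and silently drops rules inserted by hand like these, so there the cleaner mechanism is a dynamic zone manipulated with `shorewall add` and `shorewall delete` instead of raw iptables (that choice is the example author's, not the thread's).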