Hi there again ...

I wonder - if anyone has implemented the following.
On 1 IP-Address, have the Firewall identify incoming ssh or https connections ... or even better - SSL Connections through OpenVPN ? and DNAT the connection to different IP|Port combination ...

The reason I'd like this feature is to have the possibility to use port 443 on my home server (I have only 1 IP-Address) to open ssh or https connections through port 443. Most companies block all other ports - and on 443 I can even use the company's proxy to reach my home-site.

Now - how can this be done ?
For ssh, once the TCP connection is established, the server speaks first, presenting itself by saying something like:

SSH-2.0-OpenSSH_3.6.1p2 <Distribution etc.>

With SSL - the client speaks first.

Now - would it be possible to let shorewall identify which side speaks first - and then redirect the traffic to one or another internal IP-Address|Port combination ?

That would ease a lot of things. Right now - I'm doing it through a perl-script I got on the Net, but I'd really like shorewall to handle that :)

Any ideas ? Hints ?

Cheers
Joerg
--
------------------------------------------------------------------------
| Joerg Mertin            : smurphy@solsys.org (Home) |
| in Forchheim/Germany    : smurphy@linux.de   (Alt1) |
| Stardust's LiNUX System :                           |
| Web: http://www.solsys.org                          |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Joerg Mertin wrote:
> Hi there again ...
>
> I wonder - if anyone has implemented the following.
> On 1 IP-Address, have the Firewall identify incoming ssh or https
> connections ... or even better - SSL Connections through OpenVPN ? and
> DNAT the connection to different IP|Port combination ...
>
> The reason I'd like this feature is to have the possibility to use port
> 443 on my home server (I have only 1 IP-Address) to open ssh or https
> connections through port 443. Most companies block all other ports - and
> on 443 I can even use the company's proxy to reach my home-site.
>
> Now - how can this be done ?
> For ssh, once the TCP connection is established, the server speaks first,
> presenting itself by saying something like:
>
> SSH-2.0-OpenSSH_3.6.1p2 <Distribution etc.>
>
> With SSL - the client speaks first.
>
> Now - would it be possible to let shorewall identify which side speaks
> first - and then redirect the traffic to one or another internal
> IP-Address|Port combination ?

Of course not -- it has to redirect the initial SYN packet which contains no clue about what is to follow.

> That would ease a lot of things. Right now - I'm doing it through a
> perl-script I got on the Net, but I'd really like shorewall to handle that
> :)
>
> Any ideas ? Hints ?

None, I'm afraid

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
> Any ideas ? Hints ?

This is a bit of a work-around, but wouldn't it just be easiest to connect to the OpenVPN server and then connect to the second server via SSH over the OpenVPN connection? That limits the number of Internet-accessible services on your network and solves the single port limitation.

Anyway, that is how I do things around here

-Russel Riley
Russel wrote:
>> Any ideas ? Hints ?
> This is a bit of a work-around, but wouldn't it just be easiest to
> connect to the OpenVPN server and then connect to the second server via
> SSH over the OpenVPN connection? That limits the number of
> Internet-accessible services on your network and solves the single port
> limitation.
>
> Anyway, that is how I do things around here

Russel,

I had composed a post similar to yours but then I wasn't sure if Joerg wanted HTTPS too. He talks about HTTPS, SSH and OpenVPN so it was very unclear to me what the real requirement was.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
>Russel wrote:
>>> Any ideas ? Hints ?
>> This is a bit of a work-around, but wouldn't it just be easiest to
>> connect to the OpenVPN server and then connect to the second server
>> via SSH over the OpenVPN connection? That limits the number of
>> Internet-accessible services on your network and solves the single
>> port limitation.
>>
>> Anyway, that is how I do things around here
>
>Russel,
>I had composed a post similar to yours but then I wasn't sure if Joerg
>wanted HTTPS too. He talks about HTTPS, SSH and OpenVPN so it was very
>unclear to me what the real requirement was.
>-Tom

Perhaps a better solution can be found in the OpenVPN 2.1 manual:

quote:
--port-share host port
When run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non-OpenVPN protocol, it will proxy the connection to the server at host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh.
Not implemented on Windows.
End quote

I've never tried this, but it might work for Joerg

-Russel Riley
Russel wrote:
>
> Perhaps a better solution can be found in the OpenVPN 2.1 manual:
> quote:
> --port-share host port
> When run in TCP server mode, share the OpenVPN port with another
> application, such as an HTTPS server. If OpenVPN senses a connection to
> its port which is using a non-OpenVPN protocol, it will proxy the
> connection to the server at host:port. Currently only designed to work
> with HTTP/HTTPS, though it would be theoretically possible to extend to
> other protocols such as ssh.
> Not implemented on Windows.
> End quote
>
> I've never tried this, but it might work for Joerg

Thanks, Russel -- that must be new in OpenVPN 2.1 -- it doesn't appear in the manpage for 2.0.8.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Thu, May 17, 2007 at 11:15:04PM +0200, Joerg Mertin wrote:
> Any ideas ? Hints ?

Aside from the openvpn feature that was already pointed out (which will work in the case of precisely two services sharing a port), in general this is the same problem as HTTPS virtual hosting. The answer is also the same: use multiple IP addresses, because you don't know what the client wants to talk to until it's too late.
It is actually to provide people https access as usual. However - if required - be able to set up an SSL-based OpenVPN or SSH tunnel through port 443 in case it's required.

For HTTPS and SSH there is already a solution. Working smoothly - however it requires a daemon running on the firewall server, which I would rather not run there.

So the trick is simple - depending on what connection type comes in - forward the traffic to either IP. The Perl script I have actually opens 2 network sockets - one to a Web server, the other to the SSH server. Depending on the type of connection - it will forward to one or the other server. However - I'll have a waiting period of up to 2 seconds - to have the connection set up - as the system first awaits the response of the remote SSH server if it exists. If not, then open the connection to the HTTPS server.

I thought it might be possible to do that using the packet filters and checking for some specifics in the connection's data to decide upon where to send the requested connection to.

It would be great to have such a feature - would ease many setups, and give us poor travelers the possibility to do back-homing in case companies limit their entire network infrastructure etc. to their secure policies ...

Was just a try ;) I'm used to getting things working under Linux. That's why I ask these questions. And if it's important enough for me - I try to implement. But my knowledge is limited to bash/perl/php...

Cheers
Joerg
--
------------------------------------------------------------------------
| Joerg Mertin            : smurphy@solsys.org (Home) |
| in Forchheim/Germany    : smurphy@linux.de   (Alt1) |
| Stardust's LiNUX System :                           |
| Web: http://www.solsys.org                          |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A
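The who-speaks-first trick described above, as an added example in Python that is neither the perl script from the thread nor anything from Shorewall or OpenVPN. It does in user space what Tom explains the firewall cannot do at SYN time: it accepts on 443, waits up to two seconds for the client to send something, classifies the connection (TLS handshake record, SSH banner, or silence), and relays it to the matching backend, replaying the bytes it already consumed. The backend addresses (127.0.0.1:4443 for the web server, 127.0.0.1:22 for sshd), the timeout, the stand-in backends in the self-test, and the truncated ClientHello bytes are all assumptions constructed for the example.

```python
"""Single-port demultiplexer: let the client speak (or stay silent), then relay.

Added example, not the perl script from the thread and not part of Shorewall or
OpenVPN. Backend addresses, ports and the timeout are assumptions.
"""
import asyncio
from typing import Dict, Optional, Tuple

Backend = Tuple[str, int]

# Assumed backends: web server bound to localhost:4443, sshd on 22.
BACKENDS: Dict[str, Backend] = {"tls": ("127.0.0.1", 4443), "ssh": ("127.0.0.1", 22)}
LISTEN = ("0.0.0.0", 443)
CLIENT_FIRST_TIMEOUT = 2.0  # seconds a silent client is given before we assume SSH

# Constructed, truncated TLS record (type 0x16, version 3.1) carrying a ClientHello.
# Used only by the self-test; a real ClientHello is far longer.
CLIENT_HELLO = bytes.fromhex("160301000a") + b"\x01\x00\x00\x06\x03\x03\x00\x00\x00\x00"


def classify(first_bytes: Optional[bytes]) -> str:
    """Choose a backend from what the client sent before the timeout.

    TLS clients open with a handshake record (type 0x16, major version 3).
    A client that sends nothing is waiting for a server banner, which on this
    port means SSH; some SSH clients send their own "SSH-" banner without
    waiting, so that is matched too. Anything else goes to the web server,
    which rejects it with its own error rather than this relay guessing.
    """
    if not first_bytes:
        return "ssh"
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    return "tls"


async def pump(src: asyncio.StreamReader, dst: asyncio.StreamWriter) -> None:
    """Copy src to dst until EOF, then close dst so the far side sees EOF too."""
    try:
        while True:
            chunk = await src.read(65536)
            if not chunk:
                break
            dst.write(chunk)
            await dst.drain()
    finally:
        dst.close()


async def handle_client(reader: asyncio.StreamReader, writer: asyncio.StreamWriter,
                        backends: Dict[str, Backend] = BACKENDS,
                        timeout: float = CLIENT_FIRST_TIMEOUT) -> str:
    """Serve one accepted connection; returns the name of the backend chosen."""
    try:
        first = await asyncio.wait_for(reader.read(4096), timeout)
    except asyncio.TimeoutError:
        first = b""  # client stayed silent: it expects the server to speak first
    kind = classify(first)
    host, port = backends[kind]
    try:
        b_reader, b_writer = await asyncio.open_connection(host, port)
    except OSError:
        writer.close()  # backend down: drop the client instead of hanging it
        return kind
    if first:
        b_writer.write(first)  # replay the bytes we consumed while deciding
        await b_writer.drain()
    await asyncio.gather(pump(reader, b_writer), pump(b_reader, writer),
                         return_exceptions=True)
    return kind


def selftest() -> Dict[str, bytes]:
    """Run the relay against two stand-in backends on loopback (constructed for
    the example) and return what a TLS-style client and a silent client got back."""

    async def tls_backend(r: asyncio.StreamReader, w: asyncio.StreamWriter) -> None:
        data = await r.read(4096)  # echoes the bytes the relay forwarded
        w.write(b"TLS-BACKEND:" + data)
        await w.drain()
        w.close()

    async def ssh_backend(r: asyncio.StreamReader, w: asyncio.StreamWriter) -> None:
        w.write(b"SSH-2.0-demo\r\n")  # server speaks first, like sshd
        await w.drain()
        w.close()

    async def run() -> Dict[str, bytes]:
        tls_srv = await asyncio.start_server(tls_backend, "127.0.0.1", 0)
        ssh_srv = await asyncio.start_server(ssh_backend, "127.0.0.1", 0)
        backends = {"tls": tls_srv.sockets[0].getsockname()[:2],
                    "ssh": ssh_srv.sockets[0].getsockname()[:2]}

        async def relay(r: asyncio.StreamReader, w: asyncio.StreamWriter) -> None:
            await handle_client(r, w, backends, timeout=0.3)

        demux = await asyncio.start_server(relay, "127.0.0.1", 0)
        host, port = demux.sockets[0].getsockname()[:2]

        async def probe(payload: bytes) -> bytes:
            r, w = await asyncio.open_connection(host, port)
            if payload:
                w.write(payload)
                await w.drain()
            reply = await r.read(4096)
            w.close()
            return reply

        out = {"tls": await probe(CLIENT_HELLO), "silent": await probe(b"")}
        await asyncio.sleep(0.05)  # let the relay tasks finish closing
        for srv in (tls_srv, ssh_srv, demux):
            srv.close()
        return out

    return asyncio.run(run())


async def serve() -> None:
    server = await asyncio.start_server(handle_client, *LISTEN)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

Binding 443 needs root or CAP_NET_BIND_SERVICE; on the Shorewall side this is then an ordinary ACCEPT for tcp/443 to the host running the relay, not a DNAT. Two caveats worth knowing before exposing it: the backends see 127.0.0.1 as the peer, so sshd's and the web server's logs lose the real client address (and sshd's per-source limits stop working) unless the relay runs on the firewall itself, which is exactly the extra daemon Joerg wanted to avoid; and the silent-client path means anyone who connects to 443 and says nothing reaches sshd, so this keeps SSH Internet-facing, unlike the VPN-then-SSH layout Russel suggests.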
<quote who="Russel">
[...]
> Perhaps a better solution can be found in the OpenVPN 2.1 manual:
> quote:
> --port-share host port
> When run in TCP server mode, share the OpenVPN port with another
> application, such as an HTTPS server. If OpenVPN senses a connection to
> its port which is using a non-OpenVPN protocol, it will proxy the
> connection to the server at host:port. Currently only designed to work
> with HTTP/HTTPS, though it would be theoretically possible to extend to
> other protocols such as ssh.
> Not implemented on Windows.
> End quote
>
> I've never tried this, but it might work for Joerg

This! is very good. Never saw this... Damn - I have to read the documentation on that, and specially before I ask these questions ;)

Thx for the Hint !
--
------------------------------------------------------------------------
| Joerg Mertin            : smurphy@solsys.org (Home) |
| in Forchheim/Germany    : smurphy@linux.de   (Alt1) |
| Stardust's LiNUX System :                           |
| Web: http://www.solsys.org                          |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A
<quote who="Tom Eastep">
[...]
> Thanks, Russel -- that must be new in OpenVPN 2.1 -- it doesn't appear in
> the manpage for 2.0.8.

Correct - I use 2.0.6 and don't find it in the documentation. Will have to backport openvpn 2.1 and try it out ... That would solve many of my problems :)
--
------------------------------------------------------------------------
| Joerg Mertin            : smurphy@solsys.org (Home) |
| in Forchheim/Germany    : smurphy@linux.de   (Alt1) |
| Stardust's LiNUX System :                           |
| Web: http://www.solsys.org                          |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A
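What the --port-share setup quoted above looks like in practice, as an added server configuration example that is not from the thread or from the OpenVPN project's own documentation. The file path, certificate paths, the VPN subnet and the web server's localhost port 4443 are assumptions; the directives themselves are the ones the quoted 2.1 manpage text refers to (port-share needs the TCP server mode it describes).

```conf
# /etc/openvpn/server.conf  (added example; paths and addresses are assumptions)
port 443
proto tcp-server          # port-share only works in TCP server mode
dev tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun

# Any connection on 443 that does not use OpenVPN's own protocol is relayed,
# unchanged, to the web server. Bind that web server to loopback only
# (e.g. Apache: Listen 127.0.0.1:4443) so 443 remains the single exposed port.
port-share 127.0.0.1 4443
```

Two points a practitioner should check before relying on it: the relayed HTTPS connections reach the web server from 127.0.0.1, so its access log no longer shows the real client address; and, as the manpage text says, the feature is designed for HTTP/HTTPS only, so SSH is still best reached the way Russel described, by connecting to the VPN first and using ssh across the tunnel rather than exposing sshd on the shared port.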
If it was for a company, I'd take more than one IP. However in my home env - I don't have this option. Remember - US detains 75% of the entire IP address pool. The remaining 25% are shared amongst the rest of the world ... So - static IP addresses are very expensive in Germany... Can't afford more than one...

Cheers
Joerg

<quote who="Andrew Suffield">
> On Thu, May 17, 2007 at 11:15:04PM +0200, Joerg Mertin wrote:
>> Any ideas ? Hints ?
>
> Aside from the openvpn feature that was already pointed out (which
> will work in the case of precisely two services sharing a port), in
> general this is the same problem as HTTPS virtual hosting. The answer
> is also the same: use multiple IP addresses, because you don't know
> what the client wants to talk to until it's too late.

--
------------------------------------------------------------------------
| Joerg Mertin            : smurphy@solsys.org (Home) |
| in Forchheim/Germany    : smurphy@linux.de   (Alt1) |
| Stardust's LiNUX System :                           |
| Web: http://www.solsys.org                          |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A
On Fri, May 18, 2007 at 09:24:26AM +0200, Joerg Mertin wrote:
> If It was for a company, I'd take more than one IP. However in my home env
> - I don't have this option. Remember - US detains 75% of the entire
> IP_Address pool. The remaining 25% are shared amongst the rest of the
> world ... So - Static IP-Addresses are very expensive in Germany... Can't
> afford more than one...

I do not live in the US, and I would not even consider using an ISP that did not provide a /29 block of static addresses for free, as part of their basic package. You shouldn't either.
This is a German problem. There is no ISP in Germany providing static IPs for free... so I have to take what I get ... The alternative would be to stay offline ;)

Cheers
Joerg

<quote who="Andrew Suffield">
> On Fri, May 18, 2007 at 09:24:26AM +0200, Joerg Mertin wrote:
>> If It was for a company, I'd take more than one IP. However in my home
>> env
>> - I don't have this option. Remember - US detains 75% of the entire
>> IP_Address pool. The remaining 25% are shared amongst the rest of the
>> world ... So - Static IP-Addresses are very expensive in Germany...
>> Can't
>> afford more than one...
>
> I do not live in the US, and I would not even consider using an ISP
> that did not provide a /29 block of static addresses for free, as part
> of their basic package. You shouldn't either.

--
------------------------------------------------------------------------
| Joerg Mertin            : smurphy@solsys.org (Home) |
| in Forchheim/Germany    : smurphy@linux.de   (Alt1) |
| Stardust's LiNUX System :                           |
| Web: http://www.solsys.org                          |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A
Simon Hobson
2007-May-18 09:34 UTC
Re: Fixed Addressing (Was: Identify OpenVPN/HTTPS Connection on 443 ?)
Getting off-topic now ...

Andrew Suffield wrote:
>> If It was for a company, I'd take more than one IP. However in my home env
>> - I don't have this option. Remember - US detains 75% of the entire
>> IP_Address pool. The remaining 25% are shared amongst the rest of the
>> world ... So - Static IP-Addresses are very expensive in Germany... Can't
>> afford more than one...

> I do not live in the US, and I would not even consider using an ISP
> that did not provide a /29 block of static addresses for free, as part
> of their basic package. You shouldn't either.

I see you have a UK address, so I'd be interested to know which ISPs offer a /29 on residential connections - at all, let alone for free !

PlusNet force you to have a fixed address on the package I'm on, some packages don't allow it, others it's an option (it varies by package and the packages change from time to time). I know most don't offer a fixed address AT ALL (that includes BT IIRC) on residential services, and where it is available it's normally an extra cost option (eg BT charge an EXTRA £5/mo on their business connections).

In most cases I'm aware of, to have a fixed address, let alone a /29, means taking a substantially more expensive package - usually waaaay more expensive than is justified by the supposed benefits.

I was musing from an Italian hotel a few weeks ago about running a VPN over port 53 (UDP) since that didn't seem to be blocked by the hotspot ;-)
Andrew Suffield
2007-May-18 10:22 UTC
Re: Fixed Addressing (Was: Identify OpenVPN/HTTPS Connection on 443 ?)
On Fri, May 18, 2007 at 10:34:20AM +0100, Simon Hobson wrote:
> Getting off-topic now ...
>
> Andrew Suffield wrote:
> >> If It was for a company, I'd take more than one IP. However in my home env
> >> - I don't have this option. Remember - US detains 75% of the entire
> >> IP_Address pool. The remaining 25% are shared amongst the rest of the
> >> world ... So - Static IP-Addresses are very expensive in Germany... Can't
> >> afford more than one...
>
> >I do not live in the US, and I would not even consider using an ISP
> >that did not provide a /29 block of static addresses for free, as part
> >of their basic package. You shouldn't either.
>
> I see you have a UK address, so I'd be interested
> to know which ISPs offer a /29 on residential
> connections - at all, let alone for free !

I use Zen (http://www.zen.co.uk/) wherever possible. They offer free /29 blocks on all packages, even the cheapest ones (you just have to ask for it when ordering - they don't waste addresses on people who won't know how to use them). They also have actual customer support, rather than a callcentre with a script, and will sell you a real SLA if you want to pay for it, which is excellent for those pesky small-business ADSL lines. They are slightly more expensive than the competition's similar packages, but you get a lot more for your money.

> PlusNet force you to have a fixed address on the
> package I'm on, some packages don't allow it,
> others it's an option (it varies by package and
> the packages change from time to time). I know
> most don't offer a fixed address AT ALL (that
> includes BT IIRC) on residential services, and
> where it is available it's normally an extra cost
> option (eg BT charge an EXTRA £5/mo on their
> business connections).

After a spate of mergers over the past decade, most UK ISPs are actually resellers for or subsidiaries of BT (who own plusnet), virgin (was NTL), or orange (was wanadoo). This means their offers tend to be more or less identical, and all of them suck, catering to the lowest common denominator of home users. There's about half a dozen independent ISPs who don't.