divzeroweb

2f30.org website
git clone git://git.2f30.org/divzeroweb
Log | Files | Refs | README | LICENSE

commit caccbc54fb5099d425649f3d270036bcf19ee8dc
parent 871e53f3664983a9544c73064ec85554cf76e3d4
Author: lostd <lostd@2f30.org>
Date:   Wed, 30 Apr 2014 17:26:29 +0300

New guide for service proxies

Diffstat:
MMakefile | 3++-
Mguides.md | 1+
Aguides/proxy.md | 85+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 88 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile @@ -11,7 +11,8 @@ PAGES = $(MENUPAGES) \ guides/openvpn.html \ guides/icecast.html \ guides/git.html \ - guides/sunsparc.html + guides/sunsparc.html \ + guides/proxy.html EXTRA = css divzerokey.png favicon.ico index.html \ lectures/resources diff --git a/guides.md b/guides.md @@ -4,3 +4,4 @@ Just some notes on various useful tasks. * [icecast](guides/icecast.html): Using icecast and mpd for web radio on OpenBSD * [git](guides/git.html): Simple git guide for CVS users * [sunsparc](guides/sunsparc.html): Booting Sun UltraSPARC machines + * [proxy](guides/proxy.html): Accessing firewalled services using PF on OpenBSD diff --git a/guides/proxy.md b/guides/proxy.md @@ -0,0 +1,85 @@ +### Accessing firewalled services using PF on OpenBSD + +Consider a scenario where all hosts in a network have public IP +addresses, but only one subnet is accessible from the Internet because +of a corporate firewall. Internal hosts communicate with each other +normally. In order to access the SSH port of a firewalled machine, say +with the hostname `hidden`, you may use another host, say `middle`, +belonging in the accessible subnet, at a different port, and redirect +traffic to and from `hidden`. Most of this is described in +[PF User's Guide](http://www.openbsd.org/faq/pf/rdr.html), but the +manual assumes a public and a private interface with NAT between the two. +This guide is about using the same interface to do the forwarding. +It can be done using a user-level proxy or completely in-kernel with PF. +The configuration of the `middle` host is found below. + + +#### User-level proxy with inetd and netcat + +/etc/pf.conf: + + # Proxy SSH to other machines with inetd + pass in quick on egress proto tcp from any to any port 1337 rdr-to (lo) + +/etc/inetd.conf: + + # SSH proxy using nc + 127.0.0.1:1337 stream tcp nowait proxy /usr/bin/nc nc hidden 22 + + +#### Kernel-level proxy only with PF rules + +/etc/pf.conf: + + # Proxy SSH to other machines + pass in quick on egress proto tcp to port 1337 rdr-to hidden port ssh + pass out quick on egress proto tcp to hidden port ssh nat-to (egress) + + +#### Tips for SSH access + +For seamless SSH access to the `hidden` host you can alias it to the +`middle` host, and use the appropriate port like this. + +~/.ssh/config: + + Host hidden + HostName middle + Port 1337 + +The aliasing can also be done at the `/etc/hosts` or DNS level using a +CNAME record for `hidden.example.org` that points to +`middle.example.org` and use: + +~/.ssh/config: + + Host hidden.example.org + Port 1337 + + +#### Performance evaluation + +A rough benchmarking of the two methods shows that the PF-only setup +performs slightly better probably because it generates less local traffic +and context switches. Throughput and latency was measured over ssh as +shown below. The tests are a single large file transfer and the timing +of login and logout. The load on the `middle` host is also displayed +broken down as interrupts and system time. + + # large file transfer + $ time scp install54.iso hidden: + + # login operation + $ time ssh hidden echo + +And the results: + + # throughput latency ints system + user-level: 3.9MB/s 0.6461s 35% 5% + kernel-only: 3.9MB/s 0.6220s 23% 0% + +Choose your destiny! + +Cheers! + +lostd@