commit caccbc54fb5099d425649f3d270036bcf19ee8dc
parent 871e53f3664983a9544c73064ec85554cf76e3d4
Author: lostd <lostd@2f30.org>
Date: Wed, 30 Apr 2014 17:26:29 +0300
New guide for service proxies
Diffstat:
3 files changed, 88 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
@@ -11,7 +11,8 @@ PAGES = $(MENUPAGES) \
guides/openvpn.html \
guides/icecast.html \
guides/git.html \
- guides/sunsparc.html
+ guides/sunsparc.html \
+ guides/proxy.html
EXTRA = css divzerokey.png favicon.ico index.html \
lectures/resources
diff --git a/guides.md b/guides.md
@@ -4,3 +4,4 @@ Just some notes on various useful tasks.
* [icecast](guides/icecast.html): Using icecast and mpd for web radio on OpenBSD
* [git](guides/git.html): Simple git guide for CVS users
* [sunsparc](guides/sunsparc.html): Booting Sun UltraSPARC machines
+ * [proxy](guides/proxy.html): Accessing firewalled services using PF on OpenBSD
diff --git a/guides/proxy.md b/guides/proxy.md
@@ -0,0 +1,85 @@
+### Accessing firewalled services using PF on OpenBSD
+
+Consider a scenario where all hosts in a network have public IP
+addresses, but only one subnet is accessible from the Internet because
+of a corporate firewall. Internal hosts communicate with each other
+normally. In order to access the SSH port of a firewalled machine, say
+with the hostname `hidden`, you may use another host, say `middle`,
+belonging in the accessible subnet, at a different port, and redirect
+traffic to and from `hidden`. Most of this is described in
+[PF User's Guide](http://www.openbsd.org/faq/pf/rdr.html), but the
+manual assumes a public and a private interface with NAT between the two.
+This guide is about using the same interface to do the forwarding.
+It can be done using a user-level proxy or completely in-kernel with PF.
+The configuration of the `middle` host is found below.
+
+
+#### User-level proxy with inetd and netcat
+
+/etc/pf.conf:
+
+ # Proxy SSH to other machines with inetd
+ pass in quick on egress proto tcp from any to any port 1337 rdr-to (lo)
+
+/etc/inetd.conf:
+
+ # SSH proxy using nc
+ 127.0.0.1:1337 stream tcp nowait proxy /usr/bin/nc nc hidden 22
+
+
+#### Kernel-level proxy only with PF rules
+
+/etc/pf.conf:
+
+ # Proxy SSH to other machines
+ pass in quick on egress proto tcp to port 1337 rdr-to hidden port ssh
+ pass out quick on egress proto tcp to hidden port ssh nat-to (egress)
+
+
+#### Tips for SSH access
+
+For seamless SSH access to the `hidden` host you can alias it to the
+`middle` host, and use the appropriate port like this.
+
+~/.ssh/config:
+
+ Host hidden
+ HostName middle
+ Port 1337
+
+The aliasing can also be done at the `/etc/hosts` or DNS level using a
+CNAME record for `hidden.example.org` that points to
+`middle.example.org` and use:
+
+~/.ssh/config:
+
+ Host hidden.example.org
+ Port 1337
+
+
+#### Performance evaluation
+
+A rough benchmarking of the two methods shows that the PF-only setup
+performs slightly better probably because it generates less local traffic
+and context switches. Throughput and latency was measured over ssh as
+shown below. The tests are a single large file transfer and the timing
+of login and logout. The load on the `middle` host is also displayed
+broken down as interrupts and system time.
+
+ # large file transfer
+ $ time scp install54.iso hidden:
+
+ # login operation
+ $ time ssh hidden echo
+
+And the results:
+
+ # throughput latency ints system
+ user-level: 3.9MB/s 0.6461s 35% 5%
+ kernel-only: 3.9MB/s 0.6220s 23% 0%
+
+Choose your destiny!
+
+Cheers!
+
+lostd@
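Review bot: the incoming rules in both variants (`pass in quick on egress proto tcp from any to any port 1337 rdr-to (lo)` and the kernel-only `pass in quick on egress proto tcp to port 1337 rdr-to hidden port ssh`) accept connections from any source, so they re-expose the SSH port of `hidden` to the whole Internet and undo the corporate firewall for that service; the guide should say so and suggest restricting the source (a `from <admins>` table or at least `from $trusted_nets`), and for the inetd variant a connection-rate cap via `nowait.N` in inetd.conf. Two things a reader needs spelled out: first, `hidden` only ever sees `middle` as the peer address in both variants (nc connects from `middle`; `nat-to (egress)` rewrites the client source), so the auth logs on `hidden` and any `from=` restrictions in authorized_keys cannot tell clients apart; second, the `nat-to (egress)` in the kernel-only variant is not optional: because the client and `hidden` are reached over the same interface, without it `hidden` would answer the client directly from its own address and the client would reset a reply that matches no connection it opened. As written, `pass out quick on egress proto tcp to hidden port ssh nat-to (egress)` also translates the own SSH sessions of `middle` to `hidden`; tagging the redirected connections (`rdr-to hidden port ssh tag PROXY` on the in rule and `pass out quick on egress proto tcp tagged PROXY nat-to (egress)`) limits the translation to proxied traffic. In the ssh_config tip, note that ssh records the host key under `[middle]:1337`, not `hidden`, so users must verify the fingerprint of `hidden` out of band on first use; adding `HostKeyAlias hidden` to the `Host hidden` block makes the direct and proxied paths share one known_hosts entry. The performance table would also benefit from stating how many runs each figure averages, since a 0.02 s login difference is within single-run noise.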