divzeroweb

2f30.org website
git clone git://git.2f30.org/divzeroweb.git

proxy.md (2697B)


### Accessing firewalled services using PF on OpenBSD

Consider a scenario where all hosts in a network have public IP
addresses, but only one subnet is reachable from the Internet because
of a corporate firewall.  Internal hosts communicate with each other
normally.  To reach the SSH port of a firewalled machine, say with the
hostname `hidden`, you can use another host, say `middle`, that belongs
to the reachable subnet: `middle` accepts connections on a different
port and relays the traffic to and from `hidden`.  Most of this is
described in the [PF User's Guide](http://www.openbsd.org/faq/pf/rdr.html),
but the guide assumes a public and a private interface with NAT between
the two.  This guide is about doing the forwarding on a single interface.
It can be done with a user-level proxy or entirely in the kernel with PF.
Either way port 1337 on `middle` becomes `hidden`'s SSH port for anyone
who can reach `middle`, so restrict the source addresses of the `pass in`
rule below to the ones you actually connect from if you can.
The configuration of the `middle` host is found below.


#### User-level proxy with inetd and netcat

/etc/pf.conf:

    # Proxy SSH to other machines with inetd: connections arriving on the
    # external interface for port 1337 are redirected to the loopback
    # address, where inetd is listening
    pass in quick on egress proto tcp from any to any port 1337 rdr-to (lo)

/etc/inetd.conf:

    # SSH proxy using nc: for each connection inetd runs one nc as the
    # unprivileged proxy user with the accepted socket on stdin/stdout
    127.0.0.1:1337 stream tcp nowait proxy /usr/bin/nc nc hidden 22

/etc/rc.conf.local:

    # an empty value enables inetd at boot with its default flags
    inetd_flags=

No forwarding sysctl is needed here: the redirected connection is
delivered locally, and `nc` opens an ordinary outgoing connection to
`hidden`.


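The inetd plus `nc` relay above, re-implemented in Python as an added example (it is not code from this page or from the 2f30 repository) so that the user-level data path can be run and tested on any machine: a listener accepts on a local port, connects to the target, and copies bytes in both directions in userspace, one thread per connection the way inetd runs one `nc` per connection.  The loopback echo server standing in for `sshd` on `hidden`, the automatically chosen ports and the `SSH-2.0-...` banner used as payload are constructed for the demo.

```python
import selectors
import socket
import socketserver
import threading
from typing import Tuple


def pump(a: socket.socket, b: socket.socket) -> int:
    """Copy bytes both ways until both sides have sent EOF; return bytes relayed.

    This is what `nc hidden 22` does under inetd: every chunk is read into
    userspace and written out again, work the PF-only variant leaves to the
    kernel.  A half-close on one side is passed along to the other side.
    """
    sel = selectors.DefaultSelector()
    peer = {a: b, b: a}
    for s in peer:
        sel.register(s, selectors.EVENT_READ)
    total, open_sides = 0, 2
    while open_sides:
        for key, _ in sel.select():
            src = key.fileobj
            data = src.recv(65536)
            if data:
                peer[src].sendall(data)
                total += len(data)
                continue
            sel.unregister(src)                    # this direction is done
            open_sides -= 1
            try:
                peer[src].shutdown(socket.SHUT_WR)
            except OSError:
                pass
    sel.close()
    return total


class RelayHandler(socketserver.BaseRequestHandler):
    """One handler thread per accepted client, like inetd running one nc."""

    def handle(self) -> None:
        try:
            upstream = socket.create_connection(self.server.target, timeout=5)
        except OSError:
            return              # nc could not reach hidden: client just sees EOF
        with upstream:
            self.server.relayed += pump(self.request, upstream)


class Relay(socketserver.ThreadingTCPServer):
    """Listen on 127.0.0.1:listen_port (0 picks a free port), relay to target."""
    allow_reuse_address = True

    def __init__(self, listen_port: int, target: Tuple[str, int]) -> None:
        super().__init__(("127.0.0.1", listen_port), RelayHandler)
        self.target, self.relayed = target, 0
        self.port = self.server_address[1]
        threading.Thread(target=self.serve_forever, daemon=True).start()

    def stop(self) -> None:
        self.shutdown()         # stop accepting new clients
        self.server_close()     # joins handler threads, so `relayed` is final


class EchoHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in for sshd on hidden: echoes its input back."""

    def handle(self) -> None:
        for data in iter(lambda: self.request.recv(65536), b""):
            self.request.sendall(data)


def start_echo_server() -> socketserver.ThreadingTCPServer:
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), EchoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def round_trip(port: int, payload: bytes) -> bytes:
    """Client side: send payload through the relay, half-close, read to EOF."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(65536), b""))


def demo(payload: bytes = b"SSH-2.0-OpenSSH_test\r\n") -> Tuple[bytes, int]:
    """Wire client -> relay -> echo server on loopback; return (reply, bytes relayed)."""
    echo = start_echo_server()
    relay = Relay(0, ("127.0.0.1", echo.server_address[1]))
    try:
        reply = round_trip(relay.port, payload)
    finally:
        relay.stop()
        echo.shutdown()
        echo.server_close()
    return reply, relay.relayed
```

`demo()` returns the echoed payload and the byte count that crossed userspace on the relay, which is twice the payload size (once in each direction); on a real `middle` the equivalent of the inetd line is `Relay(1337, ("hidden", 22))` kept alive with `threading.Event().wait()`, with no PF rule needed beyond the `rdr-to (lo)` one if you bind to loopback as inetd does.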
#### Kernel-level proxy only with PF rules

/etc/pf.conf:

    # Proxy SSH to other machines: rewrite the destination to hidden:22,
    # then rewrite the source to middle's own address on the way out so
    # that hidden answers through middle rather than straight to the client
    pass in quick on egress proto tcp to port 1337 rdr-to hidden port ssh
    pass out quick on egress proto tcp to hidden port ssh nat-to (egress)

/etc/sysctl.conf:

    # the redirected packets are routed out again, not delivered locally
    net.inet.ip.forwarding=1

The `nat-to` rule is what makes this work on one interface: without it
`hidden` would reply straight to the client, bypassing `middle`, so PF
could never undo the redirection and the client would get packets from
an address and port it never connected to.  The price is that `sshd` on
`hidden` sees every connection as coming from `middle`, so its logs and
any address-based access controls no longer see the real client.  PF
resolves the name `hidden` when the ruleset is loaded, so reload it
with `pfctl -f /etc/pf.conf` if that address ever changes.


#### Tips for SSH access

For seamless SSH access to the `hidden` host you can alias it to the
`middle` host and use the appropriate port like this:

~/.ssh/config:

    Host hidden
        HostName middle
        Port 1337

The aliasing can also be done at the `/etc/hosts` or DNS level, with a
CNAME record for `hidden.example.org` that points to
`middle.example.org`, and then use:

~/.ssh/config:

    Host hidden.example.org
        Port 1337

Both relays only carry bytes, so the SSH session is still end to end
with the `sshd` on `hidden`: it is `hidden`'s host key that ssh checks,
and `middle` sees nothing but ciphertext.  With the first configuration
ssh records that key under `[middle]:1337` in `known_hosts`; add
`HostKeyAlias hidden` to the `Host` block if you also reach `hidden`
directly from inside and want a single entry for it.


#### Performance evaluation

A rough benchmark of the two methods shows that the PF-only setup
performs slightly better, probably because it generates less local
traffic and fewer context switches: with inetd every byte is copied
through a userland `nc` process, while PF rewrites and forwards the
packets inside the kernel.  Throughput and latency were measured over
ssh as shown below.  The tests are a single large file transfer and the
timing of a login and logout.  The load on the `middle` host is also
shown, broken down into interrupt and system time.

    # large file transfer
    $ time scp install54.iso hidden:

    # login operation
    $ time ssh hidden echo

And the results:

    #            throughput   latency   ints  system
    user-level:     3.9MB/s   0.6461s    35%      5%
    kernel-only:    3.9MB/s   0.6220s    23%      0%

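The table gives one latency figure per method, and 0.62 s against 0.65 s is the kind of gap a single `time ssh hidden echo` cannot separate from noise.  The following harness is an added example, not part of the original page: it repeats the login measurement, reports the spread, and only calls one variant faster when the medians differ by more than that spread.  The command to time is a parameter; `["ssh", "hidden", "echo"]` is the page's own test, and the threshold rule is the author's assumption here, not a statistical test.

```python
import statistics
import subprocess
import time
from typing import Dict, List, Sequence


def measure(argv: Sequence[str], runs: int = 10) -> Dict[str, float]:
    """Run argv `runs` times; summarise wall-clock seconds per run.

    Each run starts a fresh process, so for ["ssh", "hidden", "echo"] the
    figure is the whole connect/login/logout round trip, as with
    `time ssh hidden echo`, but repeated so that the spread is visible.
    """
    samples: List[float] = []
    for _ in range(runs):
        t0 = time.perf_counter()
        subprocess.run(argv, check=True,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        samples.append(time.perf_counter() - t0)
    return {
        "runs": float(runs),
        "min": min(samples),
        "median": statistics.median(samples),
        "max": max(samples),
        "stdev": statistics.pstdev(samples),
    }


def compare(a: Dict[str, float], b: Dict[str, float]) -> str:
    """Report which series is faster, or that the gap is within the noise.

    Rule of thumb used here (an assumption, not a formal test): the medians
    have to differ by more than the larger of the two spreads before the
    difference is worth reporting.
    """
    gap = b["median"] - a["median"]
    noise = max(a["stdev"], b["stdev"])
    if abs(gap) <= noise:
        return "no measurable difference"
    return "a is faster" if gap > 0 else "b is faster"
```

Run `measure(["ssh", "hidden", "echo"], runs=20)` once with each configuration loaded on `middle` and hand the two results to `compare`; the same call with `["scp", "install54.iso", "hidden:"]` times the transfer, and throughput follows from the file size divided by the median.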
Choose your destiny!

Cheers!

lostd@