Tuesday, September 25, 2007

Quick SSH Tip: ProxyCommand

Here's a quick tip for OpenSSH:

Suppose there is an SSH server inside a remote network that does not have its SSH port exposed to the Internet (named "internal.hostname.tld"). If there is an SSH gateway host that you can SSH to (that has the ability to reach "internal"'s SSH port), you can use the netcat (nc(1)) command to Proxy your SSH session to "internal" through "gateway".


Put something like the following in your ~/.ssh/config (or /etc/ssh/ssh_config):

Host internal.hostname.tld internal
  User          merdely
  HostName      internal.hostname.tld
  ProxyCommand  ssh merdely@gateway.hostname.tld nc %h %p 2> /dev/null



Then, make connect to "internal" as if you could directly: ssh internal.hostname.tld

Sunday, September 23, 2007

Setting up a Soekris 5501 with OpenBSD 4.2

undeadlyNew story of mine on The OpenBSD Journal:

I wrote about how I went about setting up my new Soekris net5501:

I recently purchased a new Soekris net5501 to replace my beige box firewall. I had previously set up a net4501 but I wasn't happy with it and sold it to a friend. Large file transfers would grind it to a halt and the performance wasn't as good as my beige box. The net5501 has increased horsepower (faster processor, more memory) and a better network chipset (vr(4)). And, most of all, because there are 4 network ports! At my house I have 3 network + my FiOS connection. I have my internal LAN (wired with full access to everything), my wireless network (requires authentication and has limited access to the LAN) and my DMZ (for my web server; no access to the LAN or wireless networks).

For my installation, I use Yaifo so I don't have to deal with a serial console or setting up pxeboot. (I actually did hook up a serial console to update the bios, which I'll discuss later). Also, I use a custom rc and a flashdist-like system so I can mount my CF read-only. My "fdlite" script doesn't rely on a customized install like flashdist. It does use some of the device modifications Chris uses to make the read-only / work properly, though.


Read more at The OpenBSD Journal.