DaemonForums  
#1  shvehlava, 24th May 2021
Tunneling through ssh?

Hello!

I recently picked up learning FreeBSD, coming from OpenBSD. I put it on bare metal so that I may better tinker with it and become acquainted with its ins and outs.

Since as of now it serves as a desktop, I'm working out if I could potentially have it replace my main workstation.

One of the functions I can't figure out right now is tunneling through ssh for use with a socks-proxy. On OpenBSD, one would ssh over to a host with -D port, i.e.:
Code:
% ssh -D 12345 user@host
While this does connect to the remote host, it doesn't seem to open the port, as I don't see anything in netstat. (maybe netstat is not the tool to use?) For the test I use links.
Code:
% links -socks-proxy localhost:12345
doesn't tunnel the traffic.

I figured the syntax must be different in FreeBSD, and the handbook does mention a different approach: localport:remotehost:remoteport.
Code:
% ssh -L 5023:localhost:23 user@foo.example.com
but I'm not quite sure what the remote port should be. Some unsuccessful attempts do make links get stuck now, as opposed to just working without tunneling anything.

Thank you for any explanations.
And since this is my first post: it's good to be here.

EDIT:
I see now that the former method with -D does appear in netstat -a, but a web browser utilising the socks-proxy gets stuck on 'making connection to another server'.

Last edited by shvehlava; 24th May 2021 at 06:49 PM. Reason: new findings
#2  shvehlava, 24th May 2021

I figured it out. It was pf.
#3  shvehlava, 24th May 2021

My follow-up question then would be, what am I to allow in pf.conf for socks?
#4  J65nko (Administrator), 24th May 2021

I did not use the SSH built-in socks proxy for a long time.
This is what works for me on an OpenBSD workstation and an OpenBSD server at siralas.nl, using the simple -D option:
Code:
-D [bind_address:]port

             Specifies a local "dynamic" application-level port forwarding.
             This works by allocating a socket to listen to port on the local
             side, optionally bound to the specified bind_address.  Whenever a
             connection is made to this port, the connection is forwarded over
             the secure channel, and the application protocol is then used to
             determine where to connect to from the remote machine.  Currently
             the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
             as a SOCKS server.  Only root can forward privileged ports.
             Dynamic port forwardings can also be specified in the
             configuration file.
Note that privileged ports are ports below 1024; that is why, as a normal user, I use a higher port.
  • Connect to siralas.nl with: $ ssh -D 4000 siralas.nl
    Please note that in .ssh/config I have something like:
    Code:
    Host siralas.nl
        User johndoe
        Port 8888
    On my workstation I get the following output:
    Code:
    $ netstat -an -f inet | grep 4000
    tcp          0      0  127.0.0.1.4000         *.*                    LISTEN
  • Start iridium browser with: $ iridium --proxy-server="socks4://localhost:4000"

    After browsing to daemonforums.org I do the following in the SSH terminal session to/on siralas.nl:
    Code:
    $ dig +short daemonforums.org
    95.170.82.241
    $ netstat -an -f inet | grep 95.170.82.241
    tcp          0      0  136.144.199.186.12283  95.170.82.241.80       CLOSE_WAIT
    $ netstat -an -f inet | grep 95.170.82.241
    tcp          0      0  136.144.199.186.30933  95.170.82.241.80       CLOSE_WAIT

Using this method I don't have to adjust anything in pf.conf on both workstation and server.

Last edited by J65nko; 24th May 2021 at 08:22 PM.
#5  shvehlava, 25th May 2021

I debugged it. I forgot:
Code:
set skip on lo
Thank you!

Last edited by shvehlava; 25th May 2021 at 11:44 AM.
#6  J65nko (Administrator), 25th May 2021

On your FreeBSD desktop/workstation:
  • Do you see a LISTEN on 127.0.0.1:4000?
  • Does the ssh command succeed and give you a terminal session on the remote server?

On your FreeBSD machine do you have a set skip on lo0 directive? If pf blocks loopback 127.0.0.1 traffic it won't work ;-)

Before you enable that skip loopback directive, you can make pf log blocked packets:
Code:
block in log (all)
This will make the blocked packets show up on the pflog0 interface, which you can view with: # tcpdump -eni pflog0 in a separate xterm.

Then do your ssh tunneling command in xterm nr 2 and start your browser in xterm nr 3.
Anything interesting showing up in xterm 1, running the tcpdump?
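Putting the two posts above together as an added example (my own pf.conf fragment, not something posted in the thread): the ruleset that makes the browser hang beside the corrected one. The interface name em0 is an assumption; the listener port 4000 is the one from post #4.

```pf
# /etc/pf.conf on the FreeBSD desktop that runs "ssh -D 4000 user@host".
# Added example, not from the thread; em0 is an assumed interface name.
ext_if = "em0"

# PROBLEM: a default-deny ruleset with no loopback exception. pf then also
# filters 127.0.0.1 traffic, so the browser's connection to the SOCKS
# listener on 127.0.0.1:4000 is dropped and the browser hangs on
# "making connection to another server". Kept here, commented out, for contrast.
#
#   block in log (all)
#   pass out on $ext_if keep state

# FIX: exempt the loopback interface from filtering entirely. The ssh -D
# listener binds only 127.0.0.1, so nothing on lo0 needs to pass through pf.
set skip on lo0

# Default deny inbound. "log (all)" writes every blocked packet to pflog0,
# where "tcpdump -eni pflog0" shows what pf is dropping while you debug.
block in log (all)

# Outbound from the desktop, including the ssh session that carries the tunnel.
pass out on $ext_if proto { tcp udp icmp } keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf; on FreeBSD, sockstat -4l | grep 4000 should then show the ssh client listening on 127.0.0.1:4000.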
#7  shvehlava, 26th May 2021

It was indeed set skip on lo0; I've edited my previous post. Thanks again, and thank you for the tcpdump tutorial.