Predrag Punosevac [punoseva...@gmail.com] wrote:
> Hi Misc,
> 
> This is trivial question but I am having a hard time wrapping my head
> around the possible use of relayd for ssh traffic redirecting. Namely I
> have a situation where I have multiple hosts behind firewall which I
> would like to make available for ssh login.
> 
> In the past I was using different port numbers to accomplish this 
> 
> pass in on egress inet proto tcp to (egress) port 1671 rdr-to $mpi
> pass in on egress inet proto tcp to (egress) port 1672 rdr-to $gpu
> pass in on egress inet proto tcp to (egress) port 1673 rdr-to $hammer
> 
> However I was wondering if I could use relayd in conjunction with PF to 
> avoid different port numbers. 
> 
> I would like to have something like
> 
> ssh u...@mpi.mylab.org going to mpi machine 
> ssh u...@mpi.mylab.org going to gpu machine
> ssh u...@hammer.mylab.org going to hammer machine
> 

relayd doesn't support any kind of ssh proxying (it doesn't know
anything about SSH, only SSL at this point) and in any event,
the SSH 2.0 protocol doesn't make this possible: key exchange
happens before there is any negotiation that would allow the
client to differentiate the desired host.

If you want to keep the port numbers at 22, you have to use multiple
ports on the "outside" and redirect to the proper internal host,
or just give the internal hosts unique public IPs...or just
have people log into a menu which gives them a choice of the
next host they desire (the old school way!)
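As an added illustration of the key-exchange point above (not part of the original thread), the following Python encodes and decodes an SSH_MSG_KEXINIT payload as laid out in RFC 4253 section 7.1; the algorithm lists and the all-zero cookie are constructed sample values. Every field is a cookie, an algorithm name-list or a flag, so the first packet a client sends after its version string carries nothing a relay could use to pick a destination host.

```python
import struct

SSH_MSG_KEXINIT = 20

# Name-list fields of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
KEXINIT_FIELDS = [
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
]

def _name_list(buf, off):
    """Decode one SSH name-list (uint32 length + comma-separated ASCII)."""
    (n,) = struct.unpack_from(">I", buf, off)
    raw = buf[off + 4:off + 4 + n].decode("ascii")
    return [s for s in raw.split(",") if s], off + 4 + n

def build_kexinit(cookie, lists):
    """Encode a KEXINIT payload; fields missing from `lists` are sent empty."""
    assert len(cookie) == 16, "cookie is always 16 random bytes"
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_FIELDS:
        body = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(body)) + body
    out += b"\x00"                # first_kex_packet_follows = FALSE
    out += struct.pack(">I", 0)   # reserved (must be zero)
    return out

def parse_kexinit(payload):
    """Decode a KEXINIT payload into its fields; no field can hold a hostname."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    fields = {"cookie": payload[1:17]}
    off = 17
    for name in KEXINIT_FIELDS:
        fields[name], off = _name_list(payload, off)
    fields["first_kex_packet_follows"] = payload[off] != 0
    return fields

# Constructed sample: what a client might offer; note there is no "host" field.
SAMPLE = build_kexinit(b"\x00" * 16, {
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "server_host_key_algorithms": ["ssh-ed25519"],
    "encryption_algorithms_client_to_server": ["chacha20-poly1305@openssh.com"],
    "encryption_algorithms_server_to_client": ["chacha20-poly1305@openssh.com"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
})
```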
