I have got enough information to configure Windows Desktop RDP over
ssh using the help of this group.
But I am wondering if it is possible to connect RDP ONLY through the
SSH. Please note the word ONLY. I don't want any user to connect
without using the SSH. Is it possible to configure or code it?
Regards,
Y Iguchi
Conceptually you want a port filter to deny all requests from external
hosts, but to allow connections to the RDP port (3389 by default) from
either 127.0.0.1 (localhost of the windows server if that's where the
ssh server is running, or the IP of the ssh server if it's on another
box on your LAN).
Now, how to do that on Windows... I'm not certain if the built-in
firewall is flexible enough to do what you want, and you would need to
specify which version of Windows you are dealing with.
--
Todd H.
http://www.toddh.net/
I don't think that the built-in Windows firewall will work with that
configuration. Too great a level of detail. But numerous 3rd-party
ones will work.
Btw, have you seen WiSSH? http://www.wissh.com
Should make your connections easier.
According to my understanding the ssh server does not change the
packets. Since there is no change in the packets, to the firewall it
will still appear as if the packet is coming from the original address. If
it appears as if it is coming from the original address, the firewall solution
will not work.
I am a little new to networking, please let me know if I'm wrong.
Regards,
Y Iguchi
> According to my understanding the ssh server does not change the
> packets. Since there is no change in the packets, to the firewall it
> will still appear as if the packet is coming from the original address. If
> it appears as if it is coming from the original address, the firewall solution
> will not work.
Not true. SSH port forwarding is not implementing a VPN, so it's not
passing any sort of untranslated packet in and out. It's just moving
the data across and establishing another TCP connection locally.
In addition, even if it did do a more full VPN, most firewalls will work
on the network cards/traffic layer. At that point, only the normal
SSH:tcp/22 traffic will be seen. Any translation would take place
later. How much this is true would depend on the specifics of the
firewall in use, I suppose.
--
Darren Dunham ddu...@taos.com
Senior Technical Consultant TAOS http://www.taos.com/
Got some Dr Pepper? San Francisco, CA bay area
< This line left intentionally blank to confuse you. >
Hi,
Ok, that means the packets are translated beforehand and are carried
as data on the TCP/SSH port. Further, the ssh will forward this data to the RDP
server.
If we are using the standard Windows firewall, it will see at the RDP port that data
is coming from the localhost only.
Please correct me if my understanding is wrong.
Regards,
Y Iguchi
> Hi,
>
> According to my understanding the ssh server does not change the
> packets. Since there is no change in the packets, to the firewall it
> will still appear as if the packet is coming from the original address.
Your understanding is inaccurate I'm afraid. The traffic will
appear to come from the ssh server's address (127.0.0.1 if RDP and
sshd live on the same box).
As another example, in X11 forwarding with SSH, when I fire up the X
server on the machine I'm sitting in front of, the address I need to
tell it to add to the xhost list is 127.0.0.1, not the address of the
remote server.
Best Regards,
[snip]
>Ok, that means the packets are translated beforehand and are carried
>as data on the TCP/SSH port.
No it doesn't - the packets are neither translated nor carried, but
effectively discarded before ssh even sees them. The *data payload* from
the packets is carried across the ssh connection, in standard
SOCK_STREAM byte-stream fashion. And as Darren wrote, at the other end a
*new* TCP connection is established, with no relation whatsoever to the
original one, and the transported data bytes are fed into it.
>If we are using the standard Windows firewall, it will see at the RDP port that data
>is coming from the localhost only.
This is correct. Though the IP address seen as the source will at least
on Unix depend on how you did the forwarding: -L<port>:localhost:<port>
or -L<port>:127.0.0.1:<port> => the server will see 127.0.0.1 (or
possibly IPv6 ::1) as source address, while -L<port>:hostname:<port> or
-L<port>:host.ip.ad.dr:<port> => the server will see host.ip.ad.dr as
source. With some firewall setups, this is a significant difference.
--Per Hedeland
p...@hedeland.org
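The behaviour Darren and Per describe (the forwarder discards the original packets, opens a brand-new TCP connection to the target, and relays only the byte stream) is easy to see with a small stand-in. The example below is added here and is not code from any poster, from OpenSSH or from Windows: a toy "RDP service" records the peer address of whoever connects and enforces the loopback-only policy Todd H. sketched; a toy "sshd -L" forwarder accepts a connection on its own port, dials the service on 127.0.0.1 (the equivalent of `-L<port>:127.0.0.1:<port>`) and copies bytes both ways. The payload is a constructed byte string, not real RDP; ports are chosen by the OS. The service sees 127.0.0.1 as the source, exactly as the thread concludes, while the same policy rejects a LAN address.

```python
import ipaddress
import socket
import threading

# Constructed stand-in for RDP traffic; it is not a real RDP PDU.
SAMPLE_PAYLOAD = b"hello-rdp-over-ssh"


def loopback_only(peer_ip: str) -> bool:
    """The firewall rule the thread wants: only loopback may reach the RDP port.
    Accepts both 127.0.0.1 and ::1, the addresses a local sshd forward uses."""
    return ipaddress.ip_address(peer_ip).is_loopback


def serve_target(listener: socket.socket, result: dict) -> None:
    """Stand-in for the RDP service: record who connected, apply the policy,
    and echo the bytes back so the client can confirm the relay worked."""
    conn, peer = listener.accept()
    with conn:
        result["peer_ip"] = peer[0]  # what a host firewall on the RDP box sees
        if not loopback_only(peer[0]):
            result["rejected"] = True
            return
        result["rejected"] = False
        conn.sendall(conn.recv(4096))


def relay(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then propagate the half-close.
    This is all an ssh channel carries: payload bytes, no IP headers."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def forwarder(listener: socket.socket, target_addr: tuple) -> None:
    """Stand-in for sshd handling a -L forward: accept the tunnelled client,
    open a NEW TCP connection to the target, and relay in both directions."""
    client, _ = listener.accept()
    upstream = socket.create_connection(target_addr)  # new connection, new source address
    threads = [
        threading.Thread(target=relay, args=(client, upstream)),
        threading.Thread(target=relay, args=(upstream, client)),
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    client.close()
    upstream.close()


def run_demo(payload: bytes = SAMPLE_PAYLOAD) -> dict:
    """Wire up service, forwarder and a client on loopback; return what the
    service observed and what the client got back."""
    target = socket.socket()
    target.bind(("127.0.0.1", 0))
    target.listen(1)
    target_addr = ("127.0.0.1", target.getsockname()[1])  # like -L<port>:127.0.0.1:3389

    fwd = socket.socket()
    fwd.bind(("127.0.0.1", 0))
    fwd.listen(1)
    fwd_addr = fwd.getsockname()

    result: dict = {}
    ts = threading.Thread(target=serve_target, args=(target, result))
    fs = threading.Thread(target=forwarder, args=(fwd, target_addr))
    ts.start()
    fs.start()

    # The remote user only ever talks to the forwarder's port, never to the target.
    with socket.create_connection(fwd_addr) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        echoed = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            echoed += chunk

    ts.join()
    fs.join()
    target.close()
    fwd.close()
    result["echoed"] = echoed
    return result


if __name__ == "__main__":
    print(run_demo())
    print("LAN source allowed?", loopback_only("192.168.1.20"))
```

Running it prints a result whose `peer_ip` is `127.0.0.1` even though the "user" connected to a different port: the service has no way to learn the original client's address, because that address was never carried across the relay. Per's caveat maps directly onto `target_addr`: dial the host's LAN IP there instead of 127.0.0.1 and the service (and any host firewall scoped to loopback) would see that LAN IP as the source, so the firewall rule and the `-L` target must be chosen together.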