Ad-Hoc Firewall Penetration with OpenSSH

Posted: 2 Mar 2005

Ad-Hoc Firewall Penetration With OpenSSH

The motivation behind writing this tip was a recent problem with our Border Manager server. We have a unique knack for messing up our Novell products in new and exciting ways that challenge our Novell support engineers. Recently we upgraded one of our Border Manager servers to version 3.8, and it caused a wonderful bug in the packet filter configuration tool to appear. When our support engineer from Novell wanted to VNC into a computer inside our network in order to troubleshoot the problem, we set him up using VNC and SSH in the way described in this tip. He hadn't heard of it before, so I thought others might find it interesting and useful too.


Like many corporate networks, ours has a specific policy that defines network and firewall configurations, and describes what traffic is allowed through firewalls. Sometimes this policy restricts the ability of our network maintenance team from being able to quickly troubleshoot and repair systems. They are unable to connect to the appropriate systems using the appropriate tools, due to restrictive firewall policies. Getting the right connections would often require modification of existing firewall rules or reconfiguration of VPNs or NATted addresses.

We have a mixed environment of various versions of Windows on the desktop, and mostly NetWare and Linux, with some Windows and BSD on the servers. Among other things, we often use VNC as a remote control tool to access various boxes in our geographically dispersed network. This article discusses a method of connecting from a VNC client to a VNC server through a fairly restrictive firewall, without having to reconfigure the firewall to do so. Though it describes using VNC, the method is applicable to pretty much any tool that uses IP to communicate. It works equally well, for example, to allow an IMAP client inside the firewall to connect to an IMAP server outside without having to open IMAP protocol through the firewall.


To get your application to go through the firewall, this solution requires a box with OpenSSH (or presumably a commercial implementation of SSHD) be accessible through the firewall, on port 22, and that box with OpenSSH must be able to "see" the target service that you are trying to connect to. For example, suppose we have a VNC server that we want to connect to inside our firewall, and the client is outside the firewall. We have a packet filtering firewall such as Border Manager on the border between the public and private networks. To make this work, we need to have OpenSSH configured and running on the Border Manager server with packet filters configured to allow access to it, or we need a machine inside the firewall with OpenSSH, and a NATed address through Border Manager with packet filters to allow access to SSH. The SSH server runs on port 22 by default, by the way. This one filter for SSH is all we need to make any IP client-server connection work.

If you are using OpenSSH server running on a NetWare server, make sure you use the web administration tool to turn on "Allow TCP Forwarding" on the "Port Forwarding" page, or that you have added the line "AllowTcpForwarding yes" to the sshd_config file. Likewise, if you are using an OpenSSH server on Linux or BSD, you must have the line "AllowTcpForwarding yes" in the /etc/ssh/sshd_config file. "AllowTcpForwarding yes" is the default setting, at least in Novell Linux Desktop and SLES9 and SLES8.

Finally, don't forget to create an account for yourself on your SSH server so you can log in!


Assuming we have OpenSSH working and accessible from the outside of the firewall, we can use an SSH client to connect to the SSH server. We also tunnel the appropriate traffic through the SSH connection, so that we can use our tool. VNC runs on port 5900, so this example shows how to tunnel port 5900 through the SSH session.

Here's our network configuration:

VNC server:
SSH server's public NATed address:
Assuming we are using the OpenSSH command-line SSH client on Linux, first we connect to the SSH server like this:
ssh -L 5900: user@

The "-L 5900:" part of the command means "take any connections to port 5900 on my own IP address and forward them to port 5900 on" Once you enter the password for user, you get a nice shell. Then,

  1. Minimize the shell, but keep it running.
  2. Open your favorite VNC client.
  3. Connect it to localhost. You should get the password prompt for your VNC server, and then the VNC screen once you successfully log in.

Running on Windows

If you are running Windows on your desktop instead of Linux, you can use Putty instead of OpenSSH's SSH client. To forward ports this way in Putty,

  1. Start Putty.
  2. On the main tab, enter the IP address of the ssh server and choose the SSH protocol.
  3. Go to the SSH/Tunnels page of the configuration window.
  4. Enter 5900 in the Source Ports box and in the Destination box.
  5. Click Add.
  6. Click Open to log in to the SSH server.
  7. Proceed as above with your VNC client.

The trick to this method is that once you have tunneled your port through SSH, you connect your tool to "localhost" instead of the destination server.

Beyond this Example

Both Putty and OpenSSH's SSH command-line tool support multiple concurrent forwarded ports, so you can set up a pretty elaborate sort of personal ad-hoc VPN connection through your firewall with it. For example, I frequently use SSH to connect to a weblog server on one port, a Squid proxy server on a second port, a VNC session on a third port, and an IMAP server on a fourth port, using a single SSH session to penetrate the firewall.

Informacja z serwisu