Posted: 2 Mar 2005
Ad-Hoc Firewall Penetration With OpenSSH
The motivation behind writing this tip was a recent problem with our Border
Manager server. We have a unique knack for messing up our Novell products in new
and exciting ways that challenge our Novell support engineers. Recently we
upgraded one of our Border Manager servers to version 3.8, and it caused a
wonderful bug in the packet filter configuration tool to appear. When our
support engineer from Novell wanted to VNC into a computer inside our network in
order to troubleshoot the problem, we set him up using VNC and SSH in the way
described in this tip. He hadn't heard of it before, so I thought others might
find it interesting and useful too.
Like many corporate networks, ours has a specific policy that defines network
and firewall configurations, and describes what traffic is allowed through
firewalls. Sometimes this policy restricts the ability of our network
maintenance team from being able to quickly troubleshoot and repair systems.
They are unable to connect to the appropriate systems using the appropriate
tools, due to restrictive firewall policies. Getting the right connections would
often require modification of existing firewall rules or reconfiguration of VPNs
or NATted addresses.
We have a mixed environment of various versions of Windows on the desktop,
and mostly NetWare and Linux, with some Windows and BSD on the servers. Among
other things, we often use VNC as a remote control tool to access various boxes
in our geographically dispersed network. This article discusses a method of
connecting from a VNC client to a VNC server through a fairly restrictive
firewall, without having to reconfigure the firewall to do so. Though it
describes using VNC, the method is applicable to pretty much any tool that uses
IP to communicate. It works equally well, for example, to allow an IMAP client
inside the firewall to connect to an IMAP server outside without having to open
IMAP protocol through the firewall.
To get your application through the firewall, this solution requires that a
box running OpenSSH (or presumably a commercial SSHD implementation) be
reachable through the firewall on port 22, and that this box be able to "see"
the target service you are trying to connect to. For example,
suppose we have a VNC server that we want to connect to inside our firewall, and
the client is outside the firewall. We have a packet filtering firewall such as
Border Manager on the border between the public and private networks. To make
this work, we need to have OpenSSH configured and running on the Border Manager
server with packet filters configured to allow access to it, or we need a
machine inside the firewall with OpenSSH, and a NATed address through Border
Manager with packet filters to allow access to SSH. The SSH server runs on port
22 by default, by the way. This one filter for SSH is all we need to make any IP
client-server connection work.
If you are using OpenSSH server running on a NetWare server, make sure you
use the web administration tool to turn on "Allow TCP Forwarding" on the "Port
Forwarding" page, or that you have added the line "AllowTcpForwarding yes" to
the sshd_config file. Likewise, if you are using an OpenSSH server on Linux or
BSD, you must have the line "AllowTcpForwarding yes" in the /etc/ssh/sshd_config
file. "AllowTcpForwarding yes" is the default setting, at least in Novell Linux
Desktop and SLES9 and SLES8.
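As an added check, not part of the original tip: a small POSIX shell function that reports the effective AllowTcpForwarding value from an sshd_config file, so you can confirm the setting before relying on it (and, from the server side, audit whether every account on the box is allowed to forward through it). It assumes sshd's standard keyword parsing, which I am confident of: the first occurrence of a keyword wins, comment lines are ignored, keywords are case-insensitive, and the compiled-in default is "yes". It stops at the first Match block, since keywords inside one apply only to matching connections. The "Keyword=value" spelling that sshd also accepts is not handled. The sample configs mentioned in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the tip): print the effective AllowTcpForwarding
# value for an sshd_config, defaulting to /etc/ssh/sshd_config.
# Assumptions: standard "Keyword value" syntax, first occurrence wins,
# comment lines ignored, keywords case-insensitive, default "yes".
# Lines after the first "Match" are conditional and are not considered.
effective_tcp_forwarding() {
    cfg="${1:-/etc/ssh/sshd_config}"
    value=$(awk '
        /^[ \t]*#/ { next }                     # comment line
        tolower($1) == "match" { exit }         # conditional section starts here
        tolower($1) == "allowtcpforwarding" {   # first occurrence wins, as in sshd
            print tolower($2); exit
        }
    ' "$cfg")
    if [ -n "$value" ]; then
        echo "$value"
    else
        echo "yes"                              # keyword absent: compiled-in default
    fi
}

# Example (constructed): a config containing "AllowTcpForwarding no" prints "no";
# one where the keyword is only commented out prints "yes".
```

On OpenSSH releases newer than the ones in this tip, "sshd -T" prints the effective configuration directly and is the authoritative check; the function is useful where that option is unavailable or you only have a copy of the file.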
Finally, don't forget to create an account for yourself on your SSH server so
you can log in!
Assuming we have OpenSSH working and accessible from the outside of the
firewall, we can use an SSH client to connect to the SSH server. We also tunnel
the appropriate traffic through the SSH connection, so that we can use our tool.
VNC runs on port 5900, so this example shows how to tunnel port 5900 through the
Here's our network configuration:
VNC server: 192.168.1.10
SSH server's public NATed address: 10.20.30.40
Assuming we are using the OpenSSH command-line SSH client on Linux, first we
connect to the SSH server:
ssh -L 5900:192.168.1.10:5900 user@10.20.30.40
The "-L 5900:192.168.1.10:5900" part of the command means "take any
connections to port 5900 on my own IP address and forward them to port 5900 on
192.168.1.10." Once you enter the password for user, you get a nice shell.
- Minimize the shell, but keep it running.
- Open your favorite VNC client.
- Connect it to localhost. You should get the password prompt for your VNC
server, and then the VNC screen once you successfully log in.
Running on Windows
If you are running Windows on your desktop instead of Linux, you can use
PuTTY instead of OpenSSH's SSH client. To forward ports this way in PuTTY:
- Start PuTTY.
- On the main tab, enter the IP address of the ssh server and choose the SSH
- Go to the SSH/Tunnels page of the configuration window.
- Enter 5900 in the Source Ports box and 192.168.1.10:5900 in the
- Click Add.
- Click Open to log in to the SSH server.
- Proceed as above with your VNC client.
The trick to this method is that once you have tunneled your port through
SSH, you connect your tool to "localhost" instead of the destination server.
Beyond this Example
Both PuTTY and OpenSSH's SSH command-line tool support multiple concurrent
forwarded ports, so you can set up a pretty elaborate sort of personal ad-hoc
VPN connection through your firewall with it. For example, I frequently use SSH
to connect to a weblog server on one port, a Squid proxy server on a second
port, a VNC session on a third port, and an IMAP server on a fourth port, using
a single SSH session to penetrate the firewall.
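Added example, not from the original tip: a POSIX shell wrapper that validates several LOCALPORT:HOST:PORT forward specs and assembles the single ssh command line the paragraph describes, one -L per service. It adds -N so the session carries only the tunnels with no remote shell, and binds each listening port to 127.0.0.1 explicitly so that other machines on your LAN cannot ride through your tunnel. The host names in the commented usage line are constructed placeholders; the only addresses taken from the tip are 192.168.1.10 and 10.20.30.40. Bracketed IPv6 hosts are not handled.

```shell
#!/bin/sh
# Added example (not from the tip): build one ssh command carrying several
# local port forwards. Each spec is LOCALPORT:REMOTEHOST:REMOTEPORT, the same
# form the -L option takes.

# Validate one forward spec; return 1 (with a reason on stderr) if malformed.
check_forward() {
    spec="$1"
    case "$spec" in
        *:*:*) ;;
        *) echo "bad spec '$spec': want LOCALPORT:HOST:PORT" >&2; return 1 ;;
    esac
    lport=${spec%%:*}        # text before the first colon
    rest=${spec#*:}
    rhost=${rest%:*}         # middle part
    rport=${rest##*:}        # text after the last colon
    for p in "$lport" "$rport"; do
        case "$p" in
            ''|*[!0-9]*) echo "bad port '$p' in '$spec'" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port $p out of range" >&2; return 1; }
    done
    [ -n "$rhost" ] || { echo "empty host in '$spec'" >&2; return 1; }
    return 0
}

# Print the ssh command line for DEST (user@host) followed by forward specs.
# -N: no remote shell; the session exists only to carry the tunnels.
# 127.0.0.1: the listening side accepts connections from this machine only.
build_tunnel_cmd() {
    dest="$1"; shift
    cmd="ssh -N"
    for spec in "$@"; do
        check_forward "$spec" || return 1
        cmd="$cmd -L 127.0.0.1:$spec"
    done
    echo "$cmd $dest"
}

# Usage (host names other than 192.168.1.10 are constructed placeholders):
# build_tunnel_cmd user@10.20.30.40 8080:weblog.example.internal:80 \
#     3128:proxy.example.internal:3128 5900:192.168.1.10:5900 \
#     1143:mail.example.internal:143
# Then point each client at 127.0.0.1 and the matching local port.
```

Run the printed command (or pass it to eval) and keep that one session open; each client then connects to localhost on its local port exactly as in the VNC example above.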