I wanted to give http access to my VoIP phone to users on remote LAN ...

    MyPhone --- MyFirewall ===== internet ====== RemoteFirewall --- LAN
                 \___________________________________________/
                                    tunnel

I run this as noro@MyFirewall:

    ssh -R RemoteFirewallLanIP:12345:MyPhone:80 RemoteFirewall

Now I check what happened on RemoteFirewall:

    netstat -ln | grep 12345

and received this output:

    tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
                        ^^^^^^^^^^

but expected this:

    tcp        0 RemoteFirewallLanIP:12345      0.0.0.0:*               LISTEN
                 ^^^^^^^^^^

i.e. it looks like I ran the command:

    ssh -R \*:12345:MyPhone:80 RemoteFirewall

which is a bug.

Notes:
- on both ends the kernel is 2.6.16-gentoo-r6 and openssh is 4.3_p2-r1
- if I allow input to port 12345 on the public interface on the remote firewall, it's really possible to connect to the phone !!!
- if the GatewayPorts option is disabled (default), the port binds only to localhost, which is correct
*** This bug has been marked as a duplicate of 133112 ***
Hi Jacub, please read it again, as I did the RTFM too :-)

The problem is exactly in these words:

<snip>
... `clientspecified'' to allow the client to select the address to which the forwarding is bound
</snip>

If I understand it correctly, it is possible to bind to one interface ONLY. But as I experienced, the specified IP doesn't matter; it ALWAYS binds to ALL available interfaces.
(In reply to comment #3)

Erm, you didn't say a single word about 'clientspecified'; the only time you've remotely mentioned GatewayPorts is when you said that it binds to localhost when disabled. We can't guess really, kindly reopen with relevant configuration snip.
(In reply to comment #0)
> I wanted to give http access to my VoIP phone to users on remote LAN ...
>
>     MyPhone --- MyFirewall ===== internet ====== RemoteFirewall --- LAN
>                  \___________________________________________/
>                                     tunnel
>
> I run this as noro@MyFirewall:
>
>     ssh -R RemoteFirewallLanIP:12345:MyPhone:80 RemoteFirewall
>
> Now I check what happened on RemoteFirewall:
>
>     netstat -ln | grep 12345
>
> and received this output:
>
>     tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
>                         ^^^^^^^^^^
>
> but expected this:
>
>     tcp        0 RemoteFirewallLanIP:12345      0.0.0.0:*               LISTEN
>                  ^^^^^^^^^^
>
> i.e. it looks like I ran the command:
>
>     ssh -R \*:12345:MyPhone:80 RemoteFirewall
>
> which is a bug.
>
> Notes:
> - on both ends the kernel is 2.6.16-gentoo-r6 and openssh is 4.3_p2-r1
> - if I allow input to port 12345 on the public interface on the remote firewall, it's
>   really possible to connect to the phone !!!
> - if the GatewayPorts option is disabled (default), the port binds only to localhost,
>   which is correct

(In reply to comment #4)
> (In reply to comment #3)
>
> Erm, you didn't say a single word about 'clientspecified'; the only time you've
> remotely mentioned GatewayPorts is when you said that it binds to localhost
> when disabled. We can't guess really, kindly reopen with relevant configuration
> snip.

I don't like to flame ('koz I know my English is not perfect), but ...
I pasted the remote netstat output after issuing the local command, from which it is IMO clear that I specified the remote address to which I wish to bind. At least I wrote the expected/correct answer too ...
May I ask why you are repasting the stuff here? Attach your sshd_config. I've already tried to explain twice that the thing will bind to * when 'GatewayPorts yes' is set.
(In reply to comment #6)
> May I ask why you are repasting the stuff here?

Sorry, I do not have too much experience with this web, and do not know how it happened. (I would appreciate a preview button before I send it and/or edit.)

> Attach your sshd_config.

The only change in sshd_config is this:

    GatewayPorts yes

> I've already tried to explain twice that the thing will bind to *
> when 'GatewayPorts yes' is set.

I tried to explain, I do NOT use an asterisk in the bind address field (I put the local interface's IP), but it behaves like I use it (i.e. it IGNORES the specified address).
(In reply to comment #7)
> The only change in sshd_config is this:
>
>     GatewayPorts yes

So, it binds to *every* interface available, exactly as stated in the manpage.

> > I've already tried to explain twice that the thing will bind to *
> > when 'GatewayPorts yes' is set.
>
> I tried to explain, I do NOT use an asterisk in the bind address field
> (I put the local interface's IP), but it behaves like I use it
> (i.e. it IGNORES the specified address).

Kindly read above and re-read the manpage a couple of times. INVALID, closing.
Repasting here from the other bug, you've reopened the duplicate one instead.

<snip>
The argument may be ``no'' to force remote port forwardings to be available to the local host only, ``yes'' to force remote port forwardings to bind to the wildcard address, or ``clientspecified'' to allow the client to select the address to which the forwarding is bound. The default is ``no''.
</snip>
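The three GatewayPorts values quoted above decide where sshd binds a `-R` listener regardless of what the client asks for, which is what the reporter ran into with `GatewayPorts yes`. The following is an added example, not OpenSSH code: a small model of the documented policy plus a checker over `netstat -ln` output (sample constructed here) that flags a forwarded port listening on a non-loopback address.

```python
"""Model of sshd_config GatewayPorts handling for `ssh -R [bind_address:]port:host:hostport`
and a checker for `netstat -ln` output. Constructed example, not OpenSSH's implementation."""
import re

LOOPBACK = "127.0.0.1"
WILDCARD = "0.0.0.0"


def resolve_bind_address(gateway_ports: str, requested: str) -> str:
    """Address sshd listens on, per the sshd_config(5) text quoted in the thread:
    no -> loopback only (default); yes -> wildcard, whatever the client asked for;
    clientspecified -> the client's bind_address ("" or "*" meaning wildcard)."""
    policy = gateway_ports.strip().lower()
    if policy == "no":
        return LOOPBACK
    if policy == "yes":
        return WILDCARD          # the reporter's case: the requested LAN IP is ignored
    if policy == "clientspecified":
        if requested in ("", "*"):
            return WILDCARD
        if requested == "localhost":
            return LOOPBACK
        return requested
    raise ValueError(f"unknown GatewayPorts value: {gateway_ports!r}")


# Matches one `netstat -ln` line: proto, queues, local addr:port, foreign, state.
NETSTAT_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")


def exposed_forwards(netstat_output: str, port: int) -> list[str]:
    """Return non-loopback local addresses on which `port` is listening,
    i.e. what `netstat -ln | grep 12345` revealed in the bug report."""
    found = []
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if not m or int(m.group(2)) != port:
            continue
        addr = m.group(1)
        if addr not in (LOOPBACK, "::1"):
            found.append(addr)
    return found


# Constructed sample resembling the output quoted in the report.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""
```

With `GatewayPorts clientspecified` the model returns the LAN IP the reporter asked for; with `yes` it returns the wildcard, matching the netstat line in comment #0.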
*** Bug 133112 has been marked as a duplicate of this bug. ***