# PF and ssh problem is jails



## fred974 (Mar 26, 2014)

Hello all,

My current pf.conf is as described bellow:

```
ext_if="bge0"
IP_FREEBSD_HOST="192.168.0.xxx"
IP_WEB="192.168.0.xxx"

PORT_SSH="{22}"

pass in quick proto tcp from any to $IP_FREEBSD_HOST port $PORT_SSH
```
I addition to the rule above, my home router redirect port 22 to 192.168.0.xxx
This work fine to ssh to my FREEBSD_HOST main server. In order to access my jails i normally do 
`jexec 1 tcsh`, `jexec 2 tcsh` ect..

What I would like to achive now is the ability to ssh to each jails without to go through the FREEBSD_HOST.

I have only 1 external static IP and not sure how to achieve that. Do I have to set a different ssh port for each jail?

Thank you


----------



## SirDice (Mar 26, 2014)

fred974 said:
			
		

> I have only 1 external static IP and not sure how to achieve that. Do I have to set a different ssh port for each jail?


Yes, you only have one IP address and a port can only be redirected to one IP address.


----------



## fred974 (Mar 26, 2014)

Hi @SirDice

will this do?

```
ext_if="bge0"

#### SERVERS ####
IP_FREEBSD_HOST="192.168.0.198"
IP_WEB="192.168.0.115"
IP_SQL="192.168.0.120"
IP_MAIL="192.168.0.125"

SSH_HOSTS= "{" $IP_FREEBSD_HOST $IP_WEB $IP_SQL $IP_MAIL "}"
IP_SSH_ALLOWED="213.146.159.xxx,82.31.44.xxx,192.168.0.0/24"

# Allow ssh traffic from authorise hosts with synproxy handshaking
pass in quick proto tcp from $IP_SSH_ALLOWED to $SSH_HOSTS port $PORT_SSH flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)
```


----------



## SirDice (Mar 27, 2014)

That should allow access to all the jail's sshd(8). If you want to access them from outside your network you have to add additional port forwarding rules in your router. But because you can redirect port 22 only once you're going to have to use other ports to forward them to a jail's sshd(8). The sshd(8) on the jails can be kept on port 22 but the router will need to forward 2222 to jail1 port 22, 2223 to jail2 port 22, etc. The ports 2222 and 2223 are just examples, pick some ports you like.


----------



## fred974 (Mar 27, 2014)

Hi,

I managed to get ssh access to the jail on port 22 but not on a custom port.
Could you please confirm that all I need to do is add

```
Port 21913
```
 in my /etc/ssh/sshd_config file and restart


----------



## junovitch@ (Mar 28, 2014)

Changing each jail's SSH port would be confusing.  Leave each sshd_config as it is on port 22 and use that port while you are internal to your network.

To access it outside your network.  You'll need redirection rules with one unique port for each jail.

```
rdr pass on $ext_if proto tcp from any to any port 21913 -> 192.168.0.198 port 22
rdr pass on $ext_if proto tcp from any to any port 21914 -> 192.168.0.115 port 22
rdr pass on $ext_if proto tcp from any to any port 21915 -> 192.168.0.120 port 22
... continued ...
```


----------



## fred974 (Apr 4, 2014)

junovitch said:
			
		

> Changing each jail's SSH port would be confusing.  Leave each sshd_config as it is on port 22 and use that port while you are internal to your network.
> 
> To access it outside your network.  You'll need redirection rules with one unique port for each jail.
> 
> ...



Hi @junovitch

Sorry for the long reply.
So if I set the redirect rule like you said in Pf, do I need only one port forwarding on the router to redirect ssh to my IP_FREEBSD_HOST?


----------



## SirDice (Apr 4, 2014)

No, you don't need the redirects with PF. You need to create all the redirects on your router. They can be created in a similar fashion though, but they're not needed on the FreeBSD side because your jails are all bound to the 192.168.0.0/24 network.


----------



## fred974 (Apr 4, 2014)

SirDice said:
			
		

> No, you don't need the redirects with PF. You need to create all the redirects on your router. They can be created in a similar fashion though, but they're not needed on the FreeBSD side because your jails are all bound to the 192.168.0.0/24 network.



Thank you.

My router will not allow me to do that (same port different IP), I'll see if I can hack the router or simply have different port for each jails.


----------



## SirDice (Apr 4, 2014)

fred974 said:
			
		

> My router will not allow me to do that (same port different IP), I'll see if I can hack the router or simply have different port for each jails.


There's no need to hack anything. You can only forward your external port 22 once, to one other IP address and port combination. You can however create multiple redirects but they have to redirect different ports. So this is possible:

```
external -> internal
------------------------
 22       -> 192.168.0.1:22
 2222   -> 192.168.0.2:22
 2223   -> 192.168.0.3:22
 2224   -> 192.168.0.4:22
etc.
```

But maybe your router doesn't like that. Blame that on the crap firmware of your router because a normal NAT redirection shouldn't have a problem with it


----------



## fred974 (Apr 4, 2014)

SirDice said:
			
		

> But maybe your router doesn't like that. Blame that on the crap firmware of your router because a normal NAT redirection shouldn't have a problem with it



Yup, thank you virgin.. I'm about to change to a proper ISP.

Thank you guys


----------

