Status of Bugzilla #1153
Darren Tucker
dtucker at zip.com.au
Wed Feb 22 09:41:52 EST 2006
Simon Vallet wrote:
> I *definitely* think I'm missing something now ;-) How on earth would you route
> every packet destined to the outside through the bastion without specifying
> that bastion in a default route (be it static or dynamic) ?
That's the point: in such a configuration you don't route any *packets*
to the outside at all. Connections get proxied at the TCP or
application level, e.g. via SOCKS, tcprelay, web proxy, mail gateway or
similar on the bastion host (which typically has IP forwarding disabled).
IP packets destined for addresses not in the internal network result in
an ICMP network-unreachable.
(Your two-hop X11-over-ssh scheme is an example of this kind of
application-level relay; it should be able to work in such an
environment but with your proposed change probably won't.)
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
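A small Python model of the configuration described above, added here as an illustration and not code from the thread or from OpenSSH: an internal host whose routing table (constructed) has no default route, so a connection to an outside address gets ENETUNREACH, and the only way out is an application-level relay, here a SOCKS5 CONNECT (RFC 1928) sent to a hypothetical bastion at 10.1.0.2:1080.

```python
import ipaddress
import struct

# Constructed routing table for an internal host: internal prefixes only,
# deliberately no default route (the "no route to the outside" configuration).
INTERNAL_ROUTES = {
    ipaddress.ip_network("10.0.0.0/8"): "10.1.0.1",
    ipaddress.ip_network("192.168.0.0/16"): "192.168.0.1",
}
BASTION = ("10.1.0.2", 1080)  # hypothetical bastion running a SOCKS5 relay
ENETUNREACH = 101             # Linux errno for "Network is unreachable"


def route_lookup(dst, routes=INTERNAL_ROUTES):
    """Longest-prefix match. An address outside every internal prefix matches
    nothing, which the kernel reports to the application as ENETUNREACH."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, gw) for net, gw in routes.items() if addr in net]
    if not matches:
        raise OSError(ENETUNREACH, "Network is unreachable")
    return max(matches)[1]


def socks5_connect_request(host, port):
    """RFC 1928 CONNECT request. IPv4 literals use ATYP 0x01; names use
    ATYP 0x03 so the bastion, not the internal host, resolves them."""
    try:
        dst = b"\x01" + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:
        name = host.encode("idna")
        dst = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + dst + struct.pack("!H", port)


def socks5_reply_status(data):
    """REP field of a SOCKS5 reply; 0x00 means the bastion made the connection."""
    if len(data) < 4 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    return data[1]


def plan_connection(host, port):
    """Decide how a connection leaves the internal host: direct if the
    destination is routable, otherwise as a SOCKS CONNECT via the bastion."""
    try:
        return ("direct", route_lookup(host), None)
    except (OSError, ValueError):
        return ("socks", BASTION, socks5_connect_request(host, port))
```

Because the bastion has IP forwarding disabled, the relay is the only path out, which is why a client-side change that assumes the peer is directly routable breaks in this environment.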