[oclug] ssh port forwarding question
Strosberg, Bill
bill.strosberg at rcpsc.edu
Fri Apr 27 07:53:02 EDT 2001
All:
I've been playing with ssh port forwarding since David's great presentation
a couple of months ago. Like most, I've historically used ssh basically as
a drop in telnet/rsh/rcp replacement, and have found it indispensable. Now
that I've been making ssh do party tricks, I want to try to fix a problem
that's been troubling me.
I've got a question for David (or anyone else who could answer). Can I use
ssh port forwarding in the following situation:
Workstation (at work)------WWW Browser
          |
          |
Work Site Firewall/Router (Checkpoint FW1, VPN1)
          |
          |
Internet
          |
          |
Home Firewall/Router (Linux, ssh server)
          |
          |
Home Network
In normal circumstances, web browsing on my workstation at work routes
through the firewall and out to the web. All web sites visited using the
work network are audited and logged. This is fine and expected, and
perfectly within the rights of the organization.
There are some times however, that I wish to be able to view a web site
without it being logged and audited. I'm a contractor, and do work for more
than one organization, and some of the work involves remote administration
via the web. To date, I usually ssh to my home network and browse out via
lynx, but lynx isn't compatible with the graphical nonsense many web
applications rely on for navigation.
I'd like to be able to set up ssh port forwarding to allow me to use the
browser on my workstation at work, to browse with my Internet connection at
home through an ssh tunnel.
In thinking the situation through (albeit somewhat foggy), I can not
completely see how I can make this work.
Here are the problems as I see them:
1) I can not predict the random.high port used by the workstation
browser to originate the socket to the remote web site.
(random.high:localhost:80 remote.webserver)
2) If I can't know what port is used locally to originate the http
request, I can not create a tunnel forwarding that port to my "Home
Firewall".
If I was using ssh to connect to a web server that was running ssh, I can
see that working instantly (and have done so already).
My understanding of the http communications is as follows:
browser.IP                                        website.IP
-------------------------------------------------
RANDOM="23305" #(for example)
source    dest                          source    dest
                    http request
$RANDOM   80    ------------>
                    http response
                <------------           80        $RANDOM
Here's my question .... drum roll please ....:
Can I make ssh do what I want? If so, I do not want a solution posted,
rather I want to know it is possible and I'll figure it out myself. Once I
reach a solution, if possible I'll post my findings.
--
Bill Strosberg
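An added example, not part of the original post, that makes the point behind problems 1 and 2 and the request/response table concrete with plain sockets, without touching ssh at all. It models the three parties on the loopback interface: a browser that connects from an ephemeral port, a forwarder listening on a port the browser is pointed at, and a stand-in for the remote web site. The forwarder never predicts the browser's source port; it learns it from accept(), and the web site only ever sees the forwarder's own outbound port. All ports are kernel-chosen (bind to port 0) so the demo runs anywhere; a real forwarding endpoint would listen on a fixed, advertised port. The HTTP exchange and host name are constructed.

```python
import socket
import threading


def _listen_loopback() -> socket.socket:
    """Listener on 127.0.0.1 with a kernel-chosen port (0) so the demo runs
    anywhere; a real forwarder would use a fixed, known port instead."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def _fake_web_server(srv: socket.socket, result: dict) -> None:
    # Constructed stand-in for the remote web site.  It never sees the
    # browser at all: the only source port it observes belongs to whoever
    # opened the upstream connection (here, the forwarder).
    conn, (_, peer_port) = srv.accept()
    with conn, srv:
        conn.recv(4096)  # consume the request; content does not matter here
        body = f"peer-port={peer_port}"
        conn.sendall(
            f"HTTP/1.0 200 OK\r\nContent-Length: {len(body)}\r\n\r\n{body}".encode()
        )
    result["server_saw_port"] = peer_port


def _forwarder(fwd: socket.socket, target: tuple, result: dict) -> None:
    # The browser's ephemeral port is learned at accept() time, not
    # predicted in advance; the forwarder only needs its own fixed port.
    conn, (_, browser_port) = fwd.accept()
    result["forwarder_saw_port"] = browser_port
    with conn, fwd, socket.create_connection(target) as upstream:
        # The second hop gets a fresh ephemeral port of its own.
        result["forwarder_own_port"] = upstream.getsockname()[1]
        upstream.sendall(conn.recv(4096))  # relay the request
        while True:  # relay the response until the web site closes
            chunk = upstream.recv(4096)
            if not chunk:
                break
            conn.sendall(chunk)


def _browser(target: tuple, result: dict) -> None:
    # The browser is configured to talk to the forwarder's fixed address;
    # the kernel picks its source port when connect() is called.
    with socket.create_connection(target) as c:
        result["browser_port"] = c.getsockname()[1]
        c.sendall(b"GET / HTTP/1.0\r\nHost: example.invalid\r\n\r\n")
        data = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            data += chunk
    result["response"] = data.decode()


def run_demo() -> dict:
    """Run browser -> forwarder -> web site on loopback and report which
    source port each hop observed."""
    result: dict = {}
    srv = _listen_loopback()
    fwd = _listen_loopback()
    t_srv = threading.Thread(target=_fake_web_server, args=(srv, result))
    t_fwd = threading.Thread(target=_forwarder, args=(fwd, srv.getsockname(), result))
    t_srv.start()
    t_fwd.start()
    _browser(fwd.getsockname(), result)
    t_srv.join()
    t_fwd.join()
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The table in the post has the right shape; what it leaves implicit is that $RANDOM is only meaningful to the two ends of one TCP hop. A forwarding endpoint sits in the middle of two hops, so each hop carries its own ephemeral port and neither has to be known before the connection arrives. From the auditing side described in the post, the same property means a connection log on the work network records only the first hop's destination, which is why tunnel endpoints show up as a small number of long-lived sessions rather than as the sites actually visited.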