TCLUG Archive

Re: [TCLUG:8252] Port forwarding: ssh/ipchains



> 
> I've never tried to use ssh tunneling like port forwarding, but I can
> think of a few problems with it:
> 1. You need to have the ssh tunnel running at all time. This means you
> need ssh to start up without a password if you want it to start
> automatically. This is a security hole.
> 2. It's harder to add new ports. (You need to start new ssh tunnels)
> 3. There is more overhead since the data is being processed by ssh,
> encrypted and then resent. You could reduce the level of encryption, but
> it still would be slower than portforwarding.
> 4. Probably a few more reasons I don't know about.

Just to throw another idea into the pot, have you tried CIPE? Crypto IP
Encapsulation works pretty slick; it's basically a kernel patch with an
accompanying daemon that watches the interface and does the encryption.
It's pretty simple to set up; the only gotcha is key management -- the key
is kept in a text file, which is silly and bad ;). That's all I'll say
about it here, as it's rather involved; check it out on freshmeat.

This has of course not much to do with port forwarding, as CIPE doesn't do
that; it's a point-to-point link over ethernet, but everything to do with
encrypted IP, as it encrypts your packets and encloses them in UDP -- one
level lower than ssh, and therefore slightly better. 

Dan Debertin
katdan@mninter.net
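The quoted concern above (point 1: a tunnel that has to come up unattended needs a passphrase-less key) is usually answered with OpenSSH authorized_keys options that confine what such a key may do, so that a stolen tunnel key cannot open a shell or forward to arbitrary hosts. The script below is an added example and not part of this thread; it parses a constructed authorized_keys file and reports tunnel keys that lack those restrictions. The option names used (restrict, port-forwarding, permitopen, command, from, no-pty, no-port-forwarding) are real OpenSSH options; note that `restrict` only appeared in OpenSSH 7.2, long after this thread, and the key material and hostnames in the sample are constructed placeholders.

```python
"""Audit an OpenSSH authorized_keys file for automation (tunnel) keys that
are allowed more than a forwarding-only key needs.  The sample file and
all key material below are constructed for this example."""

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Constructed sample: a bare key, a key locked down with 'restrict', and a
# key locked down with the older no-* options.  Comment lines are skipped.
SAMPLE = """\
# constructed sample authorized_keys on the tunnel endpoint
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyOne tunnel@backup
restrict,port-forwarding,permitopen="127.0.0.1:5432",command="/bin/false" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyTwo tunnel@app
from="10.0.0.5,10.0.0.6",no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="db.internal:3306",command="/bin/sleep 2147483647" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleConstructedKeyThree mysql-tunnel
"""


def split_options(text):
    """Split the option list on commas that are outside double quotes
    (from="a,b" is a single option).  A backslash escapes a quote."""
    opts, cur, quoted, prev = [], "", False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch == "," and not quoted:
            opts.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    if cur:
        opts.append(cur)
    return opts


def parse_line(line):
    """Parse one authorized_keys line into options/type/key/comment.
    Returns None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        options_text, rest = "", line          # no options present
    else:
        # Options run up to the first whitespace that is not inside quotes
        # (command="/bin/sleep 5" contains a space).
        i, quoted = 0, False
        while i < len(line) and (quoted or not line[i].isspace()):
            if line[i] == '"' and (i == 0 or line[i - 1] != "\\"):
                quoted = not quoted
            i += 1
        options_text, rest = line[:i], line[i:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("not an authorized_keys entry: %r" % line)
    return {"options": split_options(options_text), "type": parts[0],
            "key": parts[1], "comment": parts[2] if len(parts) > 2 else ""}


def classify(entry):
    """Return a list of problems for a key meant only to carry a tunnel."""
    names = {o.split("=", 1)[0].strip() for o in entry["options"]}
    problems = []
    if "restrict" in names:
        # 'restrict' turns everything off; port-forwarding re-enables tunnels.
        forwarding = "port-forwarding" in names
    else:
        forwarding = "no-port-forwarding" not in names
    if forwarding and "permitopen" not in names:
        problems.append('any-destination forwarding (add permitopen="host:port")')
    if "command" not in names:
        problems.append('no forced command (add command="..." so the key gets no shell)')
    if "from" not in names:
        problems.append('no source restriction (add from="addr")')
    return problems


def audit(text):
    """Return (line number, comment, problems) for every key in the file."""
    report = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_line(raw)
        if entry is not None:
            report.append((lineno, entry["comment"], classify(entry)))
    return report


if __name__ == "__main__":
    for lineno, comment, problems in audit(SAMPLE):
        status = "OK" if not problems else "; ".join(problems)
        print("line %d (%s): %s" % (lineno, comment, status))
```

Run against a real file with `audit(open("/path/to/authorized_keys").read())`; the report is meant for the keys a tunnel client uses, since a key that legitimately needs a shell will of course be flagged for lacking a forced command.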