[sslh] Using sslh transparent proxy on FreeBSD?

Matthias Fechner idefix at fechner.net
Thu Apr 14 14:53:00 UTC 2016


Am 14.04.2016 um 12:42 schrieb Matt Smith:
> On Apr 14 11:36, Matt Smith wrote:
>> My setup is that I have nginx listening on port 444, and sslh
>> forwarding to port 444 for tls/ssl. My ipfw rules are as follows:
>>
>> ipfw add 00020 fwd 10.0.0.10,4444 tcp from 'table(2)' to 10.0.0.10 443
>> in via re0
>> ipfw add 00021 fwd 10.0.0.10,4444 tcp from 10.0.0.10 422,444 to
>> 'table(2)' out via re0
>
> I should also mention that sslh is listening on port 4444 and openssh is
> listening on port 422. Just to make the above ruleset a lot clearer.

Mat, thanks for your answers.
I have it running now with ipfw; I posted my config, hopefully it will
help someone else.

For /usr/local/etc/sslh.conf I have now:
# This is a basic configuration file that should provide
# sensible values for "standard" setup.

verbose: false;
foreground: false;
inetd: false;
numeric: false;
transparent: true;
timeout: 2;
user: "root";
pidfile: "/var/run/sslh.pid";


# Change hostname with your external address name.
listen:
(
     { host: "192.168.0.251"; port: "443"; },
     { host: "192.168.1.2"; port: "443"; },
     { host: "192.168.200.6"; port: "443"; }
);

protocols:
(
      { name: "ssh"; service: "ssh"; host: "192.168.200.6"; port: "22"; 
probe: "builtin"; },
      { name: "openvpn"; host: "192.168.200.6"; port: "1194"; probe: 
"builtin"; },
      { name: "xmpp"; host: "192.168.200.6"; port: "5222"; probe: 
"builtin"; },
      { name: "http"; host: "192.168.200.6"; port: "80"; probe: 
"builtin"; },
      { name: "ssl"; host: "192.168.200.6"; port: "8443"; probe: 
"builtin"; },
      { name: "anyprot"; host: "192.168.200.6"; port: "8443"; probe: 
"builtin"; }
);

All services listen on the standard ports, except apache.
As port 443 (https) is already occupied by sslh, I bound apache to port
8443 and localhost:443 (required for monitoring setup).

I added the following rules for ipfw:
# ssl
ipfw add 20000 fwd 192.168.0.251,443 log tcp from 192.168.0.251 8443 to any out
ipfw add 20001 fwd 192.168.200.6,443 log tcp from 192.168.200.6 8443 to any out

# ssh
ipfw add 20002 fwd 192.168.200.6,443 log tcp from 192.168.200.6 22 to any out

I have not configured the other protocols, as I currently need https and
ssh. But the lines should be the same.

I will check next if I can port it completely to pf, as my complete
setup is based on pf and I now use ipfw only for transparent proxy
support for sslh.

Thanks
Matthias

-- 

"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook
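The return-path rules above follow one pattern: in transparent mode sslh connects to the backend with the real client's address as source, so the backend's replies would leave the box directly from its own port (8443, 22, ...) unless ipfw steers them back into sslh's listening socket. Each protocol target in sslh.conf therefore needs a matching "fwd ... from <backend host> <backend port> to any out" rule, and Matthias notes he only added them for https and ssh. The script below is an added example, not part of the post or of the sslh project: it parses the posted listen/protocols blocks (a small regex parser for just that libconfig subset, not a full libconfig parser), reports which backends have no return-path rule yet, and generates the missing rules in the same form as the posted ones. The rule numbering, the choice to pair each backend with the sslh listen address on the same host (falling back to the first listen entry), and the embedded config and rule samples are constructed for this example.

```python
"""Check and generate ipfw return-path 'fwd' rules for an sslh transparent proxy.

Added example (not from the mailing-list post or the sslh project).
Assumes the libconfig-style layout of the posted sslh.conf:
    listen:    ( { host: "..."; port: "..."; }, ... );
    protocols: ( { name: "..."; host: "..."; port: "..."; ... }, ... );
"""
import re

# Constructed sample: the listen/protocols blocks copied from the posted config.
SAMPLE_CONF = """
listen:
(
     { host: "192.168.0.251"; port: "443"; },
     { host: "192.168.1.2"; port: "443"; },
     { host: "192.168.200.6"; port: "443"; }
);

protocols:
(
      { name: "ssh"; service: "ssh"; host: "192.168.200.6"; port: "22"; probe: "builtin"; },
      { name: "openvpn"; host: "192.168.200.6"; port: "1194"; probe: "builtin"; },
      { name: "xmpp"; host: "192.168.200.6"; port: "5222"; probe: "builtin"; },
      { name: "http"; host: "192.168.200.6"; port: "80"; probe: "builtin"; },
      { name: "ssl"; host: "192.168.200.6"; port: "8443"; probe: "builtin"; },
      { name: "anyprot"; host: "192.168.200.6"; port: "8443"; probe: "builtin"; }
);
"""

# Constructed sample: the three return-path rules the post added.
POSTED_RULES = """
ipfw add 20000 fwd 192.168.0.251,443 log tcp from 192.168.0.251 8443 to any out
ipfw add 20001 fwd 192.168.200.6,443 log tcp from 192.168.200.6 8443 to any out
ipfw add 20002 fwd 192.168.200.6,443 log tcp from 192.168.200.6 22 to any out
"""

BLOCK_RE = re.compile(r"(\w+)\s*:\s*\((.*?)\);", re.S)   # name: ( ... );
ENTRY_RE = re.compile(r"\{([^}]*)\}")                     # one { ... } entry
KV_RE = re.compile(r'(\w+)\s*:\s*"([^"]*)"\s*;')          # key: "value";
# Extracts (backend host, backend port) from a posted-style return-path rule.
FWD_RE = re.compile(
    r"\bfwd\s+\S+\s+(?:log\s+)?tcp\s+from\s+(\S+)\s+(\d+)\s+to\s+any\s+out\b"
)


def parse_blocks(conf_text):
    """Return {block_name: [entry_dict, ...]} for each 'name: ( {..}, .. );' block."""
    blocks = {}
    for name, body in BLOCK_RE.findall(conf_text):
        blocks[name] = [dict(KV_RE.findall(e)) for e in ENTRY_RE.findall(body)]
    return blocks


def backends(conf_text):
    """Distinct (host, port) targets of the protocols block, in file order.
    'ssl' and 'anyprot' share 8443 in the sample, so they yield one backend."""
    seen, targets = set(), []
    for proto in parse_blocks(conf_text).get("protocols", []):
        target = (proto["host"], proto["port"])
        if target not in seen:
            seen.add(target)
            targets.append(target)
    return targets


def uncovered_backends(conf_text, ipfw_rules_text):
    """Backends whose replies no 'fwd ... from <host> <port> to any out' rule catches."""
    covered = set(FWD_RE.findall(ipfw_rules_text))
    return [b for b in backends(conf_text) if b not in covered]


def return_path_rules(conf_text, first_rule=20000):
    """One ipfw rule per backend, steering its replies back to sslh's listener.
    Assumption: pair the backend with the sslh listen entry on the same host,
    else with the first listen entry."""
    listens = parse_blocks(conf_text).get("listen", [])
    if not listens:
        raise ValueError("sslh.conf has no listen block")
    rules = []
    for n, (host, port) in enumerate(backends(conf_text), start=first_rule):
        lsn = next((l for l in listens if l["host"] == host), listens[0])
        rules.append("ipfw add %d fwd %s,%s log tcp from %s %s to any out"
                     % (n, lsn["host"], lsn["port"], host, port))
    return rules


if __name__ == "__main__":
    for host, port in uncovered_backends(SAMPLE_CONF, POSTED_RULES):
        print("no return-path rule for backend %s:%s" % (host, port))
    print("\n".join(return_path_rules(SAMPLE_CONF)))
```

Run against the posted config and rules, the check lists the openvpn (1194), xmpp (5222) and http (80) backends as uncovered, which is exactly the gap the post describes; the generator then prints a rule for every backend so the set can be compared with what is actually loaded.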