Martin Gregorie wrote:
> On Tue, 27 Oct 2020 16:25:47 +0000, Scott Alfter wrote:
>
> > In article ,
> > Martin Gregorie wrote:
> >>So, why use the reverse SSH setup rather than running sshd behind a
> >>firewall on the RPi with the firewall configured to only accept
> >>connections from your other systems?
> >
> > It sounded like he had things set up like that because the system in
> > question is behind a firewall that he doesn't control. I didn't know
> > ssh could be used in that way...clever. I don't have anything
> > positioned where such a trick would be useful (I have control of
> > firewall settings at home and at work, so I just forward an external
> > port to port 22 on the device and call it good), but when you need it,
> > you *need* it.
> >
> I meant a local firewall on the RPi - the fact that he can make the
> connection at all means, I think, that any sitewide firewall between him
> and the RPi must understand references to machines behind it in order to
> pass incoming ssh connection requests to the appropriate machine on the
> remote LAN.
>
Using an ssh reverse tunnel will get one through just about *any*
firewall. All the firewall/routers can see is ssh traffic going the
'normal way' from the client behind the firewall to wherever the
server is.
> So, I'm still curious because regardless of whether the RPi is doing the
> 'ssh -R' trick or running an sshd server, it's still only advertising an
> open ssh port (22) and the system running Anydesk still has to know the
> IP of the RPi or access it via some sort of address translation mechanism
> which hasn't been described so far.
>
It's advertising an sshd server port but that port is 'exported' via
the reverse tunnel which is created by an ssh *client* running on the
same system. So when a remote client is trying to connect it doesn't
need to know anything about the RPi system at all, only a port number
on 'localhost' of the system where it is.
--
Chris Green
--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | FidoUsenet Gateway (3:770/3)
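
Whether the port exported by `ssh -R` is reachable only on 'localhost' of the relay, as the reply above describes, is decided by the relay's sshd_config; this check reads those options from a config text. It is an added example, not part of the original thread: the function names, the sample configs and port 2222 are constructed, and it assumes OpenSSH's documented defaults and does not evaluate Match blocks.

```python
# OpenSSH defaults for the sshd_config options that govern `ssh -R` listeners.
DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no", "permitlisten": "any"}


def effective_settings(config_text):
    """Global values of the forwarding options; sshd keeps the first value it sees."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.replace("=", " ", 1).split(None, 1)
        if not parts:
            continue  # blank line or comment
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # assumption: conditional Match blocks are not evaluated here
        if keyword in DEFAULTS and keyword not in seen and len(parts) == 2:
            seen[keyword] = parts[1].strip()
    return {**DEFAULTS, **seen}


def reverse_forward_exposure(config_text):
    """Return (scope, permit_listen) for ports a client opens with `ssh -R`."""
    s = effective_settings(config_text)
    if s["allowtcpforwarding"].lower() in ("no", "local"):
        return ("blocked", [])  # remote forwarding is refused outright
    scope = {
        "no": "loopback",                    # listener on localhost only
        "clientspecified": "client-chosen",  # client may request any address
        "yes": "all-interfaces",             # listener forced onto the wildcard address
    }.get(s["gatewayports"].lower(), "unknown")
    return (scope, s["permitlisten"].split())


# Constructed sample configs for the relay (the host the RPi connects out to).
STOCK = ""
HARDENED = """
AllowTcpForwarding remote   # reverse forwards only
GatewayPorts no
PermitListen 127.0.0.1:2222 # 2222 is a made-up port
"""
EXPOSED = "GatewayPorts yes\nGatewayPorts no\n"

if __name__ == "__main__":
    for name, cfg in [("stock", STOCK), ("hardened", HARDENED), ("exposed", EXPOSED)]:
        print(name, reverse_forward_exposure(cfg))
```

On a live relay, `sshd -T` prints the effective configuration and is the authoritative source for these three values.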