AFP548 Changing the world one server at a time.

The Light at the End of the SSH Tunnel

Stuck behind a draconian firewall and you need access to your Mac OS X Server? Read on to find out about the only tunnel on your Mac where you are not likely to be eaten by a grue...

(Updated 8/16/2004, 2:03 PM EST)

The Problem

As some of you might know, I have been contracted (pimped?) out to a Fortune 50 company for a few months. Understandably, the network here is locked down pretty tight. I can fetch IMAP mail from my Mac OS X Servers, but I can't send via SMTP to them, and I can't access our Filemaker Pro databases either. I can, and was, using WebMail on our server, but I would rather just use regular old Apple Mail, where I keep local caches of things like the Mac OS X Server mailing list. Otherwise I have to copy all those messages to my local folders when I get home. It isn't a hard task, but it is something extra to do.

At first I tried to connect to our VPN server, but both L2TP and PPTP are blocked as well. Enter the ssh tunnel...

Digging a hole to China

Since I have ssh access to my servers, I can use that access to reach the services I need on the outside of the firewall. As an added benefit, any traffic that I pass through my tunnel is encrypted as well. Think of it as a poor man's VPN. Here's how it works:

Using my ssh access to a server outside the firewall, I can set up a tunnel that directs a local TCP port to a host and port on the other end. If the service runs on a privileged port like 25, we can direct a high-numbered local port to emerge as the privileged port on the other end. In this example we are going to turn local 1025 into 25 on the other end, as well as map the high port that Filemaker uses to the appropriate host on the other end.

Introducing the new, easily imitated, AFP548 command-o-matic!
(Remember, the final command should be all on one line.)

I'm going to show you how to build the command one step at a time. These are not individual steps, rather I am explaining each part of the command as we go along. So fire up the Terminal and join in the fun!

First we need to start up ssh and tell it what user to login as,

ssh -l josh

next tell it we are going to map a local port, in this case 1025,

ssh -l josh -L 1025:

to a remote port on remote target, here port 25 on my mail server,

ssh -l josh -L 1025:mail.mydomain.com:25

in my case I also want to use Filemaker Pro so I need a second mapping,

ssh -l josh -L 1025:mail.mydomain.com:25 -L 5003:fmp.mydomain.com:5003

and finally I need to tell it what server I have an ssh account on. Your complete command should look something like this:

ssh -l josh -L 1025:mail.mydomain.com:25 -L 5003:fmp.mydomain.com:5003 fmp.mydomain.com

Notice that the ssh host is the same as my FMP server; that's fine. Once you hit enter you will log in to the server via ssh as normal; then just minimize the Terminal window and leave the connection open.

One of the best parts about this technique is that you need nothing more than an ssh account on a remote server.

Using your tunnel

Now that I have the tunnel running, all I need to do is tell my apps to use it. In Mail, I just set up an SMTP server entry that uses localhost:1025. Filemaker Pro is even easier: since it uses a high port, I didn't need to remap anything. Just point FMP at localhost and you are done.

Now I can access my services as if I wasn't behind the firewall at all.

If your server tends to time out idle connections quickly, you can throw a command like cat on the end of your tunneling command. This will often help keep things open longer.
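The command built up above, as a small script rather than one long line. This is an added example, not the article's own script: it runs on the Mac behind the firewall (the side that owns the local ports), composes the same "ssh -l USER -L LOCAL:HOST:PORT ... SSH_HOST" command the article does, rejects a malformed mapping or a privileged local port before ssh is ever started, and can check that the local end of the tunnel is really listening before you point Mail or Filemaker at it. The user "josh" and the mydomain.com hosts are the article's placeholders; the script name tunnel.sh, the SSH_OPTS variable and the function names are mine. The ssh options used for "start" are real OpenSSH options: -N opens the forwards without a remote shell, -f backgrounds ssh once the forwards are up, ExitOnForwardFailure makes a failed -L fatal instead of silent, and ServerAliveInterval is a cleaner alternative to the cat trick for keeping an idle session alive.

```shell
#!/bin/sh
# Added example (not from the article). Run on the Mac behind the firewall.
# Usage:  sh tunnel.sh start     -> launches the tunnel and checks the ports
#         . ./tunnel.sh          -> just defines the functions
SSH_OPTS=${SSH_OPTS-}   # extra ssh flags, empty by default (assumed variable)

# build_tunnel_cmd USER SSH_HOST MAPPING...   (MAPPING is LOCAL:HOST:PORT)
# Prints the ssh command line. Returns 1, with a reason on stderr, if a
# mapping is malformed or asks for a local port below 1024: an ordinary
# user cannot bind those, which is why the article maps local 1025 to 25.
build_tunnel_cmd() {
    user=$1; ssh_host=$2; shift 2
    cmd="ssh${SSH_OPTS:+ $SSH_OPTS} -l $user"
    for map in "$@"; do
        case $map in
            *:*:*) ;;
            *) echo "mapping must be LOCAL:HOST:PORT, got '$map'" >&2; return 1 ;;
        esac
        lport=${map%%:*}          # text before the first colon
        rest=${map#*:}
        rhost=${rest%%:*}         # text between first and second colon
        rport=${rest#*:}          # everything after the second colon
        case $lport in ''|*[!0-9]*) echo "bad local port in '$map'" >&2; return 1 ;; esac
        case $rport in ''|*[!0-9]*) echo "bad remote port in '$map'" >&2; return 1 ;; esac
        [ -n "$rhost" ] || { echo "missing remote host in '$map'" >&2; return 1; }
        if [ "$lport" -lt 1024 ]; then
            echo "local port $lport is privileged; pick one >= 1024" >&2; return 1
        fi
        if [ "$lport" -gt 65535 ] || [ "$rport" -gt 65535 ]; then
            echo "port out of range in '$map'" >&2; return 1
        fi
        cmd="$cmd -L $lport:$rhost:$rport"
    done
    echo "$cmd $ssh_host"
}

# tunnel_ready PORT: succeeds if something accepts connections on
# localhost:PORT, i.e. ssh has opened the local end of the tunnel.
# Uses bash's /dev/tcp when available, otherwise nc.
tunnel_ready() {
    if [ -n "${BASH_VERSION-}" ]; then
        ( exec 3<>"/dev/tcp/127.0.0.1/$1" ) 2>/dev/null
    else
        nc -z 127.0.0.1 "$1" >/dev/null 2>&1
    fi
}

if [ "${1-}" = "start" ]; then
    # -f returns only after authentication and after every -L is bound,
    # so the readiness check below is meaningful as soon as ssh returns.
    SSH_OPTS="-f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=60"
    cmd=$(build_tunnel_cmd josh fmp.mydomain.com \
            1025:mail.mydomain.com:25 5003:fmp.mydomain.com:5003) || exit 1
    echo "running: $cmd"
    $cmd || exit 1            # unquoted on purpose: split into arguments
    for p in 1025 5003; do
        if tunnel_ready "$p"; then
            echo "localhost:$p is listening; point your app at it"
        else
            echo "localhost:$p is not listening" >&2
        fi
    done
fi
```

With SSH_OPTS left empty, build_tunnel_cmd reproduces the article's command character for character; the "start" branch only adds the background and keepalive flags. Mail then gets localhost:1025 as its SMTP server exactly as the article describes.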

You can use ssh tunnels with almost any of your TCP/IP based protocols. Need VNC access? Tunnel it! Need AFP? Tunnel it! (Incidentally, this is the foundation for Apple's "Secure AFP" connections.) Need IMAP? Tunnel it!

So next time you are stuck behind a firewall and need access, break out the pickaxe and shovel and make an ssh tunnel.

Did you find this tip helpful? Am I way off base? Put your comments below and let me know!

Comments (18)

Authored by: macspudster on Monday, August 16 2004 @ 01:51 pm MDT
(In my opinion) the instructions don't clearly qualify which command is to be
performed on which Macintosh.

Can you repost with information as to which Macintosh each command line is
to be executed on? As well, even add the "Launch Terminal"...

Example:
On the Firewall-secured Mac, do this.....

On your Mac (on the outside) do this......

Thnx
Authored by: tbridge on Monday, August 16 2004 @ 03:49 pm MDT
Any chance I could get you to write a follow up about how to handle passkeys
on either end so that you can do it all without password authentication?
Authored by: ashbean on Tuesday, August 17 2004 @ 02:33 pm MDT
Does this article assume that access to port 22 (ssh) is available through a corporate firewall?
Authored by: Anonymous on Thursday, August 19 2004 @ 05:08 pm MDT
In my experience, most savvy netadmins will make sure that any port open on
their firewall is open for a reason: some process or server is running on it. So
what happens when you try to open an ssh connection through port 80
instead of port 22, and the company webserver is operating on port 80?

In addition, what happens if you have a firewall with stateful packet
inspection, and it looks inside the packets? Since many firewalls are
configured to deny all traffic not specifically allowed by rule, won't the ssh
connection fail because the firewall can't see inside the packets to determine
what they really are? And even if it could look inside the packets, wouldn't the
firewall see that they aren't http traffic, and so deny them altogether?
Authored by: Anonymous on Monday, August 23 2004 @ 01:31 am MDT
How come I haven't seen a reference to ssh tunnel Manager at http://projects.tynsoe.org/en/stm/ ?

It works great for me.

Authored by: Anonymous on Friday, September 03 2004 @ 08:35 pm MDT
Somehow in 10.3.5, I cannot build an AFP tunnel. ssh tunnel Manager has
the same problem even though it worked fine before. Something has
changed, no?
Authored by: Anonymous on Wednesday, February 28 2007 @ 12:56 pm MST
Thanks, I used the ssh tunnel Manager since it's for unskilled users, but it took your article to make it work; see, you need to tell FMP "localhost" not "127.0.01" as I'd thought.

I hope you will add to this piece, I'd like to know how to a) tunnel filesharing b) build certs for both ends to avoid the password issues.