How to Route SSH Traffic Based on Hostname Using FreeBSD/pf

Tags: firewall, freebsd, pf, routing, ssh

I have a proxy/firewall machine running FreeBSD 9, using PF to route and filter traffic as needed.

Now I'm setting up a git server, which runs over ssh, but I'm already using port 22 for ssh. I would like to route traffic from any IP to port 22 to another machine, if the hostname they used to reach the server was a subdomain (git.mydomain.com). Kind of a virtual host, but for ssh…

Is this possible with pf?
Any suggestions?

Best Answer

Sorry, what you're asking for is impossible -- IP traffic (and an IP firewall) only knows IP addresses - it knows nothing of hostnames.

You can only have one process listening to a specific port on a specific IP address. Virtual hosts for websites work because the web server receives the hostname in an HTTP header (see http://en.wikipedia.org/wiki/Virtual_hosting), and there is no similar mechanism in SSH.

Your options are pretty limited:

  1. Configure your regular SSH server to handle the git traffic (probably the best option).
  2. Acquire another IP address.
  3. Run the SSH server for git on an alternate port.

Once you have the SSH server for git on an alternate port, you can automagically use it by adding the following to your ~/.ssh/config:

Host git.mydomain.com
    HostName router.mydomain.com
    Port 2222
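For option 3, the matching piece on the FreeBSD 9 router is a pf rdr rule that sends connections arriving on the router's public address at port 2222 to port 22 on the separate git machine, while regular ssh to the router itself stays on 22. This is an added example, not part of the answer above; the interface name em0, the git server address 192.168.1.20 and the public port 2222 are assumed values.

```pf
# /etc/pf.conf fragment, FreeBSD 9 pf syntax (rdr rules must precede filter rules).
# Added example; interface and addresses are assumed, not taken from the question.
# The router must also forward packets: gateway_enable="YES" in /etc/rc.conf.
ext_if  = "em0"            # assumed public interface of the router
git_srv = "192.168.1.20"   # assumed LAN address of the separate git machine
git_pub = "2222"           # public port that ~/.ssh/config points at

# Translation: a TCP connection to the router's own public address on 2222
# is rewritten to port 22 on the git server. The "pass" modifier lets the
# redirected flow through with state, so no extra filter rule is needed for it.
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port $git_pub \
    -> $git_srv port 22

# Default deny on the public interface; only what is passed below gets in.
block in on $ext_if

# Ordinary ssh to the router itself is unaffected by the redirect.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state
```

Load and check the rules with `pfctl -nf /etc/pf.conf` (syntax check) and `pfctl -f /etc/pf.conf`; the client then uses the `Host git.mydomain.com` stanza shown above, and the git server's own sshd keeps listening on 22 on the LAN only.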