SSH No Ports

Follow

Gareth Owen

• May 10, 2024 17:03

Hi,

We met the Firewalla team at RSA in San Francisco this week and asked about SSH and communicating over starlink. Our software enables ssh (or Windows RDP or anything TCP/IP) and supports Starlink connections. We purchased the Firewalla Purple SE, received last evening and then completed the integration today. So we can SSH without opening port 22 (or 3389 if you want to used Windows RDP on the LAN) and have access as local machine. So now we can get access to our Firewalla FW without having to worry about Starllink network address translations and use  AES and makes the device invisible as an attack surface; basically Software DIODE and air gapping Firewalla.  So you can leave SSH on the LAN interface but access it over the WAN interface without opening any port; even if like Starlink which is running carrier grade NAT. So Cool! See below:

firewalla.com is now checked off as something we can run SSH No Ports on

╭─cconstab@servalan in ~
╰$ sshnp -f @cconstab -t @ssh_1 -h @rv_am -d firewalla -i ~/.ssh/GitHub_rsa -s
2024-05-10 09:39:27.056694 : Sending daemon feature check request
2024-05-10 09:39:27.056753 : Resolving remote username for user session
2024-05-10 09:39:27.949175 : Resolving remote username for tunnel session
2024-05-10 09:39:27.949392 : Sharing ssh public key
2024-05-10 09:39:27.949881 : Fetching host and port from srvd
2024-05-10 09:39:29.617080 : Received host and port from srvd
2024-05-10 09:39:29.617104 : Waiting for daemon feature check response
2024-05-10 09:39:29.617113 : Received daemon feature check response
2024-05-10 09:39:29.619084 : Required daemon features are supported
2024-05-10 09:39:30.175745 : Sending session request to the device daemon
2024-05-10 09:39:30.396083 : Waiting for response from the device daemon
2024-05-10 09:39:31.453082 : Received response from the device daemon
2024-05-10 09:39:31.453174 : Creating connection to socket rendezvous
2024-05-10 09:39:31.562738 : Starting tunnel session
2024-05-10 09:39:32.087089 : Starting user session
 _____ ___ ____  _______        ___    _     _        _    
|  ___|_ _|  _ \| ____\ \      / / \  | |   | |      / \  
| |_   | || |_) |  _|  \ \ /\ / / _ \ | |   | |     / _ \  
|  _|  | ||  _ <| |___  \ V  V / ___ \| |___| |___ / ___ \
|_|   |___|_| \_\_____|  \_/\_/_/   \_\_____|_____/_/   \_\
                                                           
 ____  _   _ ____  ____  _     _____     ____  _____
|  _ \| | | |  _ \|  _ \| |   | ____|   / ___|| ____|
| |_) | | | | |_) | |_) | |   |  _| ____\___ \|  _|  
|  __/| |_| |  _ <|  __/| |___| |__|_____|__) | |___
|_|    \___/|_| \_\_|   |_____|_____|   |____/|_____|
                                                     
Welcome to FIREWALLA purple-se 0.1230 (Ubuntu 22.04.1 LTS kernel:5.15.78)

 * Documentation:  https://help.firewalla.com

  System information as of Fri May 10 09:39:10 PDT 2024

  System load:    1.52001953125   Processes:                228
  Usage of /home: unknown         Users logged in:          1
  Memory usage:   58%             IPv4 address for br0:     192.168.124.1
  Swap usage:     0%              IPv4 address for docker0: 172.17.0.1
  Temperature:    62.1 C          IPv4 address for eth0:    192.168.1.92
Last login: Fri May 10 09:39:32 2024 from 127.0.0.1
pi@Firewalla:~ (Firewalla) $

 

gareth@atsign.com

1

• 

  Colin Constable

  • May 11, 2024 01:27
  • Edited

  If you want to try this for yourself then there are a couple of things to be aware of as you do the SSH No Ports install.

  https://noports.com 

  I will be writting this all up and creating and install video but in the meantime these are the small differences as you install SSH No Ports on a Firewalla box.

   

  Install using No Sudo this uses a tmux session and tmux is installed as default.

  ./universal.sh --no-sudo

  Once installed a cronjob is setup but that does not survive a reboot so follow the instructions here to add a cronjob that does survive the reboot..

  https://help.firewalla.com/hc/en-us/articles/360054056754-Customized-Scripting 

  The line you want to put into /home/pi/.firewalla/config/user_crontab is

  */5 * * * * tmux new-session -d -s sshnpd 2>/dev/null && tmux send-keys -t sshnpd /home/pi/.local/bin/sshnpd.sh C-m

  This will start the tmux session and if for any reason it dies it will restart. I normally use a @reboot but that does not work currently with the way firewalla starts cron. This is fine as it is belt and braces !
  
  If you get stuck or have questions let me know.

  0

  Comment actions Permalink
• 

  Client Support

  • May 11, 2024 07:31

  Hey @Colin, 

  Thank you! Very interesting. 

  You can also put a script in /home/pi/.firewalla/config/post_main.d/ which will fire anytime the box boots, if that's helpful. 

   

  See https://help.firewalla.com/hc/en-us/articles/360054056754-Customized-Scripting

  0

  Comment actions Permalink
• 

  Colin Constable

  • May 11, 2024 23:27
  • Edited

  That was my preference and I did try it but for some reason the background tmux session dies and I could not figure out why. Would love to fault find that with you. So for the moment the cron line works.

   

  I am a Starlink user and it so nice to be able to dial home via my firewalla box ! Using SSH No Ports also allows me to VNC/RDP to my Mac and Windows machines at home when I am on the road. This is without any NAT rules (as Starlink does not give you a routable IPV4 address) or a port that is always open via Ngrok or other port forwarding service.

  0

  Comment actions Permalink
• 

  Client Support

  • May 18, 2024 01:00

  Hi Colin,
  
  I'd be happy to work with you on this. I'm creating a ticket for you. 

  0

  Comment actions Permalink

Please sign in to leave a comment.