[Semibug] ssh to host on local network

Nick Holland nick at holland-consulting.net
Fri Apr 29 11:19:17 EDT 2022

I'm on comcast..er..xfinity, my external IP address changes every couple
years or when I change my firewall (new MAC = New IP with Com..er..xfinity).
Otherwise it is rock solid.

If your outside user can find your external IP address, you don't need
a static IP.  I doubt you need to change service providers.

I'm guessing you have a ISP-provided router.  Whether or not it supports
external inbound rules, no idea, you will have to research that.  I bought
my own cable /MODEM/ (just modem), and have my own firewall (OpenBSD, of
course :) ) which is doing NAT so I can (and do) exactly what you propose.

I would suggest using a dedicated machine for the SSH system or at least be
really really careful that you (and everyone else using it) never forget
that it is directly attached to the external Internet.  It is not uncommon
in a home network to create test accounts with trivial passwords; that WILL
get exploited within hours after being exposed to the Internet.  An SSH
system that someone can log into can be used to create SSH tunnels to
any service inside your network by default.  I'd also suggest disabling
password logins on that machine, so only public keys can be used.


On 4/29/22 8:57 AM, Matthew Mangold wrote:
> josh's answer is correct here. also, you may want to monitor your own IP address a while before ordering a static IP from your provider. there exists the possibility that the IP they're already furnishing may be one that does not get rotated. that was the case with the service provider i was using; they didn't make any changes to my account other than charging an additional fee!
> --
> openbsd7
> On Thu, Apr 28, 2022 at 8:27 PM Josh Grosse <josh at jggimi.net> wrote:
>     On Thu, Apr 28, 2022 at 05:54:07PM -0600, Jonathan Drews wrote:
>      > I think what I will do is one of two things:
>      >
>      > 1) Pay extra to my ISP for a static ip address.
>      > or
>      > 2) Find a host provider that I can use (like Pair Networks)
>     Port forwarding has been used for decades with NAT routers.
>     It doesn't cost you anything other than provisioning time.
>         * The TCP protocol used by SSH has 4 numbers that direct traffic:
>           the origin and destination IP addresses, and the origin and
>           destination port numbers.
>         * The default (and standard) destination port number used by
>           an SSH server is port 22.  The origin port number from the
>           client is normally a random, high number.
>     You would provision port forwarding in the router so that
>     any TCP packets coming in from the Internet for destination
>     port 22 are forwarded to your local SSH server at
>     That's really it.
>     _______________________________________________
>     Semibug mailing list
>     Semibug at lists.nycbug.org
>     https://lists.nycbug.org:8443/mailman/listinfo/semibug
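Nick's advice (public keys only, and remember that any shell login can open tunnels) and Josh's port-22 forwarding both come down to what the exposed sshd_config actually says. The script below is an added example, not code from anyone in this thread: a POSIX sh audit that reads an sshd_config the way sshd does (first occurrence of a keyword wins, global section only, i.e. it stops at the first `Match` block) and reports password logins, keyboard-interactive prompts, TCP forwarding and root password login. The function names and the two sample configs are constructed for the demo; the defaults it falls back on are the ones documented in sshd_config(5).

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# discussed above. Reads only the global section (stops at the first "Match")
# and applies sshd's first-occurrence-wins rule. Function names are ours.

# sshd_option_raw FILE KEYWORD
# Prints the explicitly configured value (lowercased), or nothing if unset.
# Accepts "Key value" and "Key=value", keyword match is case-insensitive,
# which also makes "sshd -T" output (all lowercase) a valid input.
sshd_option_raw() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }              # comment line
        { gsub(/=/, " ") }                     # allow Key=value
        NF == 0 { next }
        tolower($1) == "match" { exit }        # global section ends here
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one FAIL line per risky setting; returns 0 if clean, 1 otherwise.
# Fallback values are the sshd_config(5) defaults.
audit_sshd_config() {
    file=$1 rc=0

    pw=$(sshd_option_raw "$file" PasswordAuthentication)
    [ -n "$pw" ] || pw=yes
    if [ "$pw" != no ]; then
        echo "FAIL: PasswordAuthentication is '$pw'; set it to 'no' so only keys work"
        rc=1
    fi

    # Keyboard-interactive (PAM/bsdauth prompts) is a second password path.
    # Older configs spell it ChallengeResponseAuthentication.
    kbd=$(sshd_option_raw "$file" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_option_raw "$file" ChallengeResponseAuthentication)
    [ -n "$kbd" ] || kbd=yes
    if [ "$kbd" != no ]; then
        echo "FAIL: KbdInteractiveAuthentication is '$kbd'; passwords still accepted via this path"
        rc=1
    fi

    fwd=$(sshd_option_raw "$file" AllowTcpForwarding)
    [ -n "$fwd" ] || fwd=yes
    if [ "$fwd" != no ]; then
        echo "FAIL: AllowTcpForwarding is '$fwd'; any shell account can tunnel to hosts behind the NAT"
        rc=1
    fi

    root=$(sshd_option_raw "$file" PermitRootLogin)
    [ -n "$root" ] || root=prohibit-password
    if [ "$root" = yes ]; then
        echo "FAIL: PermitRootLogin is 'yes'"
        rc=1
    fi

    return $rc
}

# Constructed sample configs for the demo (not copied from any real host).
sample_config() {
    case $1 in
    weak) cat <<'EOF'
# stock-looking config with password logins left on
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#AllowTcpForwarding yes
# the duplicate below is ignored by sshd: the first occurrence above wins
PasswordAuthentication no
EOF
    ;;
    hardened) cat <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowTcpForwarding no
EOF
    ;;
    esac
}

demo() {
    tmp=$(mktemp -d)
    for name in weak hardened; do
        sample_config "$name" > "$tmp/$name"
        echo "== $name =="
        audit_sshd_config "$tmp/$name" && echo "OK: key-only logins, no forwarding"
    done
    rm -rf "$tmp"
}

demo
```

The "weak" sample deliberately carries a second `PasswordAuthentication no` near the bottom: a quick `grep -i` would call that file safe, but sshd keeps the first value, so the audit still fails it. Because the check ignores `Match` blocks, a per-user block can re-enable what the global section turned off; on the host itself, `sshd -T` prints the effective global configuration in the same `key value` form, so saving that output to a file and passing it to `audit_sshd_config` checks what the daemon will really enforce.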
