Your browser does not allow storing cookies. We recommend enabling them.

SSH Tectia 
PreviousNextUp[Contents] [Index]

    About This Document >>
    Installing SSH Tectia Server for IBM z/OS >>
    Getting Started with SSH Tectia Server for IBM z/OS >>
    Configuring the Server >>
    Configuring the Client >>
    Authentication >>
    File Transfer Using SFTP >>
    File Transfer Using Transparent FTP Tunneling >>
    Tunneling on the Command Line >>
    Troubleshooting SSH Tectia Server for IBM z/OS >>
    Advanced Information >>
    Man Pages >>
        ssh-socks-proxy >>
        ssh-socks-proxy-config >>
            Document Type Declaration and the Root Element
            The general Element
            The default-settings Element
            The profiles Element
            The static-tunnels Element
            The filter-engine Element
            The logging Element
        ssh-socks-proxy-ctl >>
        ssh-certview >>
        ssh-cmpclient >>
        ssh-keydist2 >>
        ssh-scepclient >>
    Log Messages >>

The filter-engine Element

Note: The filter-engine element is read from the global configuration file, if such a file is available. On Unix, the global configuration is stored as /etc/ssh2/ssh-socks-proxy-config.xml. Only when no global configuration file exists, this element is read in the user-specific configuration file.

The filter-engine element defines the Transparent Tunneling filter rules. Also the static-tunnels element with a socks-proxy tunnel needs to be defined for the Transparent Tunneling to work.

The top level element is filter-engine. It has one attribute: ip-generate-start. This attribute defines the start address of the pseudo IP address space. Pseudo IPs are generated by the SOCKS Proxy when applications do the DNS query through the SOCKS Proxy.

Under the filter-engine element there can be any amount of elements of the type network, dns, or filter. The order of the elements is important, because the filter engine uses the elements in the order they were specified in the configuration file.

  • network

    The network element specifies a "location" where SSH Tectia Client is running. It has four attributes: id, address, domain, and ip-generate-start.

    The id attribute specifies a unique identifier for the network element. The address attribute specifies the address of the network. It can be missing or empty, in which case it is not used. The domain attribute contains the domain name of the computer. It can also be missing or empty, in which case it is not used. The ip-generate-start attribute defines the start address of the pseudo IP space. If it is defined here, it overrides the ip-generate-start attribute of the filter-engine element.

  • dns

    The dns element creates a DNS rule for the filter engine. It has six attributes: id, network-id, application, host, ip-address, and pseudo-ip.

    The id attribute specifies a unique identifier for the dns element. The network-id attribute contains a reference to a network element. This can be left empty if the dns entry does not bind to a specific network. The application attribute specifies the application for which this DNS entry is used. This can be a regular expression.

    The host attribute specifies a target host name. It can be a regular expression. The ip-address attribute specifies the target host IP address. It can be a regular expression. When both the hostname and the IP address are defined, the host attribute takes precedence and the ip-address attribute is ignored. When the ip-address is left empty and the host matches one of the following things happen:

    • When the pseudo-ip attribute is set to yes, the SOCKS Proxy assigns a pseudo IP address for the target host and SSH Tectia Server resolves the real IP address.

      Pseudo IP addresses should be used when accessing an internal network from the outside, because name resolution for the machines in the internal network is not available from the outside.

    • When the pseudo-ip attribute is set to to no, a normal DNS query is made for the target hostname.

  • filter

    The filter element specifies an action for a connection. It has five attributes: dns-id, ports, action, profile-id, and fallback-to-plain.

    The dns-id attribute is a reference to a dns element.

    The ports attribute can be a single port or a range. A range is specified with a dash between two integers (such as "21-25").

    Note: Always specify the port unambiguously if fallback mode is set. Do not use an asterisk (*), because it causes problems in passive mode file transfer when connected to a plaintext FTP server.

    The action attribute specifies the action to be done when a filter is used. Its value can be DIRECT, BLOCK, TUNNEL, or FTP-TUNNEL.

    • DIRECT causes the connection to be made directly as plaintext without tunneling.

    • BLOCK causes the connection to be blocked.

    • TUNNEL is used for TCP tunneling when the Secure Shell connection is opened only with some non-interactive method like public keys or certificates. There is no user interaction which means that passphrases in private keys cannot be used or the SOCKS Proxy has already asked the passphrases or suitable connection has already been established. User ID and other parameters can be defined in a SOCKS Proxy profile.

    • FTP-TUNNEL is used for FTP tunneling. If the referenced connection profile does not have the user attribute specified, the SOCKS proxy asks the FTP client to provide the username and password, which can be used in opening the Secure Shell connection. Public keys can also be used with this method, but there is no interaction to give private key passphrases. Neither is it possible to get user interaction to save a host key.

    When applying the filter rule, if creating the tunnel fails (or the connection to the Secure Shell server fails) the SOCKS Proxy will normally return a "host not reachable" error. However, if the fallback-to-plain attribute is set to yes, a direct (unsecured) connection is used instead.

    The fallback-to-plain and pseudo-ip options should not be enabled at the same time. If they are, and the secure connection fails, the application will try a direct connection with the pseudo IP, which will not work.

An example of a filter rules for transparent FTP tunneling is shown below.

   <dns id="id1_dns"
        pseudo-ip="NO" />
   <filter dns-id="id1_dns"
           fallback-to-plain="YES" />

PreviousNextUp[Contents] [Index]

[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]

Copyright © 2007 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Copyright Notice




What to read next:

  • Reduce Secure Shell risk. Get to know the NIST 7966.

    The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
    Download now
  • ISACA Practitioner Guide for SSH

    With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.
    Download now