Better port forwarding control

Michael Salmon ms at speakeasy.net
Wed Mar 7 09:14:22 EST 2001


Hi Kieran,
I've had the same need before and have the patches to do this also; we needed to
allow only specific ports to be forwarded. This was rejected from the mainstream
because it was requested to be implemented using a security protocol that I
once bookmarked, planned on reading over, and have since forgotten and deleted.
(Ring a bell, anyone?)
If you want to get together and work on adding this feature using the protocol
Markus said it required, I'd be happy to talk with you about it since I think
this is a good feature to have for many users.
I was told this was already in an older version of OpenSSH, but I haven't tried
it out. It was removed from the head before I checked out the code.

cheers,
ms

On Tue, Mar 06, 2001 at 08:48:28PM -0000, Kieran Barry wrote:
> Hi,
> 
> I've just joined the list, so please forgive if I missed something in
> the FAQ/docs etc.
> 
> Overview
> I am likely to need to allow someone (untrusted) to forward a port on
> one of my boxes to one of theirs for EDI. It appears to involve only one
> port, so an IPSEC-type VPN is likely to be over the top. I'd like to do
> this with ssh port forwarding, but to only allow a single port to be
> forwarded. I'd also like to prevent the remote party forwarding a local
> (on their machine) port to random ports on machines in my DMZ.
> The target platforms I am aware of are Linux/Solaris boxes. This raises
> questions about coding against the portable vs non-portable code bases.
> 
> Since I know less about the codebase than you guys, I'd like some
> guidance on the following:
> 
> My plan is to provide an account, a DSA key, and a shell which
> effectively goes to sleep for a week, and ask the other party to put
> this in a loop.
> 
> Is there an easier way to do what I want to do, either with ssh or
> another tool?
> 
> I have a couple of questions on the project:
> 1. Would patches adding this sort of functionality be accepted by the
> project if they followed man 9 style?
> 2. Which source tree would patches need to work against?
> 3. I would need to add statements to sshd_config (and the ServerOptions
> struct in servconf.h). Could someone sanity check the outline spec below
> and tell me what they think?
> 
> Spec
> sshd_config changes
> Either:
> New values for the AllowTcpForwarding keyword (valid values now
> [no | incoming | outgoing | yes])
> incoming would allow a -L type connection
> outgoing would allow a -R type connection
> yes would allow both
> 
> Or
> New keywords IncomingPortsAllowed, OutgoingPortsAllowed (and maybe
> IncomingPortsDenied, OutgoingPortsDenied. I would prefer a default
> deny stance, but I could be persuaded otherwise.)
> 
> Probably a combination of both is best.
> 
> ServerOptions struct (from servconf.h) changes:
> Add the following fields to the structure:
>   u_int   num_allow_incoming_forwarded_ports;
>   char   *allow_incoming_forwarded_ports;
>   u_int   num_allow_outgoing_forwarded_ports;
>   char   *allow_outgoing_forwarded_ports;
> 
> Extra source files:
> Add .c and .h files
> portaccess
> or
> incomingportaccess and outgoingportaccess
> similar to groupaccess.[ch]
> 
> Any other tips would be useful.
> 
> Thanks for your time.
> 
> Regards
> 
> Kieran
> 
> 
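The outline spec quoted above (the two allow-list strings on ServerOptions plus a groupaccess-style portaccess module) can be made concrete with a small default-deny check. The block below is an added example written for this thread, not code from OpenSSH or from either poster; every name in it (portaccess_parse, portaccess_permitted, forward_permitted, the fwd_options fields) is hypothetical. It assumes the list syntax is a whitespace- or comma-separated set of ports and ranges, that an empty or missing list allows nothing, and that a malformed list is treated as "deny everything" rather than being silently ignored. For -L style requests the port checked would be the destination port of the client's forwarding request; for -R style requests it would be the listen port the client asks the server to bind. The DMZ concern in the quoted message also needs a host restriction, which this example deliberately leaves out. (OpenSSH later addressed the same need with the PermitOpen keyword and the local/remote values of AllowTcpForwarding.)

```c
/* Added example, not OpenSSH code. Hypothetical portaccess-style helpers:
 * a default-deny port allow-list check for forwarding requests. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PORT_RANGES 64

struct port_range { unsigned short lo, hi; };

struct port_list {
    unsigned int num;
    struct port_range ranges[MAX_PORT_RANGES];
};

/* Parse one token of the form "N" or "N-M". Returns 0 on success, -1 on bad input. */
static int parse_range(const char *tok, struct port_range *r)
{
    char *end;
    long lo, hi;

    lo = strtol(tok, &end, 10);
    if (end == tok || lo < 1 || lo > 65535)
        return -1;
    if (*end == '\0') {
        hi = lo;
    } else if (*end == '-') {
        const char *p = end + 1;
        hi = strtol(p, &end, 10);
        if (end == p || *end != '\0' || hi < lo || hi > 65535)
            return -1;
    } else {
        return -1;
    }
    r->lo = (unsigned short)lo;
    r->hi = (unsigned short)hi;
    return 0;
}

/* Parse an allow-list such as "25 443 8000-8100". Any malformed token
 * rejects the whole list (-1) so a typo cannot silently widen access.
 * A NULL spec is an empty list: nothing is permitted. */
int portaccess_parse(const char *spec, struct port_list *pl)
{
    char buf[256], *tok;

    pl->num = 0;
    if (spec == NULL)
        return 0;
    if (strlen(spec) >= sizeof(buf))
        return -1;
    strcpy(buf, spec);
    for (tok = strtok(buf, " \t,"); tok != NULL; tok = strtok(NULL, " \t,")) {
        if (pl->num >= MAX_PORT_RANGES)
            return -1;
        if (parse_range(tok, &pl->ranges[pl->num]) < 0)
            return -1;
        pl->num++;
    }
    return 0;
}

/* Default deny: the port is allowed only if some range contains it. */
int portaccess_permitted(const struct port_list *pl, unsigned int port)
{
    unsigned int i;
    for (i = 0; i < pl->num; i++)
        if (port >= pl->ranges[i].lo && port <= pl->ranges[i].hi)
            return 1;
    return 0;
}

/* Stand-in for the two string fields proposed for ServerOptions. */
struct fwd_options {
    const char *allow_incoming_forwarded_ports; /* -L style requests */
    const char *allow_outgoing_forwarded_ports; /* -R style requests */
};

enum fwd_dir { FWD_INCOMING, FWD_OUTGOING };

/* Decide one forwarding request: 1 = allow, 0 = deny. An unparsable
 * configuration denies rather than falling open. */
int forward_permitted(const struct fwd_options *o, enum fwd_dir dir, unsigned int port)
{
    struct port_list pl;
    const char *spec = (dir == FWD_INCOMING) ? o->allow_incoming_forwarded_ports
                                             : o->allow_outgoing_forwarded_ports;
    if (portaccess_parse(spec, &pl) < 0)
        return 0;
    return portaccess_permitted(&pl, port);
}

int main(void)
{
    /* Constructed sample: one EDI port allowed inbound, nothing outbound. */
    struct fwd_options o = { "5000", NULL };
    printf("incoming 5000: %d\n", forward_permitted(&o, FWD_INCOMING, 5000));
    printf("incoming 22:   %d\n", forward_permitted(&o, FWD_INCOMING, 22));
    printf("outgoing 5000: %d\n", forward_permitted(&o, FWD_OUTGOING, 5000));
    return 0;
}
```

The parse step is repeated on every request here for simplicity; in a real server the lists would be parsed once at configuration load so that a bad sshd_config is reported at startup instead of turning every request into a denial.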