Reverse tunnel security settings

Morham opensshdev at r.paypc.com
Tue Jun 24 17:44:37 EST 2014


On 6/20/2014 2:25 PM, Stuart Henderson wrote:

> PF can do this, though I'm not quite sure if doing this from a firewall
> counts as a "good way" and, given the controls already available on
> local forwarding, it does seem like something that it would be
> reasonable to implement internally in ssh.

As of the 2.6.x kernels, iptables has support for it as well.

See the "owner" module, and if you're going to do this, you might as well enable uid-logging in any LOG rules.

If you use grsecurity, you can also create gids that restrict client or server (or both) network socket usage completely, i.e., big hammer.

=M=
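As an added illustration of the iptables approach suggested in the message above (this is example code, not from the thread, OpenSSH or netfilter): a small POSIX shell script that builds an OUTPUT sub-chain using the "owner" match so that only one local uid may open outbound connections to a single destination, logs the uid of every other attempt with `--log-uid`, and rejects it. The uid (1001), destination (10.0.0.5:8080) and chain name are constructed placeholders; the script only prints the rules unless run as root with APPLY=1.

```shell
#!/bin/sh
# Added example: per-uid egress control with the iptables "owner" match and
# uid logging on the LOG rule. Everything below is constructed for the example:
# the tunnel user's uid, the one destination it may reach, and the chain name.
TUNNEL_UID="${TUNNEL_UID:-1001}"
ALLOW_DST="${ALLOW_DST:-10.0.0.5}"
ALLOW_PORT="${ALLOW_PORT:-8080}"
CHAIN="TUNNEL_EGRESS"

# build_rules prints one iptables command per line and executes nothing.
# The owner match only sees locally generated packets, so it lives in OUTPUT.
build_rules() {
    cat <<EOF
iptables -N $CHAIN
iptables -A OUTPUT -m owner --uid-owner $TUNNEL_UID -j $CHAIN
iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -p tcp -d $ALLOW_DST --dport $ALLOW_PORT -j ACCEPT
iptables -A $CHAIN -j LOG --log-prefix "tunnel-egress-denied: " --log-uid
iptables -A $CHAIN -j REJECT
EOF
}

# rule_count returns how many commands build_rules emits (handy for audits).
rule_count() {
    build_rules | wc -l | tr -d ' '
}

# logs_uid succeeds only if the LOG rule records the owning uid, which is
# the detail the message above recommends not forgetting.
logs_uid() {
    build_rules | grep -q -- '-j LOG .*--log-uid'
}

# apply_rules installs the rules, but refuses unless explicitly asked (APPLY=1)
# and running as root, so sourcing or testing this file has no side effects.
apply_rules() {
    [ "${APPLY:-0}" = "1" ] || { echo "dry run; set APPLY=1 to install" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "must be root to install rules" >&2; return 1; }
    build_rules | while IFS= read -r cmd; do eval "$cmd"; done
}

case "${1:-show}" in
    show)  build_rules ;;
    apply) apply_rules ;;
esac
```

Because the owner match only applies to packets the local host generates, these rules constrain which uid may initiate connections (for example the per-user sshd child doing a local forward on the server, or the ssh client on the client side), not who may connect inbound to a port that a reverse tunnel has bound; for the inbound side the listening address and GatewayPorts setting remain the controls.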


More information about the openssh-unix-dev mailing list