
Remote Tunneling Rule Examples

This section gives examples of using the remote tunneling rules in the ssh-server-config.xml file.

Figure 8.5 shows the different hosts and ports involved in remote port forwarding.


Figure 8.5. Remote tunneling terminology

Allow Rules

The following configuration allows opening a listener to port 8765 on the interface 10.1.60.16 on the server and allows connections to it from all addresses. If this is the only tunnel-remote rule, attempts to open remote port forwarding to other interfaces or other ports will be denied:

<rule>
  <tunnel-remote action="allow">
    <listen address="10.1.60.16" port="8765" />
  </tunnel-remote>
...
</rule>

The following configuration allows opening any port on any interface on the server but allows connections only from the listed addresses:

<rule>
  <tunnel-remote action="allow">
    <src fqdn="alpha.example.com" />
    <src fqdn="beta.example.com" />
  </tunnel-remote>
...
</rule>

Note, however, that only users with administrative privileges can create listeners to privileged ports (below 1024).

Deny Rules

The following configuration denies opening ports 1-9000 on the server. If this is the only tunnel-remote rule, it allows opening all other ports:

<rule>
  <tunnel-remote action="deny">
    <listen port="1-9000" />
  </tunnel-remote>
...
</rule>

The following configuration denies connections to ports 1-9000 from the listed addresses. However, listeners can be opened to these ports (with ports 1-1023 restricted to admin users only) and all other addresses can connect to them. If this is the only tunnel-remote rule, it allows opening all other ports and allows connections to them from all other addresses:

<rule>
  <tunnel-remote action="deny">
    <listen port="1-9000" />
    <src fqdn="gamma.example.com" />
    <src fqdn="delta.example.com" />
  </tunnel-remote>
...
</rule>

A rule like the above probably does not have any practical use. Nevertheless, it is shown here as an example of the rule logic.
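To make the allow and deny logic above concrete, the following Python program is an added example; it is not part of the Tectia documentation or product code. It parses a single <rule> fragment with xml.etree and decides, for a given listener (interface and port) and connecting host, what the single-rule semantics described in this section imply: an allow rule permits only what it lists and denies everything else, a deny rule blocks only what it lists and permits everything else, a deny rule that names sources restricts connections rather than listener creation, and ports below 1024 are reserved for administrative users. How Tectia combines several tunnel-remote rules is not described here, so the model evaluates one rule at a time. The class and function names, the constructed rule strings and the is_admin flag are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

PRIVILEGED_PORT_MAX = 1023  # listeners on ports 1-1023 need administrative privileges


@dataclass(frozen=True)
class TunnelRemoteRule:
    """Model of one <tunnel-remote> element (hypothetical type, not a Tectia API)."""
    action: str                              # "allow" or "deny"
    listen_address: Optional[str]            # None = any interface
    listen_ports: Optional[Tuple[int, int]]  # inclusive range, None = any port
    src_fqdns: FrozenSet[str]                # empty = any connecting host


def parse_port_spec(spec: str) -> Tuple[int, int]:
    """Turn a port attribute such as "8765" or "1-9000" into an inclusive range."""
    low, sep, high = spec.partition("-")
    return (int(low), int(high)) if sep else (int(low), int(low))


def parse_rule(xml_text: str) -> TunnelRemoteRule:
    """Extract the single <tunnel-remote> element from a <rule> fragment."""
    tr = ET.fromstring(xml_text).find("tunnel-remote")
    if tr is None:
        raise ValueError("rule has no tunnel-remote element")
    action = tr.get("action")
    if action not in ("allow", "deny"):
        raise ValueError(f"unexpected action {action!r}")
    listen = tr.find("listen")
    address = listen.get("address") if listen is not None else None
    port_spec = listen.get("port") if listen is not None else None
    ports = parse_port_spec(port_spec) if port_spec else None
    srcs = frozenset(s.get("fqdn") for s in tr.findall("src") if s.get("fqdn"))
    return TunnelRemoteRule(action, address, ports, srcs)


def _listen_matches(rule: TunnelRemoteRule, address: str, port: int) -> bool:
    """True when the rule's <listen> constraints (if any) cover address:port."""
    if rule.listen_address is not None and rule.listen_address != address:
        return False
    if rule.listen_ports is not None:
        low, high = rule.listen_ports
        if not low <= port <= high:
            return False
    return True


def may_open_listener(rule: TunnelRemoteRule, address: str, port: int,
                      is_admin: bool = False) -> bool:
    """Can the client open a remote-forwarding listener on address:port?"""
    if port <= PRIVILEGED_PORT_MAX and not is_admin:
        return False            # privileged ports are reserved for administrators
    matched = _listen_matches(rule, address, port)
    if rule.action == "allow":
        return matched          # only the listed interface/port is allowed
    if rule.src_fqdns:
        return True             # a deny naming sources limits connections, not the listener
    return not matched          # a plain deny blocks the listed ports and permits the rest


def may_connect(rule: TunnelRemoteRule, address: str, port: int, src_fqdn: str,
                is_admin: bool = False) -> bool:
    """Can src_fqdn connect to a listener on address:port under this rule?"""
    if not may_open_listener(rule, address, port, is_admin):
        return False            # no listener could exist there in the first place
    matched = _listen_matches(rule, address, port) and (
        not rule.src_fqdns or src_fqdn in rule.src_fqdns)
    return matched if rule.action == "allow" else not matched


# Constructed rule fragments mirroring the four examples in this section.
ALLOW_LISTENER = '<rule><tunnel-remote action="allow"><listen address="10.1.60.16" port="8765" /></tunnel-remote></rule>'
ALLOW_SOURCES = '<rule><tunnel-remote action="allow"><src fqdn="alpha.example.com" /><src fqdn="beta.example.com" /></tunnel-remote></rule>'
DENY_PORTS = '<rule><tunnel-remote action="deny"><listen port="1-9000" /></tunnel-remote></rule>'
DENY_SOURCES = '<rule><tunnel-remote action="deny"><listen port="1-9000" /><src fqdn="gamma.example.com" /><src fqdn="delta.example.com" /></tunnel-remote></rule>'

if __name__ == "__main__":
    for name, text in [("allow listener", ALLOW_LISTENER), ("allow sources", ALLOW_SOURCES),
                       ("deny ports", DENY_PORTS), ("deny sources", DENY_SOURCES)]:
        rule = parse_rule(text)
        print(name, "listener 10.1.60.16:8765 ->", may_open_listener(rule, "10.1.60.16", 8765),
              "| gamma connects ->", may_connect(rule, "10.1.60.16", 8765, "gamma.example.com"))
```

Running the script prints, for each of the four rules, whether a non-administrative user may open a listener on 10.1.60.16:8765 and whether gamma.example.com may then connect to it; change the address, port or source to explore the other cases in the text, such as a privileged port with is_admin=True.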
