Your browser does not allow storing cookies. We recommend enabling them.

SSH

Remote Tunneling Rule Examples

This section gives examples on using the remote tunneling rules in the ssh-server-config.xml file.

Figure 8.5 shows the different hosts and ports involved in remote port forwarding.

Remote tunneling terminology

Figure 8.5. Remote tunneling terminology


Allow Rules

The following configuration allows opening a listener to port 8765 on the interface 10.1.60.16 on the server and allows connections to it from all addresses. If this is the only tunnel-remote rule, attempts to open remote port forwarding to other interfaces or other ports will be denied:

<rule>
  <tunnel-remote action="allow">
    <listen address="10.1.60.16" port="8765" />
  </tunnel-remote>
...
</rule>

The following configuration allows opening any port on any interface on the server but allows connections only from the listed addresses:

<rule>
  <tunnel-remote action="allow">
    <src fqdn="alpha.example.com" />
    <src fqdn="beta.example.com" />
  </tunnel-remote>
...
</rule>

Note, however, that only users with administrative privileges can create listeners to privileged ports (below 1024).

Deny Rules

The following configuration denies opening ports 1-9000 on the server. If this is the only tunnel-remote rule, it allows opening all other ports:

<rule>
  <tunnel-remote action="deny">
    <listen port="1-9000" />
  </tunnel-remote>
...
</rule>

The following configuration denies connections to ports 1-9000 from the listed addresses. However, listeners can be opened to these ports (with ports 1-1023 restricted to admin users only) and all other addresses can connect to them. If this is the only tunnel-remote rule, it allows opening all other ports and allows connections to them from all other addresses:

<rule>
  <tunnel-remote action="deny">
    <listen port="1-9000" />
    <src fqdn="gamma.example.com" />
    <src fqdn="delta.example.com" />
  </tunnel-remote>
...
</rule>

A rule like the above probably does not have any practical use. Nevertheless, it is shown here as an example of the rule logic.


 

 
Highlights from the SSH.COM blog:

  • Cryptomining with the SSH protocol: what big enterprises need to know about it

    Cryptomining malware is primarily thought of as targeting desktops and laptops and is used to hijack system resources to mine cryptocurrency.
    Read more
  • SLAM the door shut on traditional privileged access management

    Did you know that something as trivial-sounding as granting access for your developers or third parties to a product development environment can throw a gorilla-sized monkey wrench into your operations and productivity?
    Read more
  • We broke the IT security perimeter

    Everyone understands the concept of a security perimeter. You only gain access if you are identified and authorized to do so.
    Read more